Privacy Policy

Last updated: 31 January 2026

This Privacy Policy explains how Bifin Sàrl (“Bifin”, “we”, “us”) processes personal data when you visit our website, subscribe to our journal, contact us, or where personal data appears incidentally in public corporate disclosures we process as part of our research and operation of an automated trading system.

1. Controller and contact details

Controller: Bifin Sàrl
Address: Bifin Sàrl, 2 Parc d’Activités, L-8308 Capellen, Luxembourg
RCS: B255923
VAT: LU33713503
Privacy contact email: info@bifin.ai

2. Summary of our activities

2.1 Website and journal subscription

We offer subscriptions to a journal where we publish educational content about our approach to building automated trading platforms.

• Account onboarding is handled via Memberstack.
• Payments are processed by Stripe.
• The website is hosted on Webflow.
• Our domain is registered with GoDaddy and our DNS is managed using Amazon Web Services services.
• An EU-based third-party security provider adds website security features; it is not granted access to customer data held in Memberstack or Stripe.

2.2 Processing of public corporate disclosures for our trading systems

We have built an AI trading agent that trades listed stocks on the New York Stock Exchange and Nasdaq using corporate news and announcements, press releases, statutory and regulatory corporate filings published through the U.S. Securities and Exchange Commission (including the SEC’s EDGAR system) and publicly disclosed financial statements.

We ingest information automatically, process them into trading signals, execute trades, and store relevant datasets. This operational processing runs on cloud infrastructure located in the United States (Section 7).

3. Personal data we process

3.1 Website visitors (technical and security data)

When you visit our website, we may process:

• IP address;
• device and browser information;
• timestamps and pages accessed;
• security and diagnostic logs.

3.2 Subscribers and customers

If you subscribe to our journal or create a member account, we may process:

• name (if provided), email address, and account identifiers;
• subscription status and entitlements (e.g., access rights);
• billing details needed for invoicing/tax compliance (e.g., billing address and VAT details if provided);
• customer support communications (content you send us).

3.3 Payment data

Payments are processed by Stripe. We do not receive or store full payment card details. We may receive:

• payment confirmation and status;
• transaction identifiers;
• invoice/receipt information necessary for accounting and support.

3.4 Public corporate disclosure data

We process publicly available corporate disclosures. These materials may contain personal data, typically in a professional capacity, such as:

• names and roles of directors/officers/signatories;
• business contact details included in filings;
• other personal data that appears in the text of public filings.

We use these disclosures to analyze corporate information and generate market signals. We do not use this information to build profiles about individuals as “consumers” or to make decisions about them.

4. Purposes of processing and legal bases

We process personal data only for specific purposes and under a valid legal basis.

4.1 Website operation, subscriptions, and support

We process personal data to:

• provide website functionality, member access, and journal subscriptions (contract);
• manage billing, accounting, and tax/VAT obligations (legal obligation and/or contract);
• respond to enquiries and provide customer support (contract and/or legitimate interests);
• secure our website and systems, prevent abuse, and investigate suspicious activity (legitimate interests).

4.2 Public corporate disclosures used for trading systems

We process personal data contained in public corporate disclosures to:

• ingest, structure, analyze, and transform disclosures into research outputs and trading signals; and
• operate, maintain, and improve our automated trading systems and related security controls.

Legal basis: legitimate interests.

Our legitimate interests include operating and improving research and automated trading technology based on public information, and maintaining the security and integrity of our systems. Access to operational datasets is restricted to authorized staff and is governed by least-privilege access controls.

4.3 Legal compliance and protection of rights

We may process and disclose personal data where necessary to:

• comply with applicable laws and lawful requests; or
• establish, exercise, or defend legal claims.

Legal basis: legal obligation and/or legitimate interests.

5. Cookies and similar technologies

Our public website pages are designed to operate without cookies used for advertising or cross-site tracking.

Member access and payment flows provided by our service providers (e.g., Memberstack and Stripe) may use strictly necessary cookies or similar technologies (such as session identifiers) to enable login, security, and payment processing.

6. Who we share personal data with

We do not sell personal data. We share personal data only:

• with authorized staff on a need-to-know basis; and
• with service providers that support our operations, subject to appropriate contractual safeguards.

Depending on your interactions, recipients may include:

• website hosting and delivery providers (Webflow);
• domain registration and DNS providers (GoDaddy and AWS);
• membership/onboarding provider (Memberstack);
• payment processor (Stripe);
• cloud infrastructure provider for our operational processing (Google Cloud);
• an EU-based website security provider (Nerdynet) providing security features for our website.

For our trading-related operational datasets, we do not grant access to third parties other than contracted infrastructure providers acting on our behalf and under appropriate safeguards.

7. International transfers

Some processing takes place in the United States, including our automated processing environment for public corporate disclosures and related datasets hosted on cloud infrastructure in the United States. Certain service providers used for website, membership, payments, and support may also process data outside the European Union/EEA depending on their infrastructure and support operations.

Where transfers outside the EU/EEA require safeguards, we use appropriate transfer mechanisms, which may include the European Commission’s Standard Contractual Clauses, alongside technical and organizational measures proportionate to the risk (such as access controls and encryption where appropriate).

You may request information about the safeguards applicable to a specific transfer by contacting us (Section 1).

8. Retention

We retain personal data only as long as necessary for the purposes described in this policy, unless a longer period is required by law.

8.1 Operational datasets (including public-disclosure processing outputs)

For operational datasets where feasible, we apply the following lifecycle:

• data unused for 6 months is moved to an archive state; and
• after 3 months in archive, it is permanently destroyed.

8.2 Subscription and customer records

We retain subscriber and customer data for as long as needed to:

• provide the subscription and manage the customer relationship;
• meet accounting/tax/legal requirements; and
• maintain appropriate records for dispute handling and security.

We do not currently apply a separate fixed automated deletion schedule specifically for subscriber account records beyond retention controls and settings provided by our systems and providers. You can request deletion (Section 11); we will delete or anonymize personal data unless retention is required for legal obligations or to establish, exercise, or defend legal claims.

9. Security

We implement technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. This includes professional-grade cloud security controls, access management, monitoring, and least-privilege permissions.

No third parties are granted access to our operational trading datasets except contracted infrastructure providers operating under appropriate safeguards.

10. Automated decision-making

We do not use your website/subscription personal data for automated decision-making (including profiling) that produces legal effects concerning you or similarly significantly affects you.

Our automated trading systems make trading decisions about financial instruments based on public information and derived signals; these decisions are not decisions “about” website users or subscribers.

11. Your rights

Subject to the conditions and exceptions under the GDPR, you have the right to:

• access your personal data;
• rectify inaccurate or incomplete personal data;
• erase your personal data;
• restrict processing;
• data portability (where applicable);
• object to processing based on legitimate interests.

Where we process personal data based on legitimate interests, you may object. We will assess objections in line with the GDPR.

How to exercise your rights

Contact us at info@bifin.ai. We may request information necessary to verify your identity before fulfilling a request.

Public corporate disclosure data (information not obtained directly from you)

If your personal data appears in a public corporate disclosure we process, that data was obtained from publicly available sources (e.g., public corporate filings). Given the scale and nature of public disclosures, providing individual notices to every person whose data may appear in such sources may be impracticable; we therefore provide this information through this publicly available Privacy Policy and will respond to requests made under Section 11.

12. Complaints

You have the right to lodge a complaint with the Luxembourg supervisory authority, CNPD, or with your local supervisory authority in the EU/EEA, as applicable.

13. Changes to this policy

We may update this Privacy Policy to reflect changes in our processing or legal requirements. The “Last updated” date at the top indicates when this policy was most recently revised.

‍

‍