Members Portal

Book Call

Book Call

Members Portal

Privacy Policy

Effective date: 17th August 2025

1. SCOPE AND APPLICABILITY

1.1 This Privacy Policy (“Policy”) explains how Neurocloud Ltd (“Neurocloud”, “we”, “us”, “our”) collects, uses, discloses, transfers, and protects personal data in connection with:

  1. our public websites and pages;

  2. purchase and payment flows for the Licence and Subscription Fee;

  3. account creation and use of the Ancillary Platform (including any connection you choose to make to MT5); and

  4. customer support, security, and other interactions with us.

1.2 This Policy applies to processing for which Neurocloud determines the purposes and means (acting as controller). Where we act on a customer’s documented instructions in respect of their end users, we act as processor and our processing is governed by the contract with that customer in addition to this Policy.

1.3 This Policy does not apply to independent third parties you choose to use or interact with, including, without limitation, brokers, trading platforms, payment service providers, social media platforms, and other services not operated by Neurocloud. Their collection and use of personal data are governed by their own privacy policies. We do not onboard you to any broker, and we do not store your MT5 trading password or place or manage trades on your behalf.

1.4 This Policy applies regardless of where you are located. Additional disclosures and rights for particular jurisdictions are provided in the relevant sections and apply to the extent required by applicable law.

1.5 This Policy should be read together with our End-User Licence Agreement (EULA). If any statement in another document conflicts with this Policy in relation to the processing of personal data, this Policy governs; nothing in the EULA or any other document limits your non-waivable statutory rights under applicable data protection law.

1.6 Capitalised terms used but not defined in this Policy have the meanings given in the EULA or, where context requires, under applicable data protection law.

2. ROLES AND LEGAL BASES

2.1 Neurocloud determines the purposes and means of processing personal data in connection with our websites, checkout flows, account creation, access controls, Ancillary Platform operation, security, support, and business administration, and in doing so acts as a controller.

2.2 Where trading-related data are pulled from or linked to a trading account that you choose to connect (including MT5 identifiers, execution telemetry, balances/equity, P/L, drawdowns, symbol-level metrics, and configuration metadata), Neurocloud processes such data as an independent controller for the limited purposes of operating, securing, supporting, and improving the Licensed Software and Ancillary Platform, producing anonymised or aggregated analytics and service metrics, complying with law, and defending legal claims. Neurocloud does not use identified trading data for unrelated purposes without a separate lawful basis, does not request or store your MT5 trading password, and does not place, modify, or manage trades on your behalf.

2.3 If a business customer instructs Neurocloud to process personal data of that customer’s end users, Neurocloud acts as a processor and will process such data strictly on the customer’s documented instructions and subject to a written data processing agreement. In that context, the customer remains the controller in relation to its end users, and this Policy applies in addition to (and does not override) the parties’ processing terms.

2.4 Neurocloud relies on the following lawful bases under UK/EU data protection law, applied to the specific purposes below:

2.4.1 Contract (Article 6(1)(b)): creating and administering your account; enabling passcode activation and connection to MT5; providing the Licensed Software and Ancillary Platform; delivering support; processing payments and Subscription renewals you authorise.

2.4.2 Legitimate interests (Article 6(1)(f)): maintaining service security, integrity, and availability; preventing, investigating, and responding to misuse, fraud, or incidents; monitoring and audit necessary to enforce the EULA and protect Intellectual Property Rights; operating diagnostics, quality, and reliability measures; producing anonymised or aggregated analytics to improve features and capacity planning; handling ordinary business administration and customer management. Neurocloud undertakes a balancing test and processes on this basis only where your interests and rights do not override our interests.

2.4.3 Legal obligation (Article 6(1)(c)): tax and accounting record-keeping; responding to lawful requests from competent authorities; complying with consumer protection, data protection, export-control and sanctions laws; maintaining records necessary to meet statutory obligations.

2.4.4 Consent (Article 6(1)(a)): sending direct electronic marketing to individuals where consent is required; setting or reading non-essential cookies/SDKs for analytics or advertising; publishing identified testimonials you submit; providing identified confirmations via APVS at your request; other processing explicitly presented to you as optional. You may withdraw consent at any time with prospective effect, without affecting the lawfulness of processing prior to withdrawal.

2.4.5 Soft-opt-in (PECR Regulation 22): sending electronic marketing about our own similar products or services to existing customers, subject to a simple, free opt-out offered at the point of collection and in every message.

2.5 Neurocloud does not engage in automated decision-making that produces legal or similarly significant effects concerning you within the meaning of applicable law. Limited profiling may occur for security, fraud detection, abuse prevention, performance measurement, and service analytics; such profiling does not produce legal or similarly significant effects and is subject to appropriate safeguards and, where relevant, human review.

2.6 Where Neurocloud proposes to use personal data for a new purpose that is not compatible with the purpose for which it was collected, Neurocloud will assess compatibility under applicable law and, where required, will update this Policy, change the point-of-collection notice, and/or seek your consent before proceeding.

2.7 To the extent Neurocloud offers goods or services to individuals in the EEA and does not have an EU establishment, Neurocloud will appoint an EU representative pursuant to Article 27 GDPR and publish the representative’s contact details. Appointment of a representative does not limit Neurocloud’s responsibilities as controller.

2.8 Where the roles of independent third parties intersect with ours (for example, brokers, trading platforms, payment service providers, or APVS), those parties act as separate controllers for their processing under their own privacy policies. Neurocloud is not responsible for their processing activities, and nothing in this Policy makes Neurocloud a joint controller with such third parties.

2.9 If you are located outside the UK/EU, Neurocloud will rely on the lawful bases recognised by applicable local law that most closely correspond to those identified above and will honour mandatory local rights to the extent they apply.

3. PERSONAL DATA WE COLLECT

3.1 Neurocloud collects only the personal data reasonably necessary to provide, secure, and improve the Licensed Software and the Ancillary Platform, to administer our relationship with you, to comply with law, and to support the uses set out in Clause 5.

3.2 Categories of data we collect may include:

3.2.1 Account and identity data: name, email address, country of residence, account identifiers, and records of acceptance of our terms.

3.2.2 Authentication and access data: hashed passwords (for our systems), passcode issuance and usage logs, session identifiers, multi-factor authentication artefacts, and role or permission settings (for business accounts).

3.2.3 Transaction and billing data: purchase history, invoice details, tax/VAT identifiers (where provided), Subscription status, currency, and payment method token/reference. We do not store full payment card numbers; payments are processed by our payment service providers.

3.2.4 Refund and chargeback data: limited bank/payee details where a bank transfer is required to process an approved refund under the EULA, chargeback correspondence, and reconciliation records.

3.2.5 Platform connection and configuration data: MT5 account identifiers you connect, connection status, symbol lists, trading parameters and risk settings you choose to apply, and other configuration metadata necessary for operation. We do not request or store your MT5 trading password.

3.2.6 Execution and performance telemetry: timestamps, order status codes, symbols, balance/equity, P/L, drawdowns, win/loss counts, and other metrics required to operate the Licensed Software and display account performance to you.

3.2.7 Technical and security telemetry: IP address, device and browser information (user-agent, OS and version, language, time zone), cookie/SDK identifiers, approximate location (city/country derived from IP), login timestamps, feature utilisation, error logs, crash diagnostics, and security events (e.g., unusual access patterns).

3.2.8 Mobile identifiers: device identifiers and app interaction telemetry where you access our services from a mobile device or app interface.

3.2.9 Support and communications: enquiries, tickets, emails, call notes, complaint handling, fulfilment records, and related correspondence (including metadata such as time received and response times).

3.2.10 Marketing and attribution data: campaign and referral identifiers (including affiliate IDs), cookie preferences, advertising and analytics tags (subject to your choices in Clause 6), and your marketing subscriptions/opt-out status.

3.2.11 Verification and compliance data: information necessary to meet legal obligations or protect the service (e.g., identity or fraud checks where required by law or risk, documentary evidence you choose to supply, screening results, and audit logs).

3.2.12 APVS verification datasets: anonymised or aggregated performance datasets and supporting records supplied to Alpha Performance Verification Services for independent verification; identified confirmations only where you request them or where we have a lawful basis.

3.2.13 User-generated content and social interactions: testimonials, reviews, comments, or posts you submit for publication, and interactions with our official social media pages. Content you publish may be visible to others; consider carefully before posting personal data.

3.2.14 Inferences and derived data: limited, service-related inferences drawn from the data above (for example, usage patterns to improve reliability or support capacity planning). We do not create sensitive inferences about you.

3.3 We do not seek to collect special category personal data (e.g., health data, biometric identifiers, information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation). Please do not provide such data to us. If such data are nevertheless provided, we may delete or restrict them where permissible and appropriate.

3.4 We do not collect or require precise geolocation. Approximate location (city/country) may be inferred from your IP address to maintain security and provide regional settings.

3.5 Children’s data are not collected knowingly. Our services are not intended for individuals under 18, and we do not knowingly collect personal data from children under 13 (see Clause 17).

3.6 Where we need to collect personal data by law, under a contract with you, or to provide requested functionality, and you fail to provide that data when requested, we may be unable to perform the contract or provide the functionality. We will let you know if that is the case at the time.

3.7 We may combine personal data we already hold about you with data generated through your use of our services and, where lawful, with information from third-party sources identified in Clause 4, and we will use and protect the combined information in accordance with this Policy.

4. SOURCES OF PERSONAL DATA

4.1 We obtain personal data from: (a) you, when you provide it directly; (b) automated means generated by your use of our websites and the Ancillary Platform; (c) third parties you choose to connect or transact with (for example, TradeSync backend, MT5/brokers, payment service providers); and (d) other limited sources (for example, affiliates/marketing partners, APVS for verification you request, professional advisers, and public records). We use and protect all such data in accordance with this Policy.

4.2 Information you provide in checkout flows, account creation, passcode activation, Ancillary Platform settings, support tickets/emails/calls, surveys, complaint handling, and when exercising privacy rights.

4.3 Technical and security telemetry created when you access or use our services, including cookie/SDK identifiers, server logs, device and browser metadata (user agent, OS, language, time zone), IP address and approximate location derived from IP (city/country), session and login timestamps, feature utilisation, error/crash diagnostics, and security events. Details of cookies and similar technologies, and your choices, are in Clause 6.

4.4 If you connect external services, we receive the identifiers and data necessary to operate the Licensed Software - for example, MT5 account identifiers, connection status, execution telemetry and performance metrics via the TradeSync backend and/or broker/platform APIs you authorise. We do not request or store your MT5 trading password and we do not place, modify, or manage trades on your behalf.

4.5 We receive transaction confirmations, tokenised payment references, limited billing details (e.g., billing contact information), currency, and status updates (including chargeback notifications) from our PSPs to process purchases, Subscription renewals, refunds, and reconciliation. We do not store full payment card numbers.

4.6 Where you arrive via an advertisement or affiliate link, we may receive attribution data (for example, campaign, channel, and affiliate identifiers) to measure performance and administer programmes. The collection practices of those third parties are governed by their own privacy policies.

4.7 If you interact with our official pages (for example, by messaging, commenting, or submitting a testimonial) we receive the information you choose to share and any platform-provided metadata. Content you make public may be visible to others (see Clause 16).

4.8 Where you ask Alpha Performance Verification Services to verify performance, APVS may provide confirmations to you and/or to us. Ordinarily we share anonymised or aggregated datasets with APVS; identified confirmations are provided only at your request or where we have a lawful basis (see Clauses 3 and 5).

4.9 We may receive information from our legal/accounting advisers, insurers, fraud-prevention and security vendors, and from competent authorities or courts in connection with compliance obligations or lawful requests. Where proportionate and lawful, we may consult public records (for example, corporate registries) for business-account verification.

4.10 We do not purchase personal data from “data brokers” in the sense used by U.S. state privacy laws. We do not collect precise geolocation; approximate location may be inferred from IP to protect the service and apply regional settings.

4.11 We may combine personal data obtained from the sources above (for example, pairing account records with platform telemetry or PSP confirmations) and will use the combined information for the purposes set out in this Policy.

4.12 You are responsible for keeping your contact and account details accurate and up to date (see EULA Clause 19.8). If any information changes, please update it in your account or contact info@neurocloud.co so we can correct our records.

5. PURPOSES OF PROCESSING AND LAWFUL BASES

5.1 We process personal data only for specified, explicit, and legitimate purposes connected to providing and protecting the Licensed Software and the Ancillary Platform, administering our relationship with you, complying with law, and operating our business. For UK/EU residents, the lawful bases required by GDPR are identified for each purpose below; for others, they are provided for transparency.

5.2 Service delivery and account administration. Creating and administering your account; carrying out pre-contract steps at your request; issuing and validating passcodes; enabling any connection you choose to make to MT5; operating core features; and providing customer support. Lawful basis: contract (Article 6(1)(b)), including pre-contract steps; legitimate interests in service reliability (Article 6(1)(f)).

5.3 Security, integrity, and abuse prevention. Monitoring access and usage; enforcing access controls and rate limits; detecting and investigating suspicious activity or misuse; incident response; and audit trails necessary to enforce the EULA and protect intellectual property.

Lawful basis: legitimate interests in the security of services and users (Article 6(1)(f)); legal obligation where applicable (Article 6(1)(c)).

5.4 Payments, refunds, and billing. Processing purchases and subscription renewals you authorise; reconciling transactions; handling approved refunds under the EULA; managing chargebacks; and maintaining accounting and tax records.

Lawful basis: contract; legal obligation (tax and accounting).

5.5 Operational communications. Service notices such as maintenance, security advisories, onboarding information, and responses to support requests. Lawful basis: contract; legitimate interests in keeping you informed of service-affecting issues.

5.6 Marketing and advertising. Sending marketing about our own products and services; measuring and improving campaigns (including affiliates); and using non-essential analytics or advertising cookies or pixels where you allow. Lawful basis: consent where required for electronic direct marketing to individuals and for non-essential cookies or SDKs; legitimate interests for proportionate B2B outreach and performance measurement consistent with your choices; soft-opt-in under UK PECR Regulation 22 for existing customers, with a simple, free opt-out at collection and in every message. See Clause 6 for cookie choices and Clause 12 for U.S. opt-outs.

5.7 Service analytics and improvement. Diagnostics, reliability and capacity planning, feature-use analysis, and quality assurance. Where feasible we use anonymised or aggregated outputs. Lawful basis: legitimate interests in service improvement.

5.8 APVS performance verification. Independent verification of system performance by Alpha Performance Verification Services. Ordinarily this is based on anonymised or aggregated datasets; identified confirmations are provided only where you request them or where we have a separate lawful basis.

Lawful basis: legitimate interests in transparency; consent for identified confirmations at your request.

5.9 Legal and regulatory obligations; dispute management. Meeting statutory duties (including data protection, consumer protection, export control and sanctions); responding to lawful requests from authorities; and establishing, exercising, or defending legal claims. Lawful basis: legal obligation; legitimate interests in defending our rights.

5.10 Corporate transactions and governance. Managing mergers, acquisitions, restructurings, investments, or transfers of assets, subject to appropriate confidentiality safeguards. Lawful basis: legitimate interests in the orderly management of our business.

5.11 U.S. sale/sharing and targeted advertising. We do not sell personal information for money. Where you permit advertising cookies, we may make certain identifiers and internet activity available to partners for cross-context behavioural or targeted advertising, which some U.S. laws treat as “sale” or “sharing”. You may opt out at any time via Cookie Settings, by sending a supported Global Privacy Control signal, by using any “Do Not Sell or Share My Personal Information” link we provide, or by contacting us as described in Clause 12. Choices are browser- and device-specific.

5.12 Profiling and automated tools. We use automated tools, including rule-based or machine-learning-assisted analytics, for security (such as anomaly detection), fraud and abuse prevention, performance measurement, and service analytics. We do not engage in automated decision-making that produces legal or similarly significant effects concerning you. Where appropriate, safeguards and human review are applied.

5.13 Change of purpose and compatibility. If we intend to use personal data for a new purpose that is incompatible with the purpose for which it was collected, we will assess compatibility under applicable law and, where required, update this Policy, adjust point-of-collection notices, and/or seek your consent before proceeding. Where the new purpose is compatible, we may proceed without additional notice, taking account of the link with the original purpose, the context of collection, the nature of the data, and potential impacts.

5.14 Consent management and withdrawal. Where we rely on consent (for example, non-essential cookies, identified testimonials, identified APVS confirmations, or certain marketing), you may withdraw consent at any time with prospective effect, without affecting the lawfulness of processing prior to withdrawal. Withdrawal mechanisms are provided at the point of collection (for example, Cookie Settings, unsubscribe links) and in Clauses 11 and 12.

5.15 Legitimate interests balancing. Where we rely on legitimate interests, we perform and document a balancing test to ensure our interests are not overridden by your rights and interests. You may object to processing based on legitimate interests under Clause 11; we will honour your objection unless we demonstrate compelling legitimate grounds or the processing is required for legal claims.

5.16 Data minimisation and proportionality. We collect and process no more personal data than is reasonably necessary for the purposes described above and prefer anonymised or aggregated information where feasible. Where we act as a processor for a business customer, processing is limited to that customer’s documented instructions in accordance with Clause 2.

6. COOKIES, SIMILAR TECHNOLOGIES, AND YOUR CHOICES

6.1 We use cookies and similar technologies to operate, secure, and improve the Ancillary Platform and our websites. “Cookies” include HTTP cookies, HTML5/local storage, and comparable identifiers set by us or by service providers acting on our instructions. “Similar technologies” include SDKs (in mobile contexts), web beacons/pixels, and server-side logs that record access events.

6.2 We group these technologies into the following functional categories:

6.2.1 Strictly necessary technologies that are essential to sign-in, passcode activation, session continuity, load balancing, fraud prevention, and security. These cannot be switched off because the service will not function correctly without them.

6.2.2 Functional technologies that remember preferences (for example, language, region, UI settings) and improve usability.

6.2.3 Analytics and measurement technologies that help us understand usage, diagnose issues, and plan capacity. Where feasible, we use anonymised or aggregated outputs.

6.2.4 Advertising and attribution technologies that measure campaign performance (including affiliates) and, where you allow, support interest-based advertising.

6.3 Except for strictly necessary technologies, we seek your consent before setting non-essential cookies/SDKs. On first visit (and thereafter at intervals), we present a banner that allows you to accept, reject, or manage non-essential categories. You can change choices at any time via Cookie Settings. Your choices take effect per browser and device. If you clear cookies or switch browsers/devices, you will need to set your preferences again.

6.4 Where permitted (for example, certain B2B analytics), we may rely on legitimate interests for measurement that is strictly necessary and proportionate. In such cases we conduct and document a balancing test and apply mitigations (for example, IP truncation, shortened retention, or aggregation).

6.5 We honour supported opt-out preference signals, such as Global Privacy Control (GPC). When received, we treat the signal as a request to opt out of “sale”/“sharing” or targeted advertising for that browser and disable corresponding non-essential cookies/SDKs. The signal applies per browser and device and does not affect strictly necessary technologies.

6.6 Some browsers send a Do Not Track (DNT) signal. Our services do not respond to DNT at this time.

6.7 Emails we send may include web beacons that help us understand whether a message was delivered/opened and which links were clicked. You can disable this measurement by turning off image loading in your email client or by unsubscribing from marketing emails; you cannot unsubscribe from transactional messages necessary for the service.

6.8 We use both first-party and third-party technologies. Third parties set or read identifiers only to provide services to us (for example, hosting, security, analytics, email delivery, or advertising/attribution where permitted). Their handling of personal data is also governed by their own privacy policies. We require processors to act only on our documented instructions and to implement appropriate security.

6.9 If you allow advertising/attribution technologies, our partners may link or infer that the same browser/device (or, where you are signed in with that partner, the same account) has interacted with our content across different sites or apps. You may opt out at any time via Cookie Settings, supported GPC signals, and platform tools (for example, the ad preferences offered by Meta, Google, or your mobile OS). Industry tools (for example, DAA or NAI opt-out pages) may also provide additional controls. Opt-outs are browser/device-specific.

6.10 Rejecting or disabling non-essential cookies/SDKs will not stop the service from loading, but some features may be limited (for example, preference retention, accurate analytics, or tailored content). Disabling strictly necessary technologies using browser settings may prevent the service from functioning.

6.11 We retain cookie- or SDK-derived data no longer than necessary for the purpose in question, applying typical maxima such as: session-scoped identifiers that expire when you close your browser; analytics identifiers that rotate or expire within 12–24 months; and advertising identifiers that expire or are refreshed within 13–24 months, unless you withdraw consent earlier. We periodically review and reduce retention where feasible.

6.12 Where a mobile app or SDK is used, your device or OS may provide additional privacy controls (for example, resetting your mobile advertising identifier or limiting ad tracking). Using those controls may affect how we or our partners collect or use identifiers on that device.

6.13 We do not use device fingerprinting for advertising purposes. Limited device/connection profiling may be used for security (for example, to detect unusual access or abuse) consistent with Clause 5 and the EULA; such profiling is not used to make decisions that produce legal or similarly significant effects.

6.14 For transparency and auditability, we maintain records of consent and preference changes. A current list of common cookies/SDKs, their purposes, and typical lifetimes is available in our Cookie Settings or a Cookie Policy/Annex we may publish from time to time. Specific vendors and lifetimes may change as our service evolves.

6.15 If you are a U.S. resident in a state with opt-out rights for “sale” or “sharing” or “targeted advertising”, you may exercise those rights by using Cookie Settings, sending a GPC signal, using any “Do Not Sell or Share My Personal Information” link we provide, or contacting us as described in Clause 12. Your choice will be applied for that browser/device and respected going forward, subject to the limitations described above.

7. DISCLOSURES AND RECIPIENTS

7.1 We disclose personal data only to the extent reasonably necessary to provide and protect the Licensed Software and the Ancillary Platform, to administer our relationship with you, to comply with law, and for the other purposes set out in this Policy. We do not sell personal information for money. Where you consent to advertising cookies, we may “share” identifiers and internet activity for cross-context behavioural advertising as described in Clauses 6 and 12; you can opt out at any time.

7.2 We engage carefully selected service providers to act on our behalf and under our instructions (processors), including providers of hosting and cloud infrastructure, authentication and security, logging and analytics, customer support tools, email/SMS delivery, payment processing, and the TradeSync backend used by the Ancillary Platform. We require processors to:

  1. act only on our documented instructions;

  2. implement appropriate technical and organisational measures for security and confidentiality;

  3. ensure personnel confidentiality and appropriate training;

  4. not appoint sub-processors without appropriate safeguards;

  5. assist us with security, data-subject requests, and impact assessments where relevant; and

  6. delete or return personal data at the end of the services, subject to legal retention obligations.

7.3 Certain third parties you choose to use or connect - such as brokers, trading platforms (e.g., MT5), and payment service providers - act as independent controllers for their own processing. Their privacy policies govern their handling of your data. We do not request or store your MT5 trading password and we do not place, modify, or manage trades on your behalf.

7.4 For payments, subscriptions, refunds, and chargeback handling, we receive limited billing and transaction confirmations from payment service providers. We do not store full card primary account numbers. PSPs may process your data as independent controllers for fraud prevention and compliance.

7.5 For independent performance verification, we may share anonymised or aggregated datasets with Alpha Performance Verification Services (APVS). Identified confirmations are provided only where you request them or where we have a separate lawful basis (see Clauses 3 and 5). APVS operates independently of Neurocloud.

7.6 If you arrive via an advertisement or affiliate link, we may disclose limited attribution data to the relevant marketing or affiliate partner to measure campaign performance and administer programmes. Such partners may act as independent controllers for their own analytics and are responsible for their compliance. You can manage related cookies and signals as described in Clause 6.

7.7 We may disclose information to our professional advisers (legal counsel, accountants, auditors) and insurers for legitimate business purposes, subject to confidentiality obligations.

7.8 We may disclose information to competent authorities, courts, or law enforcement:

  1. where required by applicable law or lawful process;

  2. to establish, exercise, or defend legal claims; or

  3. to prevent, detect, or investigate suspected fraud, security incidents, abuse, or other harmful activity. Where legally permitted and practicable, we will provide you with advance notice of compelled disclosure and will disclose no more than is necessary.


7.9 In connection with a corporate transaction (for example, merger, acquisition, investment, restructuring, or sale of assets), we may disclose relevant information to the prospective or actual counterparty and its professional advisers under appropriate confidentiality safeguards. If control of our business changes, we will require the successor to honour this Policy with respect to your personal data.

7.10 We may publish or share aggregated or anonymised statistics (for example, uptime, feature adoption, non-identified performance ranges). Such information does not identify you and is not treated as personal data once properly anonymised.

7.11 Disclosures may involve international transfers. Where personal data are transferred outside the UK/EEA, we implement appropriate safeguards as described in Clause 8.

7.12 We do not authorise recipients to use personal data we disclose for their own independent purposes unless they are separate controllers with a lawful basis, or unless required by law. For processors, onward transfers are limited to sub-processors bound by written terms that provide no less protection than those described in this Clause.

7.13 We maintain internal records of processing and disclosures. A current overview of our key processor categories and transfer mechanisms is available on request at info@neurocloud.co. For business customers where we act as a processor, our Data Processing Agreement (or equivalent) governs sub-processor listings and notification practices.

7.14 For the avoidance of doubt, nothing in this Clause permits disclosure of your MT5 trading password (which we do not collect) or implies that we execute, manage, or control your trading activity. Those matters remain solely your responsibility and subject to your broker and platform terms.

8. INTERNATIONAL TRANSFERS

8.1 Your personal data may be transferred to and processed in countries outside the UK and the EEA, including (without limitation) the United States and other jurisdictions where our service providers operate. Those countries may have data-protection laws that differ from the laws of your country and, in some cases, may not be deemed to provide an equivalent level of protection.

8.2 Where we transfer personal data internationally, we implement appropriate safeguards to protect it, including one or more of the following (as applicable):

8.2.1 transfers to organisations in countries subject to an adequacy decision (including, where applicable, the EU-U.S. Data Privacy Framework and the UK-U.S. Data Bridge for certified recipients);

8.2.2 EU Standard Contractual Clauses (SCCs) and/or the UK International Data Transfer Agreement (or UK Addendum to the SCCs); and

8.2.3 supplementary measures appropriate to the transfer, which may include encryption in transit and at rest, access controls, data minimisation, pseudonymisation, split-processing, and internal policies and training.

8.3 We conduct and document transfer risk assessments (TRAs/TIAs) where required, taking into account the nature of the data, the context of the transfer, the recipient’s role (controller/processor), the legal environment of the destination country, and the technical and organisational measures applied.

8.4 We require our processors and sub-processors to flow down equivalent safeguards for any onward transfers and to process personal data only on our documented instructions, with appropriate security, confidentiality, and deletion/return obligations at the end of the engagement, subject to any legal retention requirements.

8.5 Requests from public authorities: if we receive a legally binding request from a public authority for access to personal data, we will, to the extent permitted by law, (a) notify you or your organisation promptly; (b) challenge unlawful or overbroad requests; and (c) disclose no more personal data than is strictly necessary to comply with the request.

8.6 Location of systems. Hosting and support environments may be distributed across multiple regions. We do not promise data residency in a particular country unless expressly agreed in writing with a business customer. Regardless of location, your personal data will be protected in accordance with this Policy and the safeguards described in this Clause.

8.7 Copies of safeguards. You may request a copy of the relevant transfer mechanism (for example, the SCCs or UK IDTA/Addendum) by contacting info@neurocloud.co. We may redact portions to protect commercially sensitive terms and the security of our systems and partners.

8.8 Changes in law. If any transfer mechanism we rely upon is amended, invalidated, or replaced, we will adopt an alternative mechanism or other appropriate safeguard. Where no suitable safeguard is available, we may suspend the affected transfers and, where feasible, adjust our processing to mitigate impact.

8.9 Nothing in this Clause limits your non-waivable rights under applicable law. Our international transfer practices are designed to work together with your rights set out in Clause 11 and our security commitments in Clause 10.

9. DATA RETENTION

9.1 We retain personal data only for as long as is necessary for the purposes set out in this Policy, including to provide and protect the service, administer our relationship with you, comply with legal and regulatory obligations, resolve disputes, and enforce our agreements. We apply storage limitation and data minimisation throughout.

9.2 Retention periods are determined by reference to objective criteria, including: the category and sensitivity of the data; the purpose for which it was collected; legal, regulatory, tax, accounting, and audit requirements; applicable limitation periods for claims; security and fraud-prevention needs; and the technical feasibility of deletion or de-identification in specific systems.

9.3 Unless a longer period is required by law or is necessary to establish, exercise, or defend legal claims, we generally apply the following guidelines:

9.3.1 Account and contract records: for the term of your agreement and six years thereafter.

9.3.2 Billing, payment, and tax records: six to seven years. We do not store full card primary account numbers.

9.3.3 Security, access, and authentication logs: twelve to twenty-four months, with shorter windows where feasible.

9.3.4 Platform telemetry and execution data: raw event data six to twelve months; derived, anonymised, or aggregated datasets may be retained longer for diagnostics, reliability, and capacity planning.

9.3.5 Support tickets and communications: up to twenty-four months from resolution, longer where required for compliance or dispute management

9.3.6 Marketing preferences and consent records: for the duration of your relationship and for an additional period necessary to demonstrate compliance. Suppression list entries are retained so we can continue to honour your opt-out.

9.3.7 Cookies, SDK identifiers, and similar technologies: as described in Clause 6 (for example, session identifiers expire at session end; analytics identifiers rotate or expire within twelve to twenty-four months; advertising identifiers typically within thirteen to twenty-four months).

9.3.8 Incident, compliance, and audit records: as needed for investigations and statutory requirements, typically up to six years.

9.4 Where we act as a processor for a business customer, we retain personal data in accordance with that customer’s documented instructions and our data processing terms. Upon termination of the applicable services or upon written request, we will delete or return such data within a reasonable period, subject to any legal retention obligations and any agreed export or assistance.

9.5 Backups and archives operate on rolling cycles. When data are deleted from active systems, corresponding copies in backups are not immediately erased but are removed in the ordinary course as backup media are overwritten. Access to backup data is restricted and backups are used only for restoration, security, or compliance purposes.

9.6 Where deletion is not reasonably possible without disproportionate effort (for example, due to storage in legacy logs or immutable archives), we will apply functional restriction, segregate or pseudonymise the data, and cease all processing other than storage for compliance or security purposes.

9.7 If legal proceedings or an investigation are reasonably anticipated or ongoing, we may place a litigation hold and suspend routine deletion until the matter is resolved.

9.8 On account closure or termination under the EULA, we will disable access and commence deletion from active systems of personal data that we no longer need, subject to the retention categories above. Anonymised or aggregated information that cannot reasonably be used to identify you may be retained without time limit.

9.9 We maintain records of our retention rules and review them periodically. Retention practices in this Clause operate together with your rights in Clause 11 and our security commitments in Clause 10.

10. SECURITY

10.1 We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, accidental loss, destruction, or damage, taking into account the state of the art, implementation costs, the nature, scope, context and purposes of processing, and the risks to individuals.

10.2 We maintain security policies approved by management; assign roles and responsibilities for information security; perform risk assessments; and review our controls periodically. Personnel with access to personal data are subject to confidentiality obligations and receive security and privacy training appropriate to their role.

10.3 Access to systems and data is granted on a least-privilege, need-to-know basis, enforced using role-based access controls and periodic access reviews. Administrative access is restricted and protected by multi-factor authentication where available. Accounts are unique to individuals; shared credentials are prohibited. Session timeouts and account lockouts are used in line with risk.

10.4 Personal data are encrypted in transit using modern transport protocols and, where appropriate, encrypted at rest. Encryption keys are managed securely, with limited access, rotation procedures, and separation of duties where feasible.

10.5 We use network segmentation, firewalls, secure configurations, and monitoring to reduce attack surface. Development follows secure coding practices, code review, dependency management, and change control. We track and remediate vulnerabilities based on severity and risk, and apply security updates in a timely manner. External security testing or reviews may be undertaken periodically.

10.6 Security-relevant events, including authentication, administrative actions, and configuration changes, are logged and retained for a limited period consistent with Clause 9. We monitor for indicators of compromise and anomalous activities and investigate alerts in accordance with our incident response procedures.

10.7 Where we engage service providers to process personal data on our behalf, we assess their security capabilities and require written data-processing terms, including confidentiality, appropriate technical and organisational measures, limited use on our documented instructions, and deletion or return of personal data at the end of the engagement, subject to legal retention obligations.

10.8 We maintain procedures for backup, continuity, and recovery designed to maintain service availability and integrity in the event of an incident. Backups are protected and tested periodically. We do not guarantee data residency in a specific country unless expressly agreed with a business customer.

10.9 We collect no more personal data than is reasonably necessary, segregate environments where feasible, and prefer anonymisation or aggregation where possible. Test and development environments use synthetic or de-identified data where practicable.

10.10 We maintain an incident response programme with defined roles, escalation paths, and post-incident review. Where a personal data breach occurs that is likely to result in a risk to individuals’ rights and freedoms, we will notify the relevant supervisory authority and affected individuals where required by law and within applicable timeframes. We will also provide information reasonably available at the time and follow up as further facts are established.

10.11 Security is a shared responsibility. You are responsible for securing your devices, networks, and credentials; using strong, unique passwords; enabling multi-factor authentication where available; keeping software up to date; and monitoring your account activity. We will never ask for your MT5 trading password. Further obligations are set out in the EULA (including Clause 19).

10.12 If you believe you have discovered a security vulnerability affecting our systems, please contact info@neurocloud.co with sufficient detail to allow reproduction. We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to investigate and address it. We do not authorise testing that would breach applicable law or the EULA.

10.13 While we take reasonable and appropriate measures consistent with industry practice, no method of transmission or storage is completely secure. Nothing in this Clause limits your non-waivable statutory rights under applicable law. Our security measures should be read together with the international transfer safeguards in Clause 8 and the retention rules in Clause 9.

11. YOUR UK/EU PRIVACY RIGHTS AND HOW TO EXERCISE THEM

11.1 Under UK/EU data protection law you may have the following rights, subject to legal limits and exemptions:

11.1.1 Right of access: to obtain confirmation whether we process your personal data and a copy of it, together with certain information about our processing.

11.1.2 Right to rectification: to have inaccurate personal data corrected and incomplete data completed.

11.1.3 Right to erasure: to request deletion of personal data where, for example, it is no longer needed for the purpose collected, you withdraw consent (where consent is the lawful basis), or you successfully object (see 11.1.6). This right does not apply where processing is required by law, for legal claims, or for overriding legitimate interests.

11.1.4 Right to restriction: to request that we restrict processing while a challenge is resolved or where you require us to retain data for legal claims.

11.1.5 Right to portability: to receive personal data you provided to us in a structured, commonly used, machine-readable format and to transmit those data to another controller, where processing is based on consent or contract and carried out by automated means.

11.1.6 Right to object: to object at any time to processing based on our legitimate interests. We will honour your objection unless we demonstrate compelling legitimate grounds or the processing is required for legal claims. You may object at any time to direct marketing; we will stop marketing without requiring a reason.

11.1.7 Rights related to automated decision-making: we do not use automated decision-making that produces legal or similarly significant effects concerning you; if that changes, we will provide the required notices and safeguards.

11.1.8 Right to withdraw consent: where we rely on consent (for example, non-essential cookies/SDKs, certain marketing, identified APVS confirmations), you may withdraw consent at any time with prospective effect.

11.2 Send an email to privacy@neurocloud.co with: (a) your name and the email address associated with your account; (b) the right(s) you wish to exercise; and (c) sufficient detail to identify the data or processing in question. For marketing opt-out you can also use the unsubscribe link in emails or change cookie choices in Cookie Settings.

11.3 We may request reasonable information to verify your identity and authority before fulfilling a request. Verification depends on the nature of the request and sensitivity of the data and may include confirmation via your signed-in account, a verified email challenge, or additional documentation where necessary. If we cannot verify your identity with reasonable efforts, we may be unable to comply.

11.4 We will respond without undue delay and in any event within one month of receipt. We may extend by up to two further months where a request is complex or numerous; if so, we will inform you within the first month and explain why. Where permitted by law, we may decline manifestly unfounded or excessive requests or charge a reasonable fee to cover administrative costs.

11.5 We will not disclose or delete information where doing so would adversely affect the rights and freedoms of others, reveal trade secrets or intellectual property, undermine security or fraud-prevention measures, or prevent us from complying with legal obligations. Where feasible, we will provide redacted copies or a summary rather than refuse outright. Erasure does not apply to anonymised or aggregated information that can no longer reasonably identify you.

11.6 Where data originated from independent controllers (for example, brokers, payment service providers, social platforms, APVS), we will identify those controllers where feasible and direct you to exercise rights with them for processing they control. If we act as a processor for a business customer, we will notify that customer and assist them in responding in accordance with our data processing terms.

11.7 You may withdraw consent for non-essential cookies/SDKs or opt out of targeted advertising at any time via Cookie Settings, by sending a supported Global Privacy Control signal, or by using any “Do Not Sell or Share My Personal Information” link we provide. These choices are browser and device specific.

11.8 You may lodge a complaint with the UK Information Commissioner’s Office (ICO). Details are available on the ICO website. If you are located in the EEA and we have appointed an EU representative, you may also contact the competent supervisory authority in your Member State. We encourage you to contact us first so we can try to resolve your concern promptly.

11.9 You may request a copy of applicable international transfer safeguards (for example, Standard Contractual Clauses or the UK IDTA/Addendum). We may redact commercially sensitive information and security details.

11.10 Exercising your rights will not result in discriminatory treatment. Exercising erasure or restriction may limit functionality of the service. Nothing in this Clause limits your non-waivable statutory rights.

12. U.S. STATE PRIVACY NOTICE

12.1 This clause applies to residents of U.S. states with comprehensive privacy laws, including without limitation California (CPRA/CCPA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and others to the extent those laws apply to our processing. It supplements the rest of this Policy and prevails over any inconsistent terms for individuals covered by those laws.

12.2 We collect the categories of personal information described in Clauses 3–5 for the purposes identified in Clause 5 and disclose them as described in Clauses 7–8. The categories typically include: identifiers (name, email, IP address, device identifiers), customer records (billing contact), commercial information (purchases, subscription status), internet or network activity (logs, analytics, cookie/SDK identifiers), approximate geolocation (city/country from IP), inferences (service analytics), and professional information for B2B contacts. We do not intentionally collect sensitive personal information, precise geolocation, or children’s data, and we do not knowingly collect information from individuals under 13.

12.3 We obtain personal information from you, from your devices and use of our websites and Ancillary Platform, from third parties you connect or transact with (for example, payment service providers and the TradeSync/MT5 connection you authorise), from affiliates/marketing partners for attribution, and from our service providers and professional advisers, as further detailed in Clause 4.

12.4 We use personal information to provide and operate the service, secure our systems, process payments and refunds, handle support, perform analytics and improvement, conduct marketing consistent with your choices, undertake APVS-related verification, meet legal obligations, manage corporate transactions, and defend legal claims, as further detailed in Clause 5.

12.5 Disclosures for business purposes. We disclose personal information to service providers acting on our behalf under written terms that restrict their use of information; to professional advisers and insurers; to APVS in the limited manner described in Clauses 3 and 5; to marketing or affiliate partners for attribution; to authorities where legally required; and in connection with corporate transactions, as described in Clause 7.

12.6 We do not sell personal information for money. When you permit advertising or analytics cookies/SDKs, we may make certain identifiers and internet/network activity available to advertising or analytics partners for cross-context behavioural advertising or targeted advertising. This may be deemed a “sale” or “sharing” or “targeted advertising” under some state laws. You may opt out at any time via Cookie Settings, by sending a supported Global Privacy Control (GPC) signal, by using any “Do Not Sell or Share My Personal Information” link we provide, or by emailing info@neurocloud.co with “Do Not Sell or Share” in the subject. Your choices are browser and device specific.

12.7 We do not seek to collect sensitive personal information as defined by applicable state laws. If sensitive personal information is provided inadvertently, we will handle it consistent with this Policy and applicable law and will not use it to infer characteristics about you.

12.8 Where we process de-identified data, we take reasonable measures to ensure the data cannot be associated with an individual, commit to maintain and use the data in de-identified form, and do not attempt to re-identify it except to test our de-identification processes.

12.9 Subject to exceptions and verification, you may have the right to:

12.9.1 know/access the personal information we hold about you and request details about our processing;

12.9.2 correct inaccuracies in your personal information;

12.9.3 delete personal information;

12.9.4 obtain a portable copy of certain information you provided to us;

12.9.5 opt out of sale or sharing of personal information and of targeted advertising;

12.9.6 limit the use and disclosure of sensitive personal information where collected (noting we do not seek to collect it); and

12.9.7 appeal our decision regarding a privacy request (where provided by state law).

12.10 Submit requests to info@neurocloud.co and include your name, the email associated with your account, the state you reside in, and the right(s) you wish to exercise. For marketing emails, you may use the unsubscribe link. For cookies/ads, use Cookie Settings and, where available, the “Do Not Sell or Share” link or a GPC signal.

12.11 We will verify your request using information reasonably related to your account or interactions with us, which may include confirming control of the email address on file, account sign-in, or additional information where appropriate. If we cannot verify your identity with reasonable efforts, we may be unable to fulfil the request.

12.12 If a request relates to household information, we may require additional verification or submissions from each member of the household in accordance with applicable law.

12.13 You may designate an authorised agent to submit requests on your behalf. We may require proof of authorisation (such as a signed permission or power of attorney), may ask you to verify your identity directly, and will restrict the agent’s use of information to fulfilling your request, verification, or fraud prevention.

12.14 If we decline your request, you may appeal by emailing info@neurocloud.co with the subject line “Appeal”. We will respond in writing within the applicable statutory period (typically 45 days, extendable where permitted) with a brief explanation of our decision and how you may contact your state’s attorney general if you remain dissatisfied.

12.15 We will not discriminate against you for exercising your privacy rights, except to the extent permitted by law (for example, when a difference in price or service is reasonably related to the value of the data at issue in a bona fide loyalty or rewards program). We do not currently offer such programs that require a financial incentive notice. If we do in future, we will provide the required notice and obtain consent.

12.16 We do not knowingly sell or share personal information of consumers under 16 years of age. If we learn that a consumer under 16 has provided personal information, we will delete it as required by law.

12.17 We retain personal information in accordance with Clause 9. We disclose retention criteria and typical periods there; specific statutory retention requirements may apply in some cases.

12.18 Where required by law, we maintain records of requests and our responses for at least twenty-four months and publish request metrics if and when we meet applicable thresholds.

12.19 We do not disclose personal information to third parties for those parties’ own direct marketing purposes separate from the disclosures in this Policy. California residents may request further information by contacting info@neurocloud.co.

12.20 If there is a conflict between this clause and the rest of the Policy for U.S. residents covered by state privacy laws, this clause controls to the extent of the conflict. All other terms of the Policy continue to apply.

13. MARKETING, COMMUNICATIONS, TESTIMONIALS, AND SHOWCASES

13.1 We may send you marketing about our own products and services. You can opt out of marketing emails at any time by using the unsubscribe link in the email or by contacting info@neurocloud.co. Opting out of marketing will not affect transactional or service communications (for example, account, billing, security, maintenance notices) that we need to send to operate the service.

13.2 Where required by law, we will obtain your consent before sending electronic direct marketing. For existing customers in the UK/EU, we may rely on the soft-opt-in for our own similar products or services, while always providing a simple, free opt-out at collection and in every message. For B2B contacts, we may rely on legitimate interests consistent with Clause 5. We maintain records of consent and opt-out to demonstrate compliance.

13.3 We may send operational messages related to onboarding, configuration, connection status, security advisories, support, and similar service matters. These messages are not marketing and cannot usually be opted out of without disabling the relevant service features.

13.4 If you receive SMS from us, you may opt out at any time by replying STOP. For assistance, reply HELP. Message and data rates may apply. We will not send marketing SMS without a lawful basis required by applicable law.

13.5 Advertising and attribution cookies or pixels are controlled via Cookie Settings and your browser or device controls. Where supported, we honour Global Privacy Control (GPC) signals. Choices are browser and device specific. Additional controls may be available through platform tools (for example, Meta/Google ad preferences) and industry pages such as DAA or NAI. See Clause 6 and, for U.S. residents, Clause 12.

13.6 We may create anonymised or aggregated materials for marketing and informational purposes, including performance illustrations that cannot reasonably identify you. We will not publish identified performance information about your account without your written consent.

13.7 You may opt out of use of your account performance for marketing at any time by emailing info@neurocloud.co. We will cease new use and remove or de-identify references from our digital channels within ten business days. Materials already printed, distributed, cached, or embedded in third-party channels may not be retractable, but we will take reasonable steps to remove or de-identify where feasible.

13.8 If you submit a testimonial, review, comment, image, or similar content for publication, you grant us a non-exclusive, royalty-free licence to use, reproduce, and publish that content, together with the name and attribution you supply, for the period reasonably necessary for the purpose for which it was provided. We may edit for length, clarity, or to remove personal or confidential information, while preserving the sense of your statement. You may withdraw consent for identified use at any time by contacting info@neurocloud.co; we will stop new use and remove or de-identify from our digital channels within a reasonable period, subject to archival, compliance, or legal retention. If compensation or a material connection exists, we will disclose it as required by law and platform rules. You should not include confidential information, third-party personal data, or content you do not have the right to share.

13.9 If you participate in a referral or affiliate programme with us, we may process limited attribution and programme communications necessary to administer the programme. Marketing preferences you set will not affect essential programme communications but will govern separate promotional messaging.

13.10 If we offer push notifications in an app or browser, you can control these in your device or browser settings. Security or service-critical push notifications may be required for certain features.

13.11 We do not sell personal information for money. Where you allow advertising technologies, certain identifiers and internet activity may be made available to partners for cross-context behavioural advertising, which some U.S. laws call “sale” or “sharing”. You can opt out at any time as described in Clauses 6 and 12.

13.12 Nothing in this Clause limits your statutory rights. Marketing and showcase practices in this Clause operate together with your rights in Clause 11, cookie and ad-tech controls in Clause 6, and U.S. state choices in Clause 12.

14. BROKERS, ASSET MANAGERS, TRADING PLATFORMS, AND OTHER THIRD-PARTY SERVICES

14.1 Our service interoperates with third parties that you may choose to use, including brokers and trading platforms (for example, MT5 and a broker such as Global Next Trade), regulated asset managers that administer account-opening pathways (for example, Pioneer Asset Management AG), payment service providers, and technical connectivity providers (for example, the TradeSync backend used by the Ancillary Platform). These parties are independent of Neurocloud and operate under their own terms and privacy policies.

14.2 In most cases these third parties act as independent controllers for their own processing. We are not responsible for their privacy practices, security, or compliance. Nothing in this Policy makes Neurocloud a joint controller with any broker, trading venue, payment provider, social platform, or APVS.

14.3 Information you submit directly to a broker, platform, asset manager, payment provider, social platform, or other third party is collected and used by that party under its privacy policy. This includes onboarding or know-your-customer information, suitability assessments, account applications, trading credentials, and payment card details. We do not receive this information unless the third party lawfully shares it with us or you provide it to us directly.

14.4 Where you connect your trading account to the Ancillary Platform, we may receive the limited identifiers and telemetry necessary to operate the Licensed Software and display performance to you, such as account identifiers, connection status, execution events, and performance metrics. We do not request or store your MT5 trading password and we do not place, modify, or manage trades on your behalf. Absent your request or a lawful basis, we do not receive a copy of your broker KYC files, suitability assessments, or complete account statements.

14.5 If we provide a link that routes to an account-opening pathway administered by a regulated asset manager, using that link is optional and solely at your discretion. If you use the link, the relevant third party may inform us that the link was used or that an account was opened so we can administer service eligibility, connection options, or programme reporting. We do not control the onboarding process, approvals, or ongoing broker relationship.

14.6 Purchases, subscription renewals, and refunds are processed by payment service providers acting as independent controllers for their fraud-prevention and regulatory obligations. We receive transaction confirmations, tokenised payment references, limited billing details, and chargeback notifications necessary to reconcile payments. We do not store full payment card numbers.

14.7 The Ancillary Platform uses a white-label integration of third-party technology (currently TradeSync) to facilitate data flows between your connected account and our interface. We engage such providers as processors under written data-processing terms that require confidentiality, appropriate security, processing only on our documented instructions, sub-processor controls, and deletion or return of personal data at the end of the engagement, subject to legal retention obligations.

14.8 If you arrive via an advertisement or affiliate link, we may receive limited attribution data from the relevant partner (for example, campaign or affiliate identifiers) to measure performance and administer programmes. Advertising and analytics partners may set cookies or SDKs only with your consent where required and subject to your choices described in Clause 6 and, for U.S. residents, Clause 12.

14.9 Neurocloud does not accept or hold client funds, does not store your trading passwords, and does not place, modify, or cancel trades for you. Any trading you undertake is between you and your broker or platform and is governed by their terms.

14.10 If you wish to exercise privacy rights in respect of data processed by a broker, platform, asset manager, payment provider, social platform, or APVS acting as an independent controller, you should contact that party directly. Where feasible, we will identify the relevant controller and, if we act as a processor for a business customer, we will notify and assist that customer in responding in accordance with our data-processing terms.

14.11 Disclosures to or access by third parties may involve international transfers. When we transfer personal data to processors outside the UK/EEA, we implement appropriate safeguards as described in Clause 8. Independent controllers are responsible for their own transfer mechanisms.

14.12 We seek to receive only the minimum personal data necessary to operate the service and will not request sensitive or unrelated information from third parties. Where data provided by a third party is inaccurate, please contact that third party to correct their records and notify us so we can update or refresh our connection where applicable.

14.13 References to brokers, platforms, or asset managers are for interoperability only and do not constitute a recommendation, solicitation, or endorsement. Your choice of broker or platform is entirely your own, and using any link we provide is optional.

15. APVS (THIRD-PARTY PERFORMANCE VERIFICATION)

15.1 We may engage Alpha Performance Verification Services (APVS) to independently review and verify certain performance information relating to use of the Licensed Software. Verification is limited to the scope, period, and methodology agreed with APVS and is intended to provide independent confirmation of calculations and presentation; it is not a guarantee of future results or the absence of error.

15.2 APVS ordinarily acts as an independent controller for its own processing under its privacy policy. Nothing in this Policy makes Neurocloud a joint controller with APVS. Where APVS performs work solely on our documented instructions and for our purposes, APVS will act as our processor under written terms; in that case, APVS will not use the data for its own purposes.

15.3 By default we supply APVS with anonymised or aggregated datasets sufficient to perform the agreed verification (for example, date ranges, symbol-level aggregates, equity curves, drawdown series, and win/loss counts). We do not provide your MT5 trading password or other credentials, and we avoid providing raw trade-by-trade data that directly identifies you unless strictly necessary.

15.4 If you ask APVS to confirm results for your specific account, or if an identified confirmation is otherwise lawful and necessary, we may provide limited identifiers to enable matching (for example, an account alias, broker name, and date range). We rely on consent where required and will not disclose more than is reasonably necessary to fulfil the request.

15.5 Our processing in connection with APVS relies on legitimate interests (transparency and substantiation of claims) and, where identified confirmations are provided at your request, consent. For business customers, we may also process as a processor on the customer’s instructions under our data-processing terms.

15.6 We use appropriate technical and organisational measures for transfers to APVS, including secure channels, access controls, and data minimisation. Where APVS acts as our processor, we require written terms addressing confidentiality, security measures, sub-processor controls, assistance with requests, and deletion or return of data at the end of the engagement, subject to legal retention obligations.

15.7 If a transfer to APVS involves personal data leaving the UK/EEA, we will apply an appropriate transfer mechanism as described in Clause 8. APVS is responsible for its own transfer mechanisms when acting as an independent controller.

15.8 We retain records of what was sent to APVS, the verification scope, and resulting confirmations for as long as reasonably necessary for audit, substantiation, and compliance, consistent with Clause 9. Where identified data were provided at your request, we retain them only for the period necessary to deliver the confirmation and maintain an audit trail, unless longer retention is required by law or for legal claims.

15.9 We may reference APVS verification in our materials. Identified marketing that could reasonably link results to you will not be published without your written consent. You may opt out of further marketing use under Clause 13.3; we will cease new use and remove or de-identify our digital references within the stated timeframe.

15.10 APVS verification does not constitute investment advice, a recommendation, or a suitability or appropriateness assessment. It does not alter the allocation of risk or the disclaimers in the EULA.

15.11 If APVS holds your personal data as an independent controller (for example, because you contacted APVS directly), you should exercise your privacy rights with APVS. If we provided identified data to APVS and you exercise your rights with us, we will, where applicable, notify APVS of your request and take reasonable steps to facilitate its handling consistent with law and our respective roles.

15.12 If any term in this Clause conflicts with binding law or regulatory guidance concerning independent assurance or verification, the lawful requirement prevails. This Clause operates together with Clauses 3, 5, 7, 8, 9, and 13.

16. COMMUNITY FEATURES AND PUBLIC CONTENT

16.1 Our websites and official pages may allow you to submit content for others to view, such as testimonials, reviews, comments, images, or similar materials. Use of any such feature is voluntary and at your discretion.

16.2 Content you choose to make public is visible to others and may be indexed by search engines, embedded on third-party sites, archived, or screen-captured by others. Public content is not confidential and is not protected in the same way as account or service data processed privately under this Policy.

16.3 You are responsible for what you publish. Do not post personal data you prefer to keep private, third-party personal data without permission, confidential or proprietary information, or content that infringes rights or breaches law or platform rules.

16.4 We may moderate, refuse, edit for length or clarity, or remove public content at our discretion, including to protect privacy, comply with law, address abuse, or enforce our EULA and site rules. Moderation does not create an obligation to monitor all content.

16.5 By submitting public content on our properties, you grant us a non-exclusive, royalty-free licence to host, reproduce, publish, display, and distribute that content, together with the name or attribution you provide, for the period reasonably necessary to operate our sites and showcase testimonials, subject to Clause 13. You may withdraw consent for identified marketing use at any time; we will cease new use and remove or de-identify from our digital channels within a reasonable period, subject to technical and legal limitations.

16.6 Removal of public content from our pages does not guarantee complete removal from the internet. Copies may persist in backups, archives, caches, and third-party indexes we do not control. We will use reasonable efforts to remove or de-identify our copies but cannot recall content saved by others.

16.7 If you believe public content on our properties infringes rights, contains personal data published without consent, or violates law, contact info@neurocloud.co with a specific URL, a description of the issue, and any supporting documentation. Where legally required or appropriate, we will remove or restrict access and may notify the original poster. Nothing in this clause limits statutory notice-and-takedown processes available in your jurisdiction.

16.8 Where public features are provided through third-party platforms (for example, social networks), your use is also governed by that platform’s terms and privacy policy. Changes you make on a third-party platform may not automatically propagate to our copies and vice versa.

16.9 We may retain logs and moderation records relating to public content for a period consistent with Clause 9 and our incident and compliance obligations.

16.10 Community features are not intended for individuals under 18. We do not knowingly solicit or publish content from children under 13. If you believe a child has posted personal data, contact us and we will take appropriate steps.

17. CHILDREN’S PRIVACY

17.1 Our services are intended for adults. They are not directed to individuals under 18 years of age, and account creation by minors is not permitted.

17.2 We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe a child under 13 has provided personal data to us, contact info@neurocloud.co and we will take appropriate steps to verify the situation and delete the data where required.

17.3 Where local law imposes additional protections for minors (for example, the U.S. Children’s Online Privacy Protection Act (COPPA) for under-13s, or state laws governing the use of data for targeted advertising for under-16s), we comply with those requirements. Without limiting Clause 12, we do not knowingly sell or share personal information of consumers under 16 for cross-context behavioural advertising.

17.4 We do not knowingly market our products or services to children, and we do not purposefully design user journeys to target children. If we become aware that a communication channel has reached an audience that predominantly includes children, we will adjust our practices to prevent further outreach to that audience.

17.5 Community features, testimonials, and public posting are not intended for use by minors. If you believe a child has posted personal data publicly on our properties, notify us with the specific URL or location; we will act in accordance with Clause 16 and applicable law.

17.6 We do not use age-based profiling to make decisions about children, and we do not engage in automated decision-making that produces legal or similarly significant effects concerning any individual, including children.

17.7 If we must process personal data relating to a minor in the course of handling a support request, legal enquiry, or other exceptional circumstance, we will limit processing to what is strictly necessary, apply heightened confidentiality, and delete or anonymise the data once the purpose is fulfilled unless retention is required by law.

17.8 If a jurisdiction requires parental consent for the processing of a minor’s personal data and we become aware that such processing is contemplated, we will seek verifiable parental consent or cease processing, as applicable.

17.9 Requests to access, delete, or restrict personal data relating to a minor should be submitted by a parent or legal guardian to info@neurocloud.co. We may request additional information to verify the requester’s identity and authority before acting.

17.10 Nothing in this clause limits your non-waivable rights under applicable law. This clause operates together with Clauses 11 and 12 regarding privacy rights and U.S. minors’ protections, and with Clauses 9 and 16 regarding retention and public content.

18. CHANGES TO THIS POLICY

18.1 We may update this Policy from time to time to reflect changes in our services, technology, regulatory requirements, industry practice, or our internal processes. The effective date at the top of this Policy indicates when the latest version took effect.

18.2 We will provide notice of material changes by email to the primary address associated with your account and/or by in-product notice within the Ancillary Platform or our websites. We will also make the updated Policy available for review. Notices are deemed received in accordance with our standard notice provisions.

18.3 Changes that are administrative, clarificatory, or that do not adversely affect your rights (for example, improved drafting clarity, reorganisation of clause numbering, or addition of contact details) may take effect upon posting without advance notice.

18.4 For changes that materially affect your rights or our processing in a way that requires notice, we will provide reasonable advance notice before the effective date, unless a shorter period is required to comply with law or address security, safety, or operational needs.

18.5 Where a proposed change would introduce a new purpose for processing that is not compatible with the purpose for which personal data were originally collected, or would otherwise require consent under applicable law, we will seek your consent before implementing the change for you. If you do not provide consent, we will not apply the change to your data where consent is legally required.

18.6 Continued access to or use of our services after the effective date of a change constitutes acknowledgement of the updated Policy. This does not waive any non-waivable statutory rights you may have. If you do not agree to the updated Policy, you should discontinue use of the services and adjust your cookie and marketing settings as appropriate; contractual rights and obligations under the EULA remain governed by that agreement.

18.7 If a change materially reduces your ability to exercise a right already available under applicable law, we will implement the change only to the extent permitted by law and will continue to honour any statutory rights that cannot lawfully be limited.

18.8 We will maintain or make available a record of the effective date of the current version and, where practicable, an archive or summary of prior versions. Copies of prior versions may be requested by contacting info@neurocloud.co.

18.9 Updates to cookie practices will be reflected in our Cookie Settings and any cookie policy or annex we publish from time to time. If a change requires renewed consent for non-essential cookies or SDKs, we will prompt you to review your preferences.

18.10 This clause operates together with the purpose and lawful basis provisions in Clause 5, the international transfer safeguards in Clause 8, and your rights in Clauses 11 and 12. Nothing in this clause limits your non-waivable statutory rights under applicable law.

19. HOW TO CONTACT US

19.1 For questions about this Policy or our privacy practices, email info@neurocloud.co.

19.2 To exercise your rights (for example, access, erasure, objection), follow the steps in Clause 11 (UK/EU) or Clause 12 (U.S. state laws) and submit your request to info@neurocloud.co. Include the email address associated with your account and enough detail for us to identify the data or processing in question.

19.3 To report a suspected security issue or incident, email info@neurocloud.co with sufficient technical detail to reproduce the concern. Please do not include your MT5 trading password or other credentials.

19.4 You may lodge a complaint with the UK Information Commissioner’s Office (ICO). Details are available on the ICO website. If you are in the EEA and we have appointed an EU representative, you may also contact the competent supervisory authority in your Member State.

19.5 If Article 27 GDPR applies to us, we will appoint an EU representative and publish the representative’s contact details on our website and in the latest version of this Policy. Contacting the representative does not limit your ability to contact us directly.

19.6 We may request reasonable information to verify your identity and authority before acting on a request, and we will communicate over secure channels where appropriate. Do not send full payment card numbers, trading passwords, or other highly sensitive information in email.

19.7 If you need this Policy or our responses in an alternative format or if you require reasonable adjustments to exercise your rights, contact privacy@neurocloud.co and we will make reasonable efforts to accommodate your needs.

20. KEY DEFINITIONS (PLAIN LANGUAGE)

20.1 Ancillary Platform means the password-protected online interface you use to connect your trading account to the Licensed Software and view related information.

20.2 APVS means Alpha Performance Verification Services, an independent provider we may engage for third-party performance verification.

20.3 Automated decision-making means decisions produced solely by automated processing without human involvement that have legal or similarly significant effects on an individual. This Policy states we do not conduct such decision-making.

20.4 Business customer means a legal entity that purchases or uses our services for business purposes and may instruct us to process personal data about its end users.

20.5 Controller means the person or organisation that determines the purposes and means of processing personal data. Neurocloud is a controller for most processing described in this Policy.

20.6 Cookie and similar technologies means small files or identifiers stored on a device or in a browser (for example, HTTP cookies, local storage, SDKs, pixels, and web beacons) used for security, functionality, analytics, and advertising as described in Clause 6.

20.7 Data subject means the identified or identifiable person to whom personal data relate.

20.8 De-identified data means data that cannot reasonably be used to infer information about, or otherwise be linked to, a particular individual, provided we maintain and use the data in de-identified form and do not attempt to re-identify it except to test our processes.

20.9 EEA means the European Economic Area.

20.10 ICO means the UK Information Commissioner’s Office, the UK’s data protection supervisory authority.

20.11 IDTA/Addendum means the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses used to safeguard international transfers.

20.12 Legitimate interests means a lawful basis under UK/EU data protection law that allows processing where our interests in running and protecting our services are not overridden by your rights and interests.

20.13 Licensed Software means the Expert Advisor trading algorithm and related functionality we provide, including updates and maintenance releases that we supply from time to time.

20.14 MT5 means MetaTrader 5, a third-party trading platform on which your trades are executed if you choose to connect it.

20.15 Personal data means any information relating to an identified or identifiable person, such as a name, email address, device identifiers, IP address, or account telemetry that can be linked to a person.

20.16 Personal data breach means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

20.17 Processing means any operation performed on personal data, such as collection, recording, storage, use, disclosure, transfer, or deletion.

20.18 Processor means a person or organisation that processes personal data on behalf of a controller according to documented instructions. Our hosting and connectivity providers typically act as our processors.

20.19 Profiling means automated processing of personal data to evaluate certain personal aspects (for example, usage patterns) without producing legal or similarly significant effects.

20.20 Sensitive personal information (U.S. state laws) means categories such as government identifiers, precise geolocation, racial or ethnic origin, religious beliefs, genetic or biometric data, health data, sex life or sexual orientation, and certain financial account details, as defined by applicable state law. We do not seek to collect such data.

20.21 Special category data (UK/EU) means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership; genetic and biometric data used to uniquely identify a person; health data; and data concerning a person’s sex life or sexual orientation. We do not seek to collect such data.

20.22 Standard Contractual Clauses (SCCs) means the European Commission’s model clauses used to safeguard international transfers of personal data outside the EEA where no adequacy decision applies.

20.23 Targeted advertising, sale, and sharing (U.S. state laws) means making personal information available to third parties for cross-context behavioural advertising, or exchanging personal information for valuable consideration, as defined by applicable state law. We do not sell personal information for money; where advertising cookies are enabled, you may opt out of sharing/targeted advertising as described in Clauses 6 and 12.

20.24 UK GDPR means the UK General Data Protection Regulation as incorporated into UK law and read with the Data Protection Act 2018.

20.25 UK-U.S. Data Bridge and EU-U.S. Data Privacy Framework means government-recognised frameworks that permit transfers of personal data to certified U.S. organisations.

20.26 User-generated content means testimonials, reviews, comments, images, or similar content you choose to publish on our properties or official pages, which may be visible to others as described in Clause 16.

20.27 Global Privacy Control (GPC) means a browser or extension-based signal that expresses a user’s choice to opt out of sale/sharing or targeted advertising; we honour supported GPC signals as described in Clauses 6 and 12.

20.28 Do Not Track (DNT) means a browser preference indicating a user’s desire not to be tracked across websites; our services do not respond to DNT signals at this time.

20.29 Third-party controller means an independent organisation (for example, a broker, trading platform, payment service provider, social platform, or APVS) that determines its own purposes and means of processing personal data under its own privacy policy.

20.30 Aggregated data means information combined so that it cannot reasonably be used to identify any person, such as summary metrics or statistics. Aggregated data are not treated as personal data once properly aggregated.

©2025 NeuroCloud. All rights reserved.

Privacy Policy

Terms of Use

Legal Disclaimer

EULA

This Is Not Investment Advice

The information contained in this document is for informational purposes only and does not constitute investment advice, a recommendation, or an offer to sell or a solicitation of an offer to buy any securities, financial products, or instruments. The opinions expressed herein are based on our current understanding of the market and are subject to change without notice. Always consult with a qualified financial advisor before making any investment decisions. Neurocloud Limited ("Neurocloud") does not accept liability for any direct or consequential loss arising from the use of this document or its contents.

Novel Technologies

Neurocloud utilizes advanced and novel technologies, including but not limited to generative artificial intelligence and other algorithmic trading systems, which are at the forefront of technological development. These technologies are inherently experimental and may have unpredictable outcomes. Risks associated with these technologies include but are not limited to system errors, algorithmic biases, unexpected market behaviors, and potential software vulnerabilities. By engaging with Neurocloud, you acknowledge and accept these risks. It is essential to thoroughly understand the implications of utilizing these novel technologies before proceeding.

Legal & Jurisdictional Disclaimer

The services provided by Neurocloud are subject to applicable laws and regulations in the jurisdictions in which they operate. Clients are responsible for ensuring that their use of Neurocloud's services complies with the laws and regulations applicable to them. Neurocloud does not provide legal or tax advice, and clients should seek independent legal and tax advice as needed. The terms and conditions of Neurocloud's services are governed by the laws of the jurisdiction in which Neurocloud operates, and any disputes arising from the use of these services will be subject to the exclusive jurisdiction of the courts in that jurisdiction.

Regulation

For the avoidance of doubt, Neurocloud is not independently regulated by the Financial Conduct Authority (FCA) or Securities & Exchange Commission (SCC). Neurocloud operates as a Technology (Software As Service) Provider. Neurocloud’s role is strictly limited to product delivery & client service, and it does not directly manage client funds. Any strategies or technologies provided by Neurocloud are implemented under the regulatory framework of the partner Asset Management firms.

Fund Custody

Neurocloud Limited does not hold or otherwise have control over client funds. All funds deposited by clients for the purposes of engaging with Neurocloud are held by the brokers that Neurocloud partners with. Specifically, the funds are held with the Neurocloud-approved broker that the client chooses to deposit with. These chosen brokers maintain segregated client trust accounts with top-tier banks as an additional layer of protection for client funds. Furthermore, these brokers are required to be fully regulated entities, holding licenses from reputable regulatory authorities, including but not limited to the Financial Conduct Authority (FCA) in the UK and the Australian Securities and Investments Commission (ASIC) in Australia.

Risk Warning

Trading carries high risks and may result in the loss of your capital. Neurocloud employs advanced technologies, including generative artificial intelligence, which are novel and continuously evolving. The application of these technologies introduces additional risks associated with system errors, algorithmic biases, and the complexity of market dynamics. It is crucial that you fully understand these risks before engaging with them. Neurocloud oes not accept clients who do not fully comprehend the risks involved in trading, including those posed by novel technologies. Seek independent financial advice if necessary. By engaging with Neurocloud, you acknowledge that you have read, understood, and accepted these risks.

©2025 NeuroCloud. All rights reserved.

Privacy Policy

Terms of Use

Legal Disclaimer

EULA

This Is Not Investment Advice

The information contained in this document is for informational purposes only and does not constitute investment advice, a recommendation, or an offer to sell or a solicitation of an offer to buy any securities, financial products, or instruments. The opinions expressed herein are based on our current understanding of the market and are subject to change without notice. Always consult with a qualified financial advisor before making any investment decisions. Neurocloud Limited ("Neurocloud") does not accept liability for any direct or consequential loss arising from the use of this document or its contents.

Novel Technologies

Neurocloud utilizes advanced and novel technologies, including but not limited to generative artificial intelligence and other algorithmic trading systems, which are at the forefront of technological development. These technologies are inherently experimental and may have unpredictable outcomes. Risks associated with these technologies include but are not limited to system errors, algorithmic biases, unexpected market behaviors, and potential software vulnerabilities. By engaging with Neurocloud, you acknowledge and accept these risks. It is essential to thoroughly understand the implications of utilizing these novel technologies before proceeding.

Legal & Jurisdictional Disclaimer

The services provided by Neurocloud are subject to applicable laws and regulations in the jurisdictions in which they operate. Clients are responsible for ensuring that their use of Neurocloud's services complies with the laws and regulations applicable to them. Neurocloud does not provide legal or tax advice, and clients should seek independent legal and tax advice as needed. The terms and conditions of Neurocloud's services are governed by the laws of the jurisdiction in which Neurocloud operates, and any disputes arising from the use of these services will be subject to the exclusive jurisdiction of the courts in that jurisdiction.

Regulation

For the avoidance of doubt, Neurocloud is not independently regulated by the Financial Conduct Authority (FCA) or Securities & Exchange Commission (SCC). Neurocloud operates as a Technology (Software As Service) Provider. Neurocloud’s role is strictly limited to product delivery & client service, and it does not directly manage client funds. Any strategies or technologies provided by Neurocloud are implemented under the regulatory framework of the partner Asset Management firms.

Fund Custody

Neurocloud Limited does not hold or otherwise have control over client funds. All funds deposited by clients for the purposes of engaging with Neurocloud are held by the brokers that Neurocloud partners with. Specifically, the funds are held with the Neurocloud-approved broker that the client chooses to deposit with. These chosen brokers maintain segregated client trust accounts with top-tier banks as an additional layer of protection for client funds. Furthermore, these brokers are required to be fully regulated entities, holding licenses from reputable regulatory authorities, including but not limited to the Financial Conduct Authority (FCA) in the UK and the Australian Securities and Investments Commission (ASIC) in Australia.

Risk Warning

Trading carries high risks and may result in the loss of your capital. Neurocloud employs advanced technologies, including generative artificial intelligence, which are novel and continuously evolving. The application of these technologies introduces additional risks associated with system errors, algorithmic biases, and the complexity of market dynamics. It is crucial that you fully understand these risks before engaging with them. Neurocloud oes not accept clients who do not fully comprehend the risks involved in trading, including those posed by novel technologies. Seek independent financial advice if necessary. By engaging with Neurocloud, you acknowledge that you have read, understood, and accepted these risks.