GDPR (Privacy)

1. Introduction

1.1. These Privacy Policies (hereinafter referred to as ‘GDPR principles’) determine how the company XHEDGERS CORPORATION s.r.o., with its registered office at Příčná 1892/4, Nové Město, 11000 Prague 1, ID number: 22579222, registered in the commercial register maintained by the Municipal Court in Prague under file no. C 418754 (hereinafter referred to as ‘Company’), handles the personal data of natural persons when providing services (for more detail, see the terms and conditions) to its customers or providers in connection with the use of the online platform operated by the company through the website https://www.xhedgers.com (hereinafter referred to as ‘website’).

1.2. The company operates an online platform for simulated trading in trading skills verification programs. The company provides virtual resources and does not provide investment services, foreclosure or investment advice via the website (hereinafter referred to as ‘service’).

1.3. In its activities, the company provides services and, in connection with this, processes the personal data of customers, business partners, their representatives or employees, as well as other persons whose data is necessary for the proper provision of services. These persons are collectively referred to in this document as ‘data subjects’.

1.4. These GDPR principles also apply to cases where the company receives services from other persons.

2. Who we are and where you can contact us

Xhedgers Corporation s.r.o., 

ID number: 22579222, 

Registered office: Příčná 1892/4, Nové Město, 11000 Prague 1, 

Email: info@xhedgers.com

3. The purpose of these GDPR principles

3.1. The aim of these GDPR principles is to clearly explain how the company obtains, processes and protects personal data in connection with the provision of services, the operation of the website and the conclusion of contractual relations.

3.2. The GDPR policy applies to all personal data provided by the data subjects to the Company, in particular through registration or use of the services offered on the website of the company. The company’s services are not intended for persons under the age of 18. The company does not knowingly collect the data of minors. If the company finds that a person under the age of 18 has been registered, it will cancel the account and delete the data without undue delay.

4. Personal data controller

4.1. The controller (administrator) of personal data is the company. It is responsible for ensuring that personal data is handled in accordance with applicable legal regulations.

4.2. The data subject is obliged to provide the Company with true and up-to-date data and to notify the Company of any changes without undue delay.

5. What data do we collect

5.1. Personal data means any information about a natural person by which it is possible to directly or indirectly identify the person. Anonymous or fully aggregated information, for which a specific individual cannot be identified, is not considered personal data.

5.2. As part of the provision of services, the Company may collect, store and continue to use various categories of data. These can be divided in particular into the following groups:

5.2.1. Technical data – includes, for example, IP address, location, login data, type and version of the browser, operating system, language settings, time zone, type and model of the device that the data subject uses to access the services, unique device identifiers (e.g. session ID, cookies, tokens), data on interactions with the service and diagnostic records (logs).

5.2.2. Profile data – username and password, settings and preferences or personal interests.

5.2.3. Contact information – especially e-mail address, phone number and possibly also a postal address.

5.2.4. Transaction data – information about payments made or received and other financial operations.

5.2.5. Marketing and communication data – data on preferences related to receiving marketing messages or other forms of communication from the company.

5.2.6. Data on the use of services – detailed information on how the data subject uses the service.

5.2.7. Identification data – first name, surname, possibly birth name, username or other similar identifier.

5.2.8. Financial information – includes the data necessary for processing payments, in particular the bank account number or information about the payment made. Payment transactions are processed through an external payment gateway; the company does not store the full payment card number or CVC code and works exclusively with tokens provided by the payment gateway.

5.3. In addition to the above, the company also works with so-called aggregated data, i.e. statistical or demographic data. This data may be derived from personal data, but it is no longer considered personal data in itself because it does not allow a specific person to be identified. Aggregated data is used by the Company exclusively for analytical, operational and statistical purposes (e.g. to improve the functionality and security of services), and the company never associates it with a data subject in a way that would lead to their direct identification.

6. Data subject rights

6.1. Each data subject has the following rights in relation to his data:

6.1.1. Right of access – to find out what information the company keeps about them.

6.1.2. Right to correction – request the correction of inaccurate or incomplete data.

6.1.3. The right to erasure (the right to be forgotten) – in justified cases, request the deletion of data.

6.1.4. The right to object – in particular to processing based on legitimate interest or for the purposes of direct marketing.

6.1.5. The right to restrict processing – in certain situations, request a temporary stoppage of processing.

6.1.6. The right to portability – to obtain your data in a structured form and to pass it on to another organization.

6.1.7. The right to withdraw consent – if the processing is based on consent.

6.1.8. The right not to be the subject of automated decision-making – the data subject has the right not to be the subject of decisions that are based solely on automated processing, including profiling, if such decisions have legal effects or otherwise significantly affect them, unless such processing is necessary for the conclusion or performance of the contract, required by legal regulations, or if the data subject has given express consent to it.

6.2. Applications for the exercise of rights under Articles 12-22 GDPR (access, correction, erasure, limitation, portability, objection, revocation of consent, objection to marketing, objection to an automated decision) may be submitted by the data subject by e-mail: info@eliteways.com. The processing time is 1 month from delivery; in complex cases, the company can extend it by up to another 2 months. Before processing the application, the company reserves the right to verify the applicant's identity.

7. Accounts at Xhedgers

7.1. If the data subject opens an account with the company, it is essential that the company collects certain personal data, in particular:

7.1.1. First and last name

7.1.2. Email address

7.1.3. Residential address

7.1.4. Telephone number

7.1.5. Bank account or payment gateway data (e.g. IBAN, tokenized card data or other payment identifiers) necessary for payment processing.

7.2. In some cases, the provision of personal data is a legal or contractual requirement. Therefore, if the data subject refuses to provide this data, the company may not be able to enter into a contract or fulfill obligations from an already concluded contract. In exceptional cases, this may also lead to the need to cancel the contract, while the data subject will always be informed of this step.

8. How do we collect data

8.1. The company uses various methods of obtaining personal data, which depend on the nature of the relationship with the data subject. These methods include in particular:

8.1.1. The data subject provides the data directly, for example when filling out the registration form, when communicating with the company via e-mail, telephone or in person, or when submitting a request for a specific service.

8.1.2. In some cases, personal data may be provided by third parties (intermediaries or partners) who are authorized to share it in order to enable the provision of services. In such a case, the data subject acknowledges that this data will be processed together with the data that the company is already collecting.

8.1.3. When using the company’s website, technical data is automatically collected via cookies, server logs and other similar technologies. This data mainly concerns the browser, device, location and patterns of behavior when viewing pages.

I. Collecting this data serves to improve security, functionality and user experience.

8.1.4. Exceptionally, data can also be obtained from publicly available registers or from business partners, such as analytical service providers (e.g. Google) or advertising and marketing networks operating in the EU and beyond.

I. Personal data may also be shared with hosting, payment gateway and communication tools providers, only to the extent necessary for the operation of the Services.

8.1.5. If the company does not obtain personal data directly from the data subject, it informs him of their processing no later than 1 month after acquisition (or during the first communication, or when the data is first made available to another recipient). In such a case, the company will provide the data source, purposes and legal basis of the processing, the category of processed data and the category of recipients.

I. The Company does not sell personal data and does not transfer it to unauthorized persons.

9. What do we use personal data for

9.1. Personal data is used exclusively in accordance with legal regulations. The company processes it only in cases where there is a legal basis for doing so. Typically, these are the following situations:

• If necessary for the conclusion or fulfillment of a contract with the data subject,

• If necessary to protect the legitimate interests of the Company or its partners, while these interests do not outweigh the fundamental rights of the data subject,

• If processing is required by law or other legal regulation,

• If the data subject has given his express consent (for example, in the case of marketing communications).

10. Consent to data processing

10.1. If the processing is not based on a contract, law or legitimate interest, the consent of the data subject is required. Typically, this applies to marketing activities (sending e-mail newsletters, business messages or targeted offers). In such a case, the company needs the consent of the data subject. The data subject has the right to revoke the consent at any time, in a simple way, through the company’s contact details.

I. Newsletters and commercial communications are sent by the company only on the basis of the consent granted (Article 6, paragraph 1, letter a) GDPR), or under the so-called customer exemption regime according to § 7 of Act No. 480/2004 Coll., if the data subject is already a customer of the company and the communication concerns similar services of the company. A one-click unsubscribe option is available in each email. Once the data subject has unsubscribed, the company ceases to use the data for this purpose.

II. Profiling for direct marketing purposes is carried out only by the company.

11. Purposes for which the company processes personal data

11.1. The company handles personal data exclusively to the extent necessary to fulfill a specific purpose and always in accordance with legal regulations. Individual purposes can be divided into several areas:

11.1.1. Conclusion and fulfillment of contracts

I. Registration of new clients – to create an account and conclude a contract, the company mainly processes identification and contact data.

II. Fulfillment of contractual relationships – includes the provision of services, communication regarding changes to the terms, sending notifications or requesting feedback. The company mainly processes identification and contact data, possibly also marketing data, if it is related to the fulfillment of the contract.

11.1.2. Administration and security of the company and services

I. Management and operational security of the company – administrative and IT support, testing and maintenance of systems, solving incidents, prevention of fraud and activities necessary for the smooth running of the company.

II. Website operation and security – processing of technical data to ensure functionality, stability and protection against security threats.

III. Legal claims and obligations – in the case of disputes, insolvency proceedings or criminal investigations, identification, contact or other data needed to defend the company’s rights may be processed.

IV. Prevention of misuse of services and fraudulent behavior (anti-fraud) – the company is not an obligated person according to § 2 of Act No. 253/2008 Coll. (AML). Processing in this area is therefore carried out on the basis of a legitimate interest pursuant to Article 6, paragraph 1, letter f) GDPR, which is to ensure platform security, protection of users and rewards, and prevention of fraud, cheating and circumvention of program rules.

V. As part of user account verification (KYC), the company may process identification data from identity documents and biometric data (e.g. a selfie photograph) for the purpose of verifying the user’s identity. Processing takes place on the basis of the legitimate interest of the Company according to Article 6, paragraph 1, letter f) GDPR, with the aim of preventing fraud and misuse of accounts.

11.1.3. Improving Services and Customer Experience

I. Service analysis and optimization – technical, contact or profile data are used to evaluate user behavior, improve products and improve marketing.

II. Website Behavior Analysis – The company monitors how users use the website and services to keep them up-to-date and tailored to needs.

III. Offline conversion measurement – if the data subject provides its contact information via the website or forms, it can be used to compare online and offline activities with the aim of more accurate campaign evaluation.

11.1.4. Marketing and Business Development

I. Personalization and marketing – the company uses technical, profile or user data to target ads and evaluate their effectiveness.

II. Offers and recommendations of products or services – the company may submit new products or services to clients that meet their needs and preferences.

III. Cooperation with business partners – identification and contact data can be shared to a limited extent for the purposes of distributing services through intermediaries or partner programs (e.g. cashback, discount events).

Each data subject has the right to ask the company at any time to stop sending marketing messages – either in their own name or through third parties. Unsubscribing can be done simply by clicking on the unsubscribe link provided in each marketing message, or by contacting the company via the official e-mail address given in the company’s contact details, see Article 2 of these GDPR principles.

11.1.5. Automated Decision and Profiling in Programs

I. As part of trading skills verification programs, the company uses automated systems to continuously evaluate the performance of the account (e.g. Profit/Loss, Drawdown, the number and size of trades, compliance with the rules). Based on these metrics, the system automatically identifies the fulfillment or non-fulfillment of the program conditions, while in the final stage there may also be a manual check aimed at verifying fair and transparent trading (e.g. analysis of trades carried out at times of significant economic events, etc.) and at assessing any right to a reward.

II. Processing is necessary for the fulfillment of the contract (Article 6(1)(b) GDPR). The data subject has the right to request a human review of the decision, to express an opinion and to challenge the decision via the company’s email given in Article 2 of these GDPR principles.

12. Cookies and similar technologies

12.1. The company uses so-called cookies and other similar technologies on the website. These files help the company to ensure the correct functionality of the site, adapt it to the needs of the users and evaluate their use.

12.2. Each user has the option to set their browser to:

12.2.1. reject any cookies that are not necessary for the operation of the website,

12.2.2. allow only some,

12.2.3. or notify them every time cookies are used.

I. The user acknowledges that some cookies are technically necessary for the proper functioning of the website and cannot be deactivated in the browser without limiting the functionality of some parts of the website (e.g. logging in, saving preferences or shopping cart).

12.3. It should be noted that if cookies are completely rejected, some parts of the website may not work properly or may become unavailable. Details of the cookies used and their management options are given in separate cookie policies.

13. Changing the purpose of processing

13.1. Personal data is always processed only for the purposes for which it was originally collected. If the company needs to use the data for another purpose in the future, this is possible only on the condition that this purpose is compatible with the original legal basis.

13.2. If the new purpose is not compatible, the company shall inform the data subject in time and explain the legal reason for the processing. If the law requires the consent of the data subject, it will be requested before the start of such new processing.

14. Sharing data with third parties

14.1. Personal data may be made available only in the necessary cases and always in accordance with legal regulations. These are mainly:

14.1.1. Service providers – e.g. IT suppliers, legal and accounting advisors, telecommunications service providers, printing and logistics solutions or marketing tools,

14.1.2. Public administration bodies – if required by law or regulatory obligations (e.g. tax authorities, courts, law enforcement agencies),

14.1.3. Business partners and intermediaries – within the framework of contractual cooperation, if they participate in the provision of the company’s services,

14.1.4. Other recipients – only based on the consent of the data subject or if it corresponds to the legitimate interest of the Company.

14.2. Every third party with whom the company shares data is obliged to maintain confidentiality and respect the rules of personal data protection established by the Company.

15. Data security

15.1. The company takes technical and organizational measures to ensure the protection of personal data against unauthorized access, loss, change or destruction. Only authorized persons who are bound by the duty of confidentiality have access to the data.

15.2. If the company records a security incident or a suspected incident, it proceeds according to internal regulations and takes immediate corrective action.

15.3. If processing by the Company involves a provider based outside the European Economic Area (EEA), in particular in the US, the Company only transmits personal data if an adequate level of protection is ensured.

16. Data retention time

16.1. The company stores personal data only for the time necessary to fulfill the purpose for which it was collected and in accordance with legal and accounting requirements.

16.2. The company keeps the data relating to the contractual relationship for its duration and then usually for another 5 years after its termination, unless otherwise specified.

16.3. Accounting and tax documents (including VAT documents) are kept by the company according to legal regulations, i.e. for a period of 10 years from the end of the tax period in which the obligation to maintain or keep such documents arose.

16.4. The company usually keeps security and operating logs for a period of 12 to 24 months from their creation, unless longer storage is needed (e.g. to defend legal claims).

16.5. If the processing is based on consent (e.g. marketing, cookies), the company keeps the data until the moment it is revoked, or no longer than 2 years after the last interaction.

16.6. After the specified retention periods have passed, the company either safely deletes the data, or anonymizes it and further uses it exclusively for statistical or analytical purposes.

17. Complaint

17.1. If the data subject believes that the company is processing his personal data in violation of the relevant legal regulations, he may file a complaint with the relevant supervisory authority. The competent supervisory authority according to the address of the company headquarters is the Office for the Protection of Personal Data, based in Plk. Sochora 27, Prague 7, zip code 170 00, Czech Republic, email posta@uoou.cz.  More information about the office is available on the website www.uoou.cz.

18. Final provisions

18.1. The Czech-language version of these GDPR principles is decisive. In the event of a conflict between the Czech version and the translation into another language, the Czech version has priority.

18.2. These GDPR principles take effect on XX. XX. 2025. The Company will inform data subjects in a reasonable manner, for example by e-mail or by notification within its website, about significant changes in the way personal data is processed.