1. Who We Are
Vextor Capital is a global financial intelligence platform operating at vextorcapital.com. We provide real-time financial market data, professional-grade analysis, educational content, and financial tools covering equities (stocks and ETFs), cryptocurrency, foreign exchange (forex), commodities, bonds and fixed income, and macroeconomic indicators. Our platform is designed for retail investors, self-directed traders, financial professionals, students, and anyone seeking to understand global financial markets.
For the purposes of the General Data Protection Regulation (GDPR) and applicable data protection laws, Vextor Capital is the data controller responsible for determining the purposes and means of processing your personal information. As data controller, we are accountable for ensuring that all personal data processing complies with applicable privacy law.
Vextor Capital currently operates as a privately held platform. We do not have a physical office address; all correspondence should be directed to our email address. We do not currently have a formal Data Protection Officer (DPO) as our processing activities do not trigger mandatory DPO appointment under Article 37 of the GDPR (we do not carry out large-scale systematic monitoring of individuals or large-scale processing of special categories of data). However, we take data protection obligations seriously and will appoint a DPO if and when our processing activities require it.
You can contact Vextor Capital at any time regarding privacy matters at vextorcapital@vextorcapital.com. We aim to respond to all privacy inquiries within 30 days.
2. Information We Collect
We collect the minimum personal data necessary to operate our platform and provide the services our users request. This follows the principle of data minimization, one of the core principles of the GDPR (Article 5(1)(c)) and similar provisions in other privacy frameworks. Below is a complete description of every category of personal data we collect.
2.1 Information You Provide Directly
When you create an account or interact with Vextor Capital, you may voluntarily provide personal data that we collect and process. This category includes: email address (required for account creation and essential communications), display name or username (optional, chosen by you), password (stored only in encrypted, hashed form — we never store plaintext passwords), profile preferences and saved settings (such as watchlist assets, portfolio holdings you enter, theme preferences), and communications you send to us (support requests, feedback, correction reports, partnership inquiries).
We collect only the data you choose to provide. You can use most of Vextor Capital's features — browsing market data, reading news, using educational content — without creating an account and without providing any personal information. Account creation is optional and enables features such as saving watchlists and portfolio tracking.
2.2 Information Collected Automatically
When you visit Vextor Capital, certain technical information is automatically collected by our servers and third-party services as a standard part of internet communication. This category includes: IP address (we truncate the last octet before storage for analytics purposes, following Google Analytics 4's default IP anonymization); browser type, version, and the operating system of your device; the specific pages you visit, the time you spend on each page, and your navigation path through our site; the URL of the webpage that referred you to Vextor Capital (if any); device type (desktop computer, mobile phone, tablet); general geographic location derived from your IP address (country and region level — we do not collect precise GPS location); the date and time of your visits.
This automatic data collection is a technical necessity of how the internet works — when your browser requests a page from our servers, the request inherently includes this information. We collect it to operate the platform (server logs are required for security and infrastructure management) and to understand how our platform is used (analytics).
2.3 Cookies and Tracking Technologies
Vextor Capital uses cookies and similar web technologies (pixels, local storage, session storage) to operate the platform and, with your consent, to analyze usage and display relevant advertising. Cookies are small text files stored in your browser. A complete description of every cookie we use, including its purpose, provider, and retention period, is published in our Cookie Policy.
We use four categories of cookies: (a) Essential cookies, required for basic platform functionality such as maintaining your session and storing your consent preferences — these cannot be disabled without breaking core functionality; (b) Analytics cookies via Google Analytics 4, which help us understand platform usage patterns — these require your consent in the EU/UK; (c) Advertising cookies via Google AdSense, which enable personalized advertising based on your interests — these require explicit consent in the EU/UK/CA and can be declined without affecting your access to content; (d) Functional cookies that remember your preferences across sessions.
2.4 Financial Data You Input
If you use Vextor Capital's portfolio tracker or other financial tools, you may voluntarily input financial data such as asset holdings, purchase prices, and transaction history. This data is stored associated with your account to enable portfolio tracking functionality. Vextor Capital does not share this financial data with third parties for any purpose, does not use it for advertising targeting, and treats it as highly sensitive. You can delete this data at any time through your account settings or by contacting us.
Important: Vextor Capital does not have access to your actual brokerage accounts, bank accounts, or any external financial accounts. The financial data in your Vextor Capital profile is only what you manually enter. It is entirely separate from any actual investment accounts you may hold.
3. How We Use Your Information
We use the data we collect only for the specific purposes described below. We do not use personal data for purposes beyond those disclosed in this policy without first obtaining your consent or establishing a new legal basis for processing. This reflects the purpose limitation principle under GDPR Article 5(1)(b).
To operate Vextor Capital, authenticate your account, display market data, process your tool inputs, save your preferences, and deliver the core features of the platform. This processing is necessary to perform the contract with you (providing the service you have requested).
To analyze usage patterns, identify technical errors and performance bottlenecks, understand which features and content are most valuable to our audience, and continuously improve the platform. Analytics data is processed using Google Analytics 4, which anonymizes IP addresses by default. Aggregate, anonymized analytics data helps us make better product decisions.
To detect and prevent unauthorized access, abuse, fraud, and illegal activity. Server logs are retained for a limited period for security investigation purposes. We may use automated systems to flag suspicious activity patterns. Security processing is necessary for our legitimate interests in protecting the platform and our users.
To remember your preferences (such as saved watchlists, portfolio data, display settings) and provide a consistent, personalized experience across sessions. Personalization features require an account. We do not use behavioral profiling for content personalization without your knowledge.
To respond to your support requests, send transactional emails (account verification, password resets, security alerts), and — only with your explicit consent — send marketing newsletters or product updates. You can withdraw consent for marketing communications at any time by clicking the unsubscribe link in any marketing email.
To display relevant advertisements through Google AdSense and its associated advertising network. Advertising uses cookies set by Google, subject to your consent choices. We do not directly profile users for advertising; this is handled by Google's advertising systems under their privacy policy. We receive only aggregated, anonymized revenue data from Google.
To comply with applicable laws, respond to lawful requests from government authorities, enforce our Terms of Service, and protect our legal rights. We may retain data beyond normal retention periods when required by law or pending litigation.
4. Legal Basis for Processing (GDPR)
For users in the European Union, European Economic Area, and United Kingdom, the General Data Protection Regulation (EU) 2016/679 and the UK GDPR require that every processing activity has a specific legal basis as defined in Article 6 of the GDPR. The full text of the GDPR is publicly available at eur-lex.europa.eu. Vextor Capital processes personal data under the following legal bases:
Art. 6(1)(a) — Consent
Applies to: Analytics cookies (Google Analytics), advertising cookies (Google AdSense), marketing communications, optional personalization features.
We rely on your freely given, specific, informed, and unambiguous consent for non-essential processing activities. Consent is collected through our cookie consent banner for cookies and through a sign-up checkbox for marketing emails. You may withdraw consent at any time without detriment. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Art. 6(1)(b) — Contractual Necessity
Applies to: Account management, authentication, service delivery, transactional communications.
Processing necessary to perform the contract between us — specifically, providing the Vextor Capital platform and its features to users who have registered for an account. Without this processing, we cannot deliver the service.
Art. 6(1)(c) — Legal Obligation
Applies to: Compliance with court orders, regulatory requests, tax obligations, anti-money laundering requirements (if applicable).
Processing required to comply with a legal obligation under applicable law. We may be required by law to retain certain records or disclose information to public authorities.
Art. 6(1)(f) — Legitimate Interests
Applies to: Security monitoring, server logs, fraud prevention, platform analytics (non-EU users), platform improvement.
Processing necessary for our legitimate interests where those interests are not overridden by your fundamental rights and freedoms. We have conducted legitimate interest assessments (LIAs) for these processing activities. The legitimate interests pursued include: keeping the platform secure, preventing fraud and abuse, understanding platform performance, and improving the quality of our financial information. We do not use legitimate interests as a basis for advertising or for cross-site behavioral tracking.
6. Data Retention Periods
We retain personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by applicable law. This reflects the storage limitation principle under GDPR Article 5(1)(e). Our specific retention periods are as follows:
| Data Category | Retention Period | Rationale |
|---|---|---|
| Account data (email, name) | Duration of account + 90 days after deletion | Required to provide service; 90-day window allows account recovery |
| Authentication credentials | Duration of account only | Deleted immediately upon account deletion |
| Portfolio and watchlist data | Duration of account + 30 days | User-provided financial data; accessible for recovery period |
| Analytics event data (GA4) | 14 months from event | Google Analytics default; allows year-over-year comparison |
| Server access logs (security) | 90 days | Security incident investigation; standard industry retention |
| Support communications | 3 years from last interaction | Business record; reference for repeat issues |
| Consent records | 5 years from consent | GDPR requires demonstrable proof of consent |
| Legal hold data | Duration of legal matter + 1 year | Required by law or pending litigation |
| Anonymized/aggregated analytics | Indefinite | Cannot identify individuals; retained for product improvement |
When data reaches the end of its retention period, it is either permanently deleted or irreversibly anonymized. You may request early deletion of your data by submitting a data erasure request as described in the Your Rights section below.
7. Your Privacy Rights
Depending on your jurisdiction, you have significant rights with respect to the personal data we hold about you. We are committed to honoring these rights promptly and without discrimination. To exercise any right, contact us at vextorcapital@vextorcapital.com.
7.1 GDPR Rights (EU/EEA/UK Users)
Under the GDPR and UK GDPR, you have the following rights. The supervisory authority for EU residents is your national Data Protection Authority (DPA). The UK supervisory authority is the Information Commissioner’s Office (ICO) at ico.org.uk.
Request a copy of all personal data we hold about you, information on processing purposes, retention periods, and recipients. Response within 30 days.
Request correction of inaccurate personal data or completion of incomplete data. You can update most data directly in your account settings.
Request deletion of your personal data ('right to be forgotten') where there is no compelling reason for continued processing. Some data may be retained for legal compliance.
Request that we restrict processing of your data in specific circumstances — for example, while a rectification request is pending or you have objected to processing.
Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and transfer it to another controller.
Object to processing based on legitimate interests or for direct marketing. You can object to direct marketing at any time with absolute effect.
Withdraw consent at any time for processing activities based on consent. Withdrawal does not affect prior lawful processing.
File a complaint with your local Data Protection Authority if you believe we have violated your privacy rights.
7.2 CCPA / CPRA Rights (California Users)
Under the California Consumer Privacy Act (CCPA, Cal. Civ. Code § 1798.100 et seq.) and the California Privacy Rights Act (CPRA), California residents have the following rights. The California Privacy Protection Agency (CPPA) oversees CCPA/CPRA enforcement. More information is available at ftc.gov.
- ✓ Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, the sources from which it is collected, the purposes of collection, and any third parties with whom it is shared.
- ✓ Right to Delete: Request deletion of personal information we have collected, subject to certain exceptions (legal obligations, security, contract performance).
- ✓ Right to Correct: Request correction of inaccurate personal information.
- ✓ Right to Opt-Out of Sale or Sharing: While Vextor Capital does not 'sell' personal information in the traditional sense, certain advertising data uses may constitute 'sharing' under CPRA. California residents can opt out of this sharing via our Cookie Settings or by sending a Global Privacy Control (GPC) signal.
- ✓ Right to Limit Use of Sensitive Personal Information: Certain sensitive personal information may only be used for specific limited purposes.
- ✓ Right to Non-Discrimination: We will not discriminate against you for exercising CCPA rights. We do not charge different prices, provide different quality, or treat you differently for exercising privacy rights.
8. Data Security Measures
Vextor Capital implements technical and organizational security measures appropriate to the risk of the processing activities undertaken. While no security measure is completely infallible, our approach to security is based on industry best practices and the principle of security by design and default (GDPR Article 25).
Transport Encryption
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS). We implement HSTS (HTTP Strict Transport Security) to prevent downgrade attacks.
Password Security
User passwords are hashed using bcrypt with appropriate cost factors before storage. We never store plaintext passwords. Password hashes are never transmitted or exposed through any API.
Access Controls
Database access is restricted to authorized services and personnel through role-based access control (RBAC). All administrative access requires multi-factor authentication (MFA). Access to production systems is logged and audited.
Infrastructure Security
Our infrastructure is hosted on Vercel (CDN/hosting) and cloud database providers with SOC 2 Type II certifications. We use environment variable management for secrets. No credentials are stored in source code.
Dependency Management
We maintain regular security updates for our software dependencies and monitor for known vulnerabilities through automated scanning tools. Critical security patches are applied within 48 hours of disclosure.
Data Minimization in Practice
We collect only the data necessary for each processing purpose. Analytics data uses IP anonymization. We do not collect sensitive personal data (health, biometric, financial account credentials) except as explicitly disclosed.
9. International Data Transfers
Vextor Capital operates as a global platform. Personal data collected from users in the European Economic Area, United Kingdom, and other jurisdictions with data transfer restrictions may be transferred to, and processed in, countries outside those jurisdictions — including the United States, where many of our service providers are based.
Under the GDPR, transfers of personal data to countries that have not received an EU adequacy decision (Commission Implementing Decision under Article 45 GDPR) must be made using appropriate safeguards. The UK has its own adequacy framework under the UK GDPR. For our processing activities:
- ▸ Google LLC (Analytics, Advertising): Transfers to the US are made under Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) GDPR and the EU-US Data Privacy Framework where applicable.
- ▸ Vercel, Inc. (Hosting): Data is primarily processed in data centers in Europe where possible. Cross-Atlantic transfers use SCCs.
- ▸ Other US-based processors: All US-based data processors are required under our DPAs to use approved transfer mechanisms (SCCs or adequacy decisions).
You can request information about the specific safeguards used for transfers affecting your personal data by contacting us at vextorcapital@vextorcapital.com.
10. Children's Privacy
Vextor Capital is a financial information platform designed and marketed exclusively for adults. We do not knowingly collect personal information from children under the age of 13 (the age threshold under the Children’s Online Privacy Protection Act (COPPA) in the United States) or under the age of 16 (the threshold for consent under Article 8 of the GDPR in most EU member states). The appropriate age threshold for your jurisdiction may differ — please consult your local data protection authority.
If you are a parent or guardian and believe that your child under the applicable age has provided personal information to Vextor Capital, please contact us immediately at vextorcapital@vextorcapital.com. We will promptly review the situation and, where confirmed, delete the information as required by COPPA, GDPR Article 8, and other applicable laws.
We do not use any personal information collected through our platform to direct advertising specifically at minors. Financial content on Vextor Capital is educational in nature and intended for adult decision-makers.
11. Third-Party Links and Services
Vextor Capital contains links to external websites, data sources, news outlets, regulatory bodies, and financial platforms. This Privacy Policy applies only to data we collect and process on vextorcapital.com. We are not responsible for the privacy practices, data security, or content of third-party websites. When you follow a link to an external site, that site’s own privacy policy governs the collection and use of your information.
Third-party financial data providers embedded in our platform (such as data widgets or API-driven content from CoinGecko, Polygon.io, Alpha Vantage, or FRED) may collect technical data through their own systems when their content is loaded. The privacy practices of these providers are governed by their respective policies, which we link to on our methodology page.
We recommend reviewing the privacy policy of any external site you visit through Vextor Capital, particularly those where you may be asked to create accounts or provide financial information.
12. California Privacy Rights (CCPA/CPRA)
This section provides additional disclosures required under California law, including the California Consumer Privacy Act (CCPA, effective January 1, 2020) as amended by the California Privacy Rights Act (CPRA, effective January 1, 2023). The California Privacy Protection Agency (CPPA) is the state agency responsible for enforcement.
Categories of Personal Information Collected in the Past 12 Months:
- · Identifiers (email address, user ID) — collected for account creation and management
- · Internet activity information (browsing history on Vextor Capital, interactions with features) — collected for analytics
- · Geolocation data (general, country/region level only) — derived from anonymized IP for analytics
- · Inferences drawn to create a user profile (analytical segments about content preferences) — used only for platform improvement, not sold
Do Not Sell or Share:Vextor Capital does not sell personal information. However, the use of advertising cookies by Google AdSense may constitute “sharing” of personal information for cross-context behavioral advertising under the CPRA. California residents can opt out of this sharing at any time by using the “Do Not Sell or Share My Personal Information” option in our Cookie Settings footer link. We also honor browser-based Global Privacy Control (GPC) signals.
To submit a CCPA/CPRA request, contact vextorcapital@vextorcapital.com. We will verify your identity before processing the request and will respond within 45 days (with an extension of up to 90 days for complex requests, with notice).
13. Brazil (LGPD) and Other Jurisdictions
Brazil’s Lei Geral de Proteção de Dados (LGPD, Law No. 13,709/2018), effective September 2020, provides privacy rights for Brazilian residents that closely parallel the GDPR. Under the LGPD, Brazilian users have rights to access, correction, anonymization, portability, deletion, and information about sharing. The Brazilian data protection authority is the Autoridade Nacional de Proteção de Dados (ANPD).
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) applies to our processing of personal information about Canadian residents. Canadian users have the right to access personal information, challenge its accuracy, and withdraw consent for collection or use.
Residents of other jurisdictions with applicable privacy laws (Australia, South Korea, Japan, India, etc.) are encouraged to contact us at vextorcapital@vextorcapital.com to understand how local privacy law applies to our processing and to exercise applicable rights. We will make good-faith efforts to comply with applicable local privacy requirements even where we are not formally established in a particular jurisdiction.
14. Automated Decision-Making and Profiling
Vextor Capital does not use automated decision-making that produces legal or similarly significant effects concerning individual users (as described in GDPR Article 22). We do not use personal data to make automated decisions about creditworthiness, employment, insurance eligibility, or any other high-stakes decision category. Financial tool outputs (portfolio calculations, risk metrics, screener results) are mathematical computations based on data you input, not AI-generated assessments about you as an individual.
We use basic analytics profiling (grouping users by behavior patterns for aggregate product improvement analysis), but this profiling does not result in differential treatment of individual users and is not used for automated decision-making. If we ever implement automated decision-making systems that could have legal or similar effects on users, we will update this policy and provide opt-out mechanisms as required by applicable law.
15. Data Breach Notification
In the event of a personal data breach that poses a risk to the rights and freedoms of affected users, Vextor Capital will comply with mandatory breach notification requirements under applicable law:
- ▸ GDPR (Art. 33/34): We will notify the relevant supervisory authority within 72 hours of becoming aware of a qualifying breach, and notify affected data subjects without undue delay if the breach poses a high risk to their rights and freedoms.
- ▸ CCPA/CPRA: We will notify affected California residents whose unencrypted personal information may have been acquired by unauthorized parties in accordance with California's data breach notification law (Cal. Civ. Code § 1798.82).
- ▸ Other jurisdictions: We will comply with applicable state and national breach notification requirements in jurisdictions where affected users are located.
Breach notifications will describe the nature of the breach, the categories and approximate number of affected individuals and records, the likely consequences, and the measures taken or proposed to address the breach. If you believe your Vextor Capital account has been compromised, please contact us immediately at vextorcapital@vextorcapital.com.
16. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our data practices, applicable law, or our services. The “Last Updated” date at the top of this page indicates when this policy was most recently revised. When we make material changes — particularly those that expand our use of personal data, introduce new third-party processors, or affect user rights — we will: (a) update the effective date; (b) where we have your email address and the change is material, notify you by email; and (c) prominently display a notice on Vextor Capital for a reasonable period.
Your continued use of Vextor Capital after changes become effective constitutes your acknowledgment of the updated policy. If you do not agree with material changes, you should stop using the platform and may request deletion of your data.
17. Contact and Data Requests
For all privacy inquiries, data subject requests, or concerns about this policy:
Vextor Capital
Email: vextorcapital@vextorcapital.com
Website: vextorcapital.com
GDPR requests: response within 30 days · CCPA requests: within 45 days · General inquiries: within 2 business days
Regulatory Authorities: