We collect the minimum needed to deliver and license the Software. Strategies, set files, and backtest reports never leave your machine. License activation and periodic validation — routed through Lemon Squeezy — are the only things we transmit. We don't sell or rent your data, ever.
§ 1Who we are
The data controller is INFINITYDEV, S.L. (NIF B-44974798), Plaça Jardí Enric Morera 2, 17600 Figueres, Girona, Spain. Data-protection contact: legal@trendsurfers.io.
§ 2Scope & what we collect
This Privacy Policy covers all websites and products operated by INFINITYDEV, S.L. under the TrendSurfers brand:
| Surface | What it is | Domain / location |
|---|---|---|
| trendsurfers.io | Suite marketing site, documentation, EULA, master Privacy Policy and Legal Notice | trendsurfers.io |
| strategy-lens.app | StrategyLens — browser-based MetaTrader 5 backtest analyzer | strategy-lens.app |
| TrendSurfers Software | Desktop applications (Portfolio Manager, MT Manager) licensed via Lemon Squeezy | Installed locally on the Licensee's machine |
The data-processing activities differ by surface. The sub-sections below describe what we collect on each.
2.1 trendsurfers.io visitors
The TrendSurfers marketing site is a static site hosted on Cloudflare Pages. We do not operate a web server for this site and have no access to server-level access logs. The site uses Microsoft Clarity for behavioural analytics (heatmaps and anonymised session replays), but only after you explicitly opt in via our cookie banner. When consent is given, Clarity sets first-party cookies (_clck, _clsk) and may set third-party cookies on clarity.ms and c.bing.com — see our Cookie Policy for the full list. Reject the banner and no Clarity script is loaded; you can change your decision at any time from the "Manage cookie preferences" link in the footer.
- Cloudflare infrastructure data — Cloudflare, Inc. may process IP addresses and request metadata as part of their CDN and DDoS protection service. This processing is governed by Cloudflare's own privacy policy; INFINITYDEV, S.L. does not receive or store this data.
- Email contact — if you email us directly, the contents and your reply-to address. We have no web-based contact form.
2.2 strategy-lens.app users
StrategyLens is a browser-based tool hosted on Microsoft Azure Static Web Apps in the West Europe region (Netherlands), which is inside the European Economic Area. No account creation is required to use StrategyLens. The parsing and computation of backtest reports happens client-side in your browser; uploaded files and computed statistics remain local to your browser.
StrategyLens makes a small number of server-side requests that are described in its own Terms of Use:
- TSPA decryption endpoint — when you upload a
.tspaportfolio artifact, the encrypted file is sent to an Azure Function (West Europe region) for in-memory decryption. The decrypted content is returned to your browser and the server copy is discarded immediately. No content is logged or retained. - CSV parsing endpoint — large CSV trade logs may be sent to an Azure Function (West Europe region) for in-memory parsing. The parsed result is returned and the server copy is discarded immediately. No content is logged or retained.
- Microsoft Clarity — the same opt-in behavioural-analytics service used on trendsurfers.io is also used on strategy-lens.app, subject to a separate, domain-specific cookie banner. The cookie inventory for strategy-lens.app is published at strategy-lens.app/cookies.
- Microsoft Azure Application Insights — opt-in client-side telemetry on strategy-lens.app that captures anonymous error reports, performance (Web Vitals), and feature-usage events. It runs cookieless (uses
sessionStorageonly and sets no cookies), and initialises only after you grant analytics consent via that site's cookie banner. No trade data, backtest results, or financial figures are transmitted.
StrategyLens does not transmit, store, or have access to MT5 login credentials, broker account details, live-trading data, or any data extracted from the reports beyond the transient in-memory processing described above.
2.3 Buyers (via Lemon Squeezy)
Lemon Squeezy LLC is the Merchant of Record. It collects payment data, billing address, and tax identifiers directly; we do not receive your full payment details. From Lemon Squeezy we receive: order ID, purchase date, billing email, billing country (for VAT compliance), license key issued, and refund/chargeback events.
2.4 Software users (desktop applications)
- License key and the one-way Hardware Fingerprint generated at activation. The Fingerprint is a hash of selected hardware identifiers — it cannot be reversed to its underlying components. Both are transmitted to Lemon Squeezy LLC (the Merchant of Record and license API provider) for activation and ongoing validation.
- License validation pings — periodic check via the Lemon Squeezy API whether the License Key is still valid (refunded keys are revoked).
- Periodic validation pings — approximately every 4 hours, the Software contacts the Lemon Squeezy license API to verify the License Key is still valid (not refunded or revoked). An active internet connection is required for this check. A 7-day offline grace period applies if connectivity is temporarily unavailable.
The Software does not transmit your strategies, set files, EA parameters, backtest reports, MT5 credentials, broker information, account balances, or any trading data. These remain on your local machine.
2.5 Machine hardware fingerprint (desktop applications)
On activation, the Software computes a one-way hardware fingerprint hash from a combination of: motherboard serial number, CPU identifier, Windows MachineGuid (registry), system-drive volume serial number, and Windows installation ID. The resulting hash is stored only as a hashed value — it cannot be reversed to reconstruct the underlying hardware identifiers.
- Categories of data processed: hardware fingerprint hash (a pseudonymous identifier derived from device hardware — not a personal identifier in isolation, but capable of being associated with a natural person in context).
- Lawful basis: legitimate interest (GDPR Art. 6.1.f) — preventing license abuse, enforcing the single-machine activation model agreed at purchase, and protecting InfinityDev SL's intellectual property from unauthorised distribution.
- Retention: the fingerprint hash is retained by Lemon Squeezy for the lifetime of the license; upon a valid erasure request, we will request deletion from Lemon Squeezy subject to any overriding retention obligation under applicable commercial law.
- Recipients: Lemon Squeezy LLC (Merchant of Record and license API provider). The hardware fingerprint hash is transmitted to Lemon Squeezy's API solely for license activation and validation. INFINITYDEV, S.L. does not operate its own license-validation backend and does not store the fingerprint hash independently. Lemon Squeezy's processing is governed by their own privacy policy and the Data Processing Agreement between the parties.
§ 3Why we collect it & legal basis
| Purpose | Data | Legal basis (GDPR Art. 6) |
|---|---|---|
| Operating strategy-lens.app and serving its static assets | Request metadata (IP, user-agent) — processed by Microsoft Azure as host | Legitimate interest (6.1.f) — operating the requested service |
Transient in-memory processing of .tspa and CSV uploads on strategy-lens.app | Uploaded file content, processed in memory and discarded; no retention | Legitimate interest (6.1.f) — providing the requested analysis |
| Delivering the Software you bought | Order data, license key, fingerprint | Contract (6.1.b) |
| License validation & revocation on refund | License key, fingerprint, validation timestamp, periodic poll result | Contract (6.1.b) |
| Tax compliance & bookkeeping | Order data, billing country | Legal obligation (6.1.c) |
| Customer support | Email, ticket content | Contract (6.1.b) |
| Behavioural analytics (Microsoft Clarity) on trendsurfers.io and strategy-lens.app | Anonymised session interactions; cookies _clck, _clsk et al. | Consent (6.1.a) — opt-in via cookie banner |
| Client-side error, performance, and usage telemetry (Microsoft Azure Application Insights) on strategy-lens.app | Anonymous error/exception data, Web Vitals metrics, and feature-usage events; cookieless (sessionStorage) | Consent (6.1.a) — opt-in via cookie banner |
§ 4Sub-processors
We use the following sub-processors. Each operates under a written data-processing agreement and an appropriate legal-transfer mechanism.
| Sub-processor | Role | Location |
|---|---|---|
| Lemon Squeezy LLC | Merchant of Record — payment processing, invoicing, tax collection, refund handling, license key issuance and API (activation, periodic validation, revocation enforcement), hardware fingerprint storage. Used by the desktop Software only. | USA (Standard Contractual Clauses) |
| Cloudflare, Inc. | Static website hosting (Cloudflare Pages), CDN, DDoS protection, DNS — for trendsurfers.io. | USA / EU (SCCs + Data Processing Addendum) |
| Microsoft Corporation (Azure) | Static-site and Azure Functions hosting for strategy-lens.app, including the transient TSPA decryption and CSV parsing endpoints. | EU — West Europe (Netherlands). Microsoft Online Services DPA + EU Data Boundary; no third-country transfer for hosting. |
| Microsoft Corporation (Clarity) | Opt-in behavioural analytics (heatmaps, anonymised session replays) on trendsurfers.io and strategy-lens.app. | USA — EU–US Data Privacy Framework + Standard Contractual Clauses |
| Microsoft Corporation (Azure Monitor / Application Insights) | Opt-in client-side telemetry (errors, performance, usage) for strategy-lens.app. Cookieless — sets no cookies. | EU — West Europe (Netherlands). Microsoft Online Services DPA + EU Data Boundary |
Microsoft Corporation appears multiple times because it acts as a sub-processor in several distinct roles, in different regions, under different transfer mechanisms. This list is updated whenever we add or remove a sub-processor that processes personal data.
§ 5International transfers
Some sub-processors are based outside the European Economic Area. For all such transfers we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where applicable, on adequacy decisions. Copies of the SCCs are available on request.
§ 6Retention
- strategy-lens.app uploads (TSPA, CSV) — zero retention. Processed in memory by an Azure Function (West Europe region) and discarded immediately on response. No copy is written to disk, logs, or any persistent store.
- Order & invoice data — 6 years (Spanish bookkeeping requirement, Código de Comercio Art. 30). Held by Lemon Squeezy as Merchant of Record; INFINITYDEV, S.L. retains the minimum required for tax compliance.
- License key & fingerprint — retained by Lemon Squeezy for the lifetime of the license; deletion on request, subject to the 6-year commercial-records obligation above.
- Support emails — 24 months after last contact.
§ 7Your rights
Under GDPR Articles 15–22, you have the right to:
- Access — obtain a copy of the personal data we hold about you;
- Rectification — correct inaccurate data;
- Erasure — request deletion ("right to be forgotten"), subject to legal-retention obligations;
- Restriction — limit how we process your data;
- Portability — receive your data in a structured, machine-readable format;
- Object — to processing based on legitimate interest;
- Withdraw consent — for processing based on consent, at any time, with no effect on prior processing.
To exercise any right, email legal@trendsurfers.io. We respond within one month (extendable by two months for complex requests, with notice).
§ 8Cookies & similar technologies
Cookies are set per-domain, as required by the EU ePrivacy Directive. Each TrendSurfers website maintains its own consent banner and its own cookie inventory:
- trendsurfers.io — see the trendsurfers.io Cookie Policy.
- strategy-lens.app — see the strategy-lens.app Cookie Policy.
Both sites set a strictly-necessary cookie (cc_cookie, 30 days) to remember your cookie-banner choice on that domain. If you opt in to analytics, Microsoft Clarity additionally sets _clck and _clsk as first-party cookies on the domain you visit, plus a small set of third-party cookies on clarity.ms / c.clarity.ms / c.bing.com (MR, SRM_B, ANONCHK, SM, CLID, MUID) used by Microsoft for analytics correlation. The full list — names, domains, purposes, retention — is published on each site's Cookie Policy page.
You can grant, refuse, or withdraw consent at any time using the consent banner, the Cookie Policy page on the relevant domain, or the "Manage cookie preferences" link in that site's footer. Consent is recorded per-domain — a decision on trendsurfers.io does not propagate to strategy-lens.app. Withdrawal is processed immediately: existing Clarity cookies are deleted and the active session is downgraded to no-cookie mode.
The desktop Software itself does not set cookies.
§ 9Local-first design (desktop Software)
We've designed the desktop Software (Portfolio Manager, MT Manager) so the most sensitive data stays out of our reach by default. Specifically:
- Strategies, EA parameters, and set files remain on your local disk in folders you control.
- Backtest reports are written to a folder of your choice; we don't upload them anywhere.
- MT5 login credentials are managed by MT5 itself — we don't read or store them.
- Account balances and trade data aren't transmitted; the Software doesn't connect to live broker accounts for execution.
For the analogous principles applied to strategy-lens.app — where parsing and computation happen client-side and uploads are zero-retention transient — see §2.2 above.
§ 10Security
We implement appropriate technical and organisational measures to protect personal data: TLS in transit for all API calls (via Lemon Squeezy), principle-of-least-privilege access for staff, regular dependency updates, and secrets isolated from source repositories. The Software's installer is digitally signed.
§ 11Children
The Software is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us personal data, contact us and we'll delete it.
§ 12Updates to this policy
We may update this policy. The "Effective" date at the top reflects the latest revision. Material changes will be announced on the website and, where appropriate, by email to active Licensees.
§ 13Contact & complaints
For data-protection questions or to exercise your rights:
INFINITYDEV, S.L.
Plaça Jardí Enric Morera 2, Bajos
17600 Figueres, Girona — Spain
Data-protection & GDPR rights: legal@trendsurfers.io
Legal notices (DMCA, trademark, general legal): legal@trendsurfers.io
You also have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD): www.aepd.es, C/ Jorge Juan, 6, 28001 Madrid.
§ 14AI Features — data flows
The AI Features (Ralph Loop Optimizer and Optimizer Set Generator) are opt-in and disabled by default. This section describes the additional data-processing activities that occur only when the AI Features are enabled.
14.1 What is transmitted to Anthropic
When the AI Features are active, the Software invokes the Anthropic Claude Code CLI ("Claude Code") installed on your machine. Claude Code transmits content to Anthropic's servers to generate AI responses. The content of these prompts includes:
- EA parameter names and values from the .set files you load into the tool;
- Backtest performance metrics extracted from the HTML backtest reports you provide (profit, drawdown, number of trades, recovery factor, etc.);
- Optimization context such as the symbol, timeframe, and iteration history used to guide the AI's suggestions;
- Generated .set file contents from prior iterations, passed back to Claude Code as context.
This data flows directly between Claude Code (running on your machine) and Anthropic's servers. InfinityDev SL does not intercept, log, or receive copies of these prompts or responses. InfinityDev SL has no visibility into what is transmitted during AI Feature sessions.
Your use of Claude Code is subject to Anthropic's Terms of Service and Privacy Policy. You should review Anthropic's data-retention and training policies before enabling AI Features, particularly if your backtest data is confidential or proprietary.
14.2 What stays local
The following data is never transmitted by the Software to InfinityDev SL or to Anthropic (except as you explicitly include in files passed to Claude Code):
- MT5 login credentials, broker account details, and live-account data;
- Portfolio artifact (.tspa) files or calibration data;
- HTML backtest reports not explicitly loaded into an AI Features session;
- Your Anthropic API key — stored locally, AES-256 encrypted, never transmitted by the Software itself (Claude Code uses it directly via its own authentication mechanism).
14.3 Sub-processor for AI Features
| Sub-processor | Role | Location |
|---|---|---|
| Anthropic, PBC | AI inference provider — receives Claude Code prompts containing strategy data and returns parameter suggestions; operates independently of InfinityDev SL | USA (Standard Contractual Clauses where applicable) |
Anthropic, PBC operates Claude Code under its own Terms of Service and Privacy Policy. InfinityDev SL has no data-processing agreement with Anthropic for data transmitted by end users through Claude Code; such data is processed under the contractual relationship between you and Anthropic established when you create your Anthropic account.
14.4 Disabling AI Features
You can disable AI Features at any time in Settings. When disabled, no data is transmitted to Anthropic. Disabling AI Features does not affect any other part of the Software or your license.