Privacy Policy
Mantis Strategies B.V. ("Mantis")
Last updated: 7 June 2026
1. Introduction
Mantis Strategies B.V. ("Mantis", "we", "us", or "our"), a company registered in the Netherlands, operates the Mantis trading intelligence platform, including the web dashboard and mobile application (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Service.
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use the Service.
This policy is designed to comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Dutch data protection laws.
2. Data Controller
The data controller for the purposes of GDPR is:
Mantis Strategies B.V.
Email: privacy@mantisstrat.com
3. Information We Collect
3.1 Account Information
- Registration data: First name, last name, email address, date of birth (required for age verification — minimum 18 years)
- Authentication credentials: A salted, hashed password (we never store, log, or transmit plaintext passwords) or Google account identifier (for Google Sign-In users)
- Google Sign-In data: Google account identifier, email, and name — received as part of the Google Sign-In flow. We do not receive or store your Google password
- Organization and billing data: Organization name, subscription tier (Free/Essential/Pro), and a payment-processor customer reference
3.2 Trading and Usage Data
- Trade journal entries: Trades, positions, entry/exit prices, P&L calculations, notes, and trade theses you create
- Watchlists and labels: Symbols you track, custom watchlist names, and label metadata
- Signal Scorecard history: Per-symbol scorecard snapshots (composite score, per-signal readings, timestamp) saved when you trigger or view a scorecard. Snapshots created before historical feature changes are retained for continuity of your own history.
- Imported broker data: When you import a broker CSV (Essential tier and above), we parse the file on our infrastructure to extract trades and exits in a normalised form, with no broker-specific identifiers such as full account numbers retained. A short-lived preview is held while you review the import before confirming. The original CSV file contents are not persisted — only the parsed trade records are stored, under your account, in the same place as trades you log manually. We retain a metadata-only audit log entry per import event (broker name, row count, timestamp, success/fail status, and the parsed trades that were committed) for operational and compliance purposes. You can revert any past import via the import history screen, which deletes every trade and exit that originated from that import session.
- Portfolio data: Risk settings, position sizes, account configurations you input
- Feature usage: Pages visited, tools used, and interaction patterns within the Service
3.3 Technical Data
- Device information (operating system, app version, screen dimensions)
- IP address and approximate geolocation (country/region level)
- Browser or app user agent string
- Short-lived session tokens (rotated regularly)
3.4 Financial Market Data
- Market data requests: Symbols searched, instruments viewed, historical data retrieved
- This data is used to fulfill your requests and is not shared with third parties in a personally identifiable manner
3.5 Biometric Data (Mobile Only)
- When you enable biometric lock, the Service uses your device's native biometric authentication. Biometric data never leaves your device — we only receive a pass/fail result from the operating system. We do not collect, transmit, or store any biometric templates or fingerprint data.
3.6 Payment Information
Payments are processed exclusively by Stripe, Inc. We do not store your credit card number, bank account details, or full payment information. We store only a payment-processor customer reference and subscription metadata. Stripe's privacy policy governs their handling of your payment information: https://stripe.com/privacy
4. Legal Basis for Processing (GDPR Article 6)
We process your personal data under the following legal bases:
| Data Category | Legal Basis | Purpose |
|---|---|---|
| Account information | Contract performance (Art. 6(1)(b)) | Necessary to create and maintain your account |
| Trade and portfolio data | Contract performance (Art. 6(1)(b)) | Core functionality of the Service |
| Payment data | Contract performance (Art. 6(1)(b)) | Processing subscriptions |
| Usage analytics | Legitimate interest (Art. 6(1)(f)) | Improving the Service, detecting abuse |
| Security logs | Legitimate interest (Art. 6(1)(f)) | Fraud prevention, security monitoring |
| Marketing communications | Consent (Art. 6(1)(a)) | Only if you opt in (we do not currently send marketing emails) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) | Tax reporting, law enforcement requests |
5. How We Use Your Information
- To provide, maintain, and improve the Service
- To process transactions and manage your subscription
- To generate signal scorecards, screener results, and other analytics based on market data
- To authenticate your identity and secure your account
- To send service-related notifications (account, billing, security alerts)
- To detect and prevent fraud, abuse, and security incidents
- To comply with legal obligations and enforce our Terms of Service
- To respond to your support requests
6. Data Storage and Security
6.1 Infrastructure
Your data is hosted on enterprise-grade cloud infrastructure within the European Union. We apply a defence-in-depth approach to security, including:
- Encryption at rest using customer-managed encryption keys with regular automatic rotation
- Encryption in transit using modern transport-layer encryption for all client and internal connections
- Short-lived session tokens with rotation and revocation on sign-out, password change, or account deletion
- Optional biometric lock on mobile, using your device's native authentication (biometric data never leaves your device)
- Strict access controls for our infrastructure, applied on a least-privilege basis and audited
- Production databases isolated on private networks and accessible only over encrypted connections, with regular automated backups
We continuously review and update our security controls. We do not publish further details of our infrastructure design, configuration, or supplier identities in this document, because doing so would materially assist anyone attempting to target the Service. A current list of our processors and sub-processors is available to data subjects on written request to privacy@mantisstrat.com, subject to reasonable verification of identity.
6.2 Password Security
Passwords are hashed using industry-standard cryptographic hashing functions with a per-user salt before storage. We never store, log, or transmit plaintext passwords. Users who authenticate exclusively via Google Sign-In do not have a password stored with us.
6.3 Token Security (Mobile)
On mobile devices, authentication tokens are held in your device's native hardware-backed secure storage (the operating system's encrypted credential store). They are bound to your install of the app and are cleared on sign-out and on account deletion.
7. Data Sharing and Third Parties
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
We share data with the following categories of third-party service providers, solely to operate the Service:
| Category | Purpose | Data Shared |
|---|---|---|
| Cloud infrastructure provider | Hosting, compute, storage, database | All Service data (encrypted at rest, EU region) |
| Stripe, Inc. | Payment processing | Email, name, billing address, payment method |
| Google Sign-In | Authentication | Identity assertion (during sign-in only) |
| Market data providers | Quotes, fundamentals, options chain, ETF data | Symbol lookups only — no personal data |
| Financial identifier registry | Identifier-to-ticker resolution | Financial identifiers only — no personal data |
| AI / LLM providers | Transcript summary, strategy analysis | Anonymous text payloads — no persistent storage by vendor |
The specific identities of our processors and sub-processors are not published here. A current list is available to data subjects on written request to privacy@mantisstrat.com.
We may also disclose information if required by law, court order, regulatory request, or governmental regulation applicable in the Netherlands or the EU.
8. International Data Transfers
Your data is primarily stored within the European Union. Where personal data is processed by sub-processors outside the EU (for example, to support payment processing or authentication), such transfers are governed by appropriate safeguards under GDPR Chapter V, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with our processors and sub-processors
- Supplementary technical and organisational measures where required (such as encryption in transit and at rest)
9. Your Rights Under GDPR
Under the General Data Protection Regulation, you have the following rights:
- Right of access (Art. 15): Request a copy of the personal data we hold about you
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data
- Right to erasure (Art. 17): Request deletion of your account and all associated personal data
- Right to data portability (Art. 20): Request your data in a structured, machine-readable format (JSON)
- Right to restriction (Art. 18): Request that we restrict processing of your data in certain circumstances
- Right to object (Art. 21): Object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent, withdraw it at any time
- Right to lodge a complaint: File a complaint with the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) at https://autoriteitpersoonsgegevens.nl
To exercise any of these rights, contact us at privacy@mantisstrat.com. We will respond within 30 days as required by GDPR.
9.1 Account Deletion
You can delete your account directly from the Settings screen in the mobile app or by contacting us. Account deletion:
- Permanently removes all personal data, trade history, watchlists, theses, and predictions
- Revokes the Google Sign-In grant (if applicable)
- Cancels any active subscription
- Is completed within 30 days of the request
- May leave anonymized, aggregated analytics data in place (this data cannot identify you)
10. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Lifetime of the account |
| Trade history, predictions, theses | Lifetime of the account |
| Authentication logs | 90 days |
| Billing records | 7 years (Dutch tax obligation) |
| Anonymized analytics | Indefinite |
Upon account deletion, personal data is removed within 30 days. Billing records required for tax compliance are retained for the statutory period with access restricted to authorized personnel.
11. Cookies and Local Storage
11.1 Web Dashboard
The web dashboard uses your browser's local storage to persist:
- Your signed-in session
- Theme preference (dark/light mode)
- Layout and interface preferences
We do not use third-party tracking cookies, advertising cookies, or analytics cookies.
11.2 Mobile App
The mobile app uses:
- Your device's native secure credential store for sign-in tokens
- Local on-device storage for your preferences (theme, settings)
- No cookies or web-based tracking
12. Children's Privacy
The Service is not intended for individuals under the age of 18. We enforce a minimum age of 18 at registration (date of birth verification). We do not knowingly collect personal information from children. If we learn that we have collected data from a person under 18, we will delete it promptly.
13. Automated Decision-Making
The Service includes ML-powered features (predictions, screeners, sentiment analysis) that use automated processing of market data. These automated systems:
- Process market data only (not your personal data) to generate predictions
- Do not make decisions that produce legal or similarly significant effects on you
- Are provided for informational and educational purposes only
- Do not restrict your access to or use of the Service
14. Data Breach Notification
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will:
- Notify the Autoriteit Persoonsgegevens within 72 hours (GDPR Art. 33)
- Notify affected users without undue delay (GDPR Art. 34)
- Document the breach, its effects, and remedial actions taken
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy in the app
- Updating the "Last updated" date at the top of this document
- Sending an email notification for significant changes
Your continued use of the Service after changes constitutes acceptance of the modified policy.
16. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data protection rights:
Mantis Strategies B.V.
Email: privacy@mantisstrat.com
For data protection complaints, you may also contact the Dutch Data Protection Authority:
Autoriteit Persoonsgegevens
Website: https://autoriteitpersoonsgegevens.nl