1. Identity of the data controller
The controller of the personal data collected through this website and the NivelixPro platform (the "Platform") is:
NivelixPro LLC, a company incorporated under the laws of the State of Florida (United States), with its registered office at 407 Lincoln Road, Suite 708, Miami Beach, FL 33139, USA.
For any question relating to this policy or to the processing of your data, you may contact us at info@nivelixpro.com.
2. Scope
This policy applies to all personal data we collect when you visit our website, register on the Platform, subscribe to a plan or interact with any of our support channels.
If you are resident in the European Economic Area, the rights set out in Regulation (EU) 2016/679 (GDPR) also apply. If you reside in California (USA), the rights granted by the California Consumer Privacy Act (CCPA) as amended by the CPRA apply. Other US state privacy laws (such as the Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA or Texas TDPSA) may also apply depending on your state of residence.
3. Personal data we process
We collect only the data strictly necessary to deliver the service. Specifically:
- Account data: email address, password (stored solely as a bcrypt hash, never in plain text), preferred language, account creation date and subscription plan.
- Technical identification data: IP address, browser type, operating system, session identifier and time zone. Used for authentication, fraud prevention and diagnostics.
- Payment data: all payments are processed by Stripe Payments Europe Ltd. and third-party crypto gateways. NivelixPro does not store or have access to the card number, CVV or IBAN. We only retain the internal transaction identifier, amount, currency, date and the last four digits of the card when Stripe provides them for reconciliation purposes.
- Trading configuration: traded pairs, bot parameters, DCA plans, exchange API keys (stored encrypted at rest using AES-256-CBC and never requested with withdrawal permissions), order history and closed deals.
- Product usage data: aggregated analytics events (clicks, navigation, errors), masked session recordings via Microsoft Clarity ("Balanced" masking mode: password fields and sensitive content are hidden automatically) and performance metrics.
- Communications: support tickets opened from the panel, email conversations and, where the user expressly opts in, notifications linked to their Telegram account (chat ID).
- Referral program data: within the referral program we store the amount credited to the referrer as virtual balance (SVR), without exposing referred-user data beyond the internal identifier required for traceability.
4. Purposes of processing
We process your personal data for the following purposes:
- To create and manage your user account, authenticate you and securely maintain your session.
- To deliver the contracted service: executing the orders triggered by your bots on connected exchanges through your own API keys, displaying historical performance and allowing you to amend the configuration.
- To process subscription payments and issue the corresponding receipts.
- To handle your queries, incidents and technical support requests.
- To detect and prevent fraud, service abuse, undue account sharing and security breaches.
- To comply with our legal, accounting and tax obligations (in particular those arising under Florida and US federal law).
- To send you operational communications related to your account (bot status changes, security alerts, subscription renewals, service updates).
- To improve the product through aggregated analytics and, where applicable, masked session recordings that help us identify usability issues without exposing sensitive personal information.
5. Lawful bases
The processing of your data is based on one of the following lawful bases under Article 6 GDPR:
- Performance of a contract (Art. 6(1)(b)): processing is necessary to deliver the service you contracted by registering and accepting the Terms.
- Legal obligation (Art. 6(1)(c)): retention of accounting, tax and anti-fraud records as required by applicable law.
- Legitimate interest (Art. 6(1)(f)): maintaining the security of the Platform, preventing abuse, continuous product improvement and operational communications strictly connected to the service. In each case we have performed a balancing test that gives precedence to user rights.
- Consent (Art. 6(1)(a)): for optional purposes such as receiving Telegram notifications, activating non-essential analytics cookies or, where applicable, receiving marketing communications. You may withdraw your consent at any time without affecting the lawfulness of prior processing.
6. Retention periods
We retain your personal data only for as long as is necessary to fulfill the purposes for which it was collected:
- Account data and bot configurations are retained while your account remains active. If you cancel your account, we erase operational data within a maximum of 30 days, except for records that the law requires us to keep.
- Billing data is retained for the statutory period (up to six years under US tax law and, where applicable, up to ten years under EU anti-money-laundering rules).
- Technical logs and security records are retained for a maximum of 12 months.
- Masked session recordings via Microsoft Clarity are automatically retained for 30 days and then deleted.
- Encrypted backups stored on Backblaze B2 follow a rotation policy: daily for 24 hours, weekly for 7 days and monthly for 4 weeks.
7. Recipients and processors
In order to deliver the service we rely on the following technology providers, all of which are bound by data processing agreements and, where applicable, by Standard Contractual Clauses:
- Stripe Payments Europe Ltd. (Ireland) — card payment gateway. Processing in accordance with its privacy policy available at stripe.com/privacy.
- Microsoft Clarity (Microsoft Corporation, USA) — aggregated behavior analytics and masked session recordings. Deferred loading that protects web performance.
- Hetzner Online GmbH (Germany) — primary server and infrastructure hosting. Data stored within the European Union.
- Backblaze, Inc. (USA) — encrypted backup storage (AES-256 encryption applied before upload).
- Resend, Inc. (USA) — sending of transactional emails (verification, password reset, alerts).
- Zoho Corporation (account hosted in Zoho's European region) — hosting of the info@nivelixpro.com mailbox.
- Telegram FZ-LLC (United Arab Emirates) — only if you enable Telegram notifications, the chat ID and message content are forwarded to its API.
- Exchanges connected by the user (Binance, KuCoin, Bybit, OKX, MEXC and others) — they receive the orders and balance requests generated by the Platform using the API keys you have entered yourself. NivelixPro acts solely as a technical intermediary; the agreement and the processing of your data by the exchange are governed by the terms you accepted with them.
8. International transfers
As NivelixPro LLC is a US entity, part of the processing takes place outside the European Economic Area. In particular, account and billing data may be processed on servers located in the United States.
To ensure a level of protection equivalent to that required by the GDPR, we have signed the Standard Contractual Clauses approved by the European Commission in 2021 with all our US processors and apply additional technical measures (encryption at rest, encryption in transit and minimization of the transferred data). Several of our providers are also certified under the EU-US Data Privacy Framework.
9. Your rights
As the owner of the personal data, you have the following rights:
- Access: to know which personal data we process about you.
- Rectification: to request correction of inaccurate or incomplete data.
- Erasure ("right to be forgotten"): to request deletion of your data where it is no longer necessary for the purpose it was collected, unless there is a legal obligation to retain it.
- Objection: to object to processing based on legitimate interest where grounds related to your particular situation apply.
- Restriction: to request the temporary restriction of processing while the accuracy of the data is verified or an objection is resolved.
- Portability: to receive your data in a structured, machine-readable format (JSON) and transmit it to another controller.
- Withdrawal of consent: to withdraw any consent given for specific purposes (Telegram, marketing communications, non-essential cookies) at any time.
- Complaint to the supervisory authority: if you believe that the processing infringes the law, you may lodge a complaint with the supervisory authority of your country of residence, with the Federal Trade Commission (FTC) at ftc.gov where US privacy law applies, or with the Spanish Data Protection Agency (aepd.es) or other competent European authority where the GDPR applies.
10. How to exercise your rights
To exercise any of the rights described above, send an email to info@nivelixpro.com clearly stating which right you wish to exercise and attaching a copy of a document evidencing your identity.
We will respond within a maximum of one month from receipt of your request, extendable by two further months for particularly complex requests, in which case we will inform you by email. Exercising your rights is free of charge, save for manifestly unfounded or excessive requests.
11. Information security
We apply reasonable technical and organizational measures to ensure a level of security appropriate to the risk, aligned with reference frameworks such as ISO 27001 and the NIST Cybersecurity Framework controls. These include:
- Encryption in transit via TLS 1.3 with HSTS preload.
- Encryption at rest of exchange API keys via AES-256-CBC with a rotatable master key.
- Storage of passwords solely as a bcrypt hash with a configurable cost factor.
- JWT session tokens with expiration and httpOnly cookies to limit the impact of XSS.
- Internal IP blocking system against brute-force attempts (banManager).
- Continuous audit of administrative actions and traceability through immutable logs.
- Encrypted off-site backups with daily, weekly and monthly rotation.
- Least-privilege policy for internal accesses and immediate revocation when a person no longer needs access to a system.
12. Cookies and similar technologies
We use strictly necessary cookies for the operation of the session (authentication and language preferences), as well as deferred-loading analytics cookies operated by Microsoft Clarity.
Full details are set out in our Cookies Policy. You may manage your preferences at any time from your browser settings.
13. Minors
The Platform is intended exclusively for users aged 18 or over. We do not knowingly collect personal data from minors. If you become aware that a minor has provided personal data to NivelixPro, please contact us and we will proceed to delete it immediately.
14. California residents (CCPA / CPRA)
If you reside in California, you have additional rights under the CCPA and the CPRA, in particular:
- To know the categories of personal information we collect, the sources and the purposes.
- To request the deletion of your personal information subject to statutory exceptions.
- To request the correction of inaccurate personal information.
- To limit the use and disclosure of sensitive personal information.
- Not to be subject to discrimination for exercising your rights.
15. We do not sell your personal information
NivelixPro does not sell users' personal information within the meaning of the CCPA nor does it disclose it to third parties for cross-context behavioral advertising. The only data disclosures to third parties are those described in section 7, all of which are necessary to deliver the service.
16. Changes to this policy
We may update this Privacy Policy to reflect legal changes or service improvements. We will always publish the prevailing version at https://nivelixpro.com/legal/privacy indicating the date of the last revision. If the changes are substantial, we will notify the user by email at least 30 days before they take effect.
17. Contact
For any matter relating to this policy or to the processing of your personal data you may contact us at:
NivelixPro LLC
407 Lincoln Road, Suite 708, Miami Beach, FL 33139, USA
Email: info@nivelixpro.com