Last updated: March 2026
This Privacy Policy explains how PropGate ("we", "us", "our") collects, uses, processes, stores, and protects your personal data when you access or use our platform ("Platform"). We are committed to safeguarding your privacy and processing your personal data in full compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Polish Act on Personal Data Protection of 10 May 2018, and all other applicable data protection laws and regulations. By using the Platform, you acknowledge that you have read and understood this Privacy Policy. We encourage you to read this Policy carefully and contact us if you have any questions.
PropGate is the data controller responsible for determining the purposes and means of processing your personal data within the meaning of Article 4(7) of the GDPR. This means we are accountable for how your personal data is collected, used, and protected. For any privacy-related inquiries, requests to exercise your data protection rights, or concerns about our data processing practices, please contact our data protection team at: [email protected]. We are committed to responding to all privacy-related communications promptly and thoroughly.
We collect and process the following categories of personal data: (a) Account Information: full name, email address, cryptographic password hash, account creation date, language preferences, and account status. (b) Payment Information: payment transaction identifiers, payment method type, billing details, and transaction history. Credit and debit card details are processed directly by Stripe (PCI DSS Level 1 compliant) and are never stored on PropGate's servers. (c) Cryptocurrency Payment Data: cryptocurrency wallet addresses used for payments, transaction hashes, payment amounts, and associated blockchain data. Wallet addresses are stored in encrypted form. (d) Trading Account Credentials: login credentials for third-party prop trading firm accounts, encrypted at rest using AES-256-GCM encryption with unique per-record initialization vectors. These credentials are only decrypted when operationally necessary and are never stored in plaintext. (e) Usage Data: pages visited, features accessed, actions performed on the Platform, session duration, click patterns, and user preferences. (f) Technical Data: IP address, browser type and version, operating system, device type, screen resolution, timezone, and referring URL. (g) Communication Data: content of support tickets, email correspondence, and any other communications with PropGate.
We process your personal data for specific, explicit, and legitimate purposes. Each processing activity is grounded in a specific legal basis under Article 6(1) of the GDPR: (a) Providing Platform services, managing your account, and processing transactions - Legal basis: Performance of a contract (Article 6(1)(b)). (b) Processing entry fee and success fee payments via Stripe and NOWPayments - Legal basis: Performance of a contract (Article 6(1)(b)). (c) Communicating with you about your account status, service updates, and transactional notifications - Legal basis: Performance of a contract (Article 6(1)(b)) and Legitimate interest (Article 6(1)(f)). (d) Monitoring trading account performance and risk management - Legal basis: Performance of a contract (Article 6(1)(b)). (e) Improving Platform functionality, user experience, and service quality - Legal basis: Legitimate interest (Article 6(1)(f)). Our legitimate interest is to continuously improve our services. (f) Ensuring Platform security, preventing fraud, and detecting unauthorized access - Legal basis: Legitimate interest (Article 6(1)(f)). Our legitimate interest is to protect our Platform and users. (g) Complying with legal, regulatory, tax, and accounting obligations - Legal basis: Legal obligation (Article 6(1)(c)). (h) Sending marketing communications about PropGate services - Legal basis: Consent (Article 6(1)(a)). You may withdraw consent at any time. (i) Measuring advertising campaign effectiveness through conversion tracking - Legal basis: Legitimate interest (Article 6(1)(f)). Our legitimate interest is to evaluate and optimize our marketing efforts. Where we rely on legitimate interest as a legal basis, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms.
Your personal data is stored on secure servers located within the European Union. We implement comprehensive technical and organizational security measures to protect your data against unauthorized access, alteration, disclosure, or destruction, including: (a) AES-256-GCM encryption for all sensitive credentials (trading account passwords, cryptocurrency wallet addresses) with unique initialization vectors per record; (b) SSL/TLS encryption (TLS 1.2 or higher) for all data transmitted between your browser and our servers; (c) Cryptographic hashing (bcrypt) for user passwords - we never store passwords in plaintext; (d) Regular security audits, vulnerability assessments, and penetration testing; (e) Strict access controls with role-based permissions and the principle of least privilege; (f) Database encryption at rest for all stored data; (g) Automated monitoring and alerting systems for detecting suspicious activity; (h) Regular backups with encrypted storage. While we implement industry-standard security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but commit to promptly addressing any security incidents in accordance with our obligations under the GDPR.
We retain your personal data in accordance with the following principles: (a) Active accounts: Your data is retained for as long as your account remains active and is necessary to provide our services. (b) Post-closure retention: After account closure or termination, we retain your personal data for a period of 5 (five) years to comply with legal and regulatory obligations, including tax and accounting requirements (Polish Accounting Act), anti-money laundering regulations, fraud prevention purposes, and the statute of limitations for potential legal claims. (c) Success fee records: Financial records related to success fee calculations and payments are retained for the minimum period required by applicable tax and accounting laws. (d) Communication data: Support tickets and correspondence are retained for 3 (three) years after resolution for quality assurance and dispute resolution purposes. (e) Anonymous and aggregated data: Data that has been irreversibly anonymized or aggregated (so that it can no longer identify any individual) may be retained indefinitely for statistical and analytical purposes. Upon expiration of the applicable retention period, personal data is securely deleted or irreversibly anonymized using industry-standard methods.
Under the General Data Protection Regulation, you have the following rights regarding your personal data: (a) Right of Access (Article 15) - You have the right to obtain confirmation of whether we process your personal data and to request a copy of that data, along with information about the purposes and methods of processing. (b) Right to Rectification (Article 16) - You have the right to request correction of inaccurate personal data or completion of incomplete data without undue delay. (c) Right to Erasure (Article 17) - You have the right to request deletion of your personal data where the data is no longer necessary for the purposes for which it was collected, or you withdraw consent. This right is subject to legal retention requirements. (d) Right to Restriction of Processing (Article 18) - You have the right to request that we limit the processing of your data in certain circumstances, such as when you contest the accuracy of the data. (e) Right to Data Portability (Article 20) - You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller. (f) Right to Object (Article 21) - You have the right to object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests. (g) Right to Withdraw Consent (Article 7(3)) - Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing performed prior to withdrawal. To exercise any of these rights, please contact us at [email protected] with a clear description of your request. We will verify your identity and respond within 30 (thirty) calendar days. In complex cases, this period may be extended by an additional 60 days, of which we will inform you within the initial 30-day period. 
The exercise of these rights is free of charge, except in cases of manifestly unfounded or excessive requests.
The Platform uses the following categories of data collection technologies:
ESSENTIAL COOKIES: The Platform uses only essential cookies that are strictly necessary for its operation: (a) Authentication cookies — to maintain your logged-in session securely; (b) Session management cookies — to ensure proper Platform functionality during your visit; (c) Language preference cookies — to remember your selected language (Polish or English). No cookie consent is required for strictly necessary cookies under the GDPR and the ePrivacy Directive, as these cookies are essential for providing the service you have requested.
ANALYTICS: We use Plausible Analytics, a privacy-focused web analytics service that does not use cookies, does not collect personal data, and does not track users across websites. Plausible Analytics is fully GDPR compliant and provides only aggregate, anonymized website usage statistics. No consent is required for Plausible Analytics as it does not process personal data.
ADVERTISING CONVERSION TRACKING: When you visit our website, we may load the X (Twitter) conversion tracking pixel to measure the effectiveness of our advertising campaigns on the X platform. This pixel may collect data such as your IP address, browser information, and the pages you visit. This data is processed by X Corp in accordance with X's Privacy Policy. The X pixel is loaded only in the production environment.
We do NOT use: behavioral tracking cookies for profiling purposes, third-party advertising cookies for cross-site tracking, or any data collection technologies beyond those described above.
We engage the following third-party processors to provide our services, each bound by GDPR-compliant Data Processing Agreements (DPAs) where applicable: (a) Stripe, Inc. (United States) — Payment processing for credit and debit card transactions. Stripe is PCI DSS Level 1 certified. Data transfers to the US are governed by Standard Contractual Clauses (SCCs) approved by the European Commission. (b) Resend, Inc. (United States) — Transactional email delivery (account notifications, invoices, password resets). Data transfers to the US are governed by Standard Contractual Clauses. (c) NOWPayments (cryptocurrency payment processing) — Processing of BTC, ETH, and USDT payments. Transaction data is shared as necessary to complete payment processing. (d) Plausible Analytics (European Union) — Privacy-focused web analytics. Plausible does not collect personal data, does not use cookies, and processes only aggregate anonymized statistics. All data is processed within the EU. (e) X Corp (United States) — Conversion tracking pixel for measuring advertising campaign effectiveness. Data processed includes technical data (IP address, browser type) for visitors to our website. Data transfers to the US are subject to X Corp's data processing terms. (f) Hosting and infrastructure providers (European Union) — Server hosting, database management, and content delivery within the EU. We do NOT sell, rent, trade, or otherwise commercially transfer your personal data to any third party. Data is shared with processors only to the extent strictly necessary to provide the services described in this Privacy Policy.
Your personal data is primarily processed and stored within the European Union. Where it is necessary to transfer personal data outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR: (a) Standard Contractual Clauses (SCCs) - We use the European Commission-approved Standard Contractual Clauses for transfers to Stripe and Resend in the United States. (b) Adequacy Decisions - Where available, we rely on European Commission adequacy decisions confirming that the recipient country ensures an adequate level of data protection. (c) Supplementary Measures - Where required, we implement additional technical and organizational measures (such as encryption) to ensure the security of transferred data. We regularly assess the data protection landscape in recipient countries to ensure continued adequacy of protection. You may request information about the specific safeguards applied to your data by contacting [email protected].
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, PropGate will: (a) notify the competent supervisory authority (UODO - Urząd Ochrony Danych Osobowych) without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, in accordance with Article 33 of the GDPR; (b) notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with Article 34 of the GDPR. Such notification will include: the nature of the personal data breach, the likely consequences of the breach, the measures taken or proposed to address and mitigate the breach, and contact details for obtaining further information. We maintain documented internal procedures for detecting, reporting, and investigating personal data breaches.
PropGate may use automated systems for certain operational processes, including: (a) Risk monitoring and anomaly detection for trading accounts, which may flag unusual trading activity or potential risk threshold breaches; (b) Automated fraud detection systems that analyze transaction patterns and account behavior. In accordance with Article 22 of the GDPR, we inform you that these automated processes may influence decisions related to your account, such as risk alerts or security flags. However, no solely automated decision that produces legal effects or significantly affects you will be made without human review and oversight. You have the right to: obtain human intervention in automated decision-making processes, express your point of view regarding any automated decision, and contest any decision made through automated processing. To exercise these rights, contact us at [email protected].
The Platform is intended exclusively for individuals aged 18 years and older. We do not knowingly collect, process, or store personal data from individuals under 18 years of age. If we become aware that we have inadvertently collected personal data from a minor, we will take immediate steps to delete such data from our systems and terminate any associated account. If you believe that a minor has provided personal data to PropGate, please contact us immediately at [email protected] so that we can take appropriate action.
We may update this Privacy Policy from time to time to reflect changes in our data processing practices, applicable laws, or regulatory requirements. For material changes that significantly affect how we process your personal data, we will provide notification via email to the address associated with your account or through a prominent notice on the Platform at least 14 days before the changes take effect. The "Last updated" date at the top of this Policy indicates the date of the most recent revision. We encourage you to review this Privacy Policy periodically to stay informed about our data protection practices.
For any questions regarding this Privacy Policy, to exercise your data protection rights, or to raise concerns about our data processing practices, please contact us at: [email protected]. We are committed to resolving all privacy-related matters promptly and thoroughly. If you believe that your data protection rights have been violated or that our processing of your personal data does not comply with the GDPR, you have the right to lodge a complaint with the Polish supervisory authority: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, Poland, www.uodo.gov.pl. You also have the right to lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.