Privacy Policy — Smart Scalping Life

Smart Scalping Life (scalping.life) Last updated: 1 May 2026 Effective from: 1 May 2026

Introduction

This Privacy Policy (the "Policy") describes how Smart Scalping Life / ARTIO SSL (the "Operator", "we", "us", "data controller") collects, uses, stores, transfers and protects the personal data of users of the platform located at https://scalping.life (the "Platform", the "Services").

The Platform operates and is provided under the trade names "Smart Scalping Life" and "ARTIO SSL" (see Terms of Use §1, §2).

This Policy has been prepared having regard to the requirements of:

Regulation (EU) 2016/679 — the General Data Protection Regulation (GDPR);
the California Consumer Privacy Act (CCPA), where applicable;
the United Kingdom Data Protection Act 2018 (UK Data Protection Act / UK GDPR);
other applicable personal-data protection laws.

By using the Services, you confirm that you have read and understood this Policy.

1. Identity of the data controller

1.1. The data controller, within the meaning of GDPR Art. 4(7), is the Operator of the Platform, acting under the trade names "Smart Scalping Life" and "ARTIO SSL".

1.2. Disclosure of the controller's identity. In accordance with GDPR Art. 13/14, the Operator's identification details (full legal name, country of tax residence, taxpayer identification number, contact postal address) are disclosed:

(a) to verified registered users — within the user dashboard following completion of identity verification (KYC), in connection with the first Payout request, when filing any formal complaint, and in any official correspondence; (b) to any data subject — upon a request sent to legal@scalping.life with the subject "Controller Identity Request", processed within a reasonable period (ordinarily up to five (5) business days from receipt); (c) to competent supervisory or law-enforcement authorities — pursuant to lawful requests, without prior notice to the user.

This approach to disclosure is intended to protect the Operator (a natural person) from automated scraping and the unlawful processing of personal data. It does not limit the rights of data subjects guaranteed by GDPR.

1.3. Contact channels.

Email (privacy queries): legal@scalping.life
Email (general support): support@scalping.life
Secure web channel for GDPR requests — the "Support" section of the user dashboard
Telegram: @artio_ssl — used for general first-contact only; formal data-protection requests must be sent by email.

1.4. EU representative (GDPR Art. 27). Where Processing of Personal Data of Data Subjects in the European Economic Area is carried out at a scale or frequency that triggers the obligation under GDPR Art. 27, the Operator shall appoint an external EU representative to facilitate communication with Data Subjects and supervisory authorities. Once appointed, the identification and contact details of the EU representative shall be published in this Section and shall additionally be provided on request to legal@scalping.life with the subject "EU Representative Contact". Pending such appointment, all matters concerning Data Subjects within the EEA may be addressed to legal@scalping.life, which is monitored daily.

1.5. Data Protection Officer. A formal Data Protection Officer within the meaning of GDPR Art. 37 is appointed where Processing falls within the categories mandating such appointment. As at the date of this Policy, the Operator's Processing has been assessed and a formal DPO appointment is not mandatory; the matters that a DPO would otherwise handle are addressed by the Operator personally and may be raised by writing to legal@scalping.life with the subject "DPO Contact". Where the Operator's activity changes such that an appointment becomes mandatory, the appointment shall be made and the contact details published in this Section.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation, or set of operations, performed on Personal Data (collection, storage, use, transmission, deletion, etc.).
"Controller" means the Operator, who determines the purposes and means of Processing.
"Processor" means a third party that processes Personal Data on behalf of the Controller.
"Data Subject" or "you" means a natural person whose Personal Data is being Processed.
"Third Party" means any person other than the Data Subject, the Controller and the Processor.
"Consent" means a freely given, informed, specific and unambiguous statement of will of the Data Subject.

3. Categories of data that we collect

3.1. Account data (via Google OAuth)

When you register via Google OAuth, we receive the following from Google:

email address;
full name (as set in your Google account);
profile-picture URL;
Google account identifier (used solely for authentication).

We do not receive or store the password of your Google account. Authentication is handled in full by Google.

3.2. User profile

After registration, you may add or amend:

nickname / display name;
trader tagline;
notification preferences;
preferred time zone and currencies;
terminal, chart and indicator settings;
personal Risk Matrix and Fibonacci presets.

3.3. Platform activity data

In the course of using the Services we collect:

subscription plan and Subscription history;
crypto-payment history (USDT/USDC transaction hashes, BEP-20/ERC-20 networks, USD amounts);
participation in Prop Challenges (status, progress, simulated-trading metrics);
participation in Custom Pools (role, stakes, results);
Trade Journal entries (trades, tags, emotions, notes — where you make them);
features used and pages visited (for Service improvement);
notification and alert preferences;
log of Marketplace product downloads.

3.4. Technical data

Each time you access the Services, the following data is collected automatically:

IP address and approximate geographic region;
browser type, version and language;
device type, screen resolution, operating system;
session timestamps and duration;
referrer URL;
technical identifiers (session ID, CSRF token).

3.5. Exchange API keys (optional, where copy trading is used)

If you use the copy-trading feature, we receive:

the API key and secret of a compatible cryptocurrency exchange (the current list is available in the user dashboard) — in encrypted form;
the exchange-account identifier — for compliance purposes and to detect duplicate participation;
the exchange environment label;
copy-trading settings (risk %, limits).

API keys are stored in encrypted form using contemporary industry-standard encryption. Decryption occurs only at the moment a trading order is executed.

3.6. Telegram data (optional)

If you connect Telegram notifications, we receive:

Telegram chat ID (numeric);
a one-off binding token used to link the chat to your Account;
notification preferences (types, frequency).

We do not store your Telegram username, profile photo or any other profile data.

3.7. KYC data (only where Payout thresholds are met)

In connection with a request for a Performance Reward that exceeds the threshold set out in the KYC/AML Policy, we may request:

a scan or photograph of an identification document (passport / national ID / driving licence / residence permit);
a selfie with the document, or live video, to confirm identity;
proof of address (utility bill, bank statement — not older than three (3) months);
a declaration of the source of funds (for larger Payouts).

KYC data is processed by a certified KYC provider that meets applicable AML/CTF and data-protection requirements. The name of the provider is disclosed on request to legal@scalping.life. See also the KYC/AML Policy.

3.8. User-generated content

Where you use the public features of the Platform:

chat messages in live broadcasts (/live);
comments and public journal entries;
bug reports and screenshots submitted via the in-app reporting tool.

3.9. Cookies and similar technologies

See Section 11 of this Policy and the Cookie Policy for further detail.

4. Purposes of Processing and lawful bases

In accordance with GDPR Art. 6, we Process Personal Data on the following lawful bases:

#	Purpose	Data category	Lawful basis (Art. 6)
1	Creation and management of an Account	3.1, 3.2	(b) performance of a contract
2	Authentication and access provision	3.1, 3.4	(b) performance of a contract
3	Provision of services in line with the Subscription	3.2, 3.3	(b) performance of a contract
4	Billing and processing of crypto-payments	3.3	(b) performance of a contract + (c) legal obligation
5	Conduct of Prop Challenges and calculation of Payouts	3.3, 3.5	(b) performance of a contract
6	KYC/AML compliance	3.7	(c) legal obligation + (f) legitimate interests
7	Fraud, manipulation and multi-account detection	3.3, 3.4, 3.5	(f) legitimate interests — preserving the integrity of the Services
8	Transactional email notifications	3.1, 3.6	(b) performance of a contract
9	Marketing communications (where applicable)	3.1	(a) consent
10	Analytics and Service improvement	3.3, 3.4	(f) legitimate interests
11	Platform security and protection against attacks	3.4	(f) legitimate interests
12	Compliance with lawful requests of governmental authorities	All	(c) legal obligation
13	Dispute resolution and protection of the Operator's rights	All	(f) legitimate interests

4.1. Legitimate-interests assessment. Where Processing is based on legitimate interests (Art. 6(1)(f)), we have carried out a balancing test and are satisfied that our interests are not overridden by the rights and freedoms of Data Subjects. You may object to such Processing (see Section 9.5).

4.2. Consent. Where Processing is based on consent (Art. 6(1)(a)), you may withdraw your consent at any time, without affecting the lawfulness of Processing carried out before withdrawal.

4.3. What we do not do:

we do not sell Personal Data to third parties;
we do not transfer data to advertising networks, data brokers or data aggregators;
we do not use data for targeted advertising;
we do not make solely automated decisions producing legal or similarly significant effects on you (see Section 12);
we do not profile Users for commercial purposes.

5. Third-party services (processors and recipients of data)

To deliver the Services we engage third-party services. Each acts as a Processor or as an independent Controller, depending on the role. The data shared with each is minimised to that necessary for the specific purpose.

Category of service	Purpose	Data shared	Role
Authentication provider (Google OAuth)	Account login	email, name, photo, account identifier	Controller
Cryptocurrency exchanges (for simulated trading in Challenges and for copy trading)	Challenge demo accounts; copy trading (optional)	encrypted API keys, exchange-account identifier, trading data	Controller
Transactional email-delivery provider	Sending transactional notifications	email address, notification content	Processor
Cryptocurrency payment processor (optional)	Processing of inbound stable-coin payments	wallet address, amount, transaction hash	Processor
Public block-chain explorers	Verification of crypto-payments	transaction hash (public information)	Controller
Push-notification provider (optional)	Notifying participants	channel identifier, notification text	Controller
Video platform	Live broadcasts and archives	minimal technical requests	Controller
KYC provider	Identity verification for larger Payouts	identification documents, selfie	Processor
CDN / DDoS-protection provider (where applicable)	Content protection and delivery	IP address, technical data	Processor

Identified sub-processors and recipients (named in this Policy in accordance with GDPR Art. 13(1)(e) transparency expectations):

Authentication provider: Google LLC (Google OAuth);
Public block-chain explorers (BSCScan, Etherscan and equivalents) — used solely for the verification of crypto-payment transaction hashes (publicly available on-chain information);
Video platform: YouTube (Google LLC) — used for live broadcasts and archives.

Other categories of provider (cryptocurrency exchanges, transactional email-delivery, crypto-payment processor, push notifications, KYC and CDN/DDoS protection) are engaged on the basis of category as listed in the table above. The specific names and jurisdictions of these providers — together with any change of provider — are disclosed on request to legal@scalping.life with the subject "Sub-processors List", within a reasonable period (ordinarily up to five (5) business days from receipt). The Operator undertakes to give Users no less than 14 days' prior notice of a change of any sub-processor that materially affects the Processing of their Personal Data, except where the change is required by law or operational emergency. This disclosure model is used as a defence against the automated scraping of vendor lists; it does not limit the rights of Data Subjects under GDPR.

5.1. Data Processing Agreements (DPAs). Data Processing Agreements have been entered into, or are required to be entered into, with all Processors in accordance with GDPR Art. 28.

5.2. Other disclosures. In addition to the providers listed above, we may disclose data:

(a) to law-enforcement and regulatory authorities — where lawful requests are received; (b) to professional advisers (legal, audit, tax) — under confidentiality obligations; (c) to a successor in interest — in connection with a corporate reorganisation, sale of assets or merger; (d) to protect the rights, property or safety of the Operator, our Users or the public.

6. International transfers of data

6.1. Because the Platform serves a global audience and uses global infrastructure, your data may be transferred to countries outside the European Economic Area (EEA), including the United States, the United Kingdom, countries in Asia and others.

6.2. For each such transfer we apply appropriate safeguards under GDPR Chapter V:

(a) Standard Contractual Clauses (SCCs) — for transfers to countries that are not the subject of an adequacy decision; (b) Adequacy decision — for countries recognised by the European Commission as ensuring an adequate level of protection (the United Kingdom, Switzerland, the commercial sector in Canada, etc.); (c) Supplementary technical measures — encryption, pseudonymisation, access controls.

6.3. Primary data hosting is on a private VPS within the EEA. Backups and logs may be stored in other regions, subject to the safeguards described above.

7. Data storage and retention

7.1. We retain Personal Data only for as long as is necessary to fulfil the purposes for which it was collected, or to comply with legal obligations.

Category	Retention period	Basis
Active-Account data	For the lifetime of the Account	Contractual
Data after Account deletion	Up to 30 days (then deleted / anonymised)	Backups and rollback windows
Financial records (payments, Payouts)	Up to 7 years	Legal obligation (taxation, AML)
KYC data	Up to 5 years after end of relationship	AML/CTF compliance
Email-notification logs	Up to 90 days	Operational necessity
Access logs (IP, technical)	Up to 180 days	Security
Exchange API keys	Until revoked by you or the Account is deleted	Contractual
Anonymised analytics	Indefinite	Contains no Personal Data

7.2. Erasure on request. Where you request the erasure of your data (see Section 9.3), we will erase all data that we are not required to retain by law. Data subject to mandatory retention (financial, KYC) is erased after the applicable retention periods.

7.3. Extension of retention periods. The retention periods set out in Section 7.1 may be extended only in any of the following cases:

(a) an open investigation by a law-enforcement or regulatory authority for which the data may be required; (b) a court order or other order for the preservation of data; (c) active or imminent court or arbitration proceedings in which you are a party — for the establishment, exercise or defence of legal claims (GDPR Art. 17(3)(e)); (d) mandatory requirements of applicable law (e.g. tax filings); (e) reasonable suspicion of unresolved fraud for which the data may be required as part of an investigation.

We will notify you of any extension of retention periods to the extent legally permitted (some investigations and court orders may prohibit such notification).

7.4. Backups. Backups may contain your data for up to 30 days after deletion, after which they are automatically overwritten.

8. Data security

8.1. We implement technical and organisational measures of protection commensurate with the risks:

(a) Encryption in transit — TLS over HTTPS for all connections to the Platform; (b) Encryption at rest — contemporary industry-standard algorithms for sensitive data (API keys, sensitive database fields, backups); (c) Authentication is delegated to Google OAuth — we do not store passwords; (d) Access controls — production data is accessible only to authorised administrators on a least-privilege basis; (e) Infrastructure isolation and layered perimeter security; (f) Logging and monitoring — regular security audits and monitoring of anomalous behaviour; (g) Attack mitigation — rate limiting, brute-force protection, request filtering; (h) Regular dependency updates and security patches.

The detailed architecture and specific technical stack are internal information of the Operator and are not disclosed publicly, in order to protect the Platform's perimeter.

8.2. Notification of personal-data breaches. In the event of an incident causing a breach of Personal Data security, with a risk to the rights and freedoms of Data Subjects, we will notify:

(a) the supervisory authority (where applicable) within 72 hours of becoming aware, in accordance with GDPR Art. 33; (b) affected Users without undue delay, where the risk is high, in accordance with GDPR Art. 34; (c) the notification will set out a description of the incident, the categories and approximate number of affected persons, the likely consequences and the measures taken in response.

8.3. Your responsibilities. You are responsible for:

(a) using strong, unique passwords for your Google account; (b) enabling two-factor authentication (2FA) on your Google account; (c) not sharing your credentials with any third party; (d) notifying us promptly of any suspected compromise.

9. Your rights as a Data Subject

In accordance with GDPR (and analogous laws in other jurisdictions), you have the following rights:

9.1. Right of access (Art. 15)

You have the right to obtain confirmation as to whether we Process your Personal Data, to receive a copy of that data, and to obtain information regarding the purposes of Processing, the categories of data, the recipients and the retention periods.

9.2. Right to rectification (Art. 16)

You have the right to require the rectification of inaccurate Personal Data and the completion of incomplete data.

9.3. Right to erasure (Art. 17, the "right to be forgotten")

You have the right to require the erasure of your Personal Data, including where:

the data is no longer necessary for the purposes for which it was collected;
you withdraw consent and there is no other lawful basis;
you object to Processing carried out on the basis of legitimate interests;
the data has been Processed unlawfully.

Exceptions: we will not be able to delete data where retention is required for compliance with a legal obligation, for the establishment, exercise or defence of legal claims, or for any other purpose specified in Art. 17(3).

9.4. Right to restriction of Processing (Art. 18)

You have the right to require the temporary restriction of Processing in defined circumstances (e.g. where the accuracy of the data is contested).

9.5. Right to object (Art. 21)

You have the right at any time to object to the Processing of your data on the basis of legitimate interests (Art. 6(1)(f)) or for direct marketing.

9.6. Right to data portability (Art. 20)

You have the right to receive your data in a structured, commonly used, machine-readable format (e.g. JSON or CSV) and to transmit it to another controller.

9.7. Right to withdraw consent (Art. 7(3))

Where Processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of Processing prior to withdrawal.

9.8. Right to lodge a complaint with a supervisory authority (Art. 77)

You have the right to lodge a complaint with the data-protection supervisory authority of the country of your residence, place of work or alleged infringement. A list of EU supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

9.9. How to exercise your rights

To exercise any of the rights listed above:

send an email to legal@scalping.life with the subject "GDPR Request" (or, where applicable, "CCPA Request");
specify the type of request and the data to which it relates;
we may request additional information for the purpose of verifying your identity (in order to prevent disclosure to the wrong person).

Time for response. We will review the request and provide a response within thirty (30) calendar days of receipt. In complex cases, the period may be extended to sixty (60) days, with notice.

No fee. Exercising your rights is free of charge, except in cases of manifestly unfounded or repetitive requests, where a reasonable fee may be charged or the request may be refused.

10. Additional rights for California residents (CCPA)

If you are a resident of California, you also benefit from rights under the California Consumer Privacy Act (CCPA), including:

the right to know what data is collected and for what purposes;
the right to request the deletion of data;
the right to opt out of the sale of data (we do not sell data);
the right to non-discrimination for the exercise of CCPA rights.

To exercise CCPA rights, send a request to legal@scalping.life with the subject "CCPA Request".

11. Cookies and similar technologies

11.1. We use only a strictly necessary set of technical cookies required for the operation of the Services. All cookies set by us fall into the category of "strictly necessary" and do not require separate consent under the ePrivacy Directive 2002/58/EC and the corresponding national implementations of EU Member States.

Categories of cookies used

Category	Purpose	Source	Duration
Authentication session cookies	Maintaining login state after authentication via Google OAuth. Protection against cross-site request forgery (CSRF). Without these, you cannot work in the protected sections of the Platform.	First-party	Until logout, or up to 30 days (where "remember me" is enabled)
OAuth login process cookies	Short-lived cookies that secure the exchange with Google during login (protection against the interception of the authorisation code).	First-party	Up to 15 minutes; deleted automatically after login completes
Language preference cookie	Stores the user-interface language you have selected. Set when you use the language switcher in the site header.	First-party	Up to 1 year, or until reset via your browser settings

11.2. Specific cookie names, technical attributes and exact lifetimes may change with software updates to the Platform. The current list of cookies set on your device is always available via your browser's developer tools (DevTools → Application → Cookies, or the equivalent panel).

What we do not set or use

We do not use the following categories of cookies and similar technologies:

third-party analytics cookies (Google Analytics, Yandex.Metrica, Mixpanel, Amplitude and the like);
advertising cookies (Facebook Pixel, Google Ads, retargeting, look-alike audiences);
behavioural profiling (heat-maps, session recording, fingerprinting);
third-party trackers on partner domains;
cross-site tracking.

Because we do not set cookies that require consent under the ePrivacy Directive, the Platform does not display a cookie-consent banner — it is not required for strictly necessary cookies.

11.3. Cookie management. You may at any time:

(a) delete the cookies set on your device via your browser's settings; (b) prevent your browser from accepting new cookies (this will make Account login and the use of protected sections impossible); (c) use private-browsing / incognito mode for one-off sessions.

12. Automated decision-making and profiling

12.1. As part of the Services, we use automated systems for:

(a) fraud and manipulation detection in Prop Challenges (Simulated-Environment integrity-compliance systems); (b) calculation of trading metrics for participant performance; (c) processing of signals generated by the Platform's algorithmic engine.

The specific algorithms, formulas and thresholds are internal information of the Operator.

12.2. Decisions to disqualify, ban or withhold a Payout that are reached on the basis of automated detectors do not constitute solely automated decisions within the meaning of GDPR Art. 22. All such decisions are subject to human review before final application.

12.3. You are entitled to:

(a) request human intervention; (b) express your point of view; (c) contest the decision through the Complaints Procedure.

13. Children's privacy

13.1. The Services are not directed at persons under the age of 18 (or the higher age of legal majority in your jurisdiction). We do not knowingly collect Personal Data of minors under the age of 18.

13.2. Age-verification measures. Registration on the Platform includes a mandatory confirmation of legal majority at the time the Account is created (express user representation during onboarding). Additional objective age verification is carried out:

(a) when KYC is completed via the certified provider (the identification document contains the date of birth); (b) where objective indicators of minority are identified during use of the Services (the nature of communications, voluntarily disclosed information, indicia of dependent registration).

Where a User under the age of 18 is identified, the Account is suspended without delay and the Personal Data is deleted (save for the minimum necessary to document the deletion and prevent re-registration).

13.3. Requests by parents and guardians. If you are a parent or guardian and believe that a child has registered on the Platform:

(a) please contact us at legal@scalping.life with the subject "Minor Account" and provide the basis of your request; (b) the minor's data will be deleted within no more than five (5) business days of confirmation; (c) any amounts paid will be refunded in full to the original method of payment.

13.4. As regards Personal Data of persons aged 13–16 (in jurisdictions that have set a digital consent age below 16 — see GDPR Art. 8 national implementations), additional parental-consent requirements apply. Because the Services are not directed at persons under the age of 18, such cases will be treated as a breach of the registration conditions and will result in immediate suspension.

14. Amendments to this Policy

14.1. We may update this Policy from time to time. The date of the last update is shown at the top of this document.

14.2. Material changes will be notified to you:

(a) by notice within the Platform; (b) by email to the address associated with the Account; (c) at least fourteen (14) days before the changes take effect.

14.3. Continued use of the Services after a change takes effect constitutes your acceptance of the amended Policy.

14.4. Archived versions of this Policy are available on request to legal@scalping.life.

15. Governing law and dispute resolution

15.1. This Policy is governed by the laws of England and Wales, without prejudice to the mandatory provisions of the data-protection law of your jurisdiction (in particular GDPR for the EEA, UK GDPR for the United Kingdom, CCPA for California, and similar regimes).

15.2. Disputes concerning the Processing of Personal Data may be referred to the data-protection supervisory authority of your jurisdiction (see Section 9.8) or resolved in the manner set out in Terms of Use §18.

16. Contact

For any matters relating to the Processing of Personal Data:

Email: legal@scalping.life (using the subject "Privacy" or "GDPR Request" / "CCPA Request")
Telegram: @artio_ssl
Website: https://scalping.life

We will respond to requests within up to thirty (30) calendar days of receipt (with the possibility of extension to sixty (60) days in complex cases, with notice).