Privacy Policy

1 Introduction and Controller

This Privacy Policy ("Policy") describes how personal data is collected, processed, stored, and protected in connection with the operation of the website IsYourTraderReal.com ("Platform"). The Platform is a trader verification and investigation service that publishes editorial assessments and consumer protection reports about individuals and entities operating in the financial trading education and services industry.

The data controller responsible for the processing of personal data on the Platform is:

The Controller has appointed a Data Protection Officer ("DPO") who can be contacted for any questions, requests, or complaints regarding the processing of personal data:

This Policy applies to two distinct groups of data subjects whose personal data the Platform processes: (1) Users, visitors, and reporters who access or interact with the Platform; and (2) Subjects — traders, mentors, signal providers, and other individuals or entities who are the subject of investigations, reports, or assessments published on the Platform. Each group is addressed separately throughout this Policy due to the fundamentally different nature of the processing and the legal bases that apply.

2 Definitions

For the purposes of this Privacy Policy, the following terms have the meanings set out below:

• "Platform" means the website IsYourTraderReal.com, including all pages, subdomains, APIs, tools, databases, and any related services operated by the Controller.
• "User" means any individual who accesses, browses, uses, or interacts with the Platform, including visitors, registered users, and individuals who submit reports, evidence, testimonials, or other information through the Platform ("Reporters").
• "Subject" means any individual, trader, mentor, signal provider, company, group, or entity that is the subject of an investigation, report, assessment, profile, or editorial content published on the Platform.
• "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of Regulation (EU) 2016/679 (GDPR).
• "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, as defined in Article 4(2) of the GDPR.
• "Controller" means Signal Core s.r.o., the entity which determines the purposes and means of the processing of Personal Data on the Platform.
• "Investigation Report" means any assessment, analysis, rating, verdict, or editorial content produced by the Controller's editorial team regarding a Subject.

3 Data We Collect

3.1 Data from Users, Visitors, and Reporters

When Users interact with the Platform, the Controller may collect and process the following categories of Personal Data:

• IP addresses — collected automatically when you access the Platform. IP addresses are partially masked (last octet anonymized) when displayed publicly on the Platform (e.g., in connection with user submissions displayed as "192.168.1.xxx");
• Country of origin — derived from IP address geolocation using the ip-api.com service. Country information may be displayed publicly alongside submissions to provide geographic context;
• Browser and device information — including browser type and version, operating system, screen resolution, language preferences, and referring URL. This data is collected for security, anti-abuse, and platform optimization purposes;
• Names or pseudonyms — provided voluntarily by Users when submitting reports or evidence. Only first names are displayed publicly on the Platform;
• Email addresses — provided voluntarily by Users when submitting reports or contacting the Controller. Email addresses are used solely for communication regarding submissions and are never published or displayed publicly on the Platform;
• Submission content — any text, descriptions, evidence, testimonials, attached files, screenshots, or other materials submitted by Users through the Platform's reporting and submission forms;
• reCAPTCHA data — the Platform uses Google reCAPTCHA to prevent automated abuse. reCAPTCHA may collect hardware and software information (such as device and application data), cookies, and usage data. This processing is governed by Google's Privacy Policy and Terms of Service;
• Cookies and similar technologies — as described in detail in Section 11 of this Policy.

3.1.1 Security and Fraud Prevention Data

When you submit any content through our platform (reports, community opinions, evidence, contributor submissions), we automatically collect the following technical data for fraud prevention, abuse detection, and potential cooperation with law enforcement:

• Network data: IP address, proxy headers
• Browser data: User agent string, language preferences, encoding capabilities
• Device data: Screen resolution, color depth, platform identifier, touch capability, hardware concurrency, available memory
• Browser environment: Timezone, installed plugins, Do Not Track setting, cookie support
• Technical identifiers: Canvas rendering hash, WebGL renderer information, composite browser fingerprint

This data is collected under our legitimate interest in preventing abuse, protecting the integrity of our platform, protecting the reputation of investigated subjects from false or malicious reports, and cooperating with law enforcement authorities when required. This data is stored for a minimum of 3 years and may be disclosed to law enforcement upon valid legal request.

3.2 Data about Subjects (Investigated Traders and Mentors)

In connection with its investigative and editorial activities, the Controller may collect and process the following categories of Personal Data about Subjects:

• Names and aliases — real names, trading aliases, usernames, stage names, and any other identifiers used by the Subject in connection with their public commercial activities in the financial services industry;
• Photographs and visual representations — profile pictures, photographs, avatars, and other images sourced exclusively from publicly available materials, including the Subject's own websites, public social media profiles, marketing materials, and public appearances;
• Trading platform profiles — publicly accessible information from trading platforms, including usernames, performance statistics displayed by the platform, account histories (where shared publicly by the Subject), and any information the Subject has voluntarily made available on such platforms;
• Social media information — publicly available information from the Subject's social media accounts (including but not limited to Instagram, Twitter/X, YouTube, TikTok, Facebook, LinkedIn, Telegram, and Discord), including posts, claims, follower counts, engagement metrics, and publicly shared content;
• Trading performance data — where voluntarily provided by the Subject through investor-password access (read-only) to trading accounts, or through verified broker statements and independently auditable documentation. This data is processed solely for the purpose of performance verification;
• Country and location — the Subject's country of residence or operation, as disclosed publicly by the Subject or as reasonably inferable from publicly available information;
• Publicly available business information — company registrations, regulatory filings, domain registration data (WHOIS), publicly available financial records, regulatory warnings or sanctions issued by financial regulators, court records, and other information available through public registers and databases.

The Controller does not collect sensitive or special categories of personal data (as defined in Article 9 of the GDPR) about Subjects, such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or sexual orientation. If such data is inadvertently submitted by Users, it will be redacted and not published.

4 Legal Basis for Processing

4.1 Legal Basis for Processing User Data

The Controller processes User Personal Data on the following legal bases under Article 6(1) of the GDPR:

• Consent (Article 6(1)(a)) — for the placement and reading of non-essential cookies and similar tracking technologies. Consent is obtained through the Platform's cookie consent mechanism and can be withdrawn at any time;
• Legitimate interest (Article 6(1)(f)) — for security measures, fraud prevention, anti-abuse protections (including reCAPTCHA), IP logging for legal defense purposes, and the general operation and improvement of the Platform. The Controller's legitimate interest in maintaining a secure, functional, and trustworthy platform outweighs the minimal impact on Users' privacy, particularly given that technical data is collected in anonymized or pseudonymized form where possible;
• Performance of a contract or pre-contractual measures (Article 6(1)(b)) — for processing data necessary to handle User submissions, respond to inquiries, and provide the services requested by Users through their interactions with the Platform.

4.1.1 Legal Basis for Security Data

Legitimate Interest (Art. 6(1)(f) GDPR): We collect technical device and browser data to protect our platform from abuse, prevent defamatory or malicious submissions, and maintain evidence for potential law enforcement cooperation. We have conducted a balancing test and determined that our interest in platform integrity and protection of investigated subjects' reputations outweighs the minimal privacy impact of collecting technical browser metadata. This data is not used for advertising, profiling, or any purpose other than security and fraud prevention.

4.2 Legal Basis for Processing Subject Data

The Controller processes Subject Personal Data on the following legal bases:

• Journalistic exemption (Article 85 GDPR; Section 17 and Section 18a of Act No. 110/2019 Coll.) — the Controller engages in journalistic, editorial, and investigative activities within the meaning of Article 85 of the GDPR and the implementing provisions of Czech national law. The Platform's Investigation Reports constitute editorial content produced for purposes of informing the public about matters of legitimate public concern, namely the conduct of individuals and entities offering financial services, trading education, and investment advice to consumers. Under the journalistic exemption, the Controller is permitted to process Subject Personal Data without the Subject's consent where such processing is necessary for the purposes of journalistic and editorial activity, and certain data subject rights (including the right to erasure and the right to object) may be restricted to the extent necessary to reconcile the right to protection of personal data with the right to freedom of expression and information;
• Legitimate interest (Article 6(1)(f)) — the Controller has a compelling legitimate interest in processing Subject Personal Data for the purposes of consumer protection, public interest transparency, and fraud prevention in the financial services industry. The Controller has conducted a legitimate interest assessment and determined that the significant public interest in protecting consumers from potentially fraudulent, deceptive, or misleading trading services outweighs the privacy interests of Subjects who have voluntarily entered into public commercial activity by offering financial services to the public;
• Public figures engaged in commercial activity — Subjects who publicly offer financial services, trading signals, mentorship, courses, or investment education through websites, social media, advertising, or other public channels have voluntarily reduced their expectation of privacy with respect to their commercial activities. The processing of their Personal Data in connection with their public commercial conduct is proportionate and necessary for the Platform's consumer protection mission.

The Controller explicitly states that the journalistic exemption, as implemented by Section 17 and Section 18a of Act No. 110/2019 Coll. (Czech Act on the Processing of Personal Data), allows the processing of Subject Personal Data without consent for purposes of journalistic and editorial activity. This exemption does not grant the Controller unlimited rights; rather, it requires the Controller to balance the right to protection of personal data against the fundamental right to freedom of expression and information, which the Controller does on a case-by-case basis.

5 Purpose of Processing

The Controller processes Personal Data for the following specific purposes:

5.1 User Data

• IP addresses and technical data: security monitoring, prevention of automated abuse (bots, scrapers), identification of fraudulent or malicious submissions, legal defense in the event of disputes, and compliance with legal obligations;
• Country of origin: geographic context for user submissions, statistical analysis of Platform usage, and identification of coordinated inauthentic behavior;
• Names and email addresses: communication with Users regarding their submissions, follow-up inquiries for clarification or additional evidence, notification of publication of Investigation Reports related to their submissions, and response to data subject access requests;
• Submission content: editorial review and verification, incorporation into Investigation Reports where appropriate, evidence archival for legal defense;
• reCAPTCHA data: prevention of automated form submissions, bot detection, and spam prevention;
• Cookies: essential Platform functionality (session management), analytics and Platform improvement (where consent is obtained).

5.2 Subject Data

• Names, aliases, and photographs: accurate identification of Subjects in Investigation Reports, prevention of mistaken identity, enabling consumers to identify the individuals and entities under investigation;
• Trading platform profiles and social media information: verification of claims made by the Subject, assessment of the Subject's public representations, documentation of evidence supporting editorial conclusions;
• Trading performance data: independent verification of claimed trading results using GIPS-aligned methodology, assessment of whether public claims are substantiated by actual performance;
• Country and business information: contextual information for Investigation Reports, verification of regulatory status, identification of jurisdictional considerations.

6 Data Retention

The Controller retains Personal Data only for as long as necessary for the purposes for which it was collected, subject to the following retention periods:

6.1 User Submissions

Reports, evidence, testimonials, and other materials submitted by Users are retained for the duration of the related investigation plus 5 (five) years following the completion or closure of the investigation. This retention period is necessary for the Controller's legitimate interest in legal defense against potential claims related to published Investigation Reports (limitation periods under Czech law for defamation and personality rights claims are generally 3 years, with the additional 2 years providing a reasonable buffer).

6.2 Subject Data

Personal Data relating to Subjects that has been published as part of an Investigation Report is retained for as long as the Investigation Report remains published on the Platform. Given the Platform's public interest archival function, this may be an indefinite period. The Controller considers this proportionate given that:

• Investigation Reports serve a lasting public interest in consumer protection;
• Historical records of fraudulent or deceptive conduct remain relevant to future consumers;
• Removal of published reports could enable previously investigated Subjects to resume deceptive practices without public scrutiny;
• Subjects retain the right to request updates, corrections, and the publication of their response (see Section 10).

6.3 IP Addresses and Technical Data

IP addresses, browser information, device data, and other technical data collected automatically from Users and visitors are retained for a maximum period of 12 (twelve) months from the date of collection, after which they are permanently deleted or irreversibly anonymized.

6.4 Cookies

Cookie retention periods vary by type and are detailed in Section 11 of this Policy. In general:

• Strictly necessary cookies (session cookies): expire at the end of the browser session or within 24 hours;
• Functional cookies: retained for up to 12 months;
• reCAPTCHA cookies: retention periods are determined by Google and are governed by Google's Privacy Policy.

6.5 Email Correspondence

Email correspondence with Users or Subjects (including data subject requests, right of response submissions, and general inquiries) is retained for 3 (three) years from the date of the last communication in the thread, after which it is permanently deleted unless retention is required for ongoing legal proceedings or regulatory compliance.

7 Data Sharing and Recipients

The Controller does not sell, rent, trade, or otherwise commercially transfer Personal Data to third parties. Personal Data may be shared with the following categories of recipients only to the extent necessary for the purposes described in this Policy:

• Hosting provider (DigitalOcean, Inc.) — the Platform is hosted on infrastructure provided by DigitalOcean, Inc. (101 6th Avenue, New York, NY 10013, USA). DigitalOcean processes data as a data processor on behalf of the Controller. DigitalOcean's EU-region data centers are used where available, and transfers are covered by Standard Contractual Clauses (SCCs) and DigitalOcean's Data Processing Agreement;
• Google reCAPTCHA (Google LLC / Google Ireland Limited) — the Platform uses Google reCAPTCHA for anti-abuse purposes. When Users interact with reCAPTCHA-protected forms, certain data (including IP address, browser information, and cookies) is transmitted to Google. This processing is governed by Google's Privacy Policy (https://policies.google.com/privacy) and Terms of Service;
• ip-api.com — the Platform uses the ip-api.com service to determine the geographic location (country) associated with IP addresses. Only IP addresses are transmitted to this service; no other Personal Data is shared. ip-api.com processes data in accordance with its own privacy policy;
• Law enforcement and judicial authorities — the Controller may disclose Personal Data to law enforcement agencies, regulatory authorities, courts, or other governmental bodies when required to do so by applicable law, valid court order, subpoena, or binding legal process, or when the Controller reasonably believes that disclosure is necessary to comply with a legal obligation, protect the Controller's legal rights, prevent fraud or illegal activity, or protect the safety of any person;
• Legal advisors — the Controller may share Personal Data with its legal counsel and advisors in connection with legal proceedings, disputes, or the defense of legal claims, subject to professional privilege and confidentiality obligations.

All third-party recipients acting as data processors on behalf of the Controller are bound by data processing agreements (Article 28 GDPR) or equivalent contractual safeguards ensuring the confidentiality, integrity, and security of Personal Data. The Controller conducts due diligence on all processors to ensure adequate data protection standards.

The Controller does not sell Personal Data to third parties. The Controller does not share Personal Data with data brokers, advertising networks, or marketing platforms. The Controller does not engage in profiling for automated decision-making that produces legal effects concerning data subjects.

8 International Data Transfers

The Platform's primary hosting infrastructure is located within the European Union (DigitalOcean EU-region data centers). The Controller endeavors to process and store all Personal Data within the EU/EEA wherever possible.

Where Personal Data is transferred to recipients located outside the EU/EEA (for example, to Google LLC in the United States for reCAPTCHA processing, or to DigitalOcean's US-based infrastructure), the Controller ensures that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:

• Adequacy decisions — transfers to countries or territories that the European Commission has determined provide an adequate level of data protection (including the United States under the EU-U.S. Data Privacy Framework, where applicable);
• Standard Contractual Clauses (SCCs) — transfers covered by the Standard Contractual Clauses adopted by the European Commission pursuant to Article 46(2)(c) of the GDPR;
• Binding Corporate Rules — where the recipient has adopted Binding Corporate Rules approved by a competent EU supervisory authority;
• Derogations — in exceptional cases, transfers based on derogations under Article 49 of the GDPR (e.g., explicit consent, necessity for the establishment, exercise, or defense of legal claims).

Users may obtain further information about the specific safeguards applied to international data transfers by contacting the DPO at dpo@isyourtraderreal.com.

9 Your Rights (Users and Visitors)

If you are a User, visitor, or reporter, you have the following rights under the GDPR with respect to your Personal Data:

• Right of access (Article 15) — you have the right to obtain confirmation as to whether the Controller processes your Personal Data, and if so, to access that data and receive information about the processing, including the purposes, categories of data, recipients, and retention periods;
• Right to rectification (Article 16) — you have the right to request the correction of inaccurate Personal Data and the completion of incomplete Personal Data;
• Right to erasure (Article 17) — you have the right to request the deletion of your Personal Data where the data is no longer necessary for the purposes for which it was collected, where you withdraw consent (where processing is based on consent), where you object to processing and there are no overriding legitimate grounds, or where the data has been unlawfully processed. This right is subject to the exceptions set out in Article 17(3) of the GDPR;
• Right to restriction of processing (Article 18) — you have the right to request the restriction of processing where you contest the accuracy of the data, where the processing is unlawful, where the Controller no longer needs the data but you require it for the establishment, exercise, or defense of legal claims, or where you have objected to processing pending verification of legitimate grounds;
• Right to data portability (Article 20) — where processing is based on consent or contract performance and is carried out by automated means, you have the right to receive your Personal Data in a structured, commonly used, and machine-readable format and to transmit it to another controller;
• Right to object (Article 21) — you have the right to object to processing based on legitimate interest. The Controller will cease processing unless it demonstrates compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims;
• Right to withdraw consent — where processing is based on consent (e.g., cookies), you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

To exercise any of these rights, please contact the Data Protection Officer at:

The Controller will respond to your request within 30 (thirty) days of receipt, in accordance with Article 12(3) of the GDPR. This period may be extended by a further 60 days where necessary, taking into account the complexity and number of requests, in which case you will be informed of the extension and the reasons for the delay within the initial 30-day period. The Controller may request additional information to verify your identity before processing your request.

10 Rights of Subjects (Investigated Traders and Mentors)

Subjects of Investigation Reports are data subjects under the GDPR and have certain rights with respect to their Personal Data. However, due to the journalistic nature of the Platform's activities and the public interest served by the Platform, certain rights may be restricted in accordance with Article 85 of the GDPR and the implementing provisions of Czech national law. The Controller assesses each request individually, balancing the Subject's privacy rights against the public interest in consumer protection and freedom of expression.

10.1 Right of Access

Granted. Subjects have the right to obtain confirmation as to whether the Controller processes their Personal Data, and if so, to access that data. Given that Investigation Reports are published publicly on the Platform, much of the data is already accessible. The Controller will provide, upon request, a summary of any additional non-published data held about the Subject.

10.2 Right to Rectification

Granted for factual inaccuracies. Subjects have the right to request the correction of factually inaccurate Personal Data. The Controller will review rectification requests in good faith and correct any demonstrable factual errors. However, this right does not extend to the Controller's editorial opinions, assessments, verdicts, or subjective evaluative judgments, which are protected as expressions of editorial freedom. Subjects must provide evidence supporting the claimed inaccuracy.

10.3 Right to Erasure (Right to be Forgotten)

Restricted. The Controller may refuse requests for erasure of Subject Personal Data under Article 17(3)(a) of the GDPR, which provides that the right to erasure does not apply to the extent that processing is necessary for exercising the right of freedom of expression and information. The Controller's processing of Subject data for the purposes of journalistic and editorial activity falls within this exception.

The Controller will consider erasure requests on a case-by-case basis, taking into account:

• Whether the Subject remains engaged in public commercial activity in the financial services industry;
• The severity and nature of the findings in the Investigation Report;
• The passage of time since the investigation and whether the information remains relevant to public interest;
• Whether the Subject has ceased the conduct that gave rise to the investigation and taken verifiable remedial steps;
• The potential harm to consumers if the Investigation Report were to be removed.

Where the Controller refuses an erasure request, it will provide the Subject with a reasoned decision in writing, including the legal basis for the refusal and information about the Subject's right to lodge a complaint with the supervisory authority or seek judicial remedy.

10.4 Right to Object

Restricted. The Controller may refuse objections to the processing of Subject Personal Data where it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject (Article 21(1) GDPR). The Controller considers that the public interest in consumer protection, the prevention of financial fraud, and the right of the public to be informed about potentially deceptive commercial practices constitute compelling legitimate grounds that override the privacy interests of Subjects who have voluntarily engaged in public commercial activity.

10.5 Right to Restriction of Processing

Requests for restriction of processing are evaluated on a case-by-case basis. The Controller will restrict processing where required by Article 18 of the GDPR (e.g., where the accuracy of data is contested, pending verification). However, the Controller may continue to store the data and may lift the restriction where processing is necessary for the establishment, exercise, or defense of legal claims, for the protection of the rights of another person, or for reasons of important public interest.

10.6 Right of Response

In addition to the rights provided under the GDPR, the Controller offers Subjects a right of response. Subjects may submit a written response, rebuttal, or statement in connection with any Investigation Report published about them. Subject to editorial review for compliance with applicable law (including defamation and hate speech laws), the Controller will publish the Subject's response alongside the relevant Investigation Report, clearly identified as the Subject's statement. This right of response is offered voluntarily by the Controller as a matter of editorial fairness and does not limit or replace any rights under the GDPR.

10.7 Assessment Process

Each request from a Subject is assessed individually by the Controller (and, where necessary, by the Controller's legal advisors). The Controller applies a proportionality test, weighing the Subject's right to privacy and data protection (Articles 7 and 8 of the EU Charter of Fundamental Rights) against the right to freedom of expression and information (Article 11 of the EU Charter) and the public interest in consumer protection. The outcome of this assessment depends on the specific circumstances of each case, including the nature and seriousness of the findings, the Subject's public profile, and the potential impact on consumer safety.

Subjects are encouraged to direct all data protection requests to the DPO at dpo@isyourtraderreal.com. The Controller will respond within 30 days of receipt. If the Subject is not satisfied with the Controller's response, they have the right to lodge a complaint with the competent supervisory authority — in the Czech Republic, the Úřad pro ochranu osobních údajů (ÚOOÚ), Pplk. Sochora 27, 170 00 Praha 7 (www.uoou.cz) — or with the supervisory authority of the EU/EEA member state where the Subject resides (Article 77 GDPR).

11 Cookies and Tracking Technologies

The Platform uses cookies and similar technologies to ensure proper functionality, enhance user experience, and protect against abuse. A cookie is a small text file stored on your device by your web browser when you visit a website.

11.1 Types of Cookies Used

• Strictly necessary cookies (session cookies) — these cookies are essential for the operation of the Platform and enable basic functions such as page navigation, session management, and form submissions. They do not require consent as they are necessary for the Platform to function. These cookies expire at the end of the browser session or within 24 hours;
• Functional cookies — these cookies remember your preferences and choices (such as cookie consent status and language preferences) to provide a more personalized experience. They are retained for up to 12 months;
• reCAPTCHA cookies — Google reCAPTCHA sets cookies to distinguish between human users and automated bots. These cookies are set by Google and are governed by Google's cookie policy. reCAPTCHA cookies include _GRECAPTCHA and related tokens. The retention period and scope of these cookies are determined by Google;
• Analytics cookies (if applicable) — should the Controller implement analytics tools in the future, such cookies will only be placed with your explicit prior consent. Currently, the Platform does not use third-party analytics tracking services.

11.1.1 Browser Fingerprinting

In addition to cookies, we use browser fingerprinting technology on submission forms (reports, community opinions, evidence, contributor portal) to create a technical identifier of your browser and device. This is used exclusively for:

• Detecting and preventing fraudulent or abusive submissions
• Identifying repeat offenders who attempt to circumvent bans
• Providing evidence to law enforcement in cases of defamation, harassment, or other illegal activity

Browser fingerprinting for security purposes is exempt from consent requirements under Art. 5(3) of the ePrivacy Directive as it is strictly necessary for the legitimate purpose of fraud prevention. No consent is required for this processing.

11.2 Cookie Consent

Upon your first visit to the Platform, you will be presented with a cookie consent mechanism that allows you to accept or reject non-essential cookies. Strictly necessary cookies cannot be disabled as they are required for the Platform to function. You may change your cookie preferences at any time by clearing your browser cookies and revisiting the Platform, which will trigger the consent mechanism again.

11.3 How to Disable Cookies

You can control and manage cookies through your browser settings. Most browsers allow you to:

• View what cookies are stored and delete individual cookies;
• Block third-party cookies;
• Block cookies from specific websites;
• Block all cookies;
• Delete all cookies when you close your browser.

Please note that disabling or deleting cookies may affect the functionality of the Platform, and certain features (such as form submissions protected by reCAPTCHA) may not work correctly without cookies enabled. For instructions on managing cookies in your specific browser, please consult your browser's help documentation.

12 Protection of Reporter Identity

The Controller recognizes that individuals who report potentially fraudulent or deceptive traders may face retaliation, harassment, or intimidation. The Controller is committed to protecting the identity of Reporters to the greatest extent possible under applicable law.

12.1 Data Stored About Reporters

For each submission, the Controller stores the following data about the Reporter:

• First name (as provided by the Reporter) — displayed publicly alongside the submission. Reporters may use a pseudonym if they prefer;
• Email address — stored securely and never displayed publicly. Used solely for follow-up communication regarding the submission;
• Partially masked IP address — the full IP address is logged internally for security and anti-abuse purposes. Only a partially masked version (e.g., "192.168.xxx.xxx") is displayed publicly;
• Country of origin — derived from IP geolocation and displayed publicly alongside the submission;
• Timestamp — date and time of submission.

Technical fingerprint data: In addition to the data listed above, we store a composite browser fingerprint for each submission. This fingerprint does not contain personally identifiable information on its own, but may be used in combination with other data (such as IP address) to identify a device in cooperation with law enforcement authorities investigating illegal activity such as defamation or harassment.

12.2 Disclosure of Reporter Identity

The Controller will not voluntarily disclose the full identity or contact details of a Reporter to any Subject, third party, or member of the public. The Controller will only disclose Reporter identity information in the following circumstances:

• Valid court order — where a court of competent jurisdiction issues a binding order requiring the disclosure of Reporter identity information, the Controller will comply with such order to the extent required by law;
• Legal proceedings — where the Controller is compelled by law to disclose Reporter information in connection with criminal proceedings, regulatory investigations, or civil litigation in which the Controller is a party;
• Prevention of serious harm — where the Controller reasonably believes that disclosure is necessary to prevent imminent serious harm to any person.

The Controller will, where legally permitted, notify the affected Reporter before any such disclosure takes place and will resist any requests for disclosure that it considers overbroad, disproportionate, or lacking valid legal basis.

12.3 Metadata Warning

Users who submit evidence files (including screenshots, PDF documents, images, email exports, and other digital files) are solely responsible for removing any embedded metadata, EXIF data, author information, file properties, GPS coordinates, or other identifying information from such files before submission. The Platform does not perform automatic forensic sanitization or metadata stripping of uploaded files. The Controller cannot guarantee that metadata or embedded information will be removed and bears no liability for any consequences arising from a Reporter's failure to sanitize uploaded files before submission. Reporters are strongly advised to use metadata removal tools before uploading any evidence files.

13 Children's Privacy

The Platform is not intended for, and is not directed at, individuals under the age of 16 (sixteen) years. The Controller does not knowingly collect Personal Data from children under 16. If the Controller becomes aware that it has inadvertently collected Personal Data from a child under 16, it will take immediate steps to delete such data from its systems.

If you are a parent or guardian and believe that your child under 16 has provided Personal Data to the Platform, please contact the DPO at dpo@isyourtraderreal.com so that the Controller can take appropriate action.

14 Security Measures

The Controller implements appropriate technical and organizational measures to protect Personal Data against unauthorized access, alteration, disclosure, destruction, loss, and other forms of unlawful processing, in accordance with Article 32 of the GDPR. These measures include, but are not limited to:

• SSL/TLS encryption — all data transmitted between your browser and the Platform is encrypted using industry-standard SSL/TLS protocols (HTTPS);
• Encrypted connections — all connections to the Platform's servers, databases, and third-party services are encrypted in transit;
• Access controls — access to Personal Data is restricted to authorized personnel on a need-to-know basis. Administrative access is protected by strong authentication mechanisms;
• Server security — the Platform's hosting infrastructure is protected by firewalls, intrusion detection systems, and regular security patching;
• Data minimization — the Controller collects only the minimum Personal Data necessary for the purposes described in this Policy;
• Regular review — security measures are reviewed and updated periodically to address evolving threats and vulnerabilities;
• Incident response — the Controller maintains procedures for detecting, reporting, and responding to personal data breaches in accordance with Articles 33 and 34 of the GDPR.

While the Controller takes all reasonable precautions to protect Personal Data, no method of transmission over the Internet or method of electronic storage is completely secure. The Controller cannot guarantee absolute security of Personal Data and is not liable for any unauthorized access that occurs despite the implementation of reasonable security measures.

15 Changes to This Policy

The Controller reserves the right to modify, amend, or update this Privacy Policy at any time to reflect changes in the Controller's data processing practices, applicable law, or regulatory guidance. When material changes are made to this Policy:

• The "Last Updated" date at the top of this Policy will be updated to reflect the date of the most recent revision;
• A notice of the change may be displayed prominently on the Platform for a reasonable period;
• Where changes materially affect the processing of Personal Data in a way that requires renewed consent, the Controller will obtain such consent before implementing the changes.

Users are encouraged to review this Policy periodically to stay informed about how their Personal Data is being processed. Continued use of the Platform following the publication of changes to this Policy constitutes acceptance of those changes, except where applicable law requires explicit consent.

16 Supervisory Authority

If you are not satisfied with the Controller's response to your data protection request, or if you believe that the Controller is processing your Personal Data in violation of the GDPR, you have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for the Controller is:

You also have the right to lodge a complaint with the supervisory authority of the EU/EEA member state where you reside, where you work, or where the alleged infringement occurred, in accordance with Article 77 of the GDPR. You also have the right to an effective judicial remedy against the Controller or a processor (Article 79 GDPR).

17 Contact

For any questions, requests, complaints, or correspondence regarding this Privacy Policy, the processing of your Personal Data, or the exercise of your data protection rights, please contact:

This Privacy Policy was last updated on March 21, 2026. The Controller reserves the right to modify this Policy at any time. Material changes will be indicated by updating the "Last Updated" date above.