Privacy Policy

1. Controller

The controller responsible for data processing on this website is:
Tom Löbel
Gamigstraße 21, 01809 Heidenau, Germany
Email: contact@tlfx.trading

Personal data means any information relating to an identified or identifiable natural person. Providing personal data is generally voluntary; where data is required to conclude or perform a contract (for example to issue a license or run a paid subscription), this is indicated at the point of collection.

2. Server log data

When you visit this website, your browser automatically transmits information to the hosting server (IP address, date and time of access, the pages visited, browser type). This data is processed for the technical delivery and security of the website. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in operating the website reliably and securely).

3. Hosting via Netlify

This website is hosted by Netlify, Inc., 44 Montgomery Street, Suite 300, San Francisco, California 94104, USA. When the site is accessed, technical data is transferred to Netlify. Transfers to the USA take place on the basis of the EU Standard Contractual Clauses. More information: https://www.netlify.com/privacy/

4. License request form

When you submit a license request through the form, I process the data you provide (partner-broker MT5 account number, the email address used to open the broker account, your chosen Expert Advisor and broker, and a marketing opt-in if ticked) to verify your eligibility and issue your license. The legal basis is Art. 6(1)(b) GDPR (steps prior to / performance of a contract) and, for the optional marketing opt-in, Art. 6(1)(a) GDPR (consent).

The form is protected against spam by Cloudflare Turnstile, a privacy-friendly CAPTCHA that does not use tracking cookies (Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA). Submissions are received via Netlify Forms, screened by a serverless function (which also enforces a short anti-duplicate rate limit), and the record is then stored in a Notion database (Notion Labs, Inc., San Francisco, CA, USA) that I use to manage and approve licenses. Data is deleted once it is no longer required and no statutory retention period applies.

5. License verification & software downloads

The Expert Advisors check their license at runtime and are downloaded through a Cloudflare Worker (Cloudflare, Inc., address above). For a license check, the software sends your MT5 account number, the chosen EA and the broker name reported by your terminal; the Worker compares this against the Notion license database and returns only whether the license is valid. Your IP address is processed transiently for delivery, security and rate-limiting of the download endpoint. A "last active" date may be stored on your license record so I can identify and clean up long-unused licenses. Legal basis: Art. 6(1)(b) GDPR (performance of the free-license arrangement) and Art. 6(1)(f) GDPR (security and abuse prevention).

6. Orbit System account & login

The premium Orbit System symbols require a passwordless account. When you request a login link, your email address is processed to send you a one-time "magic link" via Resend (transactional email provider; Plus Five Five, Inc., USA). Clicking the link issues a signed token that your browser stores in its local storage to keep you signed in; this token is sent with each request so the server can confirm which symbols you are entitled to. Your email and your current entitlement are cached by a Cloudflare Worker (in Cloudflare KV) and recorded in a Notion "subscribers" database so I have a readable overview of registered users. Legal basis: Art. 6(1)(b) GDPR (performance of the subscription contract). You can ask for your account and its data to be deleted at any time (see section 15).

7. Payment processing (Stripe)

Paid subscriptions are processed by Stripe (Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland; with Stripe, Inc., USA). When you subscribe, you are taken to Stripe's hosted checkout and enter your payment details directly with Stripe — I do not receive or store your full card data. Stripe processes your name, email, payment information and transaction data as a (joint/independent) controller under its own privacy policy (https://stripe.com/privacy) to carry out the payment and meet legal obligations. I receive your email, subscription status and which products you bought in order to grant access and handle billing. Legal basis: Art. 6(1)(b) GDPR (performance of the contract) and Art. 6(1)(c) GDPR (legal/accounting obligations).

8. Contact by email

If you contact me by email, the data you provide (your email address, your name if given, and the content of your message) is processed solely to handle your enquiry. The legal basis is Art. 6(1)(b) GDPR where the enquiry relates to a contract, and otherwise Art. 6(1)(f) GDPR (legitimate interest in responding to enquiries). You may object to this processing at any time.

9. Web analytics (Pirsch)

This website uses Pirsch Analytics, a privacy-friendly, cookieless web-analytics service (Emvi Software GmbH, Germany), to understand aggregate traffic. Pirsch does not set cookies and does not store personal data such as full IP addresses; visits are counted using an anonymous, non-reversible hash. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in measuring reach).

10. Cookies & local storage

This website itself uses only technically necessary storage. In particular, if you log in to the Orbit System subscription, a sign-in token is kept in your browser's local storage so you stay logged in; it is removed when you log out. Third-party elements embedded on the site (see the YouTube and Buy-Me-a-Coffee sections) and Stripe's checkout may set their own cookies. You can manage or delete cookies and local storage through your browser settings.

11. Fonts (self-hosted)

The fonts used on this website are hosted directly on the website's own server. They are not loaded from Google Fonts or any other third party, so no data is transmitted to external font providers when you access the site.

12. YouTube video embeds

The Expert Advisor pages embed videos hosted on YouTube. When a page with an embedded video is loaded, a connection to YouTube's servers is established and your IP address is transmitted. Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Processing by YouTube is governed by Google's own privacy policy.

13. Buy Me a Coffee widget

This website includes a "Buy Me a Coffee" support widget, which is loaded from the provider's servers and may transmit your IP address and set cookies. Provider: Buy Me a Coffee. Processing by the provider is governed by its own privacy policy.

14. Affiliate links

This website contains affiliate links to partner brokers. When you click such a link and open an account, the broker may set cookies or use tracking parameters to attribute the referral. This processing is carried out by the respective broker under its own privacy policy. TLFX does not receive your personal trading data through these links — only a referral confirmation.

15. International transfers

Several of the processors above (Netlify, Cloudflare, Notion, Stripe, Resend, Google/ YouTube) are based in or transfer data to the USA. Such transfers are based on the EU Standard Contractual Clauses and/or the EU–US Data Privacy Framework, together with the providers' own safeguards. Pirsch (analytics) and the controller are based in the EU/Germany.

16. Your rights

You have the right at any time to access (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and objection (Art. 21). You can withdraw any consent you have given at any time with effect for the future. To exercise any of these rights, contact me using the details in section 1.

You also have the right to lodge a complaint with a supervisory authority. The authority responsible for the controller is: Der Sächsische Datenschutzbeauftragte, Devrientstraße 5, 01067 Dresden, Germany.