Legal · Data Processing Agreement

Data Processing Agreement.

This Data Processing Agreement ("DPA") governs how Backcandle collects, processes, and stores personal data in connection with your use of the service, in accordance with applicable data protection law including GDPR where applicable.

Effective 2026-01-01 Last updated 2026-04-21 Jurisdiction EU / EEA compatible

01 Parties

This DPA applies between you ("User" or "Data Subject") and Backcandle ("Data Controller"). Backcandle acts as the controller of personal data you provide when creating an account and using the service. Third-party sub-processors are listed in Section 06.

02 Categories of data processed

  • Identity data — your name and email address, obtained via Google OAuth at sign-in
  • Session data — replay sessions you create, including instrument, timeframe, duration, and configuration
  • Trade data — orders, fills, positions, and P&L records generated during replay sessions
  • Journal data — notes, tags, and annotations you attach to trades
  • Usage data — page visits, feature interactions, and error logs (no third-party analytics trackers)

03 Purposes and legal basis

  • Service delivery — processing your trade and session data to run the simulator (contractual necessity)
  • Account management — storing your identity data to authenticate you and persist your settings (contractual necessity)
  • Analytics & improvement — aggregated usage metrics to improve the product (legitimate interest)
  • Legal compliance — retaining records as required by applicable law (legal obligation)

04 Retention

Personal data is retained for as long as your account is active. If you delete your account, personal data is removed within 30 days, except where retention is required by law. Aggregated, anonymized performance data may be retained indefinitely as it cannot be linked back to you.

05 Your rights

Under GDPR and equivalent legislation you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion of your account and associated personal data
  • Portability — receive your trade and session data in a structured machine-readable format
  • Restriction — request that we limit processing of your data in certain circumstances
  • Objection — object to processing based on legitimate interest

To exercise any of these rights, email privacy@backcandle.com. We will respond within 30 days.

06 Sub-processors

  • Google LLC — OAuth authentication (Google Sign-In)
  • Hosting provider — infrastructure and database hosting in the EU

We do not sell or share personal data with third parties for advertising purposes. We do not use third-party behavioral analytics trackers.

07 Contact

Data protection questions and requests: privacy@backcandle.com