PRIVACY POLICY

This Privacy Policy explains how Chart Stalker (Pty) Ltd (Reg. 2022/298579/07), trading as Plug 'n Play Trading Tech and operating the Aura Terminal platform ("we", "us", "our", "Aura"), collects, uses, stores, and protects your personal information in compliance with the Protection of Personal Information Act 4 of 2013 ("POPIA") and other applicable South African legislation.

Chart Stalker (Pty) Ltd is an authorised Juristic Representative of 1st Fintech Capital (Pty) Ltd (FSP 51478, Reg. 2020/936466/07). By using Aura Terminal, you consent to the practices described in this policy.

1. Information We Collect

1.1 Personal Information You Provide

When you register for an Aura Terminal account, we collect:

• Full name, email address, and phone number
• Country of residence
• Trading experience level and preferred trading style
• Referral and affiliate information (affiliate slug, referral source)
• Communication preferences (email and WhatsApp opt-in status)

1.2 Information Collected Automatically

• IP address (collected on login for security and fraud prevention)
• Device information, browser type, and operating system
• Pages viewed, features used, and session duration within the terminal
• Scanner, chart, and signal usage patterns
• Login timestamps and activity frequency

1.3 Trading-Related Data

If you connect a broker account via our MetaTraderAPI.dev bridge, we access your trading data (account balance, equity, open positions, and trade history) and can execute trades that you explicitly initiate from Aura Terminal. We never auto-trade: every order, modification, and close is triggered by a deliberate tap inside the app, and close actions go through a confirmation pill by default.

Broker credential storage. So that you do not have to re-enter your MT5 master password on every visit, we store it encrypted using AES-256-GCM (the standard used by banks and password managers). The encryption key lives only in our hosting provider’s secure environment variables, never in the database, never in source control, and never in application logs. This means that a compromise of our database alone cannot reveal your password — an attacker would need to compromise both our database and our hosting provider’s secret store. Each encrypted credential has a unique initialisation vector and authentication tag, so even two users with the same password have entirely different ciphertext. You can delete your stored credentials at any time by clicking Disconnect in the MT5 panel, which wipes all four credential columns from the row. We also maintain an internal kill-switch that allows us to disable decryption platform-wide without a code deploy in the event of a suspected key compromise.

2. Purpose of Collection

In accordance with Section 13 of POPIA, we process your personal information for the following lawful purposes:

• To provide and maintain the Aura Terminal platform and its features
• To manage your account, subscription, and billing
• To personalise your experience (scanner preferences, pair watchlists, timezone)
• To calculate and display your engagement score and trading analytics
• To facilitate the affiliate and referral programme
• To send transactional communications (account verification, trial reminders, security alerts)
• To send marketing communications where you have opted in
• To detect and prevent fraud, abuse, and unauthorised access
• To comply with legal and regulatory obligations, including FICA and FSP requirements
• To improve our platform through aggregated, anonymised analytics

3. Legal Basis for Processing

Under POPIA Section 11, we process your personal information based on: (a) your consent, provided at registration and through explicit opt-in mechanisms; (b) contractual necessity, to fulfil our obligations under the Terms of Service; (c) legitimate interest, for platform security, fraud prevention, and service improvement; and (d) legal obligation, to comply with financial services regulations, FICA, and tax requirements.

4. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes outlined in this policy, subject to applicable legal requirements:

• Activity logs: 90 days, after which they are automatically deleted
• Profile data: Retained for the duration of your active account. Upon account deletion, personal data is removed within 30 days, except where legally required to be retained
• Financial records: 5 years in accordance with the Financial Intelligence Centre Act (FICA) and SARS requirements
• Aggregated analytics: Indefinitely, as this data is anonymised and cannot identify individuals
• Error logs: 30 days for debugging purposes

5. Third-Party Sharing

We do not sell your personal information. We share data with the following categories of third parties, strictly as necessary to operate our services:

• Supabase Inc. — cloud database hosting and authentication (data stored on AWS infrastructure, US-based with SOC 2 compliance)
• Vercel Inc. — application hosting and content delivery
• MetaTraderAPI.dev — broker account connectivity for live trading data and user-initiated trade execution
• Payment processors — Ozow and/or PayFast for subscription billing (we do not store card details)
• Partner brokers — OctaFX, Weltrade, and other IB partners, for referral commission tracking. We share only your referral code and subscription status, not trading data
• Cloudflare — for security, DDoS protection, and Turnstile CAPTCHA

Your referrer (the person whose affiliate link you used to sign up) may see your name, email, and phone number if you consented to referral data sharing during registration.

6. Cookies and Tracking

Aura Terminal uses essential cookies and localStorage for session management, theme preferences, and authentication. We do not use third-party advertising trackers. Campaign tracking uses first-party URL parameters (e.g., ?tag=campaign-name) to measure the effectiveness of marketing campaigns. No data is shared with advertising networks.

7. Your Rights Under POPIA

As a data subject under POPIA, you have the following rights, which you may exercise at any time by contacting our Information Officer:

• Right of access: Request a copy of the personal information we hold about you (Section 23)
• Right to correction: Request that inaccurate or incomplete information be corrected (Section 24)
• Right to deletion: Request deletion of your personal information where it is no longer necessary for the purpose collected (Section 24)
• Right to object: Object to the processing of your personal information for direct marketing (Section 11(3)(a))
• Right to withdraw consent: Withdraw previously given consent at any time (Section 11(2)(a))
• Right to complain: Lodge a complaint with the Information Regulator of South Africa

You may unsubscribe from marketing emails at any time using the unsubscribe link in every email, or by toggling your preferences in your Aura Terminal settings.

8. Children's Data

Aura Terminal is not intended for use by persons under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will delete it immediately. If you believe a minor has provided us with personal information, please contact us at the details below.

9. Cross-Border Data Transfers

Your personal information may be transferred to and processed in countries outside South Africa, including the United States (Supabase, Vercel) and the European Union (MetaAPI). In accordance with POPIA Section 72, we ensure that any such transfers are subject to adequate safeguards, including contractual obligations on the receiving party to maintain comparable levels of data protection.

10. Security Measures

We implement appropriate technical and organisational measures to protect your personal information, in accordance with POPIA Section 19:

• All data transmitted between your device and our servers is encrypted using TLS 1.3
• Database access is controlled through row-level security policies
• Authentication uses secure, industry-standard practices (Supabase Auth)
• Broker passwords are encrypted with AES-256-GCM before being written to the database. The encryption key lives only in hosting-provider secure environment variables and is never stored in the database, source control, or logs. See section 1.3 for details.
• Rate limiting and CAPTCHA protection on authentication endpoints
• Regular security reviews and error monitoring
• Content Security Policy headers to prevent XSS attacks

Account Access by Team Members

Your account manager and authorised team members may view your account interface for the purpose of providing technical support and account management services. This access is read-only — no changes can be made to your account during these sessions. All access is logged in an immutable audit trail. You may request a record of all access sessions by emailing babongilefx@gmail.com with the subject "POPIA Access Request".

11. Data Breach Notification

In the event of a data breach that may compromise your personal information, we will notify the Information Regulator and affected data subjects as soon as reasonably possible, in accordance with POPIA Section 22. Notification will include the nature of the breach, the categories of data affected, and the measures taken to address it.

12. Information Officer

For any privacy-related queries, requests, or complaints, please contact our designated Information Officer:

• Company: Plug 'n Play Trading Tech (Pty) Ltd
• Email: privacy@plugnplaytradingtech.com
• Address: Johannesburg, Gauteng, South Africa

If you are unsatisfied with our response, you may lodge a complaint with the Information Regulator of South Africa.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notification. Continued use of Aura Terminal after changes are posted constitutes acceptance of the revised policy. We encourage you to review this page periodically.