Validraft

Privacy notice

How Validraft handles personal and engagement data.

This notice explains how Validraft expects to collect, use, share, retain, and protect personal data. It also explains the difference between personal data and confidential strategy materials.

Last updated: June 16, 2026

Categories

Data we may collect

Validraft collects information that you provide directly, information generated by using the website or workspace, and information needed to provide, secure, bill, and support the service.

Account and contact data

Name, email address, company name, role, billing contact, sign-in identifiers, and workspace membership.

Brief and engagement data

Strategy descriptions, hypotheses, instruments, parameters, constraints, data assumptions, files, messages, and feasibility notes you submit.

Report and workspace data

Generated reports, run metadata, monitoring summaries, status updates, messages, support history, and dashboard activity.

Commercial and billing data

Quote requests, invoices, payment status, VAT or tax identifiers, purchase history, and plan or add-on information.

Technical and security data

IP address, device and browser information, log events, authentication events, diagnostics, fraud-prevention signals, and basic usage analytics.

Please do not submit special-category personal data, unnecessary personal financial details, passwords, broker credentials, API keys, or third-party confidential material unless we have expressly agreed to receive it.

Purposes and legal bases

How we use personal data

The exact legal basis depends on the context. The table below describes the expected purposes and likely bases for a pre-launch Validraft service.

| Purpose | What this means | Likely legal basis |
| --- | --- | --- |
| Responding to requests and briefs | To review feasibility, answer questions, prepare quotes, and communicate with you. | Pre-contract steps, contract performance, or legitimate interests. |
| Providing Validraft services | To run scoped validation work, prepare reports, maintain workspaces, and provide support. | Contract performance or legitimate interests. |
| Security and service reliability | To authenticate users, prevent abuse, investigate errors, protect confidential materials, and maintain audit trails. | Legitimate interests and, where required, legal obligations. |
| Billing and records | To issue invoices, process payments, manage accounting, and keep business records. | Contract performance and legal obligations. |
| Product improvement | To improve the website, workspace, intake flow, reporting process, and support experience. | Legitimate interests, using aggregated or minimized data where practical. |
| Marketing communications | To send updates only where permitted or requested, and to manage unsubscribe preferences. | Consent or legitimate interests, depending on context and applicable law. |

Confidential materials

How strategy materials are treated

A trading hypothesis, parameter set, data assumption, report, or run artifact may be commercially sensitive even when it is not personal data. We treat client strategy materials as confidential by default and keep them scoped to the relevant engagement.

  • We do not publish client-specific strategy details without permission.
  • We do not add client hypotheses to a public template library.
  • We do not use your strategy logic for cross-client benchmarking or marketing unless separately agreed.
  • For standard briefs, confidentiality is part of the operating model. For sensitive work, an NDA can be put in place before detailed materials are exchanged.

NDA path

When an NDA makes sense

An NDA, or Non-Disclosure Agreement, is a written confidentiality agreement that defines what information is confidential, who may access it, what it may be used for, how long the duty lasts, and what happens if confidential information is misused.

Tier A / standard

Usually no separate NDA is required. Materials are treated as confidential by default, and an NDA is available on request.

Tier B / business

Recommended where the brief includes investor-facing materials, proprietary signals, commercial datasets, or manager-level research.

Tier C / institutional

May be required before we review custom data, source logic, vendor extracts, portfolio constraints, or internal documents.

The practical rule is simple: you can submit a normal brief without a heavy legal step. If the material is sensitive, institutional, or commercially proprietary, ask for an NDA before sending the details.

Processors

Who we may share data with

We do not sell client personal data. We may share data with service providers and professional advisers where needed to operate, secure, bill, support, or legally protect the service.

  • Hosting, infrastructure, database, authentication, storage, email, analytics, support, billing, and payment providers needed to operate the service.
  • Professional advisers, accountants, legal counsel, auditors, insurers, or regulators where necessary.
  • Data vendors or technical providers where needed to perform a scoped engagement, subject to applicable terms and confidentiality controls.
  • A successor entity if Validraft is involved in a merger, acquisition, restructuring, or asset transfer.

Location

International data transfers

Some providers may process or access data outside your country or outside the European Economic Area. Where GDPR applies, international transfers should rely on an adequacy decision, standard contractual clauses, or another recognized safeguard where required.

Storage

How long we keep data

  • Briefs, engagement records, reports, and workspace records are kept while your account or engagement remains active and for a reasonable period afterward for audit, support, dispute, legal, and accounting purposes.
  • Billing and tax records may be retained for the period required by applicable accounting and tax law.
  • Security logs are generally kept for shorter periods unless needed to investigate abuse, incidents, or legal claims.
  • You may request deletion, but we may retain information where required for legal obligations, dispute handling, security, or legitimate business records.

Website tracking

Cookies and similar technologies

Validraft may use strictly necessary cookies or local storage for authentication, security, session continuity, theme preferences, and workspace operation. Optional analytics, marketing, or tracking cookies should not be used without a proper consent mechanism where legally required.

Before public launch, this section should be synchronized with the actual cookie banner, analytics stack, and consent records used in production.

Safeguards

Security measures

No system is perfectly secure, but Validraft is designed around engagement isolation and limited access to sensitive materials.

  • TLS encryption in transit for website, workspace, brief intake, and report delivery.
  • Authenticated workspace access for reports and engagement updates.
  • Least-privilege internal access to engagement materials.
  • Operational separation between client engagements.
  • No public reuse of client strategy logic or client-specific materials without permission.

GDPR rights

Your privacy rights

Depending on your location and the basis for processing, you may have rights over your personal data. These rights may be limited in some circumstances, for example where we must keep records for legal, security, accounting, or dispute reasons.

  • Access personal data we hold about you.
  • Ask us to correct inaccurate or incomplete data.
  • Ask for deletion where the law allows it.
  • Object to or restrict certain processing.
  • Request portability for data you provided, where applicable.
  • Withdraw consent where processing is based on consent.
  • Complain to a competent data protection authority.

We may need to verify your identity before responding to a privacy request. Requests can be sent to legal@validraft.net.

Contact

Privacy, support, and general requests

The legal boundary for Validraft services is described in the legal notice.