Privacy Policy
Last updated:
This Privacy Policy explains how EX7 Capital Corp. (o/a ex7capital) collects, uses, discloses, retains, and protects personal information when you use the Service. It should be read together with our Terms of Service and Risk Disclosure Statement.
1. Scope and Application
This Privacy Policy describes how EX7 Capital Corp. collects, uses, discloses, retains, and protects the personal information of individuals who access the Service at ex7capital.com or any connected application, dashboard, or interface (the "Service").
What the Service is. EX7 is impersonal, analytical software — in plain words, a complex "calculator" — for the quantitative research of futures contracts listed on the Chicago Mercantile Exchange (CME). The Service is not a broker-dealer, futures commission merchant (FCM), introducing broker, commodity trading advisor (CTA), commodity pool operator (CPO), registered investment adviser (RIA), portfolio manager, derivatives adviser, or custodian. It does not execute, route, or copy orders, does not custody funds, and does not provide personalized advice or recommendations. This characterization is material to how we process personal information: we do not collect brokerage account credentials, we do not hold client money, and we do not build individualized investment profiles.
This Policy is designed to comply with:
- The Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5;
- The Quebec Act respecting the protection of personal information in the private sector (Law 25), as amended;
- The Alberta Personal Information Protection Act and the British Columbia Personal Information Protection Act;
- The California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA/CPRA");
- The U.S. state comprehensive privacy laws of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Maryland (MODPA), Oregon (OCPA), Montana (MCDPA), Delaware (DPDPA), Iowa (ICDPA), Indiana (INCDPA), Tennessee (TIPA), New Hampshire (NHPA), New Jersey (NJDPA), Kentucky (KCDPA), Minnesota (MNCDPA), and Rhode Island (RIDTPPA), to the extent applicable;
- The CAN-SPAM Act (15 U.S.C. §§7701–7713) and Canada's Anti-Spam Legislation (CASL), S.C. 2010, c. 23;
- Other applicable privacy and data-protection statutes in jurisdictions where the Service is offered.
The Service is not directed to children under 13. We do not knowingly collect personal information from children. Account creation requires a representation that the user is at least 18 years of age. We are not a HIPAA-covered entity, and the Service is not designed to collect protected health information. We are not a "financial institution" under the U.S. Gramm-Leach-Bliley Act because we do not custody funds and are not registered as a CTA, CPO, broker-dealer, or investment adviser.
Jurisdictions where the Service is offered. The Service is offered only in the jurisdictions listed in Section 3 (Eligibility) of the Terms of Service (currently the United States, Canada, the United Kingdom, and Australia; the European Economic Area is geoblocked in v1). That list is single-sourced in the Terms of Service so the two documents cannot drift. Some of our subprocessors process data in the United States or the European Union (for example, Plausible, which processes cookieless analytics in the EU); this reflects a data-processing location only and does not mean the Service is offered to, or directed at, residents of those regions.
2. Privacy Officer
In accordance with PIPEDA Principle 4.1 and Quebec Law 25 §3.1, the function of Privacy Officer (the person in charge of the protection of personal information) has been delegated in writing by the person exercising the highest authority within EX7 Capital Corp. (the Chief Executive Officer, Vicente Carracedo) to [counsel to confirm: name/title of delegate], reachable at the address below. If no delegation is in effect, the Chief Executive Officer retains the function by default. The title and contact information of the person in charge are published on ex7capital.com as required by Law 25 §3.1.
Privacy Officer
EX7 Capital Corp.
Email: privacy@ex7capital.com
You may contact the Privacy Officer with any question, access request, correction request, deletion request, portability request, or complaint regarding the handling of your personal information.
3. Personal Information We Collect
We collect only the personal information reasonably necessary to provide and improve the Service.
3.1 Information you provide
- Account information: name, email address, country of residence, language preference, hashed password (bcrypt), and optional Telegram handle.
- Billing information for your software subscription fee: Stripe customer ID and the last four digits of the card / card brand (tokenized — full card data never touches our systems and is held by Stripe under PCI-DSS). Billing address as required by Stripe Tax and tax-authority compliance. We charge only for access to the software; we never receive, hold, or transmit trading funds, margin, or deposits.
- Strategy configurations: parameters, JSON blobs, natural-language descriptions, and other content you upload or create for analytical research within the software.
- Communication preferences: opt-in to marketing email (revocable at any time).
- Customer support content: anything you send us through email, ticket, or chat.
SMS / phone numbers. SMS alerts are not currently offered. We do not presently collect phone numbers. If SMS alerts are enabled in the future, a phone number will be collected only then, with express opt-in for CASL compliance, and the SMS provider (Twilio) will be added as a subprocessor through the subprocessor-update process described in Section 6.
3.2 Information collected automatically
- Usage analytics: pages visited, features used, click events, and session duration. Collected via Plausible (cookieless) by default; we do not run Google Analytics with advertising features.
- Device and connection metadata: IP address, browser type, operating system, device type, language, time zone, and screen resolution.
- Cookies and similar technologies: session cookies (strictly necessary) and preference cookies (functional). See Section 9.
- Error logs: server-side error reports with personal data minimized and scrubbed before logging.
3.3 Information from third parties
- Stripe sends us transactional events (subscription created, payment failed, refund issued).
- Telegram sends us a chat_id mapping when a user enables Telegram alerts.
- Authentication providers (if you sign in with a third-party identity provider) provide your name and email per the OAuth permission you granted.
We do not buy data brokers' lists, scrape social media, or enrich profiles with third-party datasets.
4. Why We Collect Personal Information (Purposes)
We use personal information for the following purposes (PIPEDA Principle 4.2):
- To operate the Service and provide its core analytical-software features (impersonal quantitative research, backtesting, configurable alerts, and general educational content), none of which constitute personalized advice or recommendations;
- To process subscription-fee payments and prevent fraud (via Stripe; Stripe is the payment processor and EX7 never custodies funds);
- To send transactional emails and notifications (account, billing, security, and alerts you have opted into);
- To send marketing communications, with your express opt-in only, in compliance with CAN-SPAM and CASL;
- To improve the Service and develop new features, using aggregated and de-identified usage data;
- To provide customer support;
- To detect, prevent, and respond to security incidents, fraud, and abuse;
- To comply with legal, regulatory, and tax-reporting obligations.
We rely on the following legal bases under PIPEDA Principle 4.3 (meaningful, informed consent):
- Express consent for marketing communications, Telegram integration, any future SMS alerts, and any processing of "sensitive" information.
- Implied consent for account creation, payment processing, and provision of the Service, where the purpose is obvious from context.
- Legal obligation for tax records and breach-response obligations.
5. How We Share Personal Information
We do not sell personal information for monetary consideration. We do not "share" personal information for cross-context behavioral advertising (within the meaning of CCPA/CPRA).
We disclose personal information only to the following categories of recipients:
- Service providers and subprocessors that help us operate the Service, listed in Section 6.
- Legal recipients, where required by law, subpoena, court order, or regulatory request, and only after reviewing the legal sufficiency of the request.
- Successor entities, in connection with a merger, acquisition, or sale of substantially all of EX7's assets. Any such business-transaction disclosure is conditioned on a written agreement that limits use of the personal information to the transaction, imposes confidentiality, and requires the return or destruction of the information if the transaction does not proceed (Quebec Law 25 §18.4; PIPEDA s. 7.2). Where required, affected individuals will be notified after a completed transaction.
We will notify users in advance of any change to the categories of recipients to the extent required by applicable law.
5.1 CCPA Business-Purpose Disclosure Mapping
For the business purposes in Section 4, in the preceding 12 months we disclosed the following categories of personal information to the categories of service providers in Section 6 (CCPA §1798.130(a)(5)(C)–(D)):
- Identifiers and contact data (name, email, IP, device metadata) — to hosting, transactional email, and cookieless analytics providers;
- Commercial / billing information (Stripe customer ID, last-four/card brand, billing address) — to payment processing;
- User-generated content (strategy configurations and natural-language descriptions) — to the LLM strategy-translation provider.
We disclosed no personal information for monetary or other valuable consideration. We did not sell or share personal information.
6. Subprocessors
We use the following subprocessors. Each is bound by a Data Processing Agreement (DPA) or equivalent contractual protections.
- Stripe, Inc. — Purpose: Payment processing, tax calculation, billing; Location: United States; DPA: Yes (auto-incorporated)
- Supabase — Purpose: Database hosting; Location: Canada (ca-central-1) where available; DPA: Yes
- Vercel, Inc. — Purpose: Web app hosting, CDN/edge, DDoS protection; Location: United States; DPA: Yes (auto-incorporated)
- Resend — Purpose: Transactional email; Location: United States; DPA: Yes
- Plausible — Purpose: Cookieless analytics; Location: European Union; DPA: Yes
- Anthropic / alternative LLM provider — Purpose: Natural-language strategy translation ("Vix"); Location: United States or other (provider-agnostic architecture); DPA: Yes
- Telegram Bot API (if user enabled) — Purpose: Telegram alerts; Location: User-chosen channel; no formal DPA available; DPA: See Section 7
The list above is maintained current in this Section 6 of the Privacy Policy and is available on request. Material additions to this list — including any future hosted error-monitoring vendor, any future CDN/security provider placed in front of our infrastructure, and any future SMS provider (Twilio) if SMS alerts ship — will be communicated in advance by email or in-app notification before that subprocessor begins processing personal information.
7. Cross-Border Data Transfers
Many of our subprocessors are based in or process data in the United States. We rely on contractual safeguards (DPAs incorporating standard contractual clauses or substantially equivalent protections) and limit data to the minimum necessary.
Quebec residents (Law 25 §17). For personal information of Quebec residents, EX7 conducts a privacy impact assessment before any communication of personal information outside Quebec. We communicate the information only where the assessment establishes that it will receive protection adequate in light of generally recognized principles, taking into account (i) the sensitivity of the information, (ii) the purpose of the transfer, (iii) the protections in place (including contractual safeguards), and (iv) the legal regime of the recipient jurisdiction. Each such transfer is governed by a written agreement that takes the conclusions of the assessment into account; the DPAs referenced in Section 6 serve as those written agreements. These assessments are available on request.
Telegram. Telegram is a user-chosen alert channel. Telegram does not offer a formal DPA. If you enable Telegram alerts, messages will transit Telegram's servers under their Bot API Terms of Service. You can disable Telegram alerts at any time.
8. Data Retention
We retain each category of personal information only as long as necessary to achieve the purpose for which it was collected. Once that purpose is achieved and no legal hold or applicable limitation period requires continued retention, we destroy or anonymize the information (Quebec Law 25 §23, including anonymization in accordance with the Quebec anonymization regulation; PIPEDA Principle 4.5). Purpose-limitation — not the mere existence of an account — governs how long any individual data element is kept.
- Active account personal information — Retained while necessary to provide the Service to you and to support the account; destroyed or anonymized once that purpose is achieved and no legal hold applies
- Closed account personal information (excluding billing) — 30-day grace period, then destroyed or anonymized within 30 days, subject to backups (maximum 12 months) and any legal hold
- Strategy configurations and user content — Same as account, plus a user-initiated export window (60 days post-closure under Quebec Law 25 / CCPA portability rights), then destroyed or anonymized
- Billing records (invoices, Stripe records) — 7 years (Canadian Income Tax Act §230; U.S. IRS recommended retention), then destroyed or anonymized
- Server logs (IP, device metadata) — 90 days, then destroyed or anonymized
- Error reports — 30 days, then destroyed or anonymized
- Breach / confidentiality-incident records (PIPEDA §10.3; Law 25) — 24 months
- Marketing-consent records (CASL) — 10 years from the most recent opt-in or interaction
9. Cookies and Tracking Technologies
We use the following categories of cookies and similar technologies:
- Strictly necessary (session, CSRF, authentication). No consent required.
- Functional (language preference, UI state). Consent required under Quebec Law 25 §8.1.
- Analytics (Plausible — cookieless by default).
We do not use cookies for advertising or cross-context behavioral advertising. We do not sell or share personal information for cross-context behavioral advertising as defined by CCPA/CPRA.
Opt-in default for Quebec. Pursuant to Law 25 §8.1, any technology that identifies, locates, or profiles a user is disabled by default for Quebec residents. More broadly, for any EX7 technological product or service that collects personal information and offers privacy parameters, those confidentiality parameters are set to the highest level of confidentiality by default (Law 25 §9.1).
Universal opt-out / Global Privacy Control (GPC). We honor the Global Privacy Control (GPC) signal as an opt-out of the sale/share of personal information and of targeted advertising for all users in states whose laws require recognition of a universal opt-out mechanism — including California, Colorado, Connecticut, Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, and Minnesota — pursuant to CCPA Regulations 11 CCR §7025 and the universal-opt-out-mechanism provisions of the applicable state regulations. We honor GPC for all other users by default.
10. Automated Decision-Making
We do not make significant automated decisions about you that produce legal or similarly significant effects.
For clarity, the Service's analytical outputs — backtests, strategy evaluations, and alerts — are impersonal software computations applied to publicly available CME-listed futures data at your direction. They are not decisions about you as an individual, they do not profile you, and they do not constitute personalized advice or recommendations.
If we ever introduce a decision based exclusively on automated processing that produces legal or similarly significant effects about an individual (for example, automated account risk scoring), we will, in accordance with Quebec Law 25 §12.1:
- inform the individual, at the time of or before the decision, that the decision is based exclusively on automated processing;
- on request, disclose (a) the personal information used to render the decision, (b) the reasons and the principal factors and parameters that led to it, and (c) the individual's right to have that personal information corrected;
- afford the individual the right to submit observations to a member of our staff who is in a position to review the decision; and
- disclose the logic involved at a high level and update this Policy accordingly.
11. Your Rights
Subject to applicable law, you have the following rights regarding your personal information:
- Right of access to personal information we hold about you (PIPEDA, Law 25, CCPA, and the VCDPA family);
- Right of correction of inaccurate or incomplete data;
- Right of deletion (also called the "right to be forgotten") in Quebec, California, and VCDPA-family states. Under PIPEDA, this right is fulfilled via consent withdrawal;
- Right of portability — to receive a copy of your data in a machine-readable format (JSON or CSV), per Quebec Law 25 §27 (the data-portability component of the right of access) and the CCPA;
- Right to de-indexing / cessation of dissemination (Quebec Law 25 §28.1);
- Right to opt out of marketing, automated profiling, and (where applicable) the "sale" or "sharing" of personal information;
- Right of appeal of any denial in jurisdictions that require it (VA, CO, CT, MD, and others);
- Right to a default of highest confidentiality — for any EX7 product or service offering privacy parameters, those parameters are set to the highest level of confidentiality by default (Law 25 §9.1);
- Right to complain to a regulator: the Office of the Privacy Commissioner of Canada (OPC), the Commission d'accès à l'information du Québec (CAI), the Information and Privacy Commissioner of Alberta, the Information and Privacy Commissioner for British Columbia, the California Attorney General, or any other relevant authority.
Response timelines. We respond to verified requests within the timelines set by each applicable law:
- PIPEDA: within thirty (30) days of receipt, extendable by up to a further thirty (30) days in the circumstances permitted by PIPEDA s. 8(3)–(4), with notice of the extension.
- Quebec Law 25: within thirty (30) days, with written reasons for any refusal and notice of your recourse to the CAI.
- Alberta PIPA and British Columbia PIPA: within forty-five (45) business days, extendable as permitted by those statutes.
- CCPA/CPRA: we will acknowledge receipt within ten (10) business days and substantively respond within forty-five (45) days, extendable once by an additional forty-five (45) days with notice.
- VCDPA-family states: within forty-five (45) days, extendable once by an additional forty-five (45) days with notice.
Appeals (VCDPA family). If we deny your request, you may appeal by emailing privacy@ex7capital.com with the subject line "Privacy Appeal." We will respond to your appeal within sixty (60) days. If your appeal is denied, you may submit a complaint to your state Attorney General.
To exercise these rights, contact the Privacy Officer at privacy@ex7capital.com. We will not discriminate against you for exercising your privacy rights.
12. Security
We implement reasonable administrative, technical, and physical safeguards designed to protect personal information against loss, theft, and unauthorized access, disclosure, copying, use, or modification. These include:
- TLS encryption in transit;
- Encryption at rest for stored personal information;
- Bcrypt-hashed passwords;
- Access controls and least-privilege provisioning;
- Routine security review and dependency monitoring;
- PII minimization and scrubbing in error logs;
- Subprocessor due diligence;
- Internal incident-response procedures.
No security system is impenetrable. If we become aware of a breach of security safeguards involving personal information, we will respond pursuant to our breach-response plan and applicable law.
13. Breach Notification
If we determine that there has been a breach of security safeguards (a "confidentiality incident" under Quebec Law 25) involving personal information that poses a "real risk of significant harm" (RROSH) under PIPEDA §10.1, or a risk that serious injury is caused under Quebec Law 25 (Private Sector Act §3.5–3.8), we will:
- Notify affected individuals promptly / with diligence;
- Notify the Office of the Privacy Commissioner of Canada;
- Notify the Commission d'accès à l'information du Québec promptly / with diligence (as an internal operational target, we aim to notify within 72 hours, consistent with CAI guidance; Law 25 itself sets no fixed statutory hour-deadline);
- Notify the relevant state attorney general or other authority as required by applicable U.S. state breach laws;
- Take reasonable measures to reduce the risk of injury and to prevent recurrence; and
- Maintain a register of all confidentiality incidents — not only those reaching the notification threshold — and provide that register to the CAI on request (Law 25, Private Sector Act §3.8), and maintain a record of all breaches of security safeguards for at least 24 months (PIPEDA §10.3).
14. CAN-SPAM and CASL — Email and SMS
For commercial electronic messages, we comply with both CAN-SPAM (United States) and CASL (Canada).
- We send marketing messages only with express opt-in from the recipient (CASL standard).
- Every marketing message includes a functional unsubscribe link that takes effect within ten (10) business days under CAN-SPAM and immediately under CASL.
- We maintain consent records for at least 10 years (CASL).
- Our postal address (see Section 17) appears in every marketing email; that address must be finalized before any marketing email is sent.
- Transactional messages (password reset, billing receipts, security notifications, and user-configured strategy alerts) are exempt from the marketing-consent rules but remain subject to general accuracy and non-deception requirements.
SMS marketing and SMS alerts are not currently offered. If SMS is enabled in the future, it will be sent only with express opt-in and will be subject to the same CAN-SPAM and CASL requirements above, and Twilio will be added as a subprocessor under Section 6.
15. Children
The Service is not directed to children under 13, and we do not knowingly collect their personal information. Account creation requires a representation that the user is at least 18 years of age. If we learn that we have collected information from a child under 13 without verifiable parental consent, we will delete it.
16. Modifications
We may amend this Policy from time to time. The "Effective date" at the top of this document will be updated. For material changes, we will provide reasonable advance notice by email or in-app notification. For Quebec residents, if a change introduces a new purpose or a new use of previously collected information (including any new use of sensitive information), we will obtain consent as required by Law 25 §12–§14 before that new use takes effect for those individuals; for other material changes we provide advance notice and updated terms.
17. Contact
Privacy Officer
EX7 Capital Corp. (o/a ex7capital)
Email: privacy@ex7capital.com
Legal / general: legal@ex7capital.com
[counsel to confirm: registered postal address of EX7 Capital Corp.'s registered office in the Province of Ontario, Canada]
You may also contact the:
- Office of the Privacy Commissioner of Canada, 30 Victoria Street, Gatineau, QC K1A 1H3, www.priv.gc.ca
- Commission d'accès à l'information du Québec, www.cai.gouv.qc.ca
- Office of the Information and Privacy Commissioner of Alberta, www.oipc.ab.ca
- Office of the Information and Privacy Commissioner for British Columbia, www.oipc.bc.ca
- California Attorney General — Privacy Enforcement, oag.ca.gov/privacy