Privacy Policy
Last updated: April 2026
This Privacy Policy explains how Pine2Expert ("we", "us", "the Service") collects, uses and protects your personal data when you use pine2expert.com. We comply with the EU General Data Protection Regulation (GDPR) and the French Loi Informatique et Libertés.
1. Data Controller
The data controller responsible for your personal data is:
No Limit Development SARL
1724 chemin de la Piole Paul Venel, 83110 Sanary-sur-Mer, France
SIRET: 752 043 190 00038 — RCS Toulon
Email: [email protected]
For any privacy-related question or to exercise your rights, contact us at the email above with the subject line "GDPR request".
2. Data we collect
We collect the minimum data needed to operate the service:
- Account data: email address, hashed password (if you set one), Google OAuth identifier (if you sign in with Google), session tokens, account creation and last login timestamps.
- Service data: Pine Script source code you upload, generated MQL5 / .ex5 binaries, build logs, build status, target symbol and timeframe.
- Licensing data: MT5 broker login number and broker server name you provide to generate a license, license fingerprint of the MT5 instance.
- Billing data: purchase history (date, amount, plan). Payment card details are never stored on our servers — they are handled directly by Stripe (see §4).
- Technical data: IP address (for rate-limiting and abuse prevention), browser user-agent, request logs, error reports.
We do not collect special categories of data (health, religious, political opinions, etc.).
3. Why we process your data
| Purpose | Data | Legal basis (GDPR) |
|---|---|---|
| Create and maintain your account | Account data | Contract (Art. 6.1.b) |
| Transpile Pine Script and deliver MT5 binaries | Service data | Contract (Art. 6.1.b) |
| Generate and validate licenses | Licensing data | Contract (Art. 6.1.b) |
| Process payments and issue invoices | Billing data | Contract + legal obligation (Art. 6.1.b, 6.1.c) |
| Send transactional emails (magic link, receipts) | Email address | Contract (Art. 6.1.b) |
| Prevent abuse, fraud, ensure service security | Technical data, error reports | Legitimate interest (Art. 6.1.f) |
| Measure audience and improve the service | Analytics data (see §8) | Consent (Art. 6.1.a) |
| Comply with legal obligations (tax, accounting) | Billing data | Legal obligation (Art. 6.1.c) |
4. Sub-processors & third parties
We rely on the following sub-processors to operate the service. Each has its own privacy policy and provides appropriate guarantees under the GDPR:
| Provider | Purpose | Location |
|---|---|---|
| OVH SAS | Hosting (compute, storage) | France (EU) |
| Cloudflare, Inc. | CDN, DDoS protection, DNS | USA (with EU edge nodes) |
| Stripe Payments Europe Ltd. | Payment processing | Ireland (EU) |
| Google LLC (Google Sign-In) | Authentication (optional) | USA |
| Google LLC (Google Analytics 4) | Audience measurement (with consent) | USA |
We do not sell or rent your personal data to third parties. We may disclose data when required by law (court order, lawful request from authorities).
5. International transfers
Some of our sub-processors are based outside the European Economic Area (EEA), specifically in the United States. Transfers to these providers are protected by appropriate safeguards as required by Article 46 GDPR:
- Cloudflare, Stripe, Google: EU Standard Contractual Clauses (SCCs) and, where applicable, certification under the EU–US Data Privacy Framework.
You can request a copy of the safeguards used by contacting us.
6. Retention periods
- Account data: kept for as long as your account is active. Deleted upon account closure (see §7) or after 3 years of inactivity.
- Pine Script source & build artifacts: retained as long as your account is active so that builds can be regenerated. Deleted with the account.
- Billing data and invoices: retained for 10 years as required by French commercial law (Art. L.123-22 Code de commerce).
- Technical logs (IP, error reports): 90 days, then deleted or anonymized.
- Sessions: deleted on logout or after token expiration.
7. Your rights under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15): obtain a copy of the data we hold about you.
- Right to rectification (Art. 16): correct inaccurate or incomplete data.
- Right to erasure / "right to be forgotten" (Art. 17): request deletion of your data, subject to legal retention obligations (e.g. invoices kept 10 years).
- Right to restriction (Art. 18): ask us to suspend processing of your data in certain cases.
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format (JSON).
- Right to object (Art. 21): object to processing based on legitimate interest.
- Right to withdraw consent at any time, when consent is the legal basis (e.g. analytics cookies). Withdrawal does not affect prior lawful processing.
How to exercise your rights
Send your request by email to [email protected] with subject "GDPR request". We will respond within one month (extendable to three months for complex requests, in which case we will inform you within the first month). We may ask you to verify your identity before fulfilling the request.
8. Cookies & analytics
We use the following types of cookies and similar technologies:
Strictly necessary cookies (no consent required)
- Session cookie (session) — keeps you logged in. Expires when you log out.
- CSRF protection — security cookie to prevent cross-site request forgery.
Analytics cookies (consent required)
We use Google Analytics 4 (GA4) to understand how visitors use the site (pages viewed, traffic sources, device types). GA4 is loaded only after you give your explicit consent via our cookie banner. IP addresses are anonymized. You can withdraw your consent at any time through the cookie settings link in the site footer.
If you decline analytics cookies, only strictly necessary cookies are set and the site continues to function normally.
You can also block cookies in your browser settings or install the Google Analytics Opt-out Browser Add-on.
9. Security
We implement industry-standard technical and organizational measures to protect your data:
- HTTPS / TLS 1.3 encryption for all traffic.
- Passwords stored hashed with bcrypt.
- Session tokens with limited lifetime and HttpOnly cookies.
- Rate-limiting and abuse detection.
- Regular backups, stored encrypted.
- Restricted access to production systems on a need-to-know basis.
- Stripe-managed payment data — we never see your full card number.
No system is perfectly secure. In case of a personal data breach likely to result in a high risk to your rights, we will notify you and the supervisory authority (CNIL) within 72 hours, as required by Art. 33–34 GDPR.
11. Changes to this policy
We may update this Privacy Policy to reflect changes in the service, in applicable law, or in our practices. The "Last updated" date at the top of this page indicates when the most recent change was made. Material changes will be notified by email to registered users at least 14 days before they take effect.
12. Contact & complaints
For any question about this Privacy Policy or about the processing of your personal data, contact:
No Limit Development SARL
Email: [email protected]
Mail: 1724 chemin de la Piole Paul Venel, 83110 Sanary-sur-Mer, France
If you believe your data is processed in violation of GDPR, you have the right to lodge a complaint with the French supervisory authority (CNIL).