Privacy Policy.

Operated by Lucerna Labs Limited
Company Registration Number: 16577262
Registered Address: 25 Dunkellin Way, South Ockendon, England, RM15 5ES

1. Introduction

Waterfall Markets ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services.

By using our services, you agree to the collection and use of information in accordance with this policy.


Your privacy is important to us. We are committed to protecting your personal information.


2. Information We Collect

We collect information you provide directly to us and information we obtain automatically when you use our services.

Personal Information:

  • Name and contact information (email, phone number)

  • Identification documents for verification purposes

  • Payment information (processed securely through third-party providers)

  • Trading account information and performance data

  • Communication records with our support team

Automatically Collected Information:

  • IP address and location data

  • Browser type and version

  • Device information

  • Usage patterns and preferences

  • Cookies and similar technologies


3. How We Use Your Information

We use the information we collect for various purposes related to providing and improving our services.

Service Provision:

  • Create and manage your trading accounts

  • Process payments and transactions

  • Provide customer support and technical assistance

  • Verify your identity and prevent fraud

  • Comply with legal and regulatory requirements

Service Improvement:

  • Analyze usage patterns to improve our services

  • Develop new features and functionality

  • Monitor system performance and security

  • Conduct research and analytics


4. Information Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information only in limited circumstances.

We May Share Information:

  • With service providers who assist our operations (payment processors, hosting providers)

  • To comply with legal obligations or court orders

  • To protect our rights and prevent fraud

  • In connection with a business transfer or acquisition

  • With your explicit consent


We never sell your personal information to third parties for marketing purposes.


5. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.

Security Measures:

  • SSL/TLS encryption for data transmission

  • Secure server infrastructure with regular security audits

  • Access controls and authentication requirements

  • Regular security updates and patches

  • Employee training on data protection

While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.


6. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience and analyze website usage.

Types of Cookies We Use:

| Type | Purpose | Duration |
| --- | --- | --- |
| Essential Cookies | Enable website functionality and security | Session |
| Analytics Cookies | Track website usage and performance | 2 years |
| Preference Cookies | Remember your settings and preferences | 1 year |

You can control cookie settings through your browser preferences. However, disabling certain cookies may affect website functionality.


7. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for such transfers.

When we transfer data internationally, we implement measures such as standard contractual clauses or adequacy decisions to protect your information.


8. Data Retention

We retain your personal information for as long as necessary to provide our services and comply with legal obligations.

Retention Periods:

  • Account information: Retained while your account is active and for 7 years after closure

  • Payment information: Retained for 7 years for tax and regulatory compliance

  • Communication records: Retained for 3 years or as required by law

  • Analytics data: Anonymized after 2 years


9. Your Rights

You have certain rights regarding your personal information, subject to applicable laws.

Your Rights Include:

  • Access: Request a copy of your personal information

  • Rectification: Correct inaccurate or incomplete information

  • Erasure: Request deletion of your personal information

  • Restriction: Limit how we process your information

  • Portability: Receive your data in a structured format

  • Objection: Object to processing based on legitimate interests

To exercise these rights, please contact us using the information provided below.


10. GDPR Compliance and Data Subject Rights

If you are located in the European Economic Area (EEA) or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR) and UK GDPR. We are committed to complying with these regulations and respecting your data subject rights.

GDPR Data Subject Rights:

  • Right to Information: You have the right to be informed about how we collect and use your personal data

  • Right of Access: You can request a copy of your personal data and information about how it's processed

  • Right to Rectification: You can have inaccurate personal data rectified or incomplete data completed

  • Right to Erasure ("Right to be Forgotten"): You can request deletion of your personal data in certain circumstances

  • Right to Restriction of Processing: You can request limitation of how we process your data

  • Right to Data Portability: You can receive your data in a structured, commonly used format

  • Right to Object: You can object to processing based on legitimate interests or for direct marketing

  • Right to Withdraw Consent: You can withdraw consent at any time where processing is based on consent

  • Right to Complain: You can lodge a complaint with a supervisory authority

Lawful Bases for Processing:

We process your personal data based on the following lawful bases:

  • Contract: Processing necessary for the performance of our contract with you

  • Legitimate Interests: Processing necessary for our legitimate business interests

  • Legal Obligation: Processing necessary to comply with legal obligations

  • Consent: Processing based on your explicit consent

  • Vital Interests: Processing necessary to protect vital interests

  • Public Task: Processing necessary for the performance of a public task

Exercising Your Rights:

To exercise any of these rights, please contact our Data Protection Officer using the information provided below. We will respond to your request within 30 days as required by GDPR.


If you are located in the EEA or UK, you have enhanced data protection rights. Contact our Data Protection Officer to exercise these rights.


11. Detailed Cookie Policy

Cookies are small text files that are stored on your device when you visit our website. We use cookies to enhance your browsing experience, analyze website traffic, and personalize content.

Cookie Categories:

| Category | Description | Examples | Legal Basis |
| --- | --- | --- | --- |
| Essential Cookies | Necessary for website functionality and security | Session management, CSRF protection, authentication | Legitimate interest |
| Analytics Cookies | Track website usage and performance metrics | Google Analytics, visitor statistics, page views | Consent |
| Functional Cookies | Remember your preferences and settings | Language selection, theme preferences, layout choices | Consent |
| Marketing Cookies | Deliver relevant advertisements and track campaigns | Ad targeting, retargeting, conversion tracking | Consent |
| Third-Party Cookies | Set by third-party services integrated with our site | Social media plugins, payment processors, live chat | Consent |

Specific Cookies We Use:

  • _ga: Google Analytics - Tracks website usage (2 years)

  • _gid: Google Analytics - Session tracking (24 hours)

  • __stripe_sid: Stripe - Payment processing security (30 minutes)

  • waterfall_session: Our platform - User authentication (session)

  • theme_preference: User interface - Remember theme choice (1 year)

  • language: Localization - Remember language preference (1 year)

Managing Cookies:

  • Browser Settings: Most browsers allow you to control cookies through settings preferences

  • Opt-out Links: Use our cookie consent banner to manage preferences

  • Third-Party Tools: Services like optout.aboutads.info for interest-based advertising

  • Incognito Mode: Using private browsing prevents cookie storage

Please note that disabling certain cookies may affect the functionality of our website and limit your ability to use some features.


You can withdraw your consent for non-essential cookies at any time by updating your cookie preferences or contacting us.


12. Data Breach Notification

In the event of a personal data breach that poses a risk to individuals' rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals.

Our Breach Response Process:

  • Detection: Continuous monitoring and automated alerts for security incidents

  • Assessment: Immediate evaluation of breach scope, impact, and risks

  • Containment: Rapid response to contain the breach and prevent further data exposure

  • Notification: Inform affected individuals and authorities as required by law

  • Remediation: Implement measures to prevent similar incidents

  • Documentation: Maintain detailed records of all breaches and responses

What We Will Notify You About:

  • The nature of the personal data breach

  • Contact details of our Data Protection Officer

  • Likely consequences of the personal data breach

  • Measures we have taken or propose to take to address the breach

  • Recommendations to mitigate potential adverse effects

Regulatory Compliance:

We comply with all applicable data breach notification requirements, including:

  • GDPR Articles 33-34 (EEA residents)

  • UK GDPR (UK residents)

  • ICO notification requirements

  • Other relevant data protection regulations


In case of a data breach, we will notify affected individuals without undue delay and provide clear information about the incident.


13. International Data Transfers and Safeguards

Your personal data may be transferred to and processed in countries other than your own. We ensure that appropriate safeguards are in place to protect your data during international transfers.

Transfer Mechanisms:

  • Adequacy Decisions: Transfers to countries deemed adequate by the European Commission

  • Standard Contractual Clauses: EU-approved contractual safeguards for data transfers

  • Binding Corporate Rules: Internal rules governing data transfers within our corporate group

  • Certification Schemes: Compliance with approved certification mechanisms

  • Other Safeguards: Additional contractual or technical measures as needed

Data Processing Locations:

Your data may be processed in the following locations:

  • United Kingdom: Primary data processing and storage (London data center)

  • European Union: Backup facilities and cloud services (Ireland, Netherlands)

  • United States: Analytics services and payment processing (with appropriate safeguards)

  • Other Countries: As required for service delivery with GDPR-compliant protections

Third-Party Processors:

We use the following categories of third-party processors:

  • Cloud Service Providers: Amazon Web Services (AWS), Google Cloud Platform (GCP)

  • Payment Processors: Stripe, PayPal (certified for data protection)

  • Analytics Services: Google Analytics, Mixpanel (with data processing agreements)

  • Customer Support: Zendesk, Intercom (GDPR-compliant platforms)

  • Email Services: SendGrid, Mailchimp (with data protection safeguards)

All third-party processors are contractually obligated to maintain appropriate technical and organizational measures to protect your personal data.


We only transfer data to countries that provide adequate protection or implement appropriate safeguards as required by GDPR.


14. Automated Decision Making and Profiling

We may use automated decision-making processes and profiling in certain circumstances to provide our services and improve user experience.

Automated Decision-Making:

  • Fraud Detection: Automated systems to detect suspicious trading patterns and potential fraud

  • Risk Assessment: Evaluation of trading account risk based on performance metrics

  • Account Verification: Automated identity verification and document processing

  • Payment Processing: Automated approval of payment transactions

Profiling Activities:

  • User Segmentation: Grouping users based on trading behavior and preferences

  • Personalized Content: Delivering tailored educational content and recommendations

  • Risk Profiling: Assessing trading risk profiles for account management

  • Performance Analytics: Analyzing trading patterns to provide insights

Your Rights:

You have the right to:

  • Be informed about automated decision-making processes

  • Obtain human intervention in automated decisions

  • Express your point of view about automated decisions

  • Contest automated decisions and request human review

  • Withdraw consent for profiling activities

For high-risk automated decisions (such as account termination), we ensure human oversight and provide clear reasoning for decisions.


You can request human review of any automated decision that significantly affects you by contacting our support team.


15. Third-Party Services

Our services may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of these third parties.

Third-Party Services Include:

  • Payment processors (Stripe, PayPal)

  • Trading platforms (WaterfallTrader)

  • Analytics providers

  • Customer support tools


16. Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.

Data Portability Process:

  • Request Submission: Contact us with your data portability request

  • Verification: We will verify your identity and request details

  • Data Compilation: We gather all your personal data in portable format

  • Secure Delivery: Data provided via secure download or encrypted transfer

  • Direct Transfer: Where technically feasible, direct transfer to another controller

Data Included in Portability:

  • Account information and registration details

  • Trading history and performance data

  • Communication records and support tickets

  • Payment information (redacted for security)

  • Profile settings and preferences

  • Educational progress and course completions

We will provide your data in JSON or CSV format, depending on the type of information. Direct transfers to other controllers are available for compatible services.


Data portability requests are processed within 30 days and are provided free of charge.


17. Data Subject Access Request (DSAR) Procedure

A Data Subject Access Request (DSAR) allows you to obtain information about the personal data we hold about you and how we process it.

How to Submit a DSAR:

  • Email: Send your request to support@waterfallmarkets.com

  • Portal: Use our online privacy portal for registered users

  • Mail: Send written requests to our registered address

  • Phone: Call our Data Protection Officer directly

Required Information:

  • Full name and contact details

  • Account email address or user ID

  • Description of information requested

  • Time period for the request (if applicable)

  • Proof of identity (passport, driver's license, or other official document)

DSAR Response Timeline:

  • Acknowledgment: Within 5 working days of receipt

  • Processing: Up to 30 days for complex requests

  • Extension: Additional 60 days for very complex requests (with notification)

  • Response: Free of charge for initial requests

What We Will Provide:

  • Confirmation of whether we process your personal data

  • Copy of your personal data in our possession

  • Purposes of processing and legal bases

  • Recipients or categories of recipients of your data

  • Retention periods for your data

  • Your rights regarding the data

  • Source of the data if not collected from you


We take DSARs seriously and ensure all requests are handled promptly and securely. There is no fee for the first DSAR in any 12-month period.


18. Children's Privacy

Our services are not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18.

If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly and notify the child's parent or guardian.

We may collect information about children in limited circumstances, such as for account verification or legal compliance, but only with explicit parental consent where required by law.


19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Notification Methods:

  • Updated "Last updated" date on this page

  • Email notification to registered users for material changes

  • In-app notifications for mobile users

  • Website banner announcements

  • Blog posts or news updates

Your continued use of our services after any changes constitutes acceptance of the updated Privacy Policy. We encourage you to review this policy periodically.

Material Changes:

We consider the following types of changes to be material:

  • Changes to the types of personal data we collect

  • New purposes for processing personal data

  • Changes to data sharing practices

  • Modifications to your rights or our obligations

  • Updates to contact information or responsible parties


20. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

  • Support: support@waterfallmarkets.com

  • Website: waterfallmarkets.com

  • Address: 25 DUNKELLIN WAY, SOUTH OCKENDON, ENGLAND RM15 5ES

We will respond to your inquiries within 30 days.


This Privacy Policy is effective as of November 27, 2025, and will remain in effect except with respect to any changes in its provisions in the future.
