Privacy Policy
Last updated: February 18, 2026
This privacy policy explains how Hugo's Signals collects, uses, stores, and protects your personal data. We are committed to protecting your privacy in compliance with the EU General Data Protection Regulation (GDPR), Spain's Ley Orgánica de Protección de Datos y Garantía de los Derechos Digitales (LOPDGDD), and the Ley de Servicios de la Sociedad de la Información (LSSI-CE).
1. Data Controller
The data controller responsible for your personal data is:
Hugo Bento (sole proprietor)
Operating as: Hugo's Signals
Location: Pontevedra, Spain
Contact: hello@hugobento.com
Website: signals.hugobento.com
If you have any questions about how we handle your data, you can contact us at the email address above.
2. Data We Collect
We collect and process the following categories of personal data:
2.1 Account data
When you create an account, we collect:
- Email address
- Password (stored as a bcrypt hash, never in plaintext)
- Account role and subscription plan
2.2 Waitlist data
When you join the waitlist, we collect:
- Email address
- Trader persona/experience level (optional)
- IP address (for rate limiting and anti-abuse only)
2.3 Subscription and billing data
When you subscribe to a paid plan, payment processing is handled entirely by Stripe, Inc. We do not store your credit card number, CVV, or full payment details on our servers. We store:
- Stripe customer ID (a reference identifier)
- Subscription plan and status
- Billing history (invoices, amounts, dates)
Stripe's privacy policy is available at stripe.com/privacy.
2.4 Trading configuration data (Premium plan only)
If you use the Auto-Trader Premium plan and choose to connect a trading exchange account, we store:
- Exchange API keys (encrypted at rest using application-level encryption)
- Trading parameters and risk configuration
- Trade execution history and portfolio data retrieved from your exchange
We never store exchange passwords. API keys are configured with trade-only permissions (no withdrawal access) and are encrypted before being written to the database.
2.5 Usage and technical data
When you use the platform, we automatically collect:
- IP address
- Browser type and version
- Pages visited and features used
- Timestamps of interactions
- Error and performance logs (via Sentry)
2.6 Communication data
If you contact us by email, we store the content of your communications for the purpose of responding to your inquiry.
3. How We Use Your Data
We process your personal data for the following purposes, each with a corresponding legal basis under GDPR Article 6:
| Purpose | Legal Basis |
|---|---|
| Providing and operating the platform (account management, signal delivery, trade execution) | Performance of contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Performance of contract (Art. 6(1)(b)) |
| Sending transactional emails (signal notifications, account updates, billing) | Performance of contract (Art. 6(1)(b)) |
| Sending marketing communications (product updates, new features) | Consent (Art. 6(1)(a)) |
| Preventing fraud, abuse, and ensuring platform security | Legitimate interest (Art. 6(1)(f)) |
| Monitoring errors and improving platform reliability | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations (tax, regulatory) | Legal obligation (Art. 6(1)(c)) |
We do not sell, rent, or trade your personal data to third parties for marketing purposes. We never have and never will.
4. Third-Party Services
We use the following third-party services to operate the platform. Each processes data on our behalf or as an independent controller:
| Service | Purpose | Data shared | Location |
|---|---|---|---|
| Stripe | Payment processing | Email, billing details | US (EU SCCs in place) |
| Sentry | Error monitoring | User ID, email, error context | US (EU SCCs in place) |
| OpenAI / DeepSeek | AI signal generation | Market data only (no personal data) | US / China |
| Hosting provider | Infrastructure | All platform data | EU |
| Email service | Transactional email delivery | Email address, message content | EU/US |
Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) or adequacy decisions.
5. Data Retention
We retain your personal data only for as long as necessary for the purposes described in this policy:
- Account data: retained while your account is active and for 30 days after deletion request, to allow for recovery.
- Waitlist data: retained until you unsubscribe or until the waitlist is no longer needed, whichever comes first.
- Billing data: retained for the period required by Spanish tax law (minimum 4 years under Ley General Tributaria; 6 years under Código de Comercio for commercial records).
- Trading API keys: deleted immediately upon account deletion or when you remove the exchange connection.
- Error logs: retained for up to 90 days.
- Communication data: retained for up to 2 years after the last interaction.
6. Your Rights Under GDPR
As a data subject under the GDPR and LOPDGDD, you have the following rights:
- Right of access: request a copy of all personal data we hold about you.
- Right to rectification: request correction of inaccurate or incomplete personal data.
- Right to erasure: request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
- Right to restriction: request that we limit how we process your data in certain circumstances.
- Right to data portability: receive your data in a structured, commonly used, machine-readable format.
- Right to object: object to processing based on legitimate interests, including profiling.
- Right to withdraw consent: withdraw consent at any time where processing is based on consent, without affecting prior processing.
- Right to lodge a complaint: file a complaint with the Spanish Data Protection Authority (AEPD) at aepd.es.
To exercise any of these rights, contact us at hello@hugobento.com. We will respond within 30 days as required by GDPR.
7. Cookies and Similar Technologies
Hugo's Signals uses the following types of cookies:
| Cookie type | Purpose | Required? |
|---|---|---|
| Essential / session cookies | Authentication, CSRF protection, session management | Yes (strictly necessary) |
| Preference cookies | Remember user settings and display preferences | No (consent-based) |
We do not currently use analytics cookies, advertising cookies, or third-party tracking pixels. If this changes in the future, we will update this policy and implement a cookie consent mechanism as required by the LSSI-CE and the ePrivacy Directive.
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS)
- Application-level encryption for sensitive data at rest (exchange API keys, credentials)
- Password storage using bcrypt hashing
- Rate limiting on authentication and API endpoints
- Role-based access control within the platform
- Regular dependency updates and security monitoring
No system is 100% secure. If you discover a security vulnerability, please report it to hello@hugobento.com and we will address it promptly.
9. Children's Privacy
Hugo's Signals is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.
10. International Data Transfers
Some of our third-party service providers are based outside the EEA (see Section 4). Where personal data is transferred outside the EEA, we rely on:
- EU Standard Contractual Clauses (SCCs) adopted by the European Commission
- Adequacy decisions where available
- The specific safeguards described in each provider's data processing agreement
11. Changes to This Policy
We may update this privacy policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify registered users by email if the changes materially affect how we process their data
- Where required by law, obtain fresh consent before applying new processing activities
We encourage you to review this page periodically.
12. Contact
For any privacy-related questions, requests, or concerns:
Email: hello@hugobento.com
Supervisory authority: Agencia Española de Protección de Datos (AEPD) — www.aepd.es