Privacy Policy

Last updated: December 2025

1. Introduction and Data Controller

SnipeRoute ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our trade instruction routing service ("Service").

Data Controller: SnipeRoute is the data controller responsible for your personal data. For data protection inquiries, you may contact our Data Protection Officer at:

Email: dpo@sniperoute.io

This policy complies with applicable data protection laws, including the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection, the DIFC Data Protection Law 2020, the ADGM Data Protection Regulations 2021, and the EU General Data Protection Regulation (GDPR) where applicable.

2. Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide the Service you have requested, including receiving trade intents, routing order instructions to your broker, and managing your account.
  • Legitimate Interests: Processing necessary for our legitimate business interests, including service security, fraud prevention, system monitoring, and service improvement, where such interests are not overridden by your data protection rights.
  • Legal Obligations: Processing necessary to comply with legal requirements, including maintaining audit trails and responding to lawful requests from authorities.
  • Consent: Where required by law, we will obtain your consent for specific processing activities, such as marketing communications. You may withdraw consent at any time.

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

  • Email address
  • Name (optional)
  • Authentication credentials (password hashes, OAuth tokens from identity providers like Google or GitHub)

3.2 Broker Connection Data

When you connect a broker account, we collect and store:

  • OAuth Access Tokens: Encrypted tokens that allow us to submit order instructions to your broker on your behalf
  • Broker Account Identifiers: Account IDs or identifiers provided by your broker
  • Connection Metadata: Timestamps, connection status, and token expiration information

Token Security: All OAuth tokens are encrypted at rest using AES-256 encryption. Tokens are stored separately from other account data and are never shared with upstream systems that submit trade intents. Access to decryption keys is strictly controlled.

We do NOT collect or store:

  • Your broker username or password
  • Your Social Security Number, Emirates ID, or other government-issued identification
  • Your bank account or payment card information
  • Portfolio holdings, account balances, or transaction history from your broker (unless required for order instruction delivery)

3.3 Trade Intent Data

We collect and process trade intents submitted to the Service, including:

  • Symbol, quantity, side (buy/sell), order type, and other order parameters
  • Timestamps of submission and delivery
  • Delivery status and broker responses
  • Source system identifiers (for upstream API integrations)

3.4 Usage and Log Data

We automatically collect:

  • IP addresses
  • Browser type and version
  • Device information and operating system
  • Pages visited and features used
  • Error logs and diagnostic data
  • API request logs (excluding sensitive parameters)

4. How We Use Your Information

We use your information to:

  • Provide, operate, and maintain the Service
  • Convert and route trade intents to your connected broker(s)
  • Authenticate your identity and broker connections
  • Communicate with you about the Service, including support and critical updates
  • Monitor and analyze usage patterns to improve the Service
  • Detect, prevent, and address technical issues, security threats, and fraudulent activity
  • Maintain audit trails for compliance and dispute resolution
  • Comply with legal obligations and respond to lawful requests

No Profiling or Automated Decision-Making: We do not use your personal data for automated decision-making that produces legal or similarly significant effects. Order routing is based solely on the explicit instructions you or your authorized systems provide.

5. Use of Aggregated and De-Identified Data

We may use aggregated or de-identified data for research, analytics, statistical reporting, and industry insights. Such data:

  • does not identify any individual user,
  • cannot be reasonably re-associated with any user,
  • and does not include personal data, account information, or specific trade history tied to a user.

Examples include:

  • overall platform volume,
  • distribution of order types,
  • the most frequently submitted symbols during a given period,
  • and general market trends based on aggregated usage.

We may share or publish these insights, including at events or in research publications, provided they do not identify any user or reveal any user-specific activity.

6. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption at Rest: Broker access tokens and sensitive data are encrypted using AES-256 encryption
  • Encryption in Transit: All data transmission uses TLS 1.3 (with TLS 1.2 minimum)
  • Access Controls: Role-based access controls limit who can access sensitive data
  • Key Management: Encryption keys are stored separately from encrypted data and rotated regularly
  • Infrastructure Security: Cloud infrastructure protected by firewalls, intrusion detection, and DDoS protection
  • Regular Audits: We conduct regular security assessments, penetration testing, and vulnerability scanning

7. Data Sharing and Disclosure

We do not sell your personal information. We may share data with:

  • Brokers: Order instructions are transmitted to your connected broker(s) for processing. We share only the information necessary for order submission.
  • Service Providers: Third-party vendors who assist in operating the Service under strict data processing agreements, including:
    • Cloud infrastructure providers (for hosting and data storage)
    • Analytics services (for service improvement)
    • Customer support tools
  • Legal Requirements: When required by law, subpoena, court order, or valid legal process
  • Regulatory Authorities: When required by regulatory or governmental bodies with appropriate jurisdiction
  • Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, subject to appropriate confidentiality protections
  • Protection of Rights: To protect our rights, privacy, safety, or property, and that of our users and the public

Sub-Processor Notification: We maintain a list of sub-processors and will provide reasonable notice before adding new sub-processors that process personal data.

8. Data Retention

We retain your data for the following periods:

Data TypeRetention Period
Account informationAccount lifetime + 30 days after deletion
Trade intent data and audit logs7 years (regulatory compliance)
OAuth broker tokensUntil revocation + 30 days
Error logs90 days
Usage analytics (anonymized)Indefinite

After the retention period, data is securely deleted or anonymized. We may retain data longer if required by law, for ongoing legal proceedings, or to resolve disputes.

9. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence. Our primary data processing occurs in the United Arab Emirates and the European Union.

Transfer Safeguards: When transferring personal data internationally, we ensure appropriate safeguards are in place:

  • EU/EEA Transfers: Standard Contractual Clauses (SCCs) approved by the European Commission
  • DIFC/ADGM: Compliance with applicable cross-border data transfer requirements under DIFC Data Protection Law and ADGM Data Protection Regulations
  • Adequacy: Where possible, transfers to countries with adequate data protection laws
  • Contractual Protections: Data processing agreements with all service providers requiring equivalent protection

We do not transfer personal data to jurisdictions lacking adequate protections without implementing appropriate safeguards.

10. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

10.1 Access and Correction

You have the right to access your personal data and request correction of inaccurate or incomplete data. You may access and update your account information through the dashboard or by contacting us.

10.2 Deletion (Right to be Forgotten)

You may request deletion of your personal data. We will comply unless we have a legal obligation or legitimate interest in retaining the data. Note that trade intent data may be retained for regulatory compliance.

10.3 Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

10.4 Restriction of Processing

You may request restriction of processing in certain circumstances, such as when you contest the accuracy of your data or object to processing.

10.5 Objection to Processing

You have the right to object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.

10.6 Broker Connection Revocation

You may revoke SnipeRoute's access to your broker account at any time by:

  • Disconnecting the broker in the SnipeRoute dashboard
  • Revoking access through your broker's account settings
  • Contacting us to request disconnection

10.7 Withdraw Consent

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

10.8 Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority:

  • DIFC: Commissioner of Data Protection, DIFC
  • ADGM: Office of Data Protection, ADGM
  • UAE: UAE Data Office
  • EU: Your local Data Protection Authority

10.9 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@sniperoute.io. We will respond to your request within 30 days. We may need to verify your identity before processing your request.

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:

  • Regulatory Notification: We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (or as otherwise required by applicable law)
  • User Notification: If the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay
  • Notification Contents: We will describe the nature of the breach, likely consequences, measures taken or proposed, and contact information for further inquiries

We maintain incident response procedures and conduct regular testing to ensure effective breach detection and response.

12. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve the Service:

12.1 Essential Cookies

Required for the Service to function, including authentication, session management, and security. These cannot be disabled.

12.2 Analytics Cookies

Help us understand how you use the Service to improve functionality and user experience. We use privacy-focused analytics that do not track you across websites.

12.3 What We Do NOT Use

  • Third-party advertising or tracking cookies
  • Cross-site tracking technologies
  • Social media tracking pixels

12.4 Cookie Management

You can control cookies through your browser settings. Note that disabling essential cookies may affect Service functionality.

13. Third-Party Services

The Service may contain links to third-party websites and integrates with third-party services. This Privacy Policy does not apply to third parties. We encourage you to review the privacy policies of:

  • Your connected broker(s)
  • Any upstream systems you connect to SnipeRoute
  • Identity providers (Google, GitHub, etc.) used for authentication

We are not responsible for the privacy practices of third parties.

14. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete such information.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Posting the updated policy on our website
  • Updating the "Last updated" date
  • Sending email notification for significant changes

We encourage you to review this Policy periodically. Your continued use of the Service after any changes indicates your acceptance of the updated Policy.

16. Contact Us

For questions about this Privacy Policy or our data practices, please contact us:

SnipeRoute

We aim to respond to all privacy-related inquiries within 30 days.

← Back to Home