Option Defense (Paid Edition, Worldwide) — Version v5.1 — Last Updated: 3 April 2026
N. A. Invest GmbH
Ratinger Str. 3
40213 Düsseldorf, Germany
Commercial Register: HRB 96136, Local Court (Amtsgericht) of Düsseldorf
Data Protection Contact: privacy@nainv.de
Website: https://option-defense.com
N. A. Invest GmbH ("Company," "we," "us," "our") is the data controller within the meaning of Article 4(7) of the General Data Protection Regulation ("GDPR") for all personal data processing described in this Privacy Policy.
This Privacy Policy applies to all personal data processing in connection with:
This Privacy Policy applies to all Users worldwide, regardless of location. Where this Privacy Policy refers to specific legal frameworks (e.g., GDPR, CCPA/CPRA), those provisions apply only to Users to whom those frameworks are legally applicable.
This Privacy Policy should be read together with the End-User License Agreement ("EULA"), which is provided as part of the Software installation package and may also be made available on the Company's website at https://option-defense.com. Defined terms used in this Privacy Policy (including "Software," "Subscription," "Subscription Fee," "Installation Identifier," "Consumer," "Business User," and "User Account") have the meanings given in the EULA unless otherwise defined herein.
The Company is committed to data minimization. The following categories of data are not collected, stored, or transmitted to Company servers:
The Software and licensing infrastructure may apply automated technical controls (such as rate limiting, activation validation, or abuse prevention mechanisms). These controls are designed solely to protect service integrity and do not constitute automated decision-making producing legal or similarly significant effects within the meaning of Article 22 GDPR.
The Company does not analyze, evaluate, or profile User trading strategies, decisions, or financial behavior. No personal data is processed for the purpose of investment analysis, trading optimization, or financial profiling.
| Category | Data Elements | Purpose | Legal Basis (EU) |
|---|---|---|---|
| Account Data | Email address (obtained during checkout), Stripe customer ID, subscription identifier, license identifiers (where applicable) | Subscription provisioning, license management, billing, and communications | Art. 6(1)(b) GDPR — contract performance |
| Billing Data | Payment instrument data and billing details are transmitted directly by the User to Stripe and are not stored on the Company's servers. Sensitive payment data is never stored by the Company. The Company may access within Stripe certain billing-related records, including transaction ID, payment confirmation status, invoice records, and VAT identification number where applicable, for billing administration, invoicing, tax compliance, and refund handling. The Company's servers automatically receive from the checkout webhook only the Stripe customer ID (stored in hashed form as described in Section 9.1) and the email address provided at checkout (classified as Account Data above; also stored in hashed form) | Subscription Fee processing, invoicing, tax compliance, refund processing | Art. 6(1)(b) GDPR — contract performance; Art. 6(1)(c) GDPR — legal obligation (tax/accounting) |
| Installation Identifier | Randomly generated pseudonymous identifier, transmitted to Company servers during activation and validation; the Company stores only a pseudonymized representation of the identifier. Not derived from hardware, OS fingerprinting, or device characteristics | License activation, validation, abuse prevention, concurrency enforcement | Art. 6(1)(b) GDPR — contract performance; Art. 6(1)(f) GDPR — legitimate interest (fraud/abuse prevention) |
| License Validation Data | Activation timestamps, license status, EULA acceptance timestamp, Software version, one-time nonce | License provisioning, periodic validation, compliance with EULA terms | Art. 6(1)(b) GDPR — contract performance |
| Server Log Data | IP address, user-agent string, access timestamps, request type | Technical support, security monitoring, rate limiting, abuse prevention | Art. 6(1)(f) GDPR — legitimate interest (security, service integrity) |
| Support Communications | Email address, message content, attachments voluntarily provided, timestamps; any name, signature, or identifying information voluntarily included by the User in the communication | Responding to inquiries, technical support, complaint resolution | Art. 6(1)(b) GDPR — contract performance |
| Marketing Consent Data | Email address, consent timestamp, consent status, opt-out timestamp | Sending marketing communications (product updates, feature announcements) | Art. 6(1)(a) GDPR — consent; § 7(3) UWG for existing customers |
| Security & Fraud Prevention Data | Rate-limiting counters (per-IP, per-installation), failed activation attempts, revocation records | Preventing unauthorized access, detecting abuse, enforcing license terms | Art. 6(1)(f) GDPR — legitimate interest (security, fraud prevention) |
| Update Check Data | Manifest checks: standard HTTP headers only (user-agent, Software version) — no license identifiers transmitted. Download authorization: license key, Installation Identifier, Software version | Delivering mandatory security and conformity updates | Art. 6(1)(b) GDPR — contract performance (Digital Content Directive conformity obligation); Art. 6(1)(f) GDPR — legitimate interest (security) |
The Software may generate and process a technical identifier necessary for license activation, validation, and service integrity.
This identifier is not derived from hardware characteristics, does not directly identify a natural person, and is not used to identify the User.
The Company does not use this identifier for tracking across third-party services.
The Company uses this identifier solely for licensing, security, and abuse prevention purposes as described in this Privacy Policy.
For Users to whom the GDPR applies, the Company processes personal data on the following legal bases:
Processing necessary for the performance of the Subscription agreement, including:
Processing necessary to comply with legal obligations to which the Company is subject, including:
Processing necessary for the Company's legitimate interests, provided those interests are not overridden by the User's rights and freedoms. The specific legitimate interests pursued are:
Users may object to processing based on legitimate interests (see Section 11).
The Company has conducted a balancing test to ensure that its legitimate interests do not override the rights and freedoms of Users.
Marketing communications are sent only with the User's prior consent or, for existing customers, under the direct marketing exception of § 7(3) UWG (German Act Against Unfair Competition). Consent may be withdrawn at any time (see Section 14).
The Software includes a built-in update-check mechanism necessary to deliver security updates and conformity updates required under applicable law, including the Digital Content Directive (Directive (EU) 2019/770). This mechanism may not be disabled where necessary to maintain contractual conformity and security of the Software.
No data beyond what is described in this Section is transmitted during the update check. In particular, no trading data, portfolio information, or User-configured parameters are collected or transmitted as part of the update-check process.
The Software performs update checks necessary to deliver security updates and maintain legal conformity of the Software. Only minimal technical data strictly necessary for this purpose is transmitted. No trading data, portfolio information, or user-configured parameters are transmitted during update checks.
The Software may transmit limited operational data necessary for licensing and service integrity. Such data does not include trading data, portfolio information, financial activity, or broker credentials. This data is not used for behavioral analysis, profiling, marketing, or monetization.
| Data Category | Retention Period | Post-Expiry Action |
|---|---|---|
| Account Data | Duration of Subscription + 3 years (statutory limitation period under § 195 BGB) | Anonymized or deleted after retention period. User may request earlier deletion; Subscription will be terminated upon processing |
| Billing & Invoice Data | 10 years from end of calendar year of creation (§ 147 AO, § 257 HGB) | Deleted after statutory retention period. Cannot be deleted earlier due to mandatory tax retention obligations |
| Installation Identifier (server-side HMAC) | Duration of active license relationship and thereafter for as long as necessary for security, fraud prevention, and dispute resolution purposes, up to a maximum of 3 years after Subscription termination | Deleted or anonymized after retention period. User may request earlier deletion via privacy@nainv.de; license will become inoperative |
| Activation & Licensing Audit Logs | Minimum 90 days; longer where required by law or necessary for security, compliance, or dispute resolution (EULA Clause 4.7) | Anonymized or deleted after retention period |
| Server Logs (IP address, user-agent) | 90 days, followed by review for deletion or anonymization. Security-relevant log data may be retained beyond 90 days, up to a maximum of 12 months, where necessary for ongoing investigations, incident response, or legal proceedings, and will be deleted or anonymized when the purpose no longer applies or the 12-month maximum is reached | Reviewed and deleted or anonymized after the applicable retention period |
| Support Communications | Duration of Subscription + 3 years (limitation period), subject to periodic review. Longer retention is permitted for the duration of any ongoing dispute resolution process, legal claim, or legal obligation requiring retention; data will be deleted or anonymized promptly once the purpose ceases to apply | Deleted or anonymized after the retention period unless continued retention is required for ongoing dispute resolution or a legal obligation |
| Marketing Consent Records | Until consent is withdrawn + 3 years (proof of consent) | Consent status record retained for proof purposes; email address removed from marketing lists immediately upon opt-out |
| Security & Fraud Prevention Data | 12 months, subject to periodic review. Retention may be extended for the duration of any ongoing investigation, fraud prevention proceeding, or legal proceedings requiring continued retention; data will be deleted or anonymized promptly once the purpose ceases to apply | Deleted or anonymized after the retention period unless continued retention is required for an active investigation or legal proceedings |
Subscription Fee payments are processed by Stripe, Inc. ("Stripe"), 354 Oyster Point Blvd, South San Francisco, CA 94080, United States. Stripe acts as a data processor on our behalf and also as an independent data controller for its own fraud prevention and regulatory compliance purposes.
When the User provides payment information (e.g., credit card details, billing details), this data is transmitted directly to Stripe and is not stored on the Company's servers. Sensitive payment data (including full card numbers and card verification values) is never stored by the Company.
The Company may access within Stripe certain billing-related records — including transaction ID, payment confirmation status, invoice records, and VAT identification number where applicable — for billing administration, invoicing, tax compliance, refund handling, and customer support. These records are stored within Stripe's systems and are not automatically pushed to or stored on Company servers.
The Company's servers automatically receive from the checkout webhook only the Stripe customer ID and the email address provided at checkout. The email address is classified as Account Data (see Section 4). Both the Stripe customer ID and the email address are stored on the Company's servers in hashed form; the raw plaintext values are not retained on Company servers. See Section 13 for further detail on security measures.
Stripe's privacy policy is available at: https://stripe.com/privacy
The Company may engage sub-processors for hosting, email delivery, and customer support infrastructure. A current list of sub-processors is available upon request to privacy@nainv.de. Each sub-processor is bound by a data processing agreement in accordance with Article 28 GDPR.
The Company does not transmit personal data to Interactive Brokers ("IBKR"). The User's interaction with IBKR occurs directly between the User's device and IBKR's API, without the Company's involvement. The Company does not access, store, or process the User's IBKR credentials, account information, or trading data. IBKR is not a sub-processor of the Company.
In accordance with Article 13(1)(e) GDPR, the Company discloses personal data to the following categories of recipients:
Stripe, Inc., for the processing of Subscription Fee payments (see Section 9.1 for details).
Third-party providers of server infrastructure, cloud hosting, and content delivery services necessary for the operation of the Software's activation, licensing, and update systems.
Third-party providers of transactional email delivery (e.g., billing notifications, support responses) and customer support infrastructure.
Where applicable, third-party providers of security monitoring, log aggregation, or intrusion detection services.
Personal data may be disclosed to tax authorities, regulatory bodies, law enforcement agencies, or courts where the Company is legally obligated to do so under applicable law.
All recipients acting as data processors are bound by data processing agreements in accordance with Article 28 GDPR. A full and up-to-date list of individual sub-processors is available upon request at privacy@nainv.de.
Under the GDPR, Users have the following rights with respect to their personal data:
The User has the right to obtain confirmation as to whether personal data concerning them is being processed, and, where that is the case, access to the personal data and the information specified in Art. 15(1) GDPR.
The User has the right to obtain rectification of inaccurate personal data and to have incomplete personal data completed.
The User has the right to obtain the erasure of personal data where one of the grounds in Art. 17(1) GDPR applies. Erasure of the Installation Identifier data (server-side HMAC) will render the license inoperative. Erasure of billing data may be refused where retention is required by law (§§ 147 AO, 257 HGB).
The User has the right to obtain restriction of processing where one of the conditions in Art. 18(1) GDPR applies.
The User has the right to receive personal data provided to the Company in a structured, commonly used, and machine-readable format (e.g., JSON or CSV) and to transmit that data to another controller, where processing is based on consent or contract and carried out by automated means.
The User has the right to object to processing based on legitimate interests (Art. 6(1)(f) GDPR) at any time. The Company will cease processing unless it demonstrates compelling legitimate grounds that override the User's interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.
Where processing is based on consent, the User may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.
The Software and licensing infrastructure may apply automated technical controls (such as rate limiting, activation validation, or abuse prevention mechanisms). These controls are designed solely to protect service integrity and do not constitute automated decision-making producing legal or similarly significant effects within the meaning of Art. 22 GDPR. No decision producing legal effects or similarly significantly affecting the User is based solely on automated processing, including profiling.
Requests may be submitted to: privacy@nainv.de. The Company will respond within one (1) month of receipt, extendable by two (2) further months where necessary due to the complexity or number of requests (Art. 12(3) GDPR). The Company may verify the requestor's identity before processing a request. Requests are free of charge unless manifestly unfounded or excessive.
The Company is based in Germany. Personal data may be transferred to countries outside the EU/EEA in the following circumstances:
Payment data is processed by Stripe, Inc. in the United States. The EU-U.S. Data Privacy Framework provides the adequacy basis for transfers to Stripe where Stripe has self-certified under the Framework. Where the Data Privacy Framework does not apply, transfers are safeguarded by Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Article 46(2)(c) GDPR.
Where the Company engages sub-processors located outside the EU/EEA, transfers are protected by one of the following mechanisms in order of preference:
A copy of the applicable transfer mechanism may be obtained by contacting privacy@nainv.de.
The Company implements appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, including:
No system is completely secure. The Company cannot guarantee absolute security, but continuously reviews and improves its security posture.
The Company may send marketing communications (product updates, feature announcements, promotions) only with the User's prior consent. Consent is obtained at the time of checkout or through a separate opt-in mechanism.
For existing customers (Users with an active or recently expired Subscription), the Company may send marketing emails about similar products or services without additional consent, in accordance with § 7(3) of the German Act Against Unfair Competition (UWG), provided that:
The following are transactional communications (not marketing) and are sent without separate consent as they are necessary for the performance of the Subscription agreement:
Users may opt out of marketing communications at any time by:
Opt-out from marketing communications does not affect transactional communications.
The Software is not directed to individuals under the age of 18. By subscribing to the Software, the User represents that they are at least 18 years of age (as required by the EULA). The Company does not knowingly collect personal data from individuals under 18. If the Company becomes aware that it has collected personal data from a minor, the data will be deleted promptly.
The Software is a desktop application and does not use cookies or web-based tracking technologies.
The Company's Website may use the following types of cookies and similar technologies:
The Company does not use third-party advertising cookies or cross-site tracking technologies on the Website.
This Section 17 applies to residents of California and other U.S. states with comprehensive consumer privacy legislation (including the California Consumer Privacy Act ("CCPA") as amended by the California Privacy Rights Act ("CPRA"), and comparable state laws).
In the preceding 12 months, the Company has collected the following categories of personal information (as defined under the CCPA):
Personal information is collected and used for the business purposes described in Section 4 of this Privacy Policy.
The Company does not sell personal information. The Company has not sold personal information in the preceding 12 months.
The Company does not share personal information for cross-context behavioral advertising. The Company has not shared personal information for cross-context behavioral advertising in the preceding 12 months.
Subject to applicable law, US residents have the following rights:
Requests may be submitted by emailing privacy@nainv.de. The Company will verify the requestor's identity before processing a request, which may require matching information provided in the request with information already maintained by the Company. The Company will respond within the timeframes required by applicable law.
US residents may designate an authorized agent to submit requests on their behalf. The Company may require the agent to provide proof of written authorization and may separately verify the identity of the consumer.
EU/EEA Users have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent supervisory authority for the Company is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestr. 2–4
40213 Düsseldorf, Germany
Website: https://www.ldi.nrw.de
Users may also lodge a complaint with the supervisory authority of their habitual residence or place of work.
The Company takes the security of personal data seriously and has implemented appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or disclosure.
In the event of a personal data breach, the Company will, without undue delay and where feasible within 72 hours of becoming aware of the breach, notify the competent supervisory authority (Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, LDI NRW), unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Company will notify the affected data subjects without undue delay. Given the architecture of this Software, the personal data most likely to require direct notification is the email address collected at checkout, as this constitutes directly identifiable personal data. The Installation Identifier is stored server-side only as a one-way HMAC (a pseudonymous value that cannot by itself be reversed to identify an individual); a breach limited to HMAC values alone is therefore assessed as unlikely to result in a high risk to data subjects and would not ordinarily trigger direct notification obligations under Article 34 GDPR, though each incident will be assessed on its individual facts.
Any notification to data subjects will be communicated to the email address provided at checkout and will include: a description of the nature of the breach; the likely consequences; the measures taken or proposed to address the breach; and contact details for further information (privacy@nainv.de).
Under the Digital Content Directive (Directive (EU) 2019/770), the Company has an obligation to supply updates necessary to maintain the conformity of the Software throughout the User's Subscription period. The data processing described in Sections 4 and 7 of this Privacy Policy (including update checks) is carried out, in part, to fulfill this legal obligation.
Specifically:
The Company does not process personal data beyond what is necessary to fulfill its conformity and update obligations under the Digital Content Directive.
Users may request deletion of their personal data through any of the following channels:
Consequences of data deletion:
The Company will confirm completion of the deletion request within one (1) month.
This Privacy Policy and the EULA are complementary documents. In the event of any conflict between this Privacy Policy and the EULA on matters of personal data processing, this Privacy Policy prevails (as also stated in EULA Clause 5.4). In the event of any conflict on matters other than data protection (e.g., license terms, liability, payment), the EULA prevails.
This Privacy Policy does not create any obligations, rights, or duties beyond those established by the EULA and applicable data protection law. In particular, nothing in this Privacy Policy:
The Company does not provide investment advice, portfolio management, or financial recommendations, and does not process personal data for such purposes.
The Company may update this Privacy Policy from time to time. Changes will be indicated by updating the "Last Updated" date at the top of this document.
Minor or non-material updates (such as clarifications, formatting changes, or typographical corrections) may be made without prior notice.
For material changes that significantly affect the processing of personal data or the rights of Users, the Company will:
Continued use of the Software after the effective date of a material change constitutes acceptance of the updated Privacy Policy, except where the User's explicit consent is required by applicable law.
N. A. Invest GmbH
Ratinger Str. 3
40213 Düsseldorf, Germany
Email: privacy@nainv.de
Website: https://option-defense.com