Privacy Policy (Datenschutzerklärung)
## Option Defense Software
**Last Updated:** December 2025
—–
## INTRODUCTION
N.A. Invest GmbH (“we”, “us”, “our”, or “Company”) is committed to protecting your personal data and respecting your privacy rights. This Privacy Notice explains how we collect, use, store, and protect your personal information when you use the Option Defense software (“Software”).
This Privacy Notice should be read together with our End-User License Agreement (EULA), which governs your use of the Software.
**Please read this Privacy Notice carefully to understand our practices regarding your personal data.**
—–
## 1. WHO WE ARE (DATA CONTROLLER)
**Data Controller:**
N.A. Invest GmbH
Ratinger Str. 3
40213 Düsseldorf
Germany
**Commercial Register:** Local Court of Düsseldorf, HRB 96136
**Contact for Privacy Matters:**
Email: privacy@nainv.de
Subject line: “Privacy / Data Protection”
Contact for Data Protection / GDPR matters: privacy@nainv.de
Data Protection Officer: We have not appointed a dedicated DPO because Art. 37 GDPR does not require one; privacy inquiries should be sent to privacy@nainv.de.
**Supervisory Authority:**
If you are located in Germany, the competent data protection supervisory authority is:
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
Website: https://www.bfdi.bund.de
If you are located in another EU/EEA country, you may contact your local data protection supervisory authority.
—–
## 2. SCOPE OF THIS NOTICE
This Privacy Notice applies to persons who download, install, activate or use the Software, visitors to our product website, and individuals who voluntarily contact us via the website live chat or submit logs for support. Activation does not require an email address.
This Notice covers personal data we collect:
– Directly from you (email address, communications)
– Automatically through the Software (device fingerprint, IP address)
– From voluntary submissions (activity logs, feedback)
– Through sanctions screening processes
—–
## 3. WHAT PERSONAL DATA WE COLLECT
We collect and process the following categories of personal data:
### 3.1 Contact Information
What we collect:
– Email address only if you voluntarily provide it (for optional support or communications).
Source: Provided directly by you when you choose to supply it (not required for activation).
Purpose: Support or optional communications.
Mandatory/Optional: Optional — activation does not require an email address.
—–
### 3.2 Technical and Device Information
What we collect:
– Device identifier / installation identifier: a pseudonymised identifier derived from hardware data that is double-hashed on-device and HMAC-encrypted on the server before storage.
– Activation events and timestamps.
– App version.
Source: Generated and recorded automatically by the Software during installation and first launch.
Mandatory/Optional: Device identifier is mandatory for automatic license provisioning.
Purpose: License management, fraud prevention, product security, and support.
Note: A DPIA will be performed before any scaling of fingerprint-based processing in production.
—–
### 3.3 Usage and Activity Data
What we collect:
– Voluntary activity logs, error logs, and crash reports only if you explicitly submit them via the website live chat.
– Screenshots or screen recordings only when you explicitly provide them for support.
Source: Voluntarily submitted by you.
Mandatory/Optional: Optional — you remain in control of whether logs are submitted.
Purpose: Debugging, product improvement, and technical support.
Special Note: Remove or redact sensitive financial identifiers (account numbers, full order IDs) before submission unless you are asked to include them for debugging.
—–
### 3.4 Communication Data
**What we collect:**
– Contents of emails or messages you send to us
– Support ticket information
– Feedback and suggestions
**Source:** Directly from you when you contact us
**Mandatory/Optional:** Optional – only if you choose to contact us
**Purpose:** Responding to inquiries, providing support, improving the Software
—–
### 3.5 Data We Do NOT Collect
We do NOT collect during automatic activation:
– Email addresses (unless voluntarily provided),
– Brokerage login credentials,
– Trading account numbers or live account credentials,
– Specific trading positions or portfolio details, unless you voluntarily include them in logs,
– Payment card information,
– Sensitive personal data (e.g., health data, political opinions).
Market Data: We do not receive or process market data; the Software connects directly to your broker’s API on your behalf.
—–
## 4. HOW WE COLLECT YOUR PERSONAL DATA
### 4.1 Information You Provide Directly
– When you request an activation code (email address)
– When you contact us for support
– When you voluntarily submit logs or feedback
### 4.2 Information Collected Automatically
Automatic activation data collected on first launch:
– Double-hashed device identifier (hashed on-device, then HMAC-encrypted on the server),
– Locally recorded EULA acceptance timestamp,
– App version,
– Originating IP address,
– One-time nonce for integrity and replay protection.
Transmission method: All activation data is sent over TLS/HTTPS to the Company’s activation service. No email address is required for activation.
### 4.3 Information We Do NOT Collect from Third Parties
We do NOT purchase or receive personal data about you from data brokers or other third parties.
—–
## 5. WHY WE PROCESS YOUR PERSONAL DATA (PURPOSES AND LEGAL BASIS)
Under GDPR, we must have a lawful basis for processing your personal data. Here are the purposes for which we process your data and the corresponding legal bases:
### 5.1 License Activation and Management
Purpose: Verifying device identity, issuing automatic testing licenses, and preventing unauthorized license sharing.
Data used: Double-hashed device identifier (hashed locally, HMAC-encrypted on the server), EULA acceptance timestamp, app version, and IP address (email only if voluntarily provided).
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) for activation and license provisioning.
Retention: Device fingerprints are retained for up to 30 days after license revocation; activation/audit logs (including EULA timestamp, app version and IP) are retained for 90 days. See the retention table in Clause 8 for details.
—–
### 5.2 Fraud Prevention and Security
Purpose: Detecting and preventing unauthorized copying, license sharing, replay attacks, and other abuse.
Data used: Double-hashed device identifier, activation patterns, and IP address.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) — protecting the Software and preventing fraud.
Safeguards: Activation uses one-time nonces, per-IP and per-device rate limits, HMAC integrity checks on server storage, and pseudonymisation of identifiers to minimise impact on privacy.
—–
### 5.3 Technical Support and Product Improvement
**Purpose:** Debugging issues, improving Software functionality, responding to your support requests
**Data Used:** Voluntarily submitted logs, email communications, feedback
**Legal Basis:**
– Consent (Art. 6(1)(a) GDPR) – for voluntary log submissions
– Legitimate interests (Art. 6(1)(f) GDPR) – for product improvement based on aggregated, anonymized data
**Your Control:** You decide whether to submit logs. You can withdraw consent at any time by requesting deletion of previously submitted logs.
—–
### 5.4 Communication and Updates
**Purpose:** Sending activation codes, responding to inquiries, notifying you of important changes (e.g., transition to paid model, security updates)
**Data Used:** Email address, communication history
**Legal Basis:**
– Performance of a contract (Art. 6(1)(b) GDPR) – for transactional communications
– Legitimate interests (Art. 6(1)(f) GDPR) – for important security or legal updates
**Marketing:** We do NOT currently use your data for marketing purposes. If we introduce marketing communications in the future, we will obtain your explicit consent and provide easy opt-out mechanisms.
—–
### 5.5 Legal Compliance and Defense
**Purpose:** Complying with legal obligations, responding to lawful requests from authorities, defending against legal claims
**Data Used:** Any relevant personal data
**Legal Basis:**
– Legal obligation (Art. 6(1)(c) GDPR)
– Legitimate interests (Art. 6(1)(f) GDPR) – establishing, exercising, or defending legal claims
—–
## 6. WHO WE SHARE YOUR PERSONAL DATA WITH (RECIPIENTS)
### 6.1 Internal Access
Within N.A. Invest GmbH, access to personal data is restricted to:
– Technical staff responsible for license management
– Support staff responding to inquiries (access to support tickets, voluntarily submitted logs)
– Management for compliance and legal purposes
Access is provided on a need-to-know basis and subject to confidentiality obligations.
—–
### 6.2 Third-Party Service Providers (Processors)
Processing location: As of the date of this Notice, all processing and storage of personal data related to activation is performed within the EU (Germany) on infrastructure operated or controlled by the Company.
Sub-processors: If we engage third-party processors, we will ensure EU-based processing where feasible and require processors to provide sufficient guarantees under Art. 28 GDPR; a current list of sub-processors is available upon request from privacy@companyx.de and we will inform you of material changes in accordance with Clause 13.
—–
### 6.3 Legal and Regulatory Authorities
We may disclose your personal data to:
– Law enforcement agencies (upon valid legal request)
– Regulatory authorities (e.g., BaFin, if applicable)
– Courts and tribunals (in legal proceedings)
– Tax authorities
**Legal Basis:** Legal obligation (Art. 6(1)(c) GDPR) or legitimate interests in complying with lawful requests (Art. 6(1)(f) GDPR)
—–
### 6.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you of such transfer and ensure the recipient is bound by data protection obligations equivalent to this Privacy Notice.
—–
### 6.5 Parties We Do NOT Share Data With
We do NOT:
– Sell your personal data to third parties
– Share data with advertisers or marketing companies
– Provide data to data brokers
– Share your data with your broker (Interactive Brokers) – the Software connects directly on your behalf
—–
## 7. INTERNATIONAL DATA TRANSFERS
### 7.1 Current Processing Location
Current processing location: All personal data is processed and stored within the European Union (Germany). If we later transfer personal data outside the EU/EEA, we will implement appropriate safeguards (e.g., SCCs) and notify Users in advance as required by law.
### 7.2 Your Rights Regarding Transfers
If data is transferred outside the EU/EEA, you have the right to:
– Obtain information about the safeguards in place (Art. 15 GDPR)
– Object to the transfer (Art. 21 GDPR)
– Request a copy of the safeguards (e.g., SCCs)
—–
## 8. HOW LONG WE KEEP YOUR PERSONAL DATA (RETENTION PERIODS)
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.
### 8.1 Retention Periods by Data Type
| Data Type | Retention Period | Legal Basis for Retention |
|---|---|---|
| **Voluntarily Submitted Logs** | 90 days from submission, or upon your deletion request | Consent (deletable anytime) |
| **Support Communications** | 2 years from last communication | Legitimate interests (support history) |
| **Financial Records** (when paid model starts) | 10 years | Legal obligation (tax law) |
| Double-hashed Device Identifier | Up to 30 days after license revocation | Fraud prevention / Contract performance |
| Activation / Audit Logs (timestamp, IP, app version) | Up to 30 days after license revocation | Security, audit trail |
### 8.2 Criteria for Determining Retention Periods
We determine retention periods based on:
– The nature and sensitivity of the data
– Risk of harm from unauthorized use or disclosure
– Purposes for which we process the data
– Whether we can achieve those purposes through other means
– Legal, regulatory, tax, or accounting requirements
### 8.3 Secure Deletion
When retention periods expire, we securely delete or anonymize personal data using industry-standard methods (e.g., secure overwriting, cryptographic erasure).
### 8.4 Exceptions
We may retain data beyond standard periods if:
– Required by law (e.g., legal hold in litigation)
– Necessary for legal claims (Art. 17(3)(e) GDPR)
– You have requested restricted processing (Art. 18 GDPR)
—–
## 9. YOUR RIGHTS UNDER GDPR
As a data subject, you have the following rights regarding your personal data:
### 9.1 Right of Access (Art. 15 GDPR)
**What it means:** You can request a copy of the personal data we hold about you.
**What we provide:**
– Categories of data processed
– Purposes of processing
– Recipients of data
– Retention periods
– Your other rights
– A copy of the data in a commonly used format
**How to exercise:** Email privacy@nainv.de with subject “Data Access Request”
—–
### 9.2 Right to Rectification (Art. 16 GDPR)
**What it means:** You can request correction of inaccurate or incomplete personal data.
**How to exercise:** Email privacy@nainv.de with subject “Data Correction Request”
—–
### 9.3 Right to Erasure / “Right to be Forgotten” (Art. 17 GDPR)
**What it means:** You can request deletion of your personal data in certain circumstances:
– Data no longer necessary for the purposes collected
– You withdraw consent (where processing was based on consent)
– You object to processing (Art. 21)
– Data processed unlawfully
– Legal obligation to delete
**Limitations:** We may refuse deletion if processing is necessary for:
– Compliance with legal obligations
– Establishment, exercise, or defense of legal claims
– Archiving purposes in the public interest
**How to exercise:** Email privacy@nainv.de with subject “Data Deletion Request”
**Timeline:** We will delete data within 30 days of a valid request, subject to any legal retention requirements.
—–
### 9.4 Right to Restriction of Processing (Art. 18 GDPR)
**What it means:** You can request that we limit how we use your data while we:
– Verify accuracy of contested data
– Determine whether our legitimate interests override your objection
– Respond to your request for data retention (instead of deletion) for legal claims
**Effect:** We will store the data but not further process it (except with your consent or for legal claims).
**How to exercise:** Email privacy@nainv.de with subject “Restrict Processing Request”
—–
### 9.5 Right to Data Portability (Art. 20 GDPR)
**What it means:** You can receive personal data you provided to us in a structured, commonly used, machine-readable format, and transmit it to another controller.
**Applies to:** Data processed based on consent or contract, and processed by automated means.
**Format:** We provide data in JSON or CSV format.
**How to exercise:** Email privacy@nainv.de with subject “Data Portability Request”
—–
### 9.6 Right to Object (Art. 21 GDPR)
**What it means:** You can object to processing based on legitimate interests (Art. 6(1)(f)) or for direct marketing.
**Our Response:** We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for legal claims.
**How to exercise:** Email privacy@nainv.de with subject “Object to Processing”
—–
### 9.7 Right to Withdraw Consent (Art. 7(3) GDPR)
**What it means:** Where processing is based on consent (e.g., voluntary log submissions), you can withdraw consent at any time.
**Effect:** Withdrawal does not affect lawfulness of processing before withdrawal. We will cease processing and delete data unless another legal basis applies.
**How to exercise:** Email privacy@nainv.de with subject “Withdraw Consent”
—–
### 9.8 Right to Lodge a Complaint (Art. 77 GDPR)
**What it means:** You can file a complaint with a data protection supervisory authority if you believe we have violated your data protection rights.
**German Authority:**
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
Graurheindorfer Str. 153
53117 Bonn, Germany
Website: https://www.bfdi.bund.de
Email: poststelle@bfdi.bund.de
**Your Local Authority:** If you reside in another EU/EEA country, you may contact your local supervisory authority. A list is available at: https://edpb.europa.eu/about-edpb/board/members_en
**We encourage you to contact us first:** While you have the right to lodge a complaint at any time, we encourage you to contact us first at privacy@nainv.de so we can attempt to resolve your concerns directly.
—–
### 9.9 How to Exercise Your Rights
To exercise GDPR rights (access, rectification, erasure, restriction, portability, objection), email privacy@nainv.de with the subject line indicating the right you wish to exercise (e.g., “Data Access Request”). We may request reasonable information to verify your identity. We will respond within 30 days, extendable by up to two months for complex requests with notice.
—–
## 10. AUTOMATED DECISION-MAKING AND PROFILING
**We do NOT engage in:**
– Automated decision-making that produces legal or similarly significant effects (Art. 22 GDPR)
– Profiling for marketing or other purposes
—–
## 11. SECURITY MEASURES
Technical measures:
– All activation and support traffic is encrypted in transit using TLS/HTTPS.
– Device identifiers are double-hashed on-device prior to transmission and HMAC-encrypted on the server using a server-held secret.
– Activation requests include a one-time nonce to prevent replay attacks.
– Access to production systems is restricted by role-based controls and logged.
Organisational measures:
– Staff with access to personal data receive data protection training and are bound by confidentiality obligations.
– Regular reviews and an incident response plan are in place.
Data breach: We will notify the relevant supervisory authority within 72 hours where feasible and notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
### 11.3 Data Breach Notification
Notification channels: In the event of a notifiable personal data breach we will notify the supervisory authority and affected individuals via the contact channel we maintain (website announcement).
—–
## 12. CHILDREN’S PRIVACY
The Software is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children.
**If You Are Under 18:** Do not use the Software or provide any personal data to us.
**If We Learn We Have Collected Data from a Child:** We will delete it promptly. If you believe we have inadvertently collected data from a child, please contact us at privacy@nainv.de.
—–
## 13. CHANGES TO THIS PRIVACY NOTICE
### 13.1 Right to Update
We may update this Privacy Notice from time to time to reflect:
– Changes in data processing practices
– New legal requirements
– Introduction of new features or services
– Feedback from supervisory authorities or users
### 13.2 Notice of Material Changes
For material changes affecting your rights, we will provide at least 30 days’ notice via a prominent website announcement; where you have voluntarily provided an email address we will also notify that address.
### 13.3 Your Options
If you do not agree to material changes:
– You may cease using the Software and request deletion of your data under Clause 9.3
– Continued use after the effective date of changes constitutes acceptance
### 13.4 Version History
**Current Version:** December 2025
**Previous Versions:** None (initial version)
The latest version will be available at https://option-defense.com/privacy-policy. You may request previous versions of this document by contacting privacy@nainv.de.
—–
## 14. CONTACT US
### For Privacy and Data Protection Inquiries:
**Email:** privacy@nainv.de
**Subject Line:** “Privacy / Data Protection”
**Postal Address:**
N.A. Invest GmbH
Ratinger Str. 3
40213 Düsseldorf
Germany
### Response Time:
We aim to respond to all privacy inquiries within **7 business days** for acknowledgment and within **30 days** for substantive responses (as required by GDPR for data subject rights requests).
—–
## 15. ADDITIONAL INFORMATION FOR SPECIFIC REGIONS
### 15.1 For Users in the European Union / European Economic Area
This Privacy Notice complies with the General Data Protection Regulation (GDPR) (EU) 2016/679. All rights and procedures described herein apply to you.
### 15.2 For Users in the United Kingdom
If you are in the UK, this Privacy Notice complies with the UK GDPR and Data Protection Act 2018. You may contact the UK Information Commissioner’s Office (ICO) at https://ico.org.uk for complaints.
### 15.3 For Users in Switzerland
If you are in Switzerland, this Privacy Notice complies with the Swiss Federal Act on Data Protection (FADP). You may contact the Swiss Federal Data Protection and Information Commissioner (FDPIC) for complaints.
### 15.4 For Users in Other Jurisdictions
While this Privacy Notice is designed to comply with GDPR (which provides a high standard of protection), we also respect privacy laws applicable in your jurisdiction. If you have questions about how local laws apply, please contact us.
—–
## 16. LEGAL BASIS SUMMARY TABLE
For quick reference, here is a summary of our processing activities and their legal bases:
|Processing Activity|Legal Basis |Your Rights |
|---|---|---|
|License Activation |Contract (Art. 6(1)(b)) |Access, Rectification, Erasure (with limits), Restriction|
|Fraud Prevention |Legitimate Interests (Art. 6(1)(f)) |Object, Access, Restriction |
|Technical Support |Consent (Art. 6(1)(a)) for logs |Withdraw Consent, Erasure, Access |
|Product Improvement|Legitimate Interests (Art. 6(1)(f)) |Object, Access |
|Communication |Contract (Art. 6(1)(b)) + Legitimate Interests (Art. 6(1)(f)) |Object (for non-essential comms), Access |
—–
## ACKNOWLEDGMENT
By using the Option Defense Software, you acknowledge that you have read and understood this Privacy Notice and agree to the collection, use, and disclosure of your personal data as described herein, to the extent permitted by applicable law.
**For Consumers:** This acknowledgment does not limit your statutory rights under applicable consumer protection and data protection laws.
—–
**END OF PRIVACY NOTICE**
—–
## Document Information
**Version:** December 2025
**Document Type:** Privacy Notice / Data Protection Information (Art. 13/14 GDPR)
**Language:** English (Authoritative Version)
**Availability:**
– Available online: https://option-defense.com/privacy-policy
– Available upon request: privacy@nainv.de
**Related Documents:**
– End-User License Agreement (EULA)
– Open Source Software Notices
—–
© 2025 N.A. Invest GmbH. All rights reserved.