Privacy Policy

Last updated: 18 May 2026 · Effective date: 18 May 2026

1. Data Controller

The data controller of personal data processed through MyRA (my-ra.com and its sub-domains crop.my-ra.com, fund.my-ra.com, quant.my-ra.com, risk.my-ra.com) is:

BQuant S.r.l., a limited-liability company incorporated in Italy. Contact for privacy matters: info@my-ra.com.

2. What personal data we collect

We collect and process the following categories of personal data:

  • Account data: email address, hashed password, account creation timestamp, subscription tier, language preference.
  • Billing data: when you subscribe to a paid plan, billing data (name, billing address, VAT number, payment instrument) is collected and processed by our payment processor Paddle.com Inc. (or its affiliate) acting as Merchant of Record. We receive transaction status, customer ID and invoicing data necessary to provision and document the subscription.
  • Usage data: server-side access logs (IP address, user-agent, timestamp, requested URL) retained for security and operational diagnostics.
  • Communications: any content you send us by email or contact form.

We do not intentionally collect special categories of personal data (health, religion, political opinions, biometrics).

3. Purposes and lawful bases

  • Provide the service (authentication, subscription, customer support) — Art. 6(1)(b) GDPR (performance of a contract).
  • Invoice and tax records — Art. 6(1)(c) GDPR (legal obligation under Italian tax law).
  • Security, fraud prevention and abuse detection — Art. 6(1)(f) GDPR (legitimate interest in keeping the service secure).
  • Service communications (security notices, material changes to terms or pricing) — Art. 6(1)(b) and Art. 6(1)(f) GDPR.
  • Marketing emails — Art. 6(1)(a) GDPR (consent, where applicable). You can opt out at any time.

4. Retention

Account data is retained for the lifetime of the account and for ten (10) years thereafter as required by Italian commercial and tax law (Art. 2220 Civil Code). Access logs are retained for up to twelve (12) months for security and diagnostic purposes. Marketing-consent records are retained for the period needed to demonstrate consent under GDPR.

5. Sharing with third parties

We share personal data only with the following categories of recipients, each bound by appropriate data-processing agreements:

  • Payment processor: Paddle.com Inc. (or its affiliate) acting as Merchant of Record for subscription payments.
  • Hosting and infrastructure: our European hosting provider, which stores the MyRA database and application servers.
  • Transactional email: third-party email-delivery service for password resets, billing notices, and security alerts.
  • Public authorities: where required by law, court order, or regulator request.

We do not sell personal data to advertisers or data brokers.

6. International transfers

Where our processors are located outside the European Economic Area (e.g. Paddle, which has US operations), transfers are made on the basis of the European Commission's Standard Contractual Clauses (SCCs) or an adequacy decision, with supplementary measures where required by the EDPB.

7. Your rights under GDPR

If you are a data subject in the EU/EEA, you have the right to:

  • access your personal data (Art. 15);
  • request rectification of inaccurate data (Art. 16);
  • request erasure of your data (Art. 17), subject to legal retention requirements;
  • request restriction of processing (Art. 18);
  • data portability (Art. 20);
  • object to processing based on legitimate interest (Art. 21);
  • withdraw consent at any time (Art. 7), without affecting prior lawful processing;
  • lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali, www.garanteprivacy.it) or your local supervisory authority.

To exercise any right, write to info@my-ra.com. We will respond within thirty (30) days.

8. Cookies

We use only the cookies and similar technologies strictly necessary for the operation of the service (authentication tokens, session, language preference). We do not currently use third-party advertising, analytics, or tracking cookies. When this changes (e.g. when our payment processor sets transactional cookies on checkout), a cookie consent banner will be displayed in accordance with EU/Italian Garante guidelines.

9. Security

We apply industry-standard technical and organisational measures to protect personal data, including TLS encryption in transit, hashed passwords, server hardening, access controls, and regular security updates. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

10. Changes to this Policy

Material changes will be notified by email to active subscribers and posted on this page at least thirty (30) days before taking effect.

11. Contact

Questions about this Policy or your data? Write to info@my-ra.com.