As part of our daily business operations we need to collect personal information from our clients and prospective clients in order to provide them with our products and services and ensure that we can meet their needs when providing these products and services as well as when providing them with respective information.
Please note that if you are a contractor to the Company or a third-party service provider, your personal information will be used in connection with your contractual relationship.
The Company respects the privacy of Data Subjects and it is therefore committed to taking all reasonable steps to safeguard their personal data and to process the same in accordance with the GDPR and all other relevant applicable Cyprus and EU law (collectively referred to as “Applicable DP Laws”).
The personal information you provide us with when registering yourself as a user of the Company’s site(s) or of its services is classified as registered information, which is protected in several different ways. You can access your registered information after logging into the Members Area by entering a username and a password that you select. It is your responsibility to make sure that your password is only known to you and not disclosed to anyone else. Registered information is securely stored in a safe location and only authorised personnel have access to it via a username and a password. All personal information is transferred to the Company over a secure 128-bit SSL connection and thus all reasonable measures are taken to prevent unauthorised parties from viewing any such information. Personal information provided to the Company that does not classify as registered information is also kept in a safe place and accessible by authorised personnel only via a username and a password.
Transmission of information via the internet is not always completely secure but the Company tries to protect your personal data by taking significant precautions. Once we have received your information, we will apply procedures and security features to try to prevent unauthorised access.
In order to establish a business relationship with us, you must first complete and submit an application form (i.e., Suitability Questionnaire) along with the required information. By completing this application form, you are requested to disclose personal data in order to enable the Company to assess your application and comply with the relevant laws and pertinent regulations. The information you provide may also be used by the Company to inform you regarding its services, in response to specific requests from you.
The information that we may collect regarding:
a) physical persons opening or maintaining an individual account;
b) physical persons opening or managing a corporate account on behalf of a legal entity (i.e. “authorised persons/signatories”); and
c) physical persons who effectively direct the legal entity that wishes to open or maintains a corporate account (i.e., directors) and the legal entity’s shareholders;
during the account opening procedure or throughout our business relationship, includes:
We obtain this information in a number of ways through your use of our services including through our website, the Account Opening Application, when you deposit and withdraw funds and from information provided in the course of the ongoing communication between us. We may also collect this information about you from third parties such as your payment service providers and through publicly available sources.
We also keep records of your trading behaviour, including records regarding:
If you choose not to provide the necessary information we need to fulfil your request for a specific product or service, we may not be able to provide you with the requested product or service.
We may record any communications, electronic, by telephone, in person or otherwise, that we have with you in relation to the services we provide to you and our business relationship with you. These recordings will be our sole property and will constitute evidence of the communications between us. Further, if you visit any of our offices or premises, we may have CCTV which will record your image.
We may process your personal data on the following bases and for the following purposes:
a) Performance of a contract
We process personal data in order to provide our services and products, as well as information regarding our products and services based on the contractual relationship with our clients (i.e., so as to perform our contractual obligations). In addition, processing of personal data takes place to be able to complete our client on-boarding/acceptance procedures.
In view of the above, we need to verify your identity in order to accept you as our client and we will need to use those details in order to effectively monitor your trading account with us. This may include third parties carrying out credit or identity checks on our behalf. The use of your personal information is necessary for us to know who you are as we have a legal obligation to comply with ‘Know Your Customer’ and customer due diligence’ regulatory obligations.
b) Compliance with a legal obligation
There are a number of legal obligations imposed by relevant laws to which we are subject as well as specific statutory requirements (e.g., anti-money laundering laws, financial services laws, corporation laws, privacy laws and tax laws). There are also various supervisory authorities whose laws and regulations apply to us. Such obligations and requirements impose on us necessary personal data processing activities for credit checks, identity verification, payment processing, compliance with court orders, tax law or other reporting obligations and anti-money laundering controls.
These obligations apply at various times, including client on-boarding/acceptance, payments and systemic checks for risk management.
c) For the purposes of safeguarding legitimate interests
We process personal data so as to safeguard the legitimate interests pursued by us or by a third party. A legitimate interest is when we have a business or commercial reason to use your information. Despite that, it must not unfairly go against what is right and best for you. Examples of such processing activities include:
d) You have provided your consent
Our storage and use of your personal data is based on your consent (other than for the reasons described or implied in this policy when your consent is not required). You may revoke consent at any time; however, any processing of personal data prior to the receipt of your revocation will not be affected.
e) To assess the suitability of our services/products for the Clients
f) To provide you with products and services, or information about our products and services, and to review your ongoing needs
Once you successfully open an account with us we will need to use your personal information to perform our services and comply with our obligations to you. It is also in our legitimate interests to try to ensure that we are providing the best products and services, so we may periodically review your needs based on our assessment of your personal information to try to ensure that you are getting the benefit of the best possible products and services from us.
g) To investigate or settle enquiries or disputes
We may need to use personal information collected from you to investigate issues or to settle disputes with you because it is in our legitimate interests to ensure that issues and disputes get investigated and resolved in a timely and efficient manner.
h) To comply with applicable laws, court orders, other judicial process, or the requirements of any applicable regulatory authorities
We may need to use your personal information to comply with any applicable laws and regulations, court orders or other judicial process, or the requirements of any applicable regulatory authority. We do this not only to comply with our legal obligations but because it may also be in our legitimate interest to do so.
i) Data analysis
Our website and e-mails may contain web beacons or pixel tags or any other similar type of data analysis tools which allow us to track receipt of correspondence and to count the number of users that have visited our website or opened our correspondence. We may aggregate your personal information (such as trading history) with the personal information of our other clients on an anonymous basis (that is, with your personal identifiers removed) so that more rigorous statistical analysis of general patterns may lead to us providing better products and services.
If your personal information is completely anonymised, we do not require a legal basis as the information will no longer constitute personal information. If your personal information is not in an anonymised form, it is in our legitimate interest to continually evaluate that personal information to ensure that the products and services we provide are relevant to the market.
j) Internal business purposes and record keeping
We may need to process your personal information for internal business and research purposes as well as for record keeping purposes. Such processing is in our own legitimate interests and is required in order to comply with our legal obligations. This may include any communications that we have with you in relation to the services and products we provide to you and our relationship with you. We will also keep records to ensure that you comply with your contractual obligations pursuant to the agreement governing our relationship with you.
k) Legal Notifications
Often the law requires us to advise you of certain changes to products or services or laws. We may need to inform you of changes to the terms or the features of our products or services. We need to process your personal information to send you these legal notifications. You will continue to receive this information from us even if you choose not to receive direct marketing information from us.
l) Corporate restructuring
If we undergo a corporate re-structuring or part or all of our business is acquired by a third party, we may need or choose to use your personal information in association with that re-structuring or acquisition. Such use may involve sharing your information as part of a due diligence enquiries or disclosures pursuant to legal agreements. It is our legitimate interest to use your information in this way, provided we comply with any legal obligation we have to you.
m) Physical Security
If you enter any of our premises we may record your image on our CCTV for security reasons. We may also take your details to keep a record of who has entered our premises on any given day. It is in our legitimate interest to do this to maintain a safe and secure working environment.
The Company will not disclose any of its clients’ confidential information to a third party, except: (a) to the extent that it is required to do so pursuant to any applicable laws, rules or regulations; (b) if there is a duty to disclose; (c) if our legitimate business interests require disclosure; or (d) at your request or with your consent or to Persons described in this policy. The Company will endeavour to make such disclosures on a ‘need-to-know’ basis, unless otherwise instructed by a regulatory authority. Under such circumstances, the Company will notify the third party regarding the confidential nature of any such information.
As part of using your personal data for the purposes set out above, the Company may disclose your personal information to the following:
If the Company discloses your personal information to business parties, such as card or other payment processing companies or banks, in order to perform the services requested by clients, such third parties may store your information in order to comply with their legal and other obligations.
Clients accept and consent that the Company may, from time to time, analyse the data collected while visiting our website or by other means for statistical purposes in order to improve the Company’s business activities.
If we transfer your personal information outside the European Economic Area (EEA) to other XM Group companies as well as service providers (i.e., processors) who are engaged on our behalf, we will ensure that the transfer is lawful and that processors in third countries are obliged to comply with the European data protection laws or other countries’ laws which are comparable and to provide appropriate safeguards in relation to the transfer of your data in accordance with GDPR Article 46. If we make transfers to processors in the USA, we may in some cases rely on applicable standard contractual clauses, binding corporate rules, the EU-US Privacy Shield or any other equivalent applicable arrangements and provided always that the necessary notifications have been made to and/or the necessary authorisations or approvals have been obtained by the relevant supervisory authority, if applicable.
Tracking systems used on the Company’s website may collect your personal data in order to optimise the services provided to you. The website collects information in the following ways:
Cookies are text files with a small amount of data sent from our website to your browser and stored on your computer’s hard drive. Cookies help us improve the performance of our website(s) and our website visitors’ experience, track your referrer (if any) and improve our future advertising campaigns.
Internet cookies are small pieces of data sent from our website(s) to your browser and stored on your computer’s hard drive when using our website(s), and they may include a unique identification number. The purpose of collecting this information is to provide you with a more relevant and effective experience on our website(s), including the presentation of our web pages according to your needs or preferences.
Cookies are frequently used on many websites on the internet, and you can choose if and how a cookie will be accepted by changing your preferences and options in your browser. You may not be able to access some parts of our website(s) if you choose to disable the cookie acceptance in your browser, particularly in the Company’s Members Area and other secure parts of our website(s). We therefore recommend that you enable cookie acceptance in order to benefit from all our online services.
The Company uses session ID cookies and persistent cookies. A session ID cookie expires after a set amount of time or when the browser window is closed. A persistent cookie remains on your hard drive for an extended time period. You can remove persistent cookies by following directions provided in your web browser’s ‘Help’ file.
If our use of your personal information requires your consent, such consent will be provided in accordance with the express written terms which govern our business relationship, or any other contract we may have entered into with you or as set out in our communication with you from time to time.
Safeguarding the privacy of your information is of utmost importance to us, whether you interact with us personally, by phone, by mail, over the internet or any other electronic medium. We will hold personal information, for as long as we have a business relationship with you, in a combination of secure computer storage facilities and paper-based files and other records and we take the necessary measures to protect the personal information we hold from misuse, loss, unauthorised access, modification or disclosure.
When we consider that personal information is no longer necessary for the purpose for which it was collected, we will remove any details that will identify you or we will securely destroy the records. However, we may need to maintain records for a further period of time (after you cease being our client). For example, we are subject to certain anti-money laundering laws which require us to retain the following, for a period of 5 years after our business relationship with you has ended:
Also, the personal information we hold in the form of a recorded communication, by telephone, electronically, in person or otherwise, will be held in line with local regulatory requirements or longer if you have legitimate interests (such as handling a dispute with you).
We may keep your data for longer than the aforementioned retention periods if we cannot delete it for legal, regulatory or other lawful grounds.
The rights that might be available to you in relation to the personal information we hold about you are outlined below.
Information and Access
If you ask us, we will confirm whether we are processing your personal information and, if so, what information we process and, if requested, provide you with a copy of that personal information (along with certain other details) within a maximum period of thirty (30) days from the date of your request. If you require additional copies, we may need to charge a reasonable administration fee.
It is an important to us that your personal information is up to date. We will take all reasonable steps to make sure that your personal information remains accurate, complete and up-to-date. If the personal information we hold about you is inaccurate or incomplete, you are entitled to have it rectified. If we have disclosed your personal information to others, we will let them know about the rectification where possible. If you ask us, if possible and lawful to do so, we will also inform you with whom we have shared your personal information so that you can contact them directly.
You may inform us at any time that your personal details have changed by e-mailing us at firstname.lastname@example.org. The Company will change your personal information in accordance with your instructions. To proceed with such requests, in some cases we may need supporting documents from you as proof, i.e. personal information that we are required to keep for regulatory or other legal purposes.
You can ask us to delete or remove your personal information in certain circumstances such as if we no longer need it or you withdraw your consent (if applicable) provided that we have no legal obligation to retain that data. Such request will be subject to any retention limits we are required to comply with in accordance with applicable laws and regulations and subject to section ‘Storage of Your Personal Information and Retention Period’. If we have disclosed your personal information to others, we will let them know about the erasure where possible. If you ask us, if possible and lawful to do so, we will also inform you with whom we have shared your personal information so that you can contact them directly.
You can ask us to ‘block’ or suppress the processing of your personal data in certain circumstances such as if you contest the accuracy of that personal information or object to us processing it. It will not stop us from storing your personal information. We will inform you before we decide not to agree with any requested restriction. If we have disclosed your personal information to others, we will inform about the restriction if possible. If you ask us, if possible and lawful to do so, we will also tell you with whom we have shared your personal information so that you can contact them directly.
Under the General Data Protection Regulation (679/2016), you have the right, in certain circumstances, to obtain personal information you have provided us with (in a structured, commonly used and machine readable format) and to re-use it elsewhere or ask us to transfer this to a third party of your choice.
You can ask us to stop processing your personal information, and we will do so, if we are:
Automated decision-making and profiling
If we have made a decision about you based solely on an automated process (e.g. through automatic profiling) that affects your ability to use the services or has another significant effect on you, you can request not to be subject to such a decision unless we can demonstrate to you that such decision is necessary for entering into, or the performance of, a contract between you and us. Even if a decision is necessary for entering into or performing a contract, you may contest the decision and require human intervention. We may not be able to offer our services or products with you, if we agree to such request (i.e., end our relationship with you).
If you do not want us to use your personal information, you must inform the Company by sending an email to email@example.com. If you decide to do so, we may not be able to continue to provide information, services and/or products requested by you and we will have no liability to you in this respect.
Our Data Protection Officer’s contact details are:
Email Address: firstname.lastname@example.org
Address: 12 Richard & Verengaria Street, Araouzos Castle Court, 3042 Limassol, Cyprus
The Company reserves the right to disclose your personally identifiable information as required by rules and regulations and when the Company believes that disclosure is necessary to protect our rights and/or to comply with any judicial and/or other proceedings, court order, legal process served or pursuant to governmental, intergovernmental and/or other regulatory bodies. The Company shall not be liable for misuse or loss of personal information and/or otherwise on the Company’s website(s) that the Company does not have access to or control over. The Company will not be liable for unlawful or unauthorised use of your personal information due to misuse or misplacement of your passwords, negligent or malicious intervention and/or otherwise from your end.
If you have a concern about any aspect of our privacy practices, you can submit a complaint. This will be acted upon promptly. To make a complaint, please contact us via email at email@example.com.
If you are not satisfied with our response to your complaint, you have the right to submit a complaint with our supervisory authority, the Office of the Commissioner for Personal Data Protection (the “Commissioner”). You can find details about how to do this on the Commissioner’s website at http://www.dataprotection.gov.cy or by calling them on +357 22818456.