Version No.	Approval Date:	Revisions/Changes:
4.0	May 2021	Update of Policy
5.0	September 2022	Update of Policy

Data Protection and Privacy Policy

1. Introduction

Tradestone Ltd (hereinafter the “Company”, “we”, “our” or “us”) is a Cyprus Investment Firm (hereinafter the “CIF”) regulated by the Cyprus Securities and Exchange Commission (hereinafter the “CySEC”) under license number 331/17 and registered with the Registrar of Companies and Official Receiver in Cyprus under registration number HE353534.

The Company is registered with the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus for the purpose of personal data processing.

The protection of the security and privacy of your personal information is important to us and to the way we conduct our business in compliance with the laws on privacy, data protection and data security.

1. Purpose

The purpose of this policy is to outline what information the Company may collect, how it uses and safeguards that information and with whom it may share it.

By registering with the Company’s website, you consent to the collection, use and processing of your personal data.

For the purposes of this Policy and as per Article 4(1) of the GDPR:

1. Personal data shall mean any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2. Controller shall meal the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
3. Processor shall mean a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
4. Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

We collect, use, disclose, store and process your personal data for the performance of our services as required by law. We use your personal data to provide you with the services you request through our website(s) and platform(s) to perform our contractual obligations related to those services in accordance with the Law providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of such Data of 2018, Law 125(I)/2018, as this is amended or replaced from time to time and the European Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data an on the free movement of such data, known as the General Data Protection Regulation (hereinafter referred to as “GDPR”).

2. Data Protection Act

The Company may process information relating to you, including holding such information in hard-copy records or electronic database, to satisfy any contractual, regulatory or statutory requirements we may have. By opening a trading account with the Company, the client hereby gives consent to such collection, processing, storage and use of personal information by the Company as extendedly explained below. Unless we receive specific written instructions for the contrary, by providing this information you agree that we may process this information in order to fulfil such obligations.

2. Personally Identifiable Information

The information we collect during the on-boarding process may include but is not limited to your full name, e- mail, country of residence, contact numbers, tax identification numbers, financial information and so forth (hereinafter the “Personal Information”). During this process we are also required by Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007, Law 188(I)/2007, as amended from time to time, and the CySEC Directive for the Prevention and Suppression of Money Laundering and Terrorist Financing to collect certain documentation in order to verify your true identity which may include but is not limited to, proof of identity in the form of a Passport or Identification Card, proof of your permanent residential address in the form of a utility bill as well as your credit card details (we request both sides of the bank card. The front side must contain the first 6 digits and the last 4 digits of the card number, cardholder’s name, and expiry date. For security purposes, we request clients to cover the CVC/CVV codes at the back side). User’s card data are not stored in our systems since we do not have a PCI DSS certificate. For all that information we rely on our Payment Providers who are duly certified.

Through its website(s), the Company will not collect any Personal Information, unless you voluntarily choose to provide it (e.g., by registration, email enquiry, survey). If you do not want your personal information to be collected, please do not submit it.

By submitting your Personal Information, you grant us with your consent to use your Personal Information in the ways listed below. You also consent to the Company, transferring your Personal Information outside the European Economic Area where it is necessary for Tradestone Ltd to fulfil its contractual, regulatory, and legal obligations, according to the provisions of the Law providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the free movement of such Data of 2018, Law 125(I)/2018. We will only transfer Personal Information to organizations outside the EEA upon our assessment that the organization we are sending the information to, has proper and appropriate controls and safeguards in place.

The Company may also collect information in regard to your use of our website(s), such as pages, visited, frequency, duration of visit and trading activities. The Company also keeps records of your trading behaviour, including a record of:

 Products you trade and their performance

 Historical data about the trades and investments you have made including the amount invested
 Historical data about your payment and your withdrawal activities.

1. How does the Company use your information

We may use your information for any one or more of the following purposes:  
to confirm your identity.

 to maintain your personal profile.

 to manage your account and keep you updated on all matters that concern your account.

 to provide the services that you have requested including processing transactions.

 to contact you when necessary or appropriate in relation to the services being provided to you.

 to provide you with information about our products and services and provide you with information or opportunities that we believe might be relevant for you.

 to deal with enquiries, complaints and feedback from you and our service providers.

 to tailor the website or other service we provide to you relating to your needs and interests; and  
to create anonymous statistical data.

2. What you are entitled to

 Obtain a confirmation as to whether or not we process personal information concerning you and request to provide you a copy of your Personal Information that we hold, upon we receive a written request by you via your registered email, specifying which data you require and after your identity is verified. We shall refuse to provide you the requested information if regulatory obligations prevent us from doing so. Please bear in mind that in case you require more than one copies of your Personal Information we are entitled to charge a reasonable fee based on the applicable administrative costs for fulfilling your request.

 Request without undue delay, the rectification of the Personal Information we hold on you in case of inaccurate personal data concerning you or provide a supplementary statement in case of incomplete personal data concerning you.

 Request your personal data to be obliterated through the “right to be forgotten” where there is no good reason for us in continuing to process them, you withdraw your consent for processing them or they have been unlawfully processed. Should you decide that you wish for your personal data to be forgotten we may not be able to provide you with our services. However, please note that we may not always be able to comply with such a request due to our regulatory obligations towards the CySEC whereby we have an obligation to retain data in our records/files for up to seven (7) years.

 Request restriction of processing where the accuracy of your personal data is contested, the processing of your personal is unlawful and you do not wish for an erasure, we no longer need your personal data but they are required by you for the establishment, exercise or defence of legal claims, you have objected to the processing of your personal data pending verification whether we override your legitimate grounds.

 Request transmission of your personal data directly to another controller, in a structured, commonly used and machine-readable format, if is technically feasible to be executed by our side.

You can request your personal data to be obliterated upon request by contacting by email our Customer Support team (please find the contact details on the Contacts page)

You may opt out of receiving marketing emails at any time by selecting the 'unsubscribe' link at the top of the emails or upon request by contacting by email our Customer Support team (please find the contact details on the Contacts page).

3. Contacting Clients

From time to time the Company may contact clients either by phone or email for the purpose of administering the terms of the Agreement between us and you as the client. The Company may, on occasion, seek to contact clients, either by phone or by email, for the purpose of informing them about market announcements and launch of new products provided by the Company. As per Directive DI87-09 Section 4(1)(d) the CIF cannot offer monetary or non-monetary promotions to client in regards to CFDs. Clients consent to the acceptance of such communication when they accept our terms and conditions of use while registering with the Company. Any

person wishing to opt out of further contacting by the Company, at any time whatsoever, is entitled to do so and may express his wish, simply by contacting the Company either by phone or email to request that no further contacting on behalf of the Company be made.

1. Non-Personal Information Collected Automatically

When you access the company’s website(s), we may automatically (i.e., not necessarily with registration) collect statistical information that is not personally identifiable (e.g., type of internet browser and computer operating system used; domain name of the website you come from; number of visits, average time spent, pages viewed, etc.). The Company may use this information and share it within the Company’s group for statistical reasons (i.e. measure the use of its website and/or improve its content).

4. Disclosure of Information

1. Who may we disclose Personal Information to

Your Personal Information may be disclosed to:

 the Cyprus Securities and Exchange Commission (CySEC) and other regulatory and governmental bodies the Company is required by law to disclose information to.

 financial institutions and other similar organizations that the Company deals with in the course of its business.

 service providers and specializing advisors that provide services to us (outsourcing partners).

 any third parties where it is required to process a transaction or provide services the client has requested.

 tied agents or other brokers who had been contracted to provide us with administrative, financial, insurance, research and/or other services.

 credit providers, courts, tribunals and regulatory authorities as agreed and/or authorized by law.
credit reporting or reference agencies; and

 anyone authorized by the client (such as the client’s financial advisor, broker, solicitor, or accountant).

Please note that we will never sell or provide the client’s Personal Information to third parties for marketing purposes.

In addition, the Company may engage third parties to help carry out certain internal functions such as account processing, fulfillment, client service, client satisfaction surveys or other data collection activities relevant to its business. Use of the shared information is strictly limited to the performance of the above and is not permitted for any other purpose.

In general, we require that any third-party service provider that we share any Personal Information with, undertakes to respect any individual’s right to privacy and comply with the Data Protection Principles. These third-party service providers may keep a record of any searches they performed on our behalf and they may use the search details to assist other companies in performing their own searches. Third parties are not covered by this privacy policy.

In any case, we require from organizations outside the Company who handle or obtain personal information to acknowledge the confidentiality of this information, undertake to respect any individual’s right to privacy and comply with all the relevant data protection laws and this privacy policy.

In cases where clients have been introduced by a Tied Agent, such Tied Agent may have access to clients’ information. Hence, clients hereby consent to the sharing of information with such Business Introducer.

2. Third Party Sites

Please be notified that Tradestone Ltd cannot be held responsible for the privacy practices of other web sites. We advise all visitors to be aware and read the privacy statements of each and every web site that collects personal identity information.

3. Payment Providers

In accordance with the recommendations of Payment Card Industry Security Standards Council, customer card details are protected using Transport Layer encryption - TLS 1.2 and application layer with algorithm AES and key length 256 bit.

4. Non-EEA Countries

We may transfer your personal information outside the European Economic Area. If we make such transfer, we will ensure that the transfer is lawful and that there are appropriate security arrangements in place to safeguard your personal data as provided by applicable Regulations. In addition, the Company follows the European Commission instruction in respect to this matter and it shall ensure that the third country in which your data may be transferred is recognised by the European Commission, as adequate in respect of the protection of your personal data.

5. Retention of records

We may be requested to retain and use your Personal Information to meet our legal obligations for data security purposes and as we believe to be fit and necessary or appropriate in order to either but not limited to comply with our requirements under applicable laws and regulations, to respond to requests from courts and/or other public and governmental authorities, for monitoring purposes through compliance and anti-money laundering processes.

We will not keep your information for any longer than the time required. In many cases, information must be kept for considerable periods of time. Retention periods will be decided, considering the type of information that is collected and the purpose for which it is collected, bearing in mind the requirements applicable to the situation and the need to destroy outdated, unused information at the earliest reasonable time. Under applicable regulations, we will keep records containing Personal Information, trading information, account opening documents, communication and anything else that is relative to the Client for a maximum of seven (7) years after termination of the Agreement between you and our company. In any event, we will keep your information for a minimum duration as provided in the applicable Limitation of Actions Law.

6. Security

The Company takes precautions to ensure the security of your personal information and strives to keep it accurate.

We act with care to protect the client’s personal information from loss, destruction, falsification, manipulation, and unauthorized access or unauthorized disclosure and has developed and will maintain security procedures to safeguard Personal Information against loss, theft, copying and unauthorized disclosure, use or modification.

Access to Personal Information is limited to the company employees and authorized service providers who require to receive it in order to perform their work.

While we will use all reasonable efforts to safeguard the client’s information, the client acknowledges that the use of the internet is not entirely secure and therefore, we cannot provide any guarantee concerning the security or integrity of any personal data transferred from the client, or to the client through the use of the internet.

7. Automated decision-making

The Company may use your Personal Information for the purpose of automated decision-making, including profiling. For such processing to take place, we request your explicit consent, and we provide you with the option to refuse or withdraw your consent. We use automated decision-making in order to fulfill our regulatory obligations imposed by law e.g. determining the appropriate maximum leverage at which you should permit to trade, and for which you may not receive an explicit notification. You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you and/or significantly affects you. You can inform us of such a decision by contacting us at [email protected] . Pursuant to Article 22, your cannot exercise your right to object to the processing of your personal data for automated decision-making if the decision:

1. is necessary for entering into, or performance of, a contract between you and the Company;
2. is authorised by the European Union or Cyprus law and lays down suitable measures to safeguard your rights, freedoms and legitimate interests;
3. is based on your explicit consent.

5. Cookies

1. General

Cookies are small pieces of data sent from a website and stored in a user’s web browser whilst the user is browsing that website.

2. How we use Cookies on our Site and what Information we collect.

Like most websites, the Company uses cookies to improve the client’s experience on our website as the data received from cookies enables us to determine the type of browser and settings the client is using, when he has been on our website, when he returns to the website, where he came from and to ensure his information is secure. We do not link the information we store in cookies to any personal identification information the client submits while on our site. If he chooses to opt out of cookies the client may still use our site, but the ability to use some areas will be limited.

We would strongly recommend that the client allows cookies on our website to receive the best experience possible. Turning off cookies may result in reduced performance of our website and trading platform, however if he would still like to opt out of cookies, he can do this through the website browser used. Our customer support team would be happy to talk to the client through this process if assistance is required.

For more information about the types of cookies the Company uses please see our Cookie policy.

6. Your Consent

To use your personal information we require your consent, such consent will be provided in accordance with the Client Agreement that it is provided to you during the account opening procedure and is also available on the Company’s website(s). The Company shall rely on the provided consent as its legal basis for processing your personal data. You have the right at any time to withdraw that consent by contacting us via phone or via email at [email protected].

Where you are a natural person and the use of your personal data requires your consent, the Company will request for your consent to be provided freely, specific, informed and an unambiguous indication of your desires, which by statement or by clear affirmative action, signifies agreement to the processing.

If at any case you feel compelled to consent or you will endure negative consequences if you do not, then your consent will not be valid. Additionally, your consent shall not be bundled-up as a non-negotiable part of terms and conditions, because such action would indicate that you haven’t freely provided your consent.

In certain circumstances the company can process your data without your consent. The following are considered to be the most relevant:

 Processing is necessary for compliance with legal obligation to which the controller is subject.

 Processing is necessary for the performance of a contract to which the person is party, or in order to take measures of the person’s request prior entering into a contract.

 Processing is necessary in order to protect the vital interests of the data subject.

 Processing is necessary for the performance of a task carried out in the public interest or in the exercise of public authority or a third party to whom the data are communicated.

 Processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party to whom the personal data are communicated, on condition that such interests override the rights, interests and fundamental freedoms of the persons.

7. Contact Details

1. Data Protection Officer

Under the Law providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of such Data of 2018, Law 125(I)/2018, as amended and/or replaced from time to time, the client as a natural person reserves the right to obtain a copy of any personal information which we hold about him and to advise us of any perceived inaccuracy.

To proceed with such request, the client should contact our DPO (Data Protection Officer), verify his identity and specify what information is required. An administrative fee may be charged.

Contact Details of DPO

Email Address:        [email protected] 
Telephone Number:                00357 25 313540

Postal address:        89 Vasileos Georgiou A’ Str, 1st floor, Office 101, 4048 Limassol, Cyprus

2. Data Commissioner of the Republic of Cyprus

Under the Law providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of such Data of 2018, Law 125(I)/2018, as amended and/or replaced from time to time, the client reserves the right to lodge a complaint with the independent supervisory authority which is the Office of the Commissioner for Personal Data Protection in Cyprus, provided the following contact information.

Contact Details of the Office of the Commissioner for Personal Data Protection

Email:        [email protected]

Telephone:        +357 22818456

Fax:        +357 22304565

Office address:        1 Iasonos, 1082 Nicosia, Cyprus
Postal address:        P.O.Box 23378, 1682 Nicosia, Cyprus

Website:        https://www.dataprotection.gov.cy

8. Privacy Statement Changes

The Company reserves the right to change this privacy statement at any time deemed necessary. In the event that, the Company materially changes this Policy including how it collects, processes or uses clients’ personal information, the revised Privacy Policy will be uploaded on the Company’s website. In this respect, the client hereby agrees to accept posting of a revised Privacy Policy electronically on the website as the actual notice of the Company to its clients. Any dispute over the Company’s Privacy Policy, is subject to this notice and the Client Agreement. The client is advised to read this statement each and every time he accesses the site so that he is satisfied with the privacy conditions under which his personal information is provided to the Company.