Privacy Policy
1. General provisions
We, XBD Group Ltd. and the Dubai registered office address (registered office: XBD Holdings Ltd. Reg no: 000009488. DD-14-122-023, 14th Floor, Al Khatem Tower, Wework Hub 71, Adgm Square, Al Maryah Island, Abu Dhabi, United Arab Emirates) (hereinafter — “We”) care not only about convenience of our Clients and opportunities provided by our services, but also about protecting the Privacy of the Clients. We invest resources so that our Clients would feel safe and take care of protecting Clients’ data in our daily operations.
The purpose of this Privacy Policy is to explain how we protect Clients’ privacy and to help Clients understand how their personal data are processed and what are our and Clients’ rights and responsibility in the course of processing their data.
In processing personal data, we observe the General Data Protection Regulation, as well as other laws and regulations and binding instructions applicable in the European Union.
This Privacy Policy applies to our relations with Clients, including any existing Client, buyer, applicant or any other person using or wishing to use any of our services, or addressing us with any request or claim, submitting any kind of document, visiting our home page or contacting us through remote means of communications, including post, e-mail or phone (all together hereinafter – the Client).
We have created this Privacy Policy to be as simple as possible; however, if there are unknown terms such as “anonymized data”, “personal data”, etc., please, first become acquainted with the following concepts used in this Privacy Policy:
- Personal data — any information related to an identified or identifiable natural person (data subject), for example, given name, surname, contact details etc.
- Anonymized data — information that is not personal data and is not more applicable to a natural person, since all personal identification elements are excluded from the information set.
- Processing — any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, organisation, structuring, storage etc.
2. How do we obtain personal data and what is the basis for data processing?
We can receive personal data in different ways, including as follows:
- The Client has provided us with his or her personal data, i.e. when the Client or a person authorised by the Client contacts or cooperates with us or our authorised persons, for example, submits its data during the process of purchase or uses our services or requests any information or submits an application for examination of a particular issue or request, or contacts us through the specified information channels.
- Personal data created using our service e.g. by visiting or using our website.
- Personal data received from legal entities, i.e. legal entity submits application which includes personal data of its employees and beneficiaries;
- Personal data collected from various databases and registers in the course of provision of services i.e. data received from databases and third parties in the course of analysing Client’s submitted application and implementing anti-money laundering and terrorist financing prevention requirements or sanctions requirements, know your customer requirements and implementing other legal obligations.
Data described in this paragraph is collected from following sources:
- List of entities and their groups subject to sanctions established by resolutions of the United Nations Security Council against terrorism (United Nations Security Council’s Resolution 1267(1999) as amended);
- List of financial sanctions of the European Union (the updated consolidated list is also published on the official websites of the United Nations Organization and of the European Commission);
- Lists of financial sanctions published by the Office of Foreign Assets Control of the U.S. Treasury Department and/or of the Republic of Lithuania and shall apply measures provided in this Policy to such entities (including entities of the European Union indicated in the Common Position 2001/931/CFSP, as amended);
- Website IDenfy.com for the purpose of politically exposed person screening; search engines and other public sources for the purpose of collecting data necessary for adverse media screening;
- Following databases: http://ec.europa.eu/taxation_customs/vies/viesquer.do?ms=LT&vat= (allows to check whether provided VAT is valid), www.consilium.europa.eu (allows to check what documents are valid in which countries), www.sanctionsmap.eu (general list of sanctions), https://complyadvantage.com (Information if the document is lost or stolen), company search registers of various countries; tax, customs, business, legal entity look up, corporate and enterprise databases and registers. Full list can be found here;
Data subjects have the right to refuse providing their personal data to us, but in this case it is possible that we will not be able to provide the services requested by the Client and the provision of the services will be refused. We are not able to provide our services without processing personal data requested in our applications forms and other documents.
We perform personal data processing only on specific applicable basis of data processing. We process personal data, which is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Furthermore, we process personal data, which is necessary for compliance with applicable legal obligations, including anti-money laundering terrorist financing prevention requirements, as well as for the purposes of the legitimate interests pursued, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
3. What personal data do we collect
Types of personal data may differ depending on the method of collaboration. Generally types of personal data can be subdivided into the following categories of personal data:
- Personal data of a Client who is natural person. First name, last name, contact details, citizenship, address, city, Zip/postcode, employment status, signature, expectations regarding monthly trade amount, information on XBD services a person is interested in (Exchange, OTC, Custodianship), the purpose of XBD account (Investing, Trading on XBD, Trading on other exchanges, Online Purchases/payments, Payments to friends, Business, Other), source of funds and bank statement, industry of work, tax identification number, country of tax residence, information on politically exposed person status;
- Personal data of Directors and Owners of a legal person. First name, last name, e-mail, date of birth, citizenship (if a person does not have a citizenship – a country which has issued the identity document), signature, residential address, tax residency country, tax identification number TIN, personal number or another unique sequence of symbols attributed to the person for identification purposes (optional), information on politically exposed person status;
- Personal data of Ultimate Beneficial Owners of a legal person. First name, last name, date of birth, personal number or another unique sequence of symbols attributed to the person for identification purposes (optional), citizenship (if a person does not have a citizenship – a country which has issued the identity document), residential address, information on politically exposed person status, ownership and control structure (document proving the ownership and control structure of the company);
- Personal data of Employees of a legal person. Name, surname, contact details, position, signature, content of communication;
- Personal data related to the provision of services, for example, information about the services provided to the Client and data arising from the provision of these services, i.e. payment and currency exchange data; documents and information related to payments and data thereof; transaction data; Client’s contact details that we receive during personal or remote contact with the Client, such as e-mails addressed to us, or information provided during a telephone call, data identified in application forms and other personal data submitted to us directly by data subjects or by received legal entities, who submit identification data and contact details of their employees and beneficiaries;
- Personal data collected from public databases and registers for the purpose of compliance with various legal obligations, for example, data regarding applicability of international sanctions, data on applicability of anti-money loundering and terrorist financing prevention requirements, identities of directors, shareholders and ultimate beneficiary owners, their business ownership and control structure, information on political exposure, information on validity of identity documents. Such data shall be collected once a person submits application regarding provision of our service.
We do not deliberately collect and process personally identifiable information from persons younger than the age limit set in regulatory enactments, which gives the right to act independently. We respect the rights of such persons, if service is necessary, we invite the parents or guardians of such persons to contact us.
4. How do we use personal data
We process personal data to provide our services, comply with legal obligations, cooperate and perform other activities important for our operations and Clients.
We process personal data only for specified, explicit and legitimate purposes:
- Conclusion and execution of the contract / provision of our services and ensuring the execution of the transaction. This aim refers to offering services on our website, including related services in any application form. We process data to ensure the concluded contracts (transactions) and performance of the related services. We process personal data in communication with Clients, for example, we send service-related service notifications to inform about the result of application or provide other important information to the Client. Likewise, we may need to contact the Client in order to clarify, for instance, information on the submitted application or to find out other additional information that promotes the progress of execution of the transaction. We conduct processing on the basis of regulatory enactments (laws) and contract (transaction). Personal data is being collected by the registration forms or during the purchasing process.
- Resolution of the submitted questions, including examination and resolution of various submitted questions or complaints. We conduct processing on the basis of regulatory enactments (laws), contract and legitimate interest.
- Fulfilment of binding regulatory enactments. We process personal data to fulfil the duties specified in regulatory enactments, for example, compliance with anti-money loundering and terrorist financing prevention, also to ensure the availability of data to competent institutions, including to provide answers to the requests of institutions and courts received within the framework of regulatory enactments, as well as to enforce the rights provided for Clients within the framework of regulatory enactments and the obligations imposed upon us. We conduct processing on the basis of regulatory enactments (laws).
- Provision of offers. We respect the right of each Client to give, revoke or change the possibilities of receiving information. In cases when the Client has expressed a wish to receive information or to provide an opinion on particular services, personal data may be processed in order to ensure the provision of information necessary for the Client. In such cases, Client’s consent is always important. In addition, under applicable laws we have the right to provide information about our services to existing clients, if our Clients did not object such processing at the moment of submitting their personal data to us. In case of such objection we always ask our Clients to inform us. We conduct processing based on legitimate interests and consent provided by the Client. We conduct processing on the basis of consent and legitimate interest.
- Accounting/financial and tax management. The aim refers to accounting records, payment of taxes, settlements, etc. We conduct processing on the basis of regulatory enactments (laws) and contract (transaction).
- Administration of settlements. The aim refers to the activities carried out within the framework of settlements with persons. We conduct processing on the basis of regulatory enactments (laws) and contract (transaction).
- Statistics and analysis of services, processes, information systems for the purpose of developing and improving thereof. The aim refers to the processing of personal data at our disposal in order to assess the results of provision of the service for the purpose of developing and improving our services, processes, systems and determining the goals and development directions of our Company. We can process data for statistical purposes and collection and analysis of business information to allow us to take informed decisions on the improvement and protection of operations, as well as to prepare reports on the results of our business activities. We conduct processing based on legitimate interests.
- Organisational management (including record keeping, accounting of processes, services, information systems and persons). The aim refers to measures for integrated management of the Company, including according to national and internationally recognised corporate management principles, ensuring the traceability, control and improvement of internal processes. We conduct processing on the basis of regulatory enactments (laws) and legitimate interest.
In all cases, we process personal data only to the extent necessary for the purpose, taking into account the privacy of any person.
5. How we protect personal data
We ensure the confidentiality of personal data by taking appropriate security measures and observing the requirements of regulatory enactments and the obligations provided for therein.
For the purposes of protecting the Client’s interests, we continuously develop our security processes and measures. Such security measures include protection of personnel, information and technical resources and IT infrastructure. Within the framework of these measures, we ensure appropriate level of information protection to prevent unauthorised access of third parties.
6. To whom we can provide personal data
Personal data exchange may be necessary in some cases when it has a specific intended purpose, for example, it may be necessary to provide personal data to the following categories of data recipients:
- Cooperation partners, including cooperation partners for the provision of services, as well as partners that ensure certain delivery services, personal, facilities and information protection and security services, financial, accountant and courier services, and other similar services. Such cooperation partners may only use personal data for the purposes on which we and our partner have agreed. We exercise due diligence to ensure that such cooperation partners act in accordance with this Privacy Policy and safety requirements provided for Clients in the laws and regulations.
- Supervisory and governmental authorities. In order to comply with the requirements laid down in laws and regulations, We may have a need to provide personal data to market surveillance authorities, law enforcement authorities, including for the protection of our lawful rights, for example, by pursuing a claim in court, in accordance with the provisions laid down in laws and regulations.
- Databases and registers. While checking information about our Clients in databases and registers, we submit name, surname, date of birth and personal identification number.
- Other service providers. Data may be transferred to attorneys, lawyers or consultants, who provide services to our Company.
In addition to the above, there may be cases where we can transfer personal data to another person in relation to the transfer of companies, any merger, acquisition, sale of our assets or transfer of provision of services to another merchant.
We ensure the confidentiality of personal data by taking security measures in accordance with the requirements of regulatory enactments.
We can also process anonymized data. Such data that do not allow identification of a person may be used for other purposes and transferred to other persons.
7. How long do we store data
We store personal data only for such period as is necessary to achieve the goals set forth in this Privacy Policy, unless longer storage thereof is determined or permitted by applicable laws and regulations. In order to determine the period of data storage, we use criteria that comply with the obligations laid down in laws and regulations, including we also take into account the rights provided for Clients, for example, determining the storage of data for the period during which claims related to the transaction may be applied, if any. If the Client has made a purchase of our services, we store such data for 8 (eight) years.
No limitations shall be applied for storing anonymized data, but we store them only to the necessary extent and duration.
Our aim is to ensure that information about the Client is correct and up-to-date. Therefore, we invite the Client to keep us informed about any changes in the information provided by the Client.
Likewise, in accordance with the procedures laid down in external laws and regulations, we can implement the protection of our legal interests (including, to submit objections and complaints or bring an action to the court until the limitation period for the fulfilment of obligations has set in) while any of the parties has a legal obligation to store data (for example, to store invoices for 10 years). After these circumstances cease (or upon the expiry of the deadline), the data shall be deleted.
8. What are Client’s rights and what we expect from the Client
Rights of the Client are as follows:
- to submit an application and receive information on data that we collect and store about the Client, unless applicable regulatory enactments provide for otherwise.
- to request access to his/her data, rectification or deletion thereof, if necessary, supplementing or restriction of processing.
- to exercise the right to object to processing, including to object to data processing carried out on the basis of legitimate interests, insofar as it is provided for in laws and regulations.
- to exercise the right to data portability. When choosing to receive information on himself/herself remotely, for example, by mail, the Client shall be responsible for the safety of the selected type of receipt and the actions of persons acting in the representation of the submitter.
- to revoke the consent given by the Client at any time. Giving or revocation of consent shall be the free choice of the Client and shall not impose mandatory additional duties. However, if the Client decides to withdraw any consent, it must be taken into account that the withdrawal does not affect processing carried out before the withdrawal and processing of data related to consent will no longer be ensured and the Client may not have access to possibilities in the previous extent.
- contact us and lodge a complaint to data protection supervisory authority regarding data processing issues. If support for wider receipt of information on this Privacy Policy, aspects of data processing or applicable data protection laws and regulations is necessary, we hereby request to address us so that we can carefully review the matter and provide an answer. In any case, the Client shall always have the right to submit a complaint to the responsible authority regarding matters related to data processing monitoring. Contact details of the supervisory authority in Lithuania are as follows: State Data Protection Inspectorate, L. Sapiegos street 17, Vilnius, LT-10312. Lithuania. More information available at: website https://vdai.lrv.lt/en/
- contact us on all matters topical to the Client, including Privacy Policy and applicable data protection. We will provide an answer within the shortest possible time, but not later than within one month from the receipt of the application, unless the scope of the question causes necessity for additional time.
We review applications of the Clients in relation to the said rights free of charge. Review of an application may be refused or proportionate payment may be applied thereto, if these have been submitted clearly unjustifiably or excessively, as well as in other cases provided for in laws and regulations. An application may be submitted at any point of acceptance of our equipment or remotely, ensuring a possibility to identify itself as a specific subject of personal data and to verify the essence and justification of the submitted request.
Responsibility of the Client:
- to inform us about changes in information and data provided. It is important for us that we have true and up-to-date information on the Client;
- to provide the necessary information to enable us to identify the Client in relation to the Client’s request and to be sure that the communication or cooperation is performed directly with the particular Client. It is necessary for the protection of the personal data of the Client and other persons, so that we might be certain that the Client is a data subject of the personal data and that information disclosed within the framework of communication and/or cooperation on the Client is provided only to the Client without prejudice to the rights of other persons. For example, in case the Client wishes to find out information about himself by sending a request to us. In this case, it is important for us to make sure that the Client is the one who has submitted and signed this request directly. Accordingly, we may ask for additional identifying information. However, if the Client has not provided additional information and/or we will have doubts of the person requesting the information, we may refuse disclosure of data to third parties for the purpose of protection of Client’s data (so that the data are not disclosed to third parties) until we are confident that the Client is the one who has requested the mentioned information.
- Prior to commencing cooperation with us, to become acquainted with this Privacy Policy, as well as to introduce it to any person related to the Client and whose interests may be affected in the process of processing of the Client’s data. We expect the Client to use the data provided by us in good faith and without affecting the legal interests of other persons. In cases where data directly refer to another person (in case of change of data subjects), the Client shall be liable to inform them without delay. Until full identification of persons, data shall be attributed to the Client as a data subject.
9. How can you find out about changes in this Privacy Policy?
We constantly improve and develop our operations by modifying and supplementing this Privacy Policy from time to time. Therefore, we invite Clients to regularly become acquainted with the current version of the Privacy Policy on our website and our other communication channels. Once we make changes to this Privacy Policy, we will inform thereof by notice on our website.
10. How to contact us
In case of any questions or uncertainties in relation to this Privacy Policy or Personal Data Processing, please contact us by using the contact details provided at the beginning of this Privacy Policy.