Privacy Policy

  1. Introduction

1.1 Xtellus Europe Limited (hereinafter, “the Company”) is an Investment Firm regulated by the Cyprus Securities and Exchange Commission (hereinafter, “CySEC”) with License number ###/##, having its principal place of business at 26 Spyrou Kyprianou, 4040, Limassol, Cyprus and is registered with the Registrar of Companies in Nicosia under the number HE 447781.

1.2 The Company is compliant with the requirements of the Markets in Financial Instruments Directive (MiFID II), Investments Services Law 87(I) 2017, the Laws for the Prevention of Money Laundering and Terrorist Financing, Market Abuse and Insider Dealing, the General Data Protection Regulation (GDPR) as well as other legislation applicable in the Republic of Cyprus.

1.3 The Company needs to collect and use certain types of information about the Individuals or Service Users with whom the Company comes into contact, to the extent that is necessary to perform its services to its Users in connection with its Products and Services. This personal information must be collected and dealt with appropriately, whether it is collected on paper, stored in a computer database, or recorded on other material, and there are safeguards to ensure this under the Protection of Natural Persons Against the Processing of Personal Data and the Free Circulation of such Data Law L.125(I)/2018 and under the General Data Protection Regulation 2016/679 (2018).

1.4 The Company has established a Privacy Policy (the “Policy”) appropriate to the size and organization of the Company and the nature, scale and complexity of the Company’s business.

1.5 This Policy applies to former, existing and potential Clients (hereinafter referred to as the “Client” and/or “you”) as well as to any visitors of the Company’s website.

1.6 Client means any natural or legal person who has entered into a client relationship with the Company and is actively using, or has used, the services of the Company until the termination of the Client relationship. A prospective Client is a natural or legal person who intends to use our services and has made the initial registration for such use of services without concluding the Client relationship.

  2. Scope of the Privacy Policy

2.1   With the implementation of the Privacy Policy the Company aims to outline the Company’s responsibility to manage and ensure the protection of privacy and the clients’ personal and financial information and to behave in a fair and moral manner concerning the gathering, storing and handling of data. This process will be carried out with transparency and respect towards the rights of individuals who entrust it with their information. For the purpose of this Privacy Policy, Data Protection Legislation means: (i) the General Data Protection Regulation 2016/679 (the “GDPR”) applicable in the European Union, including the UK until any UK data protection legislation replaces or adopts the GDPR in the UK and (ii) then such UK data protection legislation replacing the GDPR once in force and applicable.
The clients’ privacy is considered and treated by the Company with utmost importance and highest priority and this Policy applies to former, existing and potential clients as well as to any visitors of the Company’s website.

2.2    For the purpose of this Privacy Policy, Data Protection Legislation means: (i) the General Data Protection Regulation 2016/679 (the “GDPR”) applicable in the European Union, including Cyprus until any Cyprus data protection legislation replaces or adopts the GDPR in Cyprus and (ii) then such Cyprus data protection legislation replacing the GDPR once in force and applicable. For the purpose of the Data Protection Legislation, the data controller is the Company.

2.3   This Privacy Policy:

a)  provides an overview of how the Company collects, processes and uses your personal data and informs you about your rights under the local data protection law and the EU General Data Protection Regulation;

b)  is directed to natural persons who are either current or potential Clients of the Company, or are authorized representatives/agents or beneficial owners of legal entities or of natural persons which/who are current or potential Clients of the Company;

c)   is directed to natural persons who had such a business relationship with the Company in the past;

d)  contains information about when we share your personal data with other third parties (for example, our service providers or suppliers).

2.4 Throughout this Policy your data may be called either “personal data” or “personal information”. We may also sometimes collectively refer to handling, collecting, protecting and storing your personal data or any such action as “processing” such personal data.

2.5    For the purposes of this Privacy Policy, personal data shall mean any information relating to you which identifies or may identify you and which includes, for example, your name, address and identification number.

2.6   Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

  3. Consent

3.1   Consent refers to your right as a data subject to freely and unambiguously agree to a specific condition related to our primary or supporting services by making a positive action. Such action might be a tick box in your client area, signature on a document, electronic signature or name placement in online questionnaires or other similar action. Most of the services provided by our company do not require a separate or explicit consent by data subjects to process their information in connection to the core services of the company when requesting to become a client of a regulated Cyprus investment firm based on the definitions for legal grounds of processing found in Article 6 of the GDPR.

3.2 By using (collectively, “Using” or “Use”) our Websites and/or our Apps, registering with us or submitting information to us you consent and agree with the terms of this Policy and you hereby consent to the collection, processing, storage, use and disclosure of your personal data by the Company, whether such use is by the Company or by another third party which may be required by them in order to effectively perform Services in connection with the Company’s Terms and Conditions or effectively execute any related operational function performed by the Company to its Clients (e.g. refunding Clients with their funds) in accordance with this Policy and as explained below herein. If you do not agree with this Privacy Policy, you must not use our Website and our Apps, access our services or submit information to us.

  4. Personal Information/Data We May Collect (or Receive) About You

4.1 The Company will only use clients’ personal data in accordance with international data protection practices. In particular, the Company is registered as a Data Controller with the Office of the Commissioner for Personal Data Protection and will collect, process, maintain, store, use and handle clients’ personal information in accordance with the Processing of Personal Data (Protection of the Individual) Law of 138(1) 2001 and General Data Protection Regulation (2018) as amended from time to time (the “Law”), this Privacy Policy and the Company’s Trading Terms and Conditions.

4.2 During the online registration procedure as well as following the completion of the online registration procedure clients are required to provide personal information and to attach a series of required documents. In the event the client intends to deposit money to the Company’s client account using his payment card, in accordance with the recommendations of the Payment Card Industry Security Standards Council, customer card details are protected using Transport Layer encryption – TLS 1.2.

4.3 We may collect such Personal Information from other persons including, for example, fraud prevention agencies, banks, other financial institutions, third authentication service providers and the providers of public registers and such other services that may from time to time be required for the Company’s legitimate purposes.

4.4 “Personally identifiable information” (or “Personal Information”) means any information that may be used, either alone or in combination with other information, to personally identify, contact or locate any Customer of the Company (referred to as “User”).

4.5 Personal Information includes, but is not limited to:
a. First and Last name
b. ID/Passport numbers
c. Physical address
d. Date of Birth
e. Contact information such as telephone number and email address
f. Identity and Address verification documents such as passport and ID, utility bills and/or bank statements
g. Company information, company incorporation documents/certificates/details in case of a corporate account
h. Financial data such as estimated annual income and net worth, trading experience and investment knowledge including but not limited to trading data, deposits, withdrawals, and credit.
i. Payment details and bank account details

4.6 We are required by law to identify you if you are opening a new account or adding a new signatory to an existing account. Anti-money laundering laws require us to sight and record details of certain documents (i.e. photographic and non-photographic documents) in order to meet the standards set under those laws. Identification documentation, as required under anti-money laundering legislation or other legislation relevant to the services we provide to you, includes, but is not limited to (see Account Handling Procedure):
a) passport;
b) driver’s license;
c) national identity card (if applicable);
d) utility bills;
e) trust deed;
f) other information we consider necessary to our functions and activities.

4.7 Where it is necessary to do so, we also collect data regarding the following individuals:
a) trustees;
b) partners;
c) company directors and officers;
d) officers of co-operatives and associations;
e) client agents; or
f) individuals dealing with us on a “one-off” basis.

4.8 You have the option of not identifying yourself, or of using a pseudonym, when dealing with us in relation to a particular matter. However, we can only provide you with this option when it is not impracticable for us to do so and when no law requires identification.

4.9 In addition to the above, if you are an existing client of the Company and you wish to have online access to view statements and other information relating to your account, we will ask you to provide some information about yourself for security, identification and verification purposes.

  5. How We Collect Your Personal Data

5.1 We may collect (or receive) and process your personal data when:
a) You contact us, whether through our Website, our Apps or otherwise (for example, via our online form, by e-mail, post, fax or phone), as we may keep a record of that correspondence. For example, if you submit a complaint, report a problem with our services or our website(s) and/or our Apps or otherwise liaise with our customer service, technical support or any other department in our company. This includes information provided by you when you update a customer account such as your name, e-mail, country, password, etc.;
b) We ask you to complete surveys that we use for research purposes, although you do not have to respond to them;
c) You use and interact with our website or our Apps including your device’s manufacturer and model, IP address, browser type and version, time zone setting, browser plug-in types and versions, operating system, web browser, platform, mobile carrier, and your Internet Service Provider. We may collect details of your visits to our website or our Apps (including, but not limited to, traffic data, location data, weblogs and other communication data). We do this via email and website cookies, and similar tracking technology built into our Websites and Apps. We make cookie policies available on each of our Websites and Apps to give you more detailed information on how we use them;
d) You use your customer account to login to and use our platform technology and other features and functionalities;
e) You use the online trading products we provide to you. Under no circumstances are these details disclosed to any third parties other than those who need to know this information in the context of the services we provide; or
f) You use social media, including “like” buttons and similar functions made available by social media platforms.

  6. Duties and Responsibilities of the Data Protection Officer

6.1 Main duties, responsibilities and powers of the DPO:
a) Provide advice and guidance to the Company and its employees on the requirements of the GDPR.
b) Monitor the organization’s compliance with the GDPR provisions.
c) Be consulted and provide advice during Data Protection Impact Assessments.
d) Decide if the DPIA is necessary based on the specific conditions.
e) Be the point of contact for data subjects and for cooperating and consulting with national supervisory authorities, such as the Office of the Commissioner for Data Protection.
f) Provide training to employees and awareness of how their duties are connected to the protection of rights of data subjects.
g) To hold a register of all categories of processing activities carried out on behalf of the Company.
h) To create and hold a register of all complaints, responses and results.
i) To create, update and improve regularly the procedures and policies relating to the compliance with GDPR and other local data protection principles and laws.
j) To create a procedure of reporting directly to the Commissioner of Data Protection.
k) To deal and respond to all data subjects’ complaints and be the main contact point for GDPR.
l) DPOs should also take responsibility for carrying out data audits and oversee the implementation of compliance tools.
m) The DPO must be able to act independently, be adequately resourced and be able to report directly to senior management to raise concerns.

6.2 Responsible for all changes, deletion and protection of rights. In the event that clients’ personal information changes at any given time, clients are responsible to inform the Company by emailing the Compliance Officer at AGeorgiou@XtellusEurope.com.

  7. Use of Personal Information/Data

7.1 The Personal Information collected (not in the public domain or already possessed by us without a duty of confidentiality) which we hold is to be treated by us as confidential and will not be used for any purpose other than in connection with the provision, administration and improvement of our Services to you or the furthering of our Agreement between us, establishing and managing your Client Trading Account or a relationship between us, reviewing your ongoing needs, enhancing customer service and products, giving you ongoing information or opportunities that we believe may be relevant to you, improving our relationship, anti-money laundering and due diligence checks, for research and statistical purposes and for marketing purposes (according to the Agreement between us and as described in this Privacy Policy), as applicable.

7.2 We will use your personal information for the purposes of providing the services you have requested, for administration and customer services, for credit scoring, for marketing, for research/statistical analysis purposes and to ensure that the content, services and advertising that we offer are tailored to your needs and interests. We may keep your information for a reasonable period for these purposes. We may need to share your information with our service providers and agents for these purposes.

7.3 In assessing your application to open an account, to prevent fraud, to check your identity and to prevent money laundering, we may search the files of credit reference agencies that will record any credit searches on your file.

7.4 In order for the Company to provide, monitor and improve the quality of service and security to its clients, the Company may use the clients’ personal information/data for one or more of the following purposes:
a. Verify the identity of clients;
b. To maintain clients’ personal profile;
c. Assess and improve the products and services provided to clients;
d. To such an extent as reasonably required so as to execute Orders and for purposes ancillary to the provision of the Services;
e. Company’s transmission/execution and post transaction/order services;
f. Assess and improve clients’ browsing experience;
g. Analysis of statistical data which will aid the Company to provide clients with better suited products and services in the future;
h. To pass clients’ personal information/data to third parties for marketing purposes without prior written consent;
i. To the Company’s professional advisors provided that in each case the relevant professional shall be informed about the confidential nature of such information and commit to the confidentiality obligations herein as well;
j. To other service providers who create, maintain or process databases (whether electronic or not), offer record keeping services, email transmission services, messaging services or similar services which aim to assist the Company to collect, store, process and use Client information or get in touch with the Client or improve the provision of the Services under this Agreement;
k. To a Trade Repository or similar under the Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties (CCPs) and trade repositories (TRs) (EMIR);
m. To other service providers for statistical purposes in order to improve the Company’s marketing, in such a case the data will be provided in an aggregate form;
n. To an Affiliate of the Company or any other company in the same group of the Company;
o. To market research call centers that provide telephone or email surveys with the purpose to improve the services of the Company, in such a case only the contact details will be provided;
p. Inform clients of additional products, services or promotions relevant to its clients.

7.5 With regard to point (o) above, should clients for any reason not consent to receive information of this nature, the client can inform us accordingly by contacting the Company on the contact details provided by the Company on its Trading Terms and Conditions or at the following address: AGeorgiou@XtellusEurope.com.

7.6 We may disclose personal data in order to comply with a legal or regulatory obligation.

7.7 We may contact you by mail, telephone, fax, e-mail or other electronic messaging service with offers of services or information that may be of interest to you. By providing us with your fax number, telephone numbers or email address you consent to being contacted by these methods for these purposes. If you do not wish to receive marketing information from us, you may choose not to subscribe to our marketing services through the client’s area or, if you are already subscribed, you may press the “unsubscribe” button found on the bottom of our emails. For marketing emails, you can choose the Unsubscribe button to stop receiving emails.

7.8 Any information, which we send to you by email, will not be encrypted. We cannot guarantee confidentiality of emails that you send to us.

7.9 You may ask us to provide you with information about our services or about services offered jointly with or on behalf of other organizations by sending us an email to AGeorgiou@XtellusEurope.com.
You have the following Rights:
a. The right to be informed
b. The right of access
c. The right to rectification
d. The right to erasure
e. The right to restrict processing
f. The right to data portability
g. The right to object
h. Rights in relation to automated decision making and profiling

7.10 Those whose Personal Data we keep have the right at any time to obtain confirmation of its existence from the Data Controller, to know its content and origin, to check its accuracy or to request its integration, deletion, updating, rectification, erasure, anonymisation or the blocking of Personal Data processed in violation of law, and to object in any case, for legitimate reasons, to its processing.

7.11 To make a request, please contact us, verifying your identity and specifying what information you require. The Company may provide you a form to fill in, in order to process your request. We may charge an administrative fee.

7.12 Data controller and Data processor: The Company*

7.13 We may authorize another natural person, legal person, public administration or any other body, association or organization to process the Personal Data on the Company’s behalf, in compliance with this Privacy Policy.

7.14 The Company does not provide any services to children, nor processes any personal data in relation to children, where ‘children’ are individuals who are under the age of eighteen (18).

  8. Statistical Data

8.1 The Company may, from time to time, combine clients’ personal information/data with information from other users of the Company’s website in order to create impersonalized statistical data. The Company may provide this statistical data to Third Parties solely for statistical purposes and in an effort to better improve the Company’s marketing campaign and to the extent allowed by the Company’s Trading Terms and Conditions already accepted by the clients.

8.2 The Company will take all reasonable measures in order to ensure that in no circumstances will clients be identifiable from this statistical data and consequently for clients to remain anonymous.

  9. Retention of Personal Data

9.1 In accordance with the Company’s regulatory requirements and as required by Law all clients’ personal information/data will be required to be kept and retained on record for a minimum period of five (5) years, which will commence on the transmission/execution of a client transaction or the date on which the business relationship between both parties is terminated in accordance with the Company’s Trading Terms and Conditions.

  10. Protection and Security of Personal Data

10.1 The Company takes reasonable precautions to protect personal information/data from loss, theft, misuse, unauthorized access or disclosure, alteration, or destruction. The Company employs physical, electronic, and procedural safeguards to protect personal information/data and it does not store personal information/data for longer than necessary for the provision of services or as permitted by law.

10.2 The Company’s datacenter(s) contain both internal and external servers. Access to the Company’s internal server is restricted to authorised personnel (i.e. employees and authorised service providers), servers and locations; our external servers can be accessed via the Internet. Any personal information/data provided by clients to the Company will be strictly protected under enhanced measures of security, protected against loss, misuse, unauthorized access or disclosure, alteration, or destruction with the use of various security measures such as encryption during data transmission, strong authentication mechanisms and separation of machines and data to provide secure areas in order to protect clients’ personal information from unauthorised users and such personal information will be treated as confidential and shared only with the Company and its affiliates and/or authorised service providers and shall not be disclosed to any third parties except, and without notice, in accordance with the provisions of this Policy as well as under any regulatory or legal proceedings.

10.3 The Company also informs all clients to serve and protect their personal data and advises all clients to maintain confidentiality and not share with others their usernames and passwords provided by the Company. The Company bears no responsibility for any unlawful or unauthorised use of clients’ personal information due to the misuse or misplacement of clients’ access codes (i.e. passwords/credentials), irrespective of the way such use was conducted including without limitation negligent or malicious use.

10.4 We will use reasonable endeavors to implement appropriate policies, rules and technical measures to protect the personal data that we have under our control (having regard to the type and amount of that data) from unauthorized access, improper use or disclosure, unauthorised modification, unlawful destruction or accidental loss. For instance, our security measures include, but are not limited to:
a) educating our employees as to their obligations with regard to your personal data;
b) requiring our employees to use passwords and two-factor authentication when accessing our systems;
c) encrypting data sent from your computer to our systems during internet transactions and client access codes transmitted across networks;
d) employing firewalls, intrusion detection systems and virus scanning tools to protect against unauthorised persons and viruses entering our systems;
e) using dedicated secure networks or encryption when we transmit electronic data for purposes of outsourcing;
f) practicing a clean desk policy in all premises occupied by us and our related bodies corporate and providing secure storage for physical records; and
g) employing physical and electronic means such as alarms, cameras and guards (as required) to protect against unauthorized access to buildings.

10.5 We will ensure that your information will not be disclosed to government institutions or authorities except if required by law (e.g. when requested by regulatory bodies or law enforcement organisations in accordance with applicable legislation).

10.6 Certain services may include social networking, chat room or forum features. When using these features please ensure that you do not submit any personal data that you do not want to be seen, collected or used by other users.

  11. IT Department

11.1 The company requires that all computer equipment is connected to a Firewall, anti-malware software, and automatic updating facilities that are all up to date and meet the corporate minimum business standards acceptable in the financial industry. The company also requires:
a) deployment of the corporate policy on usernames and passwords, to have a password protected screensaver, and to password protect and encrypt all folders containing confidential corporate information, sensitive personal information, personally identifiable information, and to disable folder and printer sharing.
b) All notebook computers that carry personal data or are able to connect to systems that store or process personal data, use full-disk encryption.
c) that notebook computers are physically protected against theft and damage while in transit, in storage or in use and that, in cases of loss or theft.
d) That the IT department ensures that all the recent operating system and application security-related patches, fixes and updates have been installed.
e) Employees to comply with the corporate requirements on the means of connecting to public access points and accessing corporate information.
f) That all computers and notebooks are protected by anti-virus and anti-malware software.

  12. Changes in Personal Information/Data

12.1 Under the Agreement between us, we have the right to disclose Your Information (including recordings and documents of a confidential nature, card details) in certain circumstances. According to the Agreement between us, Your Information may be disclosed:
a) Protect the Company’s rights and/or to comply with judicial proceedings and/or court order;
b) Protect and defend the rights or property of the Company’s website;
c) Protect the safety of Company’s clients, all users of the Company’s website and/or the public.
d) Where required by law or a court order by a competent Court;
e) Where requested by the Cyprus Securities and Exchange Commission or any other regulatory authority having control or jurisdiction over the Company or the Client or their associates or in whose territory the Company has Clients;
f) To relevant authorities to investigate or prevent fraud, money laundering or other illegal activity;
g) To credit reference and fraud prevention agencies, third authentication service providers, banks and other financial institutions for credit checking, fraud prevention, anti-money laundering purposes, identification or due diligence checks of the Client. To do so they may check the details the Client supplied against any particulars on any database (public or otherwise) to which they have access. They may also use Client details in the future to assist other companies for verification purposes. A record of the search will be retained by the Company;
h) Where necessary in order for the Company to defend or exercise its legal rights to any court or tribunal or arbitrator or Ombudsman or governmental authority;
i) At the Client’s request or with the Client’s consent;
j) To successors or assignees or transferees or buyers, with ten Business Days prior Written Notice to the Client.

  13. Your Rights in Relation to Your Personal Data

13.1 The Company may, from time to time, combine clients’ personal information/data with information from other users of the Company’s website in order to create impersonalized statistical data. The Company may provide this statistical data to Third Parties solely for statistical purposes and in an effort to better improve the Company’s marketing campaign and to the extent allowed by the Company’s Trading Terms and Conditions already accepted by the clients.

13.2 The Company will take all reasonable measures in order to ensure that in no circumstances will clients be identifiable from this statistical data and consequently for clients to remain anonymous.

13.3 Under the General Data Protection Regulation (679/2016), you have the right, in certain circumstances, to obtain personal information you have provided us with (in a structured, commonly used and machine-readable format) and to re-use it elsewhere or ask us to transfer this to a third party of your choice.

13.4 Please note that these rights do not apply in all circumstances. You are entitled to:
a) request access to your personal data (commonly known as a “data subject access request”);
b) request correction of the personal data that we hold about you;
c) request erasure of your personal data. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons, which will be notified to you, if applicable, at the time of your request;
d) object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information, which override your rights and freedoms;
e) request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
i. if you want us to establish the data’s accuracy;
ii. where our use of the data is unlawful, but you do not want us to erase it;
iii. where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
iv. you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it;
f) request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information (i.e. not to hard copies) which you initially provided consent for us to use or where we used the information to perform a contract with you; and
g) withdraw consent at any time where we are relying on consent to process your personal data. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. Please email us at AGeorgiou@XtellusEurope.com.

13.4 Please quote your name and address. We should be grateful if you would also provide brief details of the data that you would like a copy of or which you would like to be corrected (this helps us to more readily locate your data).

13.5 We will require proof of your identity before providing you with details of any personal data we may hold about you.

13.6 We try to respond to all legitimate requests within 1 (one) month. Occasionally, it may take us longer than 1 (one) month if your request is particularly complex or you have made a number of requests. In this case, we will notify you within 1 (one) month of the receipt of your request and keep you updated.

13.7 We may charge you a reasonable fee when a request is manifestly unfounded, excessive or repetitive, or we receive a request to provide further copies of the same data. Alternatively, we may refuse to comply with your request in these circumstances.

13.8 Not all types of data can be deleted or amended per request of the data subject. The Company may retain your data, information and documentation for the period of 5 to 7 years after the termination of employment, based on the requirements of:
a) The Anti-money laundering Directive (as amended from time to time) or any subsequent amendment or change of this legislation.
b) The Investment Service Law 87(I)/2017, or any subsequent amendment or change of this legislation.
c) Inland Revenue Department legislation.
d) Any legislation issued by the Unit for Combating Money Laundering (MOKAS), The Cyprus Securities and Exchange Commission, the Office of the Commission of Data protection in Cyprus or any other legislative or supervisory authority, which may be empowered by Law to supervise us.

  14. Affiliates and Partners

14.1 The Company uses card processing companies for clients’ deposits and withdrawals to and from clients’ trading accounts.

14.2 Clients acknowledge and consent that the Company and its partners, affiliates and/or associates may share information only where it is useful and relevant to do so and in relation to one of the following purposes:
a. Reasonably required by such affiliate, partner and/or associate of the Company to provide products and services to its clients;
b. To offer additional similar products and services that meet clients’ needs.

14.3 The Company may disclose clients’ personal information to any organization at the clients’ request or to any persons acting on behalf of clients, including clients’ financial adviser, broker, solicitor or accountant.

14.4 The Company may disclose clients’ personal information to companies hired by the Company to provide limited services on behalf of the Company, including but not limited to packaging, mailing and delivering purchases, postal mail. The Company will take all reasonable measures to ensure that the said companies will have access to such personal information/data as is necessary to deliver the service and are prohibited from using personal information for any other purpose.

  15. Non-Affiliate Third Parties

15.1 The Company may disclose information to non-affiliated third parties where necessary in order to carry out the following internal functions of the Company:
a. Service providers such as third parties providing internal audit, risk management, accounting or any other services that we may require from time to time;
b. Use of specialized agencies to help carry out certain internal functions such as account processing, fulfilment, client service or other data collection activities relevant to our business.

  16. Warranties

16.1 For any purpose mentioned above (i.e. paragraphs 10, 11 and 12), the use of the shared information is strictly limited to the performance of the services expected and assigned to be undertaken by all third parties, affiliated or non-affiliated with which the Company.

16.2 All third parties, affiliated or non-affiliated are required and shall ensure that:
a. Their employees are informed of the confidential nature of the personal information/data and that usage of the shared information is strictly limited to the performance of the relevant services expected and assigned to be undertaken on behalf of the Company.
b. Processing of personal information/data is in accordance and in compliance with all relevant legislation, applicable laws and regulation.
c. All third parties, affiliated or non-affiliated agree and consent to indemnify and keep indemnified at their own cost and expense the Company against all costs, claims, damages or expenses incurred by the Company or for which the Company may become liable due to any failure by any third party, affiliated or non-affiliated or their employees to comply with any of their obligations under this Policy as well as with all relevant legislation, applicable laws and regulation.
d. The Company will not share personal information with third parties which it considers will not provide its clients with the required level of protection similar to that of its own and in compliance with all relevant legislation, applicable laws and regulation.

  17. Links to Other Websites

17.1 The Company’s website will not normally be linked to other websites. However, in the event that it is, ensure that at all times you are on the right domain address. This Policy is not applicable to those other sites. The Company recommends and encourages clients to read, understand and familiarize themselves with the privacy policies (if any) available on these other sites.

17.2 The Company cannot be held responsible or liable for the privacy policies or content of such sites and therefore, has no control over the protection and use of information provided by the clients on such sites.

17.3 This site may contain hyperlinks to websites owned and operated by third parties. Where this is the case, we urge you to review the equivalent data protection, privacy and cookie policies available on such websites. We do not accept any responsibility or liability for the data protection or privacy practices of third parties in relation to such websites and your use of third-party websites is entirely at your own risk.

  18. Use of Cookies

18.1 The Company may use cookies to assess and improve the performance of the website and its products and services offered to its clients. Cookies are used by most internet browsers and are small pieces of information which use a unique identification tag and are stored on clients’ device as a result of clients using the Company’s website or other services the Company provides to its clients.

18.2 Clients may be able to refuse to have cookies stored on their device: they may be able to change the settings of their browser to refuse all cookies, and/or have their device notify them each time a cookie is sent to their device. Controlling their cookies in this way may impair the quality of service provided by the Company to its clients and therefore, it is recommended for clients to allow cookies on their device to ensure the best possible experience and quality services provided by the Company.

18.3 For more information about cookies, clients may refer to the Company’s “Cookie Policy” available on the Company’s website.

18.4 The Company’s (“THE COMPANY”, “we”, “our”, “us”) website uses cookies.

18.5 What is a cookie?
Cookies are text files containing small amounts of information which are downloaded to your device when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies are useful because they allow a website to recognise a user’s device. Cookies do lots of different jobs, like letting you navigate between pages efficiently, remembering your preferences, and generally improving the user experience. They can also help to ensure that adverts you see online are more relevant to you and your interests. The cookies used on this website have been categorised based on the categories found in the International Chamber of Commerce (“ICC”) REPUBLIC OF CYPRUS Cookie guide. A list of all the cookies used on this website by category is set out below.

18.6 The categories of cookies we use are:
a) Essential cookies are required for the operation of the Company’s website. These cookies allow clients to access various secured areas of the Company’s website. Clients may opt to disable these cookies; however, this may have a negative impact on their browsing experience and in particular, they will not be able to fully access secure areas of the Company’s website.
b) Analytical/performance cookies are used to recognize, monitor and track the number of visitors, how clients use the Company’s website and for how long. This helps the Company to improve the way its website works and consequently to improve how the Company provides the Company’s website content to clients. These cookies are not used to determine the personal identity of clients.
c) Functionality cookies are used to allow the Company to remember clients’ preferences and to recognize when a client returns to the Company’s website. This helps the Company to personalize its website content for clients. For example, these cookies remember clients’ username and the customization preference previously selected by clients such as language or region.
d) Targeting cookies are cookies that record clients’ visits on Company’s websites, pages visited, and links followed. This information is shared with third parties such as advertising and social media websites for the provision of services such as:
a. Use information about clients’ visits to target advertising to clients on other websites;
b. Use information about clients’ visits in order to present clients with advertisements that might be in clients’ interest;
c. Use information about clients’ visits for the purposes of matching, audience research and creation of audience segments.

  19. Setting your Cookie Preferences

19.1 You can control how cookies are placed on your device from within your own browser. You can also delete existing cookies from your browser. However, refusing and/or deleting cookies may mean some sections of our site will not work properly.

  20. Contact Clients/Recordings

20.1 The Company may contact clients by telephone, email or other means of medium for the purpose of offering them further information about the Company’s products and services and/or informing clients of unique promotional offerings. By registering and providing agreement to the Trading Terms and Conditions of the Company, clients consent to be contacted in such manner and for such purposes by the Company’s Employees, Affiliates and Partners.

20.2 For regulatory and quality assurance purposes any type of communication between the clients and the Company whether in writing, email or by telephone or other means of medium shall be monitored and recorded by the Company without any prior warning (unless required to do so by the applicable rules and regulations). Clients acknowledge and accept that such recordings are the sole property of the Company. Clients further accept that such recordings constitute conclusive evidence of the Orders/Instructions/Requests or conversations so recorded.

20.3 Any person who wishes not to be contacted further by telephone, email or other means of medium, can inform the Company accordingly by contacting the Company on the contact details provided by the Company on its Trading Terms and Conditions or at the following address: AGeorgiou@XtellusEurope.com.

  21. Clients’ Rights

21.1 RIGHT TO ACCESS
a) You have the right to request copies of your personal data. Information must be provided without delay and at the latest within one month of receipt. The Company will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, we will inform the individual within one month of the receipt of the request and explain why the extension is necessary.
b) We must provide a copy of the information free of charge. However, the Company can charge a “reasonable fee” when a request is manifestly unfounded or excessive, particularly if it is repetitive. The fee if applied will be based on the administrative cost of providing the information.
c) If at any time we refuse to respond to a request, we will explain why to the individuals, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.
d) The Company will verify the identity of the person making the request, using reasonable means.

21.2 RIGHT FOR RECTIFICATION
a) The GDPR includes a right for individuals to have inaccurate personal data rectified or completed if it is incomplete. You can make a request for rectification verbally or in writing.
b) If we have disclosed the personal data in question to others, we must contact each recipient and inform them of the rectification – unless this proves impossible or involves disproportionate effort. If asked to, we must also inform the individuals about these recipients.
c) We must respond within one month after your request for rectification has been submitted. This can be extended by two months where the request for rectification is complex.
d) Where the Company is not taking action in response to a request for rectification, we must explain why to the individuals, informing them of their right to complain to the supervisory authority and to a judicial remedy.

21.3 RIGHT TO ERASURE
a) The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:
b) Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
c) When the individual withdraws consent.
d) When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
e) The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
f) The personal data has to be erased in order to comply with a legal obligation.
g) The personal data is processed in relation to the offer of information society services to a child.
h) There are some specific circumstances where the right to erasure does not apply and we can refuse to deal with a request.
i) We can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
• to comply with a legal obligation for the performance of a public interest task or exercise of official authority.
• the exercise or defense of legal claims.
j) If we have disclosed the personal data in question to others, we must contact each recipient and inform them of the erasure of the personal data – unless this proves impossible or involves disproportionate effort. If asked to, we must also inform the individuals about these recipients.

21.4 RIGHT TO RESTRICT PROCESSING
a) We will be required to restrict the processing of personal data in the following circumstances:
i. Where an individual contests the accuracy of the personal data, we should restrict the processing until we have verified the accuracy of the personal data.
ii. Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether our Company’s legitimate grounds override those of the individual.
iii. When processing is unlawful, and the individual opposes erasure and requests restriction instead.
iv. If the Company no longer needs the personal data but the individual requires the data to establish, exercise or defend a legal claim.
b) We may need to review procedures to ensure we are able to determine where we may be required to restrict the processing of personal data.
c) If the Company has disclosed the personal data in question to others, we must contact each recipient and inform them of the restriction on the processing of the personal data – unless this proves impossible or involves disproportionate effort. If asked to, we must also inform the individuals about these recipients.
d) The Company must inform individuals when we decide to lift a restriction on processing.

21.5 RIGHT TO DATA PORTABILITY
a) The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
b) It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
c) It enables Clients to take advantage of applications and services which can use this data to find them a better deal or help them understand their spending habits.
d) We will respond without undue delay, and within one month. This can be extended by two months where the request is complex or where the Company may receive a number of requests. We will inform the individual within one month of the receipt of request and explain why the extension is necessary, if applicable.
e) Where we are not taking action in response to a request, we will explain why to the individuals, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

21.6 RAISING A CONCERN
a) You have the right to be confident that we handle your personal information responsibly and in line with good practice.
b) If you have a concern about the way we are handling your information, for example if you feel we may not be keeping your information secure, are holding inaccurate information about you, have disclosed information about you, are keeping information about you for longer than is necessary, or have collected information for one reason and are using it for something else, you can contact us. We take all concerns seriously and will work with you to resolve any such concerns.
c) In case any of the clients’ personal information has changed at any given time or they wish the Company to delete any personal data, they may do so by informing the Company via email at AGeorgiou@XtellusEurope.com. The Company, to the extent permitted by law, including those cases where the Company is required to hold clients’ personal data for regulatory and legal purposes for the provision of services and/or maintenance of adequate business records, will proceed with changing or deleting clients’ personal data in accordance with the instructions received.

  22. Data Protection Impact Assessment (“DPIA”)

22.1 The Company must perform a Data Protection Impact Assessment (‘DPIA’) for any and all new projects and/or new uses of personal data which involve the use of new technologies and the processing involved is likely to result in a high risk to the rights and freedoms of data subjects under the GDPR.

22.2 The Company is responsible for ensuring that the DPIA is carried out. The DPO is responsible for performing necessary checks on personal data to establish the need for conducting a DPIA.

22.3 The Company must also seek the advice of the DPO, where designated, and this advice, and the decisions taken by the Company, should be documented within the DPIA. The DPO should also monitor the performance of the DPIA. The Company’s DPO will be responsible for checking appropriate controls are implemented to mitigate any risks identified as part of the DPIA process and subsequent decision to proceed with the processing.

22.4 The Company should document its actions and decisions regarding DPIAs in order to be in a position to prove its compliance with the GDPR.
a) Identify the need for a DPIA
b) Describe the information flow
c) Identify data processing and related risks
d) Identify solutions to reduce or eliminate these risks
e) Sign off the outcomes of the DPIA
f) Integrate data protection solutions into the project

22.5 Why should organisations conduct a DPIA? The GDPR mandates a DPIA to be conducted where data processing “is likely to result in a high risk to the rights and freedoms of natural persons”. The three primary conditions identified in the GDPR are:
a) A systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
b) Processing of special categories of data or personal data relating to criminal convictions and offences on a large scale.
c) Systematic monitoring of a publicly accessible area on a large scale.
Examples of personal data processing where a DPIA is likely to be required:
a) The archiving of pseudonymised sensitive data from research projects or clinical trials.
b) An organisation using an intelligent video analysis system to single out cars and automatically recognise registration plates.
c) An organisation systematically monitoring its employees’ activities, including their workstations and Internet activity.
d) The gathering of public social media data for generating profiles.
e) An institution creating a national-level credit rating or fraud database.

  23. Amendment/Review of the Policy

23.1 The Company reserves the right to review and/or amend this Policy at any given time it deems suitable and appropriate without notice to the Client. The Policy is available for review by clients upon request and it is uploaded on the Company’s website.

  24. General Information

24.1 For further details with regards to the Company’s Privacy Policy and procedures, clients may contact AGeorgiou@XtellusEurope.com.

  25. How to Make a GDPR Complaint?

25.1 If you have a complaint about the way in which your personal data is being processed, please email AGeorgiou@XtellusEurope.com. In the event that you are not satisfied with our handling of your complaint, you have the right to report your concern to the Data Protection Commissioner at 1, Iasonos Street, 1082 Nicosia, P. O. Box 23378, 1682 Nicosia Tel: (+357) 22818456, Fax: (+357) 22304565 email: commissioner@dataprotection.gov.cy

  26. Governing Law

26.1 Use of this site shall be governed by the Laws of the Republic of Cyprus.

26.2 By accessing the Company (“We” or “us” or “the Company”) website and any pages linked thereto, you the User agree to be bound by the terms and conditions as described above. By continuing to use this website you are also consenting to the use of cookies.

  27. Definitions

a) consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
b) GDPR – General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
c) Personally identifiable information (or “Personal Information”) means any information that may be used, either alone or in combination with other information, to personally identify, contact or locate any Customer of the Company.
d) You, User, data subject, client, customer refers to you as the party agreeing to becoming subscribed to the investment services of the company.
e) We, the company, controller refers to Xtellus Europe Limited (see Section 1.1.)
f) EMIR refers to the European Market Infrastructure Regulation (EU) No 648/2012
g) MiFIR refers to the Markets in Financial Instruments Regulation (EU) No 600/2014
h) DPIA – Data Protection Impact Assessment
i) DPO – Data Protection Officer
j) IT – Information Technology

  28. Monitoring and Review

28.1 The Company will monitor the effectiveness of this Policy on a regular basis, at least annually. The review will also be carried out whenever any material changes occur.

28.2 The existing Clients will be notified of any material changes or amendments to this Policy which may be made from time to time. The latest version of the document will also be available at the Company’s website.

Original Issue Date: June 2024
Approver(s): Board of Directors
Contact Person: Chief Executive Officer/Compliance Officer
Classification: GDPR Privacy Policy
Operational Applicability: All Personnel
Geographic Applicability: Cyprus
Last Reviewed Date: 05/06/2024
Next Review Date: End of 2024
Recipients: Executive Directors, Internal Auditor
Version: 1
Other Languages: N/A


Xtellus Europe Limited is a Cyprus Investment Firm incorporated under the laws of Cyprus, has its principal place of business at 26 Spyrou Kyprianou, 4040, Limassol, Cyprus and is registered with the Registrar of Companies in Nicosia under the number: HE 447781. Xtellus Europe Limited is regulated as a Cyprus Investment Firm (‘CIF’) by the Cyprus Securities and Exchange Commission (‘CySEC’) under the license number 446/24 and operates in accordance with the Markets in Financial Instruments Directive II (‘MiFID II’) of the European Union.
