1. Introduction
IRONVEST Digital Ltd ("IRONVEST", "we", "us", or "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you access or use our trading platform, website, mobile applications, and related services (collectively, the "Services").
IRONVEST operates across the United Kingdom, the European Union, and Canada. We are subject to the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA).
By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Services.
2. Information We Collect
We collect the following categories of personal data in connection with providing our Services:
2.1 Personal Identification Information
- Full legal name, date of birth, nationality, and gender
- Residential address and postal address
- Email address, telephone number, and other contact details
- Tax identification number (TIN) and national insurance / social insurance number where required
2.2 Know Your Customer (KYC) Documents
- Government-issued photo identification (passport, driving licence, national ID card)
- Proof of address documentation (utility bill, bank statement dated within the last three months)
- Selfie or biometric verification images for identity matching
- Source of funds and source of wealth documentation
2.3 Financial Information
- Bank account details and payment card information
- Transaction history, trading activity, and order records
- Portfolio holdings, account balances, and profit/loss data
- Investment experience, risk tolerance, and financial objectives
2.4 Technical and Device Information
- IP address, browser type and version, operating system, and device identifiers
- Login timestamps, session duration, and pages viewed
- Referring URLs, search queries, and clickstream data
- Geolocation data (derived from IP address or, with your consent, GPS)
2.5 Cookies and Tracking Technologies
We use cookies, web beacons, pixels, and similar tracking technologies to collect information about your interactions with our Services. For further details, please see Section 9 (Cookies) of this Policy.
3. How We Use Your Information
We process your personal data for the following purposes:
- Account creation and management: To register your account, verify your identity, and maintain your profile on our platform.
- Service delivery: To execute trades, process transactions, manage your portfolio, and provide the core functionality of our trading platform.
- Regulatory compliance: To comply with applicable anti-money laundering (AML), counter-terrorist financing (CTF), and know-your-customer (KYC) obligations under UK, EU, and Canadian law.
- Security and fraud prevention: To detect, prevent, and investigate fraudulent activity, unauthorised access, and other threats to the security of our Services.
- Communication: To send you account notifications, trade confirmations, service updates, and respond to your enquiries and support requests.
- Analytics and improvement: To analyse usage patterns, monitor platform performance, and improve the functionality and user experience of our Services.
- Marketing: With your consent, to send you promotional communications about our products and services. You may opt out at any time.
- Legal obligations: To comply with court orders, regulatory requests, and other legal requirements applicable to our business.
4. Legal Basis for Processing
Under the GDPR and UK GDPR, we rely on the following legal bases to process your personal data:
- Performance of a contract (Article 6(1)(b)): Processing is necessary to perform our contractual obligations to you, including the provision of our trading platform and execution of your transactions.
- Legal obligation (Article 6(1)(c)): Processing is necessary to comply with our legal and regulatory obligations, including AML/KYC requirements, tax reporting, and financial regulations.
- Legitimate interests (Article 6(1)(f)): Processing is necessary for our legitimate interests, such as fraud prevention, platform security, analytics, and improving our Services, provided those interests are not overridden by your rights and freedoms.
- Consent (Article 6(1)(a)): Where you have given explicit consent, such as for marketing communications or the use of non-essential cookies. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
For Canadian users, we process personal information in accordance with PIPEDA's principles of consent, limiting collection, and accountability. We obtain meaningful consent before collecting, using, or disclosing your personal information, unless an exception under PIPEDA applies.
5. Data Sharing
We may share your personal data with the following categories of recipients, solely for the purposes described in this Policy:
- Service providers and processors: Third-party companies that perform services on our behalf, including payment processors, identity verification providers, cloud hosting providers, customer support platforms, and analytics services. These processors are contractually bound to process your data only on our instructions and in accordance with applicable data protection law.
- Regulatory and supervisory authorities: Financial regulators, tax authorities, law enforcement agencies, and other governmental bodies where we are required to disclose data by law or regulatory obligation (e.g., the FCA, ESMA, FINTRAC, HMRC, or equivalent authorities).
- Legal and professional advisors: Solicitors, auditors, and compliance consultants who require access to your data to advise us in connection with legal proceedings, regulatory enquiries, or audit requirements.
- Corporate transactions: In the event of a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred to the successor entity, subject to this Privacy Policy.
We do not sell, rent, or trade your personal data to third parties for their marketing purposes. Under no circumstances will your data be monetised or shared for advertising purposes.
6. International Data Transfers
Your personal data is stored on servers located within the European Union. Our primary data centres are situated in EU member states to ensure the highest level of data protection compliance under the GDPR.
Where it is necessary to transfer your personal data outside the European Economic Area (EEA) or the United Kingdom (for example, to service providers located in other jurisdictions), we ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses as approved under the GDPR, and the UK's International Data Transfer Agreement (IDTA) or Addendum where applicable, to provide adequate protection for data transferred to third countries.
- Adequacy decisions: Where the European Commission or the UK Secretary of State has determined that a third country provides an adequate level of data protection, we may rely on that adequacy decision.
- Additional safeguards: We conduct transfer impact assessments and implement supplementary technical and organisational measures where necessary to ensure the effective protection of your data.
For Canadian users, cross-border transfers are handled in accordance with PIPEDA requirements, ensuring that personal information receives a comparable level of protection regardless of where it is processed.
7. Data Retention
We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our retention periods are determined by the following criteria:
- Active accounts: We retain your personal data for the duration of your account relationship with us and for as long as needed to provide you with our Services.
- Regulatory requirements: Under anti-money laundering regulations, we are required to retain KYC documentation, transaction records, and related data for a minimum of five years after the end of the business relationship, or longer where required by specific regulatory frameworks.
- Tax and financial records: Financial records may be retained for up to seven years in accordance with applicable tax legislation in the UK, EU, and Canada.
- Legal claims: Where data may be relevant to actual or anticipated legal proceedings, we may retain it for the duration of the applicable limitation period.
- Anonymised data: We may retain anonymised or aggregated data indefinitely, as such data can no longer identify you and falls outside the scope of data protection legislation.
Upon expiry of the applicable retention period, your personal data will be securely deleted or anonymised in accordance with our data destruction procedures.
8. Your Rights
Depending on your jurisdiction, you have the following rights with respect to your personal data:
8.1 Rights under the GDPR and UK GDPR
- Right of access (Article 15): You have the right to request a copy of the personal data we hold about you, along with information about how we process it.
- Right to rectification (Article 16): You have the right to request the correction of inaccurate personal data or the completion of incomplete data.
- Right to erasure (Article 17): You have the right to request the deletion of your personal data where there is no compelling reason for its continued processing, subject to our legal and regulatory obligations.
- Right to restriction of processing (Article 18): You have the right to request the restriction of processing in certain circumstances, such as where you contest the accuracy of your data.
- Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
- Right to object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes.
- Right not to be subject to automated decision-making (Article 22): You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.
8.2 Rights under PIPEDA (Canada)
- Right of access: You may request access to the personal information we hold about you and be informed of how it has been used and to whom it has been disclosed.
- Right to correction: You may challenge the accuracy and completeness of your personal information and request appropriate amendments.
- Right to withdraw consent: You may withdraw your consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions.
- Right to complain: You have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC) if you believe your rights under PIPEDA have been violated.
To exercise any of these rights, please contact us at privacy@ironvest.io. We will respond to your request within one month (GDPR/UK GDPR) or 30 days (PIPEDA), as required by applicable law. We may request proof of identity before processing your request.
9. Cookies
Our Services use cookies and similar tracking technologies. Cookies are small text files stored on your device that help us provide, secure, and improve our Services. We use the following types of cookies:
- Strictly necessary cookies: Essential for the operation of our platform, including session management, authentication, and security. These cookies cannot be disabled.
- Functional cookies: Enable enhanced functionality and personalisation, such as remembering your preferences and settings.
- Analytics cookies: Help us understand how visitors interact with our platform by collecting and reporting information anonymously. We use these insights to improve our Services.
- Marketing cookies: Used to deliver relevant advertisements and measure the effectiveness of our marketing campaigns. These are only set with your explicit consent.
You can manage your cookie preferences through our cookie consent banner when you first visit our website, or at any time via your browser settings. Please note that disabling certain cookies may affect the functionality of our Services.
For more information about cookies and how to control them, visit www.allaboutcookies.org.
10. Security
We take the security of your personal data seriously and implement robust technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction. Our security measures include:
- Encryption: All data transmitted between your device and our servers is encrypted using TLS 1.3. Sensitive personal data stored in our databases is encrypted at rest using AES-256 encryption.
- Access controls: We enforce strict role-based access controls, ensuring that only authorised personnel with a legitimate business need can access your personal data. All access is logged and regularly audited.
- Infrastructure security: Our EU-based servers are hosted in ISO 27001-certified data centres with physical security controls, redundant power supplies, and 24/7 monitoring.
- Regular testing: We conduct regular penetration testing, vulnerability assessments, and security audits to identify and remediate potential threats.
- Incident response: We maintain a comprehensive data breach response plan. In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by the GDPR and UK GDPR.
- Employee training: All staff undergo regular data protection and information security training to ensure compliance with our policies and applicable legislation.
While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is completely secure. We encourage you to use strong passwords, enable two-factor authentication, and remain vigilant against phishing attempts.
11. Children's Privacy
Our Services are not intended for, and are not directed at, individuals under the age of 18. We do not knowingly collect personal data from anyone under 18 years of age. Use of our trading platform requires users to be at least 18 years old, which is verified as part of our KYC onboarding process.
If we become aware that we have inadvertently collected personal data from a person under the age of 18, we will take immediate steps to delete that data from our systems. If you believe that a minor has provided personal data to us, please contact us at privacy@ironvest.io so that we can take appropriate action.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. When we make material changes, we will:
- Update the "Effective Date" and "Last Updated" dates at the top of this Policy.
- Notify you via email or through a prominent notice on our platform before the changes take effect.
- Where required by law, obtain your consent to the updated terms before continuing to process your data under the new policy.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data. Your continued use of our Services after the effective date of any changes constitutes your acceptance of the revised Policy.