Privacy Policy  

1. Introduction

Capital Com SV Investments Limited (hereinafter the “Company”, “we”, “Capital Com”, “Capital.com”) is an investment firm regulated by the Cyprus Securities and Exchange Commission (“the CySEC”) for the provision of investment and ancillary services under the license #319/17 and registered in the Republic of Cyprus under the registration number 354252. Our business address is Vasileiou Makedonos, 8, Kinnis Business Center, 1-3rd floor, 3040, Limassol, Cyprus.

This privacy policy (the “Policy” or “Privacy Policy”) explains how Capital Com collects, processes and discloses personal information through its websites, mobile applications, and other online products and services that fall under this Policy (collectively, the “Services”) or when you otherwise interact with us.

The Services include providing: (i) the Capital.com trading platform for investing in stocks & for CFDs trading which users can sign up for an account with Capital.com; (ii) the Capital.com educational app Investmate (iii) any other site, web platform, mobile application or other service facilitated by Capital.com.

Capital Com is responsible for the protection of the privacy and the safeguarding of the personal data of our Clients including (i) Retail Clients and/or (ii) Professional Clients and/or (iii) Eligible Counterparties, acting as the counterparty of the Company having agreed to the Terms and Conditions of the Company, as well as website visitors (hereinafter “you”).

Your privacy is important to us. This Privacy Policy outlines how we collect, process, and manage the personal data we collect from your use of our services, applications, or our website capital.com, through your interaction with us on social media, or your other dealings with us. When doing that we act as data controller in accordance with the principles contained in The General Data Protection Regulation (GDPR) (EU) 2016/679.

Should you have any questions or concerns regarding your personal data, please contact us at: gdpr@capital.com. We have appointed a Data Protection Officer to assist us with compliance with applicable privacy regulations. To communicate with our DPO, please email dpo@capital.com.

2. What kind of personal data do we collect?

  • Identity data includes full name or its parts, username or similar identifier, marital status, title, date and place of birth, nationality, tax number, gender, information from your identity document(s), employment status and related information and your pictures/pictures of your identity (including biometric information such as a visual image of your face) or other document(s) we may request from time to time.
  • Contact data includes billing address, residential address, email address and telephone number.
  • Screening data includes close connections, political background and information pertaining to sanctions and adverse media.
  • Risk assessment data includes client risk score and client risk categorisation.
  • Economic and appropriateness data includes employment status, annual income source of income, current value of wealth, annual, investment plans, investment objectives, trading experience, level of education
  • Financial data includes bank account and payment card details.
  • Transaction data includes details about payments to-and-from you in relation to our services.
  • Technical data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the Services.
  • Communication data includes communication between you and Capital, including chats, call recordings and emails.
  • Profile data includes your username and password, your interests, preferences, feedback and survey responses.
  • Usage data includes information about how you access our Services and use our Services, including user sessions (screen) recordings in some cases.

3. Purposes for which we use personal data

Capital.com, as a data controller, may only use your personal data if there is a lawful basis for such use. The most common lawful bases used by Capital.com are:

  • Consent: in some cases, we may process your personal data only if we obtain your prior consent;
  • Performance of a contract: we will require your personal data to be able to offer you the Services in accordance with the contract terms between you and us;
  • Compliance with a legal obligation: due to the nature of the Services we provide, the laws applicable to our activities require us to collect and store certain data about you; and
  • Legitimate interests: sometimes we rely on our legitimate interests to process your data (e.g. to improve our Services) and we will do so except where such interests are overridden by your interests or fundamental rights and freedoms.

Below you will find a table describing how we may use your personal data and which of the legal bases are used by Capital to ensure lawful data processing.

Purpose/Activity Type of data Lawful basis for processing
To create your account
  • Identity data
  • Contact data
  • Technical data
Performance of a contract when we provide our Services to you
To verify your identity, carry out checks that we are required to conduct by applicable laws and regulations, including: “know your customer” (KYC), anti-money laundering, fraud, sanctions, politically exposed person (PEP) and liveness checks and perform client risk categorisation
  • Identity data
  • Contact data
  • Screening data
  • Transaction data
  • Risk assessment data
  • Technical data
  • Communication data
  • Financial data
  • Usage data
  • Compliance with our legal obligations under applicable AML/CFT obligations, namely the Prevention and Suppression of Money Laundering and Terrorist Financing Laws (2007-2021)
To obtain and assess economic profile and appropriateness information and categorise the client
  • Economic and Appropriateness data
  • Compliance with our legal obligations under applicable laws regulating the provision of investment services, namely the Investment Services and Activities and Regulated Markets Law of 2017 and AML/CFT obligations, namely the Prevention and Suppression of Money Laundering and Terrorist Financing Laws (2007-2021)
To provide our services and process transactions including, payments, fees and charges.
  • Identity data
  • Contact data
  • Financial data
  • Transaction data
  • Technical data
  • Profile data
  • Performance of a contract when we provide our services to you
To monitor your transactions for the purposes of detection, storage and reporting of fraudulent activities
  • Identity data
  • Contact data
  • Screening data
  • Risk assessment data
  • Financial data
  • Transaction data
  • Technical data
  • Usage data
  • Compliance with our legal obligations under applicable AML/CFT obligations, namely the Prevention and Suppression of Money Laundering and Terrorist Financing Laws (2007-2021)
To provide customer support
  • Identity data
  • Contact data
  • Financial data
  • Transaction data
  • Technical data
  •  
  • Performance of a contract when we provide our Services to you
To send you service notifications related to your use of the Services
  • Contact data
  • Communication data
  • Performance of a contract when we provide our Services to you
To record and store communication with you
  • Identity data
  • Contact data
  • Communication data
  • Compliance with our legal obligations under applicable laws regulating the provision of investment services, namely the Investment Services and Activities and Regulated Markets Law of 2017
To send you updates and marketing communication as well as to deliver relevant content to you, including ads, suggestions, personalised offers and recommendations
  • Identity data
  • Contact data
  • Financial data
  • Transaction data
  • Technical data
  • Profile data
  • Usage data
  • Consent, or
  • Our legitimate interests to promote our Services
To perform data analytics with respect to our Services for improvement purposes
  • Technical data
  • Usage data
  • Our legitimate interests to improve our Services
To manage and protect our business and website including system maintenance
  • Identity data
  • Technical data
  • Usage data
  • Our legitimate interests to improve our Services and protect personal data and the Services;
  • Performance of a contract when we provide our Services to you
To help us improve our Services by completing a survey, feedback, or review
  • Identity data
  • Profile data
  • Consent

If you fail or refuse to provide the personal data we need to deliver the Services to you and/or to meet our legal obligations (i.e. compliance with anti-money laundering rules and legislation); you will be unable to access the Services.

4. Cookies

We may use cookies for various purposes when you access or use the Services. Please review our Cookie Policy to find out more about our use of cookies.

5. Sources of personal data

Most of the personal data we process about you is received directly from you. For example, when you register to use the Services or communicate with us, we may receive your identity and contact data from you.

In other cases, we may receive personal data about you from various third parties and publicly accessible sources, including but not limited to social media, search engines, company registers, banks, payment service providers, KYC service providers, advertising networks, analytics providers and screening data vendors.

If you choose to sign in to our Services using a third-party service, such as Google, Facebook, and Apple, you direct the service to send us certain social account information such as your email address.

To enable you to invite your friends to our app, we may request access to the contacts' personal data in your phone book, including their name and phone number.

When you use the Services we may also automatically collect technical data through the use of cookies and similar technologies.

6. Automated decision-making with respect to your personal data

To offer you the Services and comply with our obligations under applicable laws, we will make a decision about you based solely on automated processing. Such cases include:

  1. When you submit your economic and appropriateness data in the relevant questionnaire, our system will automatically make a decision whether you can be allowed to trade. We may deny your access to the Services due to lack of experience and/or knowledge.
  2. Our anti-fraud systems may automatically detect patterns that may suggest fraudulent activities with respect to your account. We will warn you about such activities to prevent possible fraud.
  3. Our systems automatically determine the client’s risk profile based on a number of risk factors we consider in accordance with the laws and our internal procedures. The risk score allows Capital to determine the appropriate customer due diligence procedures it must follow.

7. How do we protect your personal data?

We take all reasonable and appropriate technical and organisational measures to protect all personal data collected by us from loss, theft, misuse and unauthorised access, disclosure, alteration and destruction.

8. How long do we keep your personal data?

Generally, we will retain your personal data for as long as necessary to fulfill the specific purpose we collected it for, including the purpose of satisfying any legal, accounting, reporting requirements, and our legitimate interests. For example, your personal data will generally be stored for the period required by the Prevention and Suppression of Money Laundering and Terrorist Financing Laws (2007-2021), namely not less than 5 years after the end of the business relationship with Capital Com. We may store certain personal data for not less than 6 years to meet our bookkeeping obligations under the tax legislation of Cyprus.

In certain cases, the authorities may require us to store the personal data longer if they deem necessary (e.g., in case of an ongoing investigation). If you have not been actively making use of our financial services for 5-6 years (depending on the data), we will remove any details that will identify you or we will securely destroy the records unless we substantiate why we need the data for a longer period of time.

9. Your rights

With regards to our collection and processing of your personal data you have the right to (subject to applicable exceptions):

  1. Obtain confirmation from us as to whether we process your personal data.
  2. Access your personal data processed by Capital Com.
  3. Correct your personal data.
  4. Withdraw consent and remove your personal data we collected on the basis of your consent.
  5. Obtain restriction of processing, for instance, where you contest the accuracy of your personal data for a period enabling us to verify the accuracy of the personal data,
  6. Have your personal data transmitted directly from one controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others.
  7. Erasure of your personal data under certain circumstances. Capital Com is obligated to keep records of client’s details and trades for a minimum period of seven (7) years from the end of business relationship with you according to the relevant regulations. See more information about our data retention obligations in section “How long do we keep your personal data” above.
  8. Object to our processing of your personal data when the processing is related to the performance of our task carried in the public interest or the exercise of official authority vested in us. The other case is if we process your data for the purposes of the legitimate interests pursued by us or by a third party and you believe that such interests are overridden by your interests or fundamental rights and freedoms. If you make a request objecting to the processing, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing.

If you wish to make use of any of the above rights please contact our compliance department stating your account number and question related to any of the above rights at: gdpr@capital.com.

Capital Com will endeavour to provide you with information on the actions it has taken on your request related to your rights, specified above, within one month of receipt of the request. That period may be extended by two further months if the request is complex, or if Capital Com is in the process of resolving a large number of requests. We will inform you if any such extension is required within one month of receipt of the request, together with the reasons for the delay.

10. How do we share your personal data?

We do not share your personal information with third parties, except as described in this Privacy Policy.

Capital Com is part of the Capital Com Group of companies that all have a role in offering a complete service to our clients. For this reason, the Company may share information with its subsidiaries and affiliated companies, including those located outside the European Economic Area (EEA), in the event such information is reasonably required by the subsidiary to provide the Services to you.

Capital Com may also engage service providers and partners to assist with delivery of the Services:

Category Purpose
Identity verification service providers
  • Document validation and verification
  • Liveness checks
  • PEP (politically exposed persons) and sanctions screening
  • Risk assessment and scoring
Anti-fraud system providers
  • Detection and prevention of fraudulent transactions/activities
Payment service providers
  • Payment processing
  • Anti-fraud/risk check system
  • Application logs for payment system
Banks
  • Facilitation of money transfers
Marketing
  • Marketing analytics and reporting
  • Marketing attribution automation
Business intelligence providers
  • Product analytics
Project management and customer support providers
  • Automation of customer support processes
Cloud service providers
  • Hosting of personal data
  • Storage/Backup
Communication providers
  • Email and voice communication
  • Sending transactional emails and SMS
  • Call recording, monitoring and transcription
Performance monitoring providers
  • User sessions (screen) recording and monitoring
Social network platforms
  • Managing our relationships with clients
  • Promoting the Services
Professional Consultants
  • Receiving professional services

In case your personal data is provided to subsidiaries and service providers outside the EEA, we will implement appropriate safeguards to protect your personal data, including Standard Contractual Clauses as adopted by the European Commission. Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA. Moreover, Capital requires its service providers to implement appropriate security measures to ensure the protection of your personal data in accordance with applicable data protection legislation.

When required by the applicable laws, we may disclose your personal data to the relevant government agencies and regulatory authorities, including the Unit for Combating Money Laundering (MOKAS) and the CySEC.

Some of our service providers require us to include information about their privacy practices in our Privacy Policy:

  • ComplyAdvantage. We may use ComplyAdvantage for customer screening and monitoring. Please refer to ComplyAdvantage’s Privacy Policy to learn more about how ComplyAdvantage handles your personal data.
  • GBG. We may use GBG to verify information you give to us during the onboarding process. We do so to prevent fraud and comply with our AML obligations. Please refer to GBG’s Privacy Policy to learn more about how GBG handles your personal data.

11. Privacy Policy updates

Capital Com may update this Privacy Policy from time-to-time. In the event we materially change this Policy including how we collect, process or use your personal information, active clients will be notified as in accordance with Capital Com’s Terms & Conditions. Potential clients are notified by means of the publication of the updated Privacy Policy on our website capital.com.

12. Contact information

If you have questions about this Privacy Policy or our privacy practices, or if you are seeking to exercise any of your rights you can contact us. You may contact us at gdpr@capital.com.

You can also reach out to our Data Protection officer by email: dpo@capital.com

You have the right to lodge a complaint at the Office of the Commissioner or Personal Data Protection of Cyprus.

Office address: 1 Iasonos str., 1082 Nicosia
Postal address: P.O.Box 23378, 1682 Nicosia
Tel: +357 22818456
Fax: +357 22304565
Email: commissioner@dataprotection.gov.cy

Privacy Policy_V9.1_20240606