Privacy Policy CCEU | Capital.com EU

HomePrivacy Policy CCEU

II. Introduction

Capital Com Group Ltd ( the “Company”, “we”, “Capital Com”, “Capital.com”) is an investment firm regulated by the Cyprus Securities and Exchange Commission (the “CySEC”) for the provision of investment and ancillary services under the license number 463/25 and registered in the Republic of Cyprus under the registration number HE 446198. Our business address is Vasileiou Makedonos, 8, Kinnis Business Center, 2nd floor, 3040, Limassol, Cyprus.

II. Purpose

This privacy policy (the “Policy” or “Privacy Policy”) explains how Capital Com collects, processes and discloses personal information through its websites, mobile applications, and other online products and services that fall under this Policy (collectively, the “Services”) or when you otherwise interact with us.

The Services include providing:

(i) the Capital.com trading platform, through which users can open an account and invest in Contracts for Difference (the “CFDs”)and Knock Out Options (the “KOs”);

(ii) the Capital.com educational application, Investmate;

(iii) any other website, web platform, mobile application or other related service offered by Capital.com/en-eu.

Capital Com is responsible for the protection of the privacy and the safeguarding of the personal data of our Clients including (i) Retail Clients and/or (ii) Professional Clients (elective or per se) and/or (iii) Eligible Counterparties, acting as the counterparty of the Company having agreed to the Terms and Conditions of the Company, as well as website visitors ( “you”).

III. Legal Framework

Your privacy is important to us. This Privacy Policy outlines how we collect, process, manage the personal data we collect from your use of our services, applications or our website capital.com/en-eu, through your interaction with us on social media or your other dealings with us. When doing that we act as data controller in accordance with the principles contained in The General Data Protection Regulation (GDPR) (EU) 2016/679 (the “GDPR”).

We have appointed a Data Protection Officer (the “DPO”) to assist us with compliance with applicable privacy regulations. To communicate with our DPO, please email dpo.eu@capital.com.

IV. What kind of personal data do we collect?

Identity data includes full name or its parts, username or similar identifier, marital status, title, date and place of birth, nationality, tax number, gender, information from your identity document(s), employment status and related information and your pictures / pictures of your identity (including biometric information such as a visual image of your face) or other document(s) we may request from time to time.
Contact data includes billing address, residential address, email address and telephone number.
Screening data includes close connections, political background and information pertaining to sanctions and adverse media.
Risk assessment data includes client risk score and client risk categorisation.
Economic and appropriateness data includes employment status, annual income source of income, current value of wealth, annual, investment plans, investment objectives, trading experience, level of education.
Financial data includes bank account and payment card details.
Transaction data includes details about payments to and from you in relation to our services.
Technical data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the Services.
Communication data includes communication between you and Capital, including chats, call recordings and emails.
Profile data includes your username and password, your interests, preferences, feedback and survey responses.
Usage data includes information about how you access our Services and use our Services, including user sessions (screen) recordings in some cases.
Marketing preferences about receiving marketing communications about trading, new products and services.

For corporate and institutional clients, we collect information such as corporate documents of address, shareholders, directors, secretary etc. including additional personal information of key persons, as well as any other additional documentation that we may deem necessary to comply with our legal and regulatory obligations.

V. Purposes for which we use personal data

Capital com, as a data controller, may only use your personal data if there is a lawful basis for such use. The most common lawful bases used by Capital.com are:

Consent: in some cases, we may process your personal data only if we obtain your prior consent;
Performance of a contract: we will require your personal data to be able to offer you the Services in accordance with the contract terms between you and us;
Compliance with a legal obligation: due to the nature of the Services we provide, the laws applicable to our activities require us to collect and store certain data about you; and
Legitimate interests: sometimes we rely on our legitimate interests to process your data (e.g. to improve our Services) and we will do so except where such interests are overridden by your interests or fundamental rights and freedoms.

Below you will find a table describing how we may use your personal data and which of the legal bases are used by Capital to ensure lawful data processing.

Purpose/Activity	Type of data	Lawful basis for processing
To create your account	- Identity data - Contact data - Technical data	Performance of a contract when we provide our Services to you
To verify your identity, carry out checks that we are required to conduct by applicable laws and regulations, including KYC, anti-money laundering, fraud, sanctions, politically exposed person (PEP) and liveness checks and perform client risk categorisation	- Identity data - Contact data - Screening data - Transaction data - Risk assessment data - Technical data - Communication data - Financial data - Usage data	Compliance with our legal obligations under applicable AML/CFT obligations, namely the Prevention and Suppression of Money Laundering and Terrorist Financing Laws, as amended from time to time
To obtain and assess economic profile,appropriateness information, target market information and categorise the client	- Economic,Appropriateness and target market information	Compliance with our legal obligations under applicable laws regulating the provision of investment services, namely the Investment Services and Activities and Regulated Markets Law of 2017 and AML/CFT obligations, namely the Prevention and Suppression of Money Laundering and Terrorist Financing Laws, as amended from time to time
To provide our services and process transactions including payments, fees and charges	- Identity data - Contact data - Financial data - Transaction data - Technical data - Profile data	Performance of a contract when we provide our Services to you
To monitor your transactions for the purposes of detection, storage and reporting of fraudulent activities	- Identity data - Contact data - Screening data - Risk assessment data - Financial data - Transaction data - Technical data	Compliance with our legal obligations under applicable AML/CFT obligations, namely the Prevention and Suppression of Money Laundering and Terrorist Financing Laws, as amended from time to time
To provide customer support	- Identity data - Contact data - Financial data - Transaction data - Technical data	Performance of a contract when we provide our Services to you
To send you service notifications related to your use of the Services	- Contact data - Communication data	Performance of a contract when we provide our Services to you
To record and store communication with you	- Identity data - Contact data - Communication data	Compliance with our legal obligations under applicable laws regulating the provision of investment services, namely the Investment Services and Activities and Regulated Markets Law, as amended from time to time
To send you updates and marketing communication as well as to deliver relevant content to you, including ads, suggestions, personalised offers and recommendations	- Identity data - Contact data - Financial data - Transaction data - Technical data - Profile data - Usage data	- Consent - Our legitimate interests to promote our Services
To perform data analytics with respect to our Services for improvement purposes	- Technical data - Usage data	Our legitimate interests to improve our Services
To manage and protect our business and website including system maintenance	- Identity data - Technical data - Usage data	- Our legitimate interests to improve our Services and protect personal data and the Services - Performance of a contract when we provide our Services to you
To help us improve our Services by completing a survey, feedback, or review	- Identity data - Profile data	Consent

If you fail or refuse to provide your personal data we need to provide the Services to you or if the processing of personal data is necessary for compliance with our legal obligations (e.g. compliance with anti money laundering rules), you will not be able to access the Services.

VI. Cookies

We may use cookies for various purposes when you access or use the Services. Please review our Cookie Policy to find out more about our use of cookies and further information, including your right to withdraw consent or object to our use of third-party tracking at any time but doing so, may affect the functionality of Services we are able to provide you with.

VII. Sources of personal data

Most of the personal data we process about you is received directly from you. For example, when you register to use the Services or communicate with us, we may receive your identity and contact data from you.

In other cases, we may receive personal data about you from various third parties and publicly accessible sources, including but not limited to social media, search engines, company registers, banks, payment service providers / electronic money institutions, KYC service providers, advertising networks, analytics providers and screening data vendors.

If you choose to sign in to our Services using a third-party service, such as Google, Facebook, and Apple, you direct the service to send us certain social account information such as your email address. We use this data only to set up, where needed, and authenticate your account with us. Google, Facebook, Apple etc. are independent controllers of the personal data they process to provide their authentication services.

When you use the Services we may also automatically collect technical data through the use of cookies and similar technologies.

VIII. Automated decision-making with respect to your personal data

To offer you the Services and comply with our obligations under applicable laws, we will make a decision about you based solely on automated processing. Such cases include:

When you submit your economic and appropriateness data in the relevant questionnaire, our system will automatically make a decision whether you can be allowed to trade. We may deny your access to the Services due to lack of experience and/or knowledge.
Our anti-fraud systems may automatically detect patterns that may suggest fraudulent activities with respect to your account. We will warn you about such activities to prevent possible fraud.
Our systems automatically determine the client’s risk profile based on a number of risk factors we consider in accordance with the laws and our internal procedures. The risk score allows Capital to determine the appropriate customer due diligence procedures it must follow.

IX. How do we protect your personal data?

We take all reasonable and appropriate technical and organisational measures to protect all personal data collected by us from loss, theft, misuse and unauthorised access, disclosure, alteration and destruction.

X. How long do we keep your personal data?

Generally, we will retain your personal data for as long as necessary to fulfil the specific purpose we collected it for, including the purpose of satisfying any legal, accounting, reporting requirements and our legitimate interests. For example, your personal data will be generally stored for the period required by the Prevention and Suppression of Money Laundering and Terrorist Financing Law, as amended from time to time, namely not less than 5 - 7 years after the end of the business relationship with Capital Com. On a separate note, we may store certain personal data for not less than 6 years to meet our book keeping obligations under the tax legislation of Cyprus.

In certain cases the authorities may require us to store the personal data longer if they deem necessary (e.g. in case of an ongoing investigation). If you have not been actively making use of our financial services for 5 - 7 years (depending on the data), we will remove any details that will identify you or we will securely destroy the records, unless we substantiate why we need the data for a longer period of time on the basis of another regulatory obligation.

XI. Your rights

With regards to our collection and processing of your personal data you have the right to (subject to applicable exceptions):

Obtain confirmation from us as to whether we process your personal data.
Access your personal data processed by Capital Com.
Correct your personal data.
Withdraw consent and remove your personal data we collected on the basis of your consent.
Obtain restriction of processing, for instance, where you contest the accuracy of your personal data for a period enabling us to verify the accuracy of the personal data,
Have your personal data transmitted directly from one controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others.
Erasure of your personal data under certain circumstances. Capital Com is obligated by the Cyprus authorities to keep records of clients’ details and trades for a minimum period of five to seven (5-7) years from the end of business relationship with you according to the relevant regulations. See more information about our data retention obligations in section “How long do we keep your personal data” above.
Object to our processing of your personal data when the processing is related to the performance of our task carried in the public interest or the exercise of official authority vested in us. The other case is if we process your data for the purposes of the legitimate interests pursued by us or by a third party and you believe that such interests are overridden by your interests or fundamental rights and freedoms. If you make a request objecting to the processing, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing.

If you wish to make use of any of the above rights please contact our compliance department stating your account number and question related to any of the above rights at: gdpr.eu@capital.com.

Capital Com will endeavour to provide you with information on the actions it has taken on your request related to your rights, specified above, within one month of receipt of the request. That period may be extended by two further months if the request is complex, or if Capital Com is in the process of resolving a large number of requests. We will inform you if any such extension is required within one month of receipt of the request, together with the reasons for the delay.

XII. How do we share your personal data?

We do not share your personal information with third parties, except as described in this Privacy Policy.

Capital Com is part of the Capital Com Group of companies that all have a role in offering a complete service to our clients. For this reason, the Company may share information with its group and/or affiliated companies (the “associated entities”), including those located outside the European Economic Area (the “EEA”), in the event such information is reasonably required by the said party to provide the Services to you.

Capital Com may also engage service providers and partners to assist with delivery of the Services:

Category	Purpose
Identity verification service providers	- Document validation and verification - Liveness checks - PEP (politically exposed persons) and sanctions screening - Risk assessment and scoring
Anti-fraud system providers	- Detection and prevention of fraudulent transactions/activities
Payment service providers	- Payment processing - Anti-fraud/risk check system - Application logs for payment system
Banks	- Facilitation of money transfers
Marketing	- Marketing analytics and reporting - Marketing attribution automation
Business intelligence providers	- Product analytics
Project management and customer support providers	- Automation of customer support processes
AI system providers	- Assistance with customer support requests
Cloud service providers	- Hosting of personal data - Storage/Backup
Communication providers	- Email and voice communication - Sending transactional emails and SMS - Call recording, monitoring and transcription
Performance monitoring providers	- User sessions (screen) recording and monitoring
Social network platforms	- Managing our relationships with clients - Promoting the Services
Professional Consultants	- Receiving professional services

In case your personal data is provided to associated entities and service providers outside the EEA, we will implement appropriate safeguards to protect your personal data, including Standard Contractual Clauses as adopted by the European Commission. Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA. Moreover, Capital requires its service providers to implement appropriate security measures to ensure the protection of your personal data in accordance with applicable data protection legislation.

When required by the applicable laws, we may disclose your personal data to the relevant government agencies and regulatory authorities, including the Unit for Combating Money Laundering (the “MOKAS”) and the CySEC.

Some of our service providers require us to include information about their privacy practices in our Privacy Policy:

ComplyAdvantage: We may use ComplyAdvantage for customer screening and monitoring. Please refer to ComplyAdvantage’s Privacy Policy to learn more about how ComplyAdvantage handles your personal data.
GBG: We may use GBG to verify information you give to us during the onboarding process. We do so to prevent fraud and comply with our AML obligations. Please refer to GBG’s Privacy Policy to learn more about how GBG handles your personal data.
Fabrick: In some cases we may use Fabrick for IBAN verification services in relation to our clients. Specifically, we may share the client’s IBAN and tax code with Fabrick. We perform IBAN checks based on our legitimate interest in preventing payment fraud. Please refer to Fabrick’s Privacy Policy for more details on how Fabrick processes personal data.

XIII. Link to other websites (Hyperlinks)

Our Website(s), from time to time, contain hyperlinks to and from other websites. You should be aware that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. You should check these policies before you disclose any personal data with these websites. If you choose to link to one of these websites, you may be asked to supply registration or other information. It is important that you realise this information is going to a third-party, and you should become familiar with the privacy policy provided by that third-party.

XIV. Privacy Policy updates

Capital Com may update this Privacy Policy from time to time. In the event we materially change this Policy including how it collects, processes or uses your personal information, active clients will be notified as in accordance with the Capital Com’s Terms & Conditions. Potential clients are notified by means of the publication of the updated Privacy Policy on our website capital.com/en-eu.

XV. Contact information

If you have questions about this Privacy Policy or our privacy practices, or if you are seeking to exercise any of your rights you can contact us. You may contact us at gdpr@capital.com. You can also reach out to our Data Protection officer by email: dpo.eu@capital.com You have the right to lodge a complaint at the Office of the Commissioner or Personal Data Protection of Cyprus.

Office address: Kypranoros 15, Nicosia 1061 , Cyprus

Postal address: P.O.Box 23378, 1682 Nicosia

Tel: +357 22818456

Fax: +357 22304565

Email: commissioner@dataprotection.gov.cy

Privacy Policy_V1_March_2026

Annex 1 - Definitions

“CIF” shall mean a Cyprus Investment Firm.

“CFDs” shall mean Contract for Differences.

“Client(s)” or “you” shall mean the natural person or legal entity or the union of persons or group of assets devoid of legal personality who are clients of Capital.com.

“Company” or “we” or “Capital Com” or “Capital.com” shall mean Capital Com Group Ltd.

“Cyprus Securities and Exchange Commission” or the “Commission” or the “CySEC” shall mean the Cyprus Securities and Exchange Commission.

“DPO” shall mean the Data Protection Officer of Capital.com.

“EEA”shall mean the European Economic Area.

“GDPR” shall mean The General Data Protection Regulation (GDPR) (EU) 2016/679.

“KOs” shall mean Knock Out Options.

“KYC” shall mean Know Your Client.

“MOKAS” shall mean the Unit for Combating Money Laundering.

“PEP” shall mean politically exposed person.