Privacy Policy
Last updated: as published on the Platform. We may update this Policy to reflect legal, technical, or business changes. Material changes will be communicated as required by Applicable Law.
1. Introduction and scope
1.1. This Privacy Policy (“Policy”) describes how DeciPoin and its affiliates, subsidiaries, and service providers (“DeciPoin”, “we”, “us”, “our”) collect, use, store, share, transfer, and otherwise process personal data when you access or use our websites, mobile applications, client portals, trading platforms, APIs, support channels, and related services (collectively, the “Platform”).
1.2. This Policy applies to visitors, registered users, prospective clients, beneficial owners, corporate representatives, and individuals whose data we receive in the context of compliance checks, even if they do not directly use the Platform.
1.3. Capitalized terms used in GDPR jurisdictions follow GDPR definitions. Where local law uses different terminology (for example “personal information” under U.S. state law), this Policy should be read consistently with those definitions.
1.4. If you do not agree with this Policy, you must discontinue use of the Platform. Certain processing is necessary to provide regulated services; refusing may prevent onboarding or continued use.
2. Data controllers and contact points
2.1. The primary data controller responsible for your personal data is the DeciPoin entity identified in the legal notices, registration disclosures, or contract you accept at onboarding (“Controller”).
2.2. For EU/UK data subjects, where required we will identify any EU or UK representative and/or Data Protection Officer (“DPO”) contact details in the client area or legal notices.
2.3. General privacy inquiries: support@decipoin.com. For security-sensitive matters (e.g., suspected account compromise), use the dedicated security channel if published on the Platform.
2.4. Supervisory authorities: EEA residents may lodge complaints with their local supervisory authority; UK residents with the ICO; other jurisdictions as listed in applicable addenda.
3. Categories of personal data we process
We process personal data proportionate to our legal bases and risk-based approach. Categories may include:
3.1 Identity and biographical data
- Full legal name, former names, aliases; date of birth; place of birth; gender (where required for verification); nationality(ies); government ID numbers; photographs; selfie or liveness imagery; video identification recordings.
3.2 Contact and account data
- Postal address; email; telephone; social handles if you choose to provide them; account username; marketing preferences; language settings.
3.3 Financial, trading, and transactional data
- Payment instrument metadata (masked PAN, BIN, tokenized references); bank account details; deposit and withdrawal instructions; transaction IDs; chargeback records; trading history; profit and loss; balances; margin utilization; copies of invoices or contracts you upload.
3.4 Compliance and fraud-prevention data
- PEP and sanctions screening results; adverse media hits; risk scores; source-of-funds and source-of-wealth narratives; corporate structure charts; beneficial ownership percentages; watchlist match explanations; fraud network associations; device reputation signals.
3.5 Technical, device, and usage data
- IP address; approximate geolocation derived from IP; device identifiers; browser user-agent; OS; screen resolution; time zone; cookies and similar technologies; session logs; clickstream; crash diagnostics; API call metadata; anti-automation signals.
3.6 Communications content
- Support tickets; chat transcripts; emails; call recordings where lawful and notified; survey responses; NPS feedback.
3.7 Special categories and sensitive data
- We generally do not seek special categories of data under GDPR Article 9. If you voluntarily disclose health or other sensitive information in free-text fields, we will process it only where necessary for support or legal claims, or with your explicit consent where the law requires it.
4. Sources of personal data
We collect data: (a) directly from you; (b) automatically via the Platform; (c) from payment processors and banks; (d) from identity verification vendors; (e) from credit reference or fraud databases where permitted; (f) from public registers; (g) from corporate clients’ representatives; (h) from advertising or analytics partners subject to your choices; (i) from law enforcement or regulators when lawfully served.
5. Purposes and legal bases (GDPR and equivalent)
Depending on context, we rely on one or more of the following legal bases:
- Performance of a contract — onboarding, account servicing, trade execution, payments.
- Legal obligation — AML/CTF, tax reporting, sanctions, court orders, record-keeping.
- Legitimate interests — network security, fraud prevention, product improvement, enforcing terms, business analytics, corporate transactions, and asserting legal claims, balanced against your rights.
- Consent — certain marketing, non-essential cookies, optional surveys, or processing that law requires to be consent-based.
- Vital interests — rare emergency situations involving health or safety.
5.1 Detailed purpose list (non-exhaustive)
- registering and authenticating users; password resets; 2FA;
- processing deposits and withdrawals; reconciling ledgers;
- monitoring trading for market abuse and terms violations;
- conducting sanctions, PEP, and adverse media screening;
- responding to data subject requests;
- conducting internal audits and regulatory reporting;
- improving models for risk scoring (with governance and, where applicable, human review);
- sending service announcements and policy updates;
- defending legal claims and enforcing arbitration or judgments.
6. Automated decision-making and profiling
6.1. We may use rules-based systems and statistical models to assess fraud risk, automate parts of KYC triage, prioritize support queues, or personalize interface defaults. These systems may produce legal or similarly significant effects in limited cases (e.g., rejection of onboarding).
6.2. Where required by law, we will inform you of automated decisions, provide meaningful information about the logic, and offer human review or the ability to contest the decision.
7. Cookies and similar technologies
7.1. We use cookies, local storage, pixels, SDKs, and server-side tags for essential authentication, preferences, analytics, advertising (where enabled), and fraud prevention.
7.2. You can manage non-essential cookies via our cookie tool where available and via browser settings. Essential cookies are strictly necessary for core functionality (for example, keeping you signed in) and cannot be disabled without impairing it.
7.3. Our Cookie Policy provides granular descriptions of cookie names, purposes, and retention.
8. Sharing and disclosure
We disclose personal data only as described below:
- Processors and service providers — hosting, CDN, databases, email delivery, customer support SaaS, analytics, identity verification, payment acquiring, banking partners, telecommunications.
- Professional advisers — lawyers, accountants, auditors, insurers.
- Group companies — for shared services, treasury, compliance, and IT security.
- Acquirers and counterparties — to complete payments you initiate.
- Regulators and law enforcement — when required or permitted by law, including subpoenas, production orders, and suspicious activity reporting.
- Corporate transactions — due diligence and transfer in mergers, acquisitions, financings, or asset sales, under confidentiality obligations.
We do not sell personal data for monetary or other valuable consideration. Where you opt in via the cookie controls, we may share data with advertising partners; under the CPRA this may constitute “sharing” for cross-context behavioral advertising, which you may opt out of as described in Section 13.
9. International transfers
9.1. We operate globally. Your data may be processed in countries outside your residence, including countries without adequacy decisions.
9.2. Where GDPR/UK GDPR applies, we implement appropriate safeguards such as Standard Contractual Clauses, UK Addendum, supplementary measures (encryption, access controls), and transfer impact assessments.
9.3. You may request a summary of safeguards or copies of SCCs subject to redactions for confidentiality.
10. Retention
10.1. We retain personal data only as long as necessary for the purposes above, including statutory, regulatory, tax, AML, and limitation-period requirements. Retention windows vary by category:
| Category (illustrative) | Indicative retention |
|---|---|
| KYC documents and verification outcomes | Typically 5–10 years after relationship end, unless longer required |
| Transaction and trading records | Typically 5–10 years, per market rules |
| Support communications | Typically 3–7 years unless linked to litigation hold |
| Security and access logs | Typically 90 days to 24 months depending on system |
| Marketing consents and logs | Until withdrawn plus limitation period |
10.2. When retention expires, we delete or irreversibly anonymize data where feasible. Backup copies may persist for a limited technical window until they are overwritten or expire.
11. Security measures
We implement administrative, technical, and organizational measures including role-based access, MFA for staff, encryption in transit, segmentation, vulnerability management, logging and monitoring, incident response plans, vendor due diligence, and staff training. No method is 100% secure; you must also protect credentials.
12. Your rights
Rights vary by jurisdiction. Subject to exceptions, you may have the right to access, rectify, erase, restrict, port, object, and withdraw consent. You may also object to direct marketing at any time.
To exercise rights, contact support@decipoin.com. We may need to verify your identity before acting on a request. We will respond within statutory timelines (for example, one month under GDPR, extendable by up to two further months for complex or numerous requests, in which case we will tell you why).
13. California residents (CPRA — summary)
If California law applies, you may have rights to know, delete, correct, and opt out of certain sharing for cross-context behavioral advertising, and not to receive discriminatory treatment for exercising rights. We describe categories collected and purposes above. You may designate an authorized agent with proper proof. Contact us to submit requests.
14. Other U.S. state privacy laws
Residents of Colorado, Virginia, Connecticut, Utah, and other states with comprehensive privacy laws may have analogous rights. Where required, we honor universal opt-out mechanisms for sale/sharing as technically feasible.
15. Brazil (LGPD)
Where LGPD applies, we process data under legal bases such as contract, legal duty, legitimate interest, credit protection, and consent where required. You may have rights under Articles 18–19, including confirmation, access, correction, anonymization, portability, deletion, and information about sharing.
16. Children
The Platform is not directed to individuals under the age of majority. We do not knowingly collect personal data from children. If you believe we have collected such data, contact us for prompt deletion.
17. Marketing
We may send promotional communications where permitted. You can unsubscribe via links in emails or account settings. Service and compliance messages may continue.
18. Third-party links
The Platform may link to third-party sites. Their privacy practices are independent. Review their policies before providing data.
19. Data breach notification
We maintain incident response procedures. Where required, we will notify regulators and affected individuals without undue delay, describing nature, likely consequences, and mitigation measures in accordance with Applicable Law.
20. Changes to this Policy
We may update this Policy to reflect operational, legal, or regulatory changes. We will post the revised version with an updated effective date and, where required, provide additional notice or obtain consent.
21. Processor and subprocessor transparency
We maintain records of processing activities as required by GDPR Article 30 and, where we act as a processor, subprocessor lists as required under Article 28 and our processor contracts. A high-level description of categories of processors appears in Section 8. Detailed subprocessor names may be published in the client area or provided upon request subject to confidentiality.
22. Lawful access requests
We may be compelled to retain or disclose data pursuant to lawful process. Where not prohibited, we may provide aggregate transparency reporting on government requests.
23. Analytics, testing, and product telemetry
We may use aggregated or de-identified data for benchmarking, feature flags, A/B testing, reliability engineering, and training internal fraud models. We apply data minimization and access controls to such pipelines.
24. Financial messaging and transaction monitoring records
To satisfy AML obligations, we may record transaction narratives, counterparty identifiers, blockchain transaction hashes (if applicable), and travel rule information exchanged with counterparties, consistent with FATF recommendations and local travel-rule laws.
25. Your responsibilities
You must provide accurate data, notify us of changes, safeguard credentials, and ensure that if you supply third-party data (e.g., beneficial owners), you have lawfully informed them and obtained necessary permissions.
26. Contact
DeciPoin Privacy
Email: support@decipoin.com
For EU/UK representatives or DPO contacts (if appointed), see the legal notices section of the Platform.
27. Switzerland (FADP) and UK GDPR supplements
27.1. If the revised Swiss Federal Act on Data Protection applies, you may have rights analogous to GDPR, including information, rectification, deletion, objection, and data portability where technically feasible. A representative in the EEA/UK, if appointed, may be listed in the legal notices.
27.2. UK GDPR and Data Protection Act 2018 rights mirror many GDPR rights. ICO complaints: ico.org.uk. International transfers from the UK may rely on the UK IDTA, Addendum, or adequacy regulations.
28. Canada (PIPEDA and provincial laws)
28.1. Where Canadian law applies, we collect, use, and disclose personal information with consent or as otherwise permitted by PIPEDA or provincial equivalents (e.g., Quebec Law 25). You may file complaints with the Office of the Privacy Commissioner of Canada or provincial commissioners as applicable.
29. Australia and New Zealand
29.1. If the Australian Privacy Act 1988 (Cth) applies, we comply with APPs where we are an APP entity or otherwise align practices to applicable privacy principles. Complaints may be directed to the OAIC after internal escalation.
29.2. If New Zealand’s Privacy Act 2020 applies, you may complain to the Office of the Privacy Commissioner.
30. Singapore, Japan, South Korea
30.1. PDPA (Singapore) rights may include access and correction; we may charge a reasonable fee for access where permitted.
30.2. APPI (Japan) may require additional disclosures about third-party provision and anonymized/pseudonymized processing; we provide such disclosures in Japanese where we market to Japan.
30.3. PIPA (South Korea) may require appointment of a domestic representative or chief privacy officer for certain operators; see legal notices if applicable.
31. South Africa, Kenya, Nigeria (illustrative)
31.1. Where POPIA (South Africa) applies, we process lawfully, minimize data, and enable objection to direct marketing. You may complain to the Information Regulator.
31.2. Other African data protection laws may impose localization or registration; we comply where we operate localized services.
32. Sensitive personal information (U.S. state law concepts)
32.1. We do not intentionally collect precise geolocation, racial or ethnic origin, religious beliefs, union membership, genetic data, health information, or sex life/orientation for ordinary Platform operation. Identity verification (Section 3.1) may involve selfie or liveness imagery that our verification vendors compare against your ID document; where applicable law treats this as biometric or sensitive data, we limit its use to verification and fraud prevention. If incidental processing of other sensitive data occurs (e.g., you upload a medical document), we limit use to the purpose for which it was submitted.
32.2. Where state law requires opt-in consent for sensitive categories, including biometric processing for identification, we obtain that consent before collecting such data.
33. Profiling and targeted advertising
33.1. We may build segments (e.g., “users who viewed education on risk management”) for analytics and, where you opt in, advertising. You may control certain cookies and marketing preferences in the client area or via industry tools where available.
33.2. We do not use fully automated profiling that produces legal effects concerning you or similarly significantly affects you, except fraud and AML models subject to human oversight and rights described in Section 6.
34. Social features, widgets, and embedded content
34.1. Social login buttons, video embeds, maps, or chat widgets may load third-party scripts that collect data under those parties’ policies. Where we have configured delayed loading, these scripts load only after you interact with the embedded element.
35. Mobile applications
35.1. Our apps may request permissions (notifications, biometric unlock, storage). You may deny non-essential permissions, which may limit features. Crash logs may contain device metadata as described in vendor (Apple/Google) developer agreements.
35.2. App stores process payments and may collect usage analytics per their policies.
36. Push notifications and in-app messaging
36.1. Push notification tokens allow delivery of alerts to your device. You may disable marketing pushes while retaining critical security alerts where the two are technically separable.
37. Employment and recruitment
37.1. If you apply for a role, we process CV data, references, and assessment results under separate fair processing notices provided at application.
38. Deceased users and representatives
38.1. Estates or lawful representatives may request access or deletion subject to proof of authority, inheritance law, and our obligation to retain certain financial records.
39. Unduly burdensome or abusive requests
39.1. Where permitted, we may charge a reasonable fee or refuse manifestly unfounded or excessive requests (e.g., repetitive). We may request additional verification to prevent disclosure to impersonators.
40. Appeals (U.S. states with appeal rights)
40.1. Where state law provides a right to appeal our refusal to act on a privacy request, instructions for appeal will be included in our response within the statutory timeframe.
41. Data localization and government access
41.1. Certain countries require local storage or local processing for specific categories. Where we offer a localized deployment, supplemental terms may apply.
41.2. We may publish transparency reports summarizing aggregate government requests where not prohibited.
42. Pseudonymization and key-coded data
42.1. We may pseudonymize identifiers in analytics pipelines while retaining reversible keys under access controls for security investigations.
43. Research and statistical disclosure
43.1. We may publish aggregate statistics (e.g., median session length by region) that do not identify individuals. Small-cell suppression may be applied to prevent re-identification.
44. Vendor and subprocessor diligence
44.1. We assess processors for security practices, data residency options, their own subprocessors, and their international transfers. Contracts include confidentiality, breach notification, assistance with data subject requests, and deletion or return of data at the end of service.
45. Records of processing (ROPA) and DPIAs
45.1. We maintain internal records describing processing activities, purposes, categories, recipients, transfers, and retention. Data protection impact assessments are conducted for high-risk processing as required.
46. Cookieless and server-side tracking
46.1. Where browsers restrict third-party cookies, we may use server-side measurement, probabilistic attribution, or first-party identifiers to continue measuring security and product performance. These methods remain subject to the consent and opt-out choices described in Section 7.
47. Financial identifiers and device binding
47.1. To prevent account takeover, we may bind sessions to device fingerprints, IP reputation, and payment instrument hashes. This processing supports legitimate interests in fraud prevention.
48. Whistleblower and ethics hotlines
48.1. If you report misconduct through an ethics channel, we process your report and identity (if provided) under strict confidentiality and whistleblower protections where applicable.
49. Policy accessibility
49.1. This Policy is available in HTML and may be offered in downloadable PDF. If you need an alternate format, contact support@decipoin.com.
50. Further reading and layered notices
50.1. At onboarding, short layered notices may summarize key points; this Policy remains the comprehensive description. Cookie banners, KYC screens, and payment checkout may present just-in-time notices for specific collections.