XDAT International Limited (XDAT) shall endeavour to comply with the General Data Protection Regulation (GDPR 2016/679) (GDPR) in relation to personal data processing rules within the European Union (EU) and European Economic Area (EEA).
XDAT ensures that in the event that any Personal Data of Data Subjects is transferred outside of the EU or EEA countries or an international organisation, the legal regime of the relevant country provides an “adequate” level of Personal Data protection as stipulated by the European Commission or has provided appropriate safeguards or under binding corporate rules or satisfies one of the conditions in Article 49 of the GDPR.
- Complies with data protection law and follows good practice.
- Protects the rights of users, visitors and customers.
- Is open about how it stores and processes individuals’ Personal Data.
- Protects itself from the risk of a data breach.
The following terms “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing Activity/ies”, “Pseudonymisation”, “Anonymisation”, “Cross-Border processing of Personal Data”, “Supervisory Authority” used in this document shall have the same meaning as in the European Union’s General Data Protection Regulation:
INFORMATION XDAT COLLECTS
We want you to understand the types of Personal Data we collect when you register for and use XDAT’s services.
Information you provide to us at registration
When you create an XDAT Account, you provide us with Personal Data that includes your contact information (email address, name, and a password). You can also choose to add a phone number for SMS or Google Authenticator account to be used for 2FA verification for improved security. We ensure that the Personal Data collected is processed lawfully, fairly and in a transparent manner.
Information we collect when authenticating user identity
To comply with global industry regulatory standards including Anti-Money Laundering (AML), Know-Your-Customer (KYC), and Countering Terrorist Financing (CTF), XDAT requires user accounts to undergo user identity authentication for both Personal & Enterprise-level accounts. This entails collecting formal identification.
Information we collect as you use our services
Service Usage Information
Through your use of the XDAT platform, we ensure that we shall not monitor and collect tracking information related to usage such as access date & time, device identification, operating system, browser type and IP address.
How we store your Personal Data
We shall keep Personal Data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. We shall apply anonymisation or pseudonymisation to Personal Data where possible to reduce the risks to the Data Subjects.
We strive to keep Personal Data accurate, and, where necessary, it is to be kept up to date. We shall take reasonable steps to ensure that Personal Data is accurate, having regard to the purposes for which it is processed, and any inaccurate Personal Data shall be erased or rectified without undue delay.
Retention of Personal Data
XDAT ensures that the Personal Data will not be kept for longer than is necessary and only kept for the purposes for which it is processed. Retention periods may vary from a few months in relation to simple enquiries to over ten years as required by applicable law or court orders.
Rights of Access by Data Subjects
XDAT acting as Data Controller shall provide Data Subjects with a reasonable access mechanism to enable the same to access their Personal Data. The Data Subject shall be allowed to update, rectify, erase, or transmit their Personal Data, if appropriate or as required by law.
Right to be forgotten
Upon request, and within the limits allowed by applicable law, you have the right to have your Personal Data erased by us. XDAT acting as a Controller will take all necessary actions (including technical measures) to inform any third-party Data Processors where applicable to comply with the request.
You shall have the right to receive, upon request, a copy of the Personal Data you provided to us in a structured, commonly used and machine-readable format and to transmit it to another Controller, for free. We shall endeavour to ensure that such requests are processed within one month, provided that the request is not excessive and does not affect the rights of other individuals’ Personal Data.
Disposal of Personal Data
When we receive requests to dispose of Personal Data records by Data Subjects, we shall ensure that these requests are handled within a reasonable time frame. XDAT shall keep a record, including a log, of these requests.
XDAT ensures that any archived Personal Data is disposed of by adequate disposal mechanisms on expiry of the retention period. Any hard copies of Personal Data that we might have obtained from you shall be physically destroyed when no longer relevant. We shall also strive to obtain adequate disposal mechanisms to ensure no Personal Data is leaked outside of the organisation.
For all Personal & Enterprise-level accounts, we collect transaction information including deposit snapshots, account balances, trade history, withdrawals, order activity and distribution history. This transaction data is monitored for suspicious trading activity for user fraud protection, and legal case resolution.
WHY DOES XDAT COLLECT THIS INFORMATION
To provide and maintain our services
We use the information collected to deliver our services and verify user identity.
To protect our users
We use the information collected to protect our platform, users’ accounts and archives.
We use IP addresses and cookie data to protect against automated abuse such as spam, phishing and Distributed Denial of Service (DDoS) attacks.
We analyse trading activity with the goal of detecting suspicious behaviour early to prevent potential fraud and loss of funds to bad actors.
To comply with legal and regulatory requirements
Respect for the privacy and security of Personal Data you store with XDAT informs our approach to complying with regulations, governmental requests and user-generated inquiries. We will not disclose or provide any Personal Data to third party sources without obtaining specific consent from you (unless any applicable law requires otherwise) and without review from our legal team.
To measure site performance
We actively measure and analyse data to understand how our services are used. This review activity is conducted by our operations team to continually improve our platform’s performance and to resolve issues with the user experience.
We continuously monitor our systems’ activity information and communications with users to look for and quickly fix problems.
To communicate with you
We use Personal Data collected, such as an email address, to interact with users directly when providing customer support on a ticket or to keep you informed on logins, transactions, and security. Without processing your Personal Data for confirming each communication, we will not be able to respond to your submitted requests, questions and inquiries. All direct communications are kept confidential and reviewed internally for accuracy.
The Company shall provide its users with user support through an online chat with an agent. Username and email address may be necessary to sign up for online chat. The data collected in this manner shall be processed exclusively for the purpose of providing user support.
The Company may keep logs for internal and external audits; training and investigation including law enforcement agencies. These logs are deleted once the account is terminated or after one (1) year if they are no longer required for any crime prevention, investigation, detection purposes and crime reporting for the protection of the business and other legal interests and the protection of employees.
Marketing of our services
XDAT may, pursuant to the given consent, periodically notify Data Subjects of any new benefits or services being offered. The Data Subject may always decide to opt out from receiving the above notifications and may cancel the service by sending an e-mail to [email protected]
HOW DOES XDAT PROTECT USER DATA
XDAT has implemented a number of security measures to ensure that your Personal Data is not lost, abused, or altered. Our data security measures include, but are not limited to: PCI Scanning, Secure Sockets Layer (SSL) encryption technology, pseudonymisation, internal data access restrictions, and strict physical access controls to buildings & files. Please note that it is impossible to guarantee 100% secure transmission of data over the Internet or by any method of electronic storage. As such, we request that you understand the responsibility of independently taking safety precautions to protect your own Personal Data.
If you suspect that your Personal Data has been compromised, especially account and/or password information, please lock your account and contact XDAT customer service immediately on the following link https://xdat.zendesk.com/hc/en-us
XDAT shall ensure appropriate Personal Data processing by all its employees and all those who have access and process data on our behalf.
- The board of directors is ultimately responsible for ensuring that XDAT meets its legal obligations.
- The Data Protection Officer or the person in charge is responsible for:
  - Keeping the Board updated about data protection responsibilities, risks and issues.
  - Dealing with requests from individuals to check the data XDAT holds about them (also called 'subject access requests' [SAR]).
  - Checking and approving any contracts or agreements with third parties that may handle any sensitive data.
- The IT Manager is responsible for:
  - Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
  - Performing regular checks and scans to ensure security hardware and software is functioning properly.
  - Evaluating any third-party services XDAT is considering using to store or process data, e.g. cloud computing services.
- The Marketing Manager is responsible for:
  - Approving any data protection statements attached to communications such as emails and letters.
  - Addressing any data protection queries from journalists or media outlets like newspapers.
  - Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
How do we respond to Personal Data Breach Incidents
When the Company learns of a suspected or actual Personal Data breach, the Company shall perform an internal investigation and take appropriate remedial measures in a timely manner. Where there is any risk to the rights and freedoms of Data Subjects, the Company will notify the relevant supervisory authorities without undue delay and, when possible, within 72 hours from when it learns of such breach.
Audit and Accountability
In accordance with the applicable regulations governing the protection of Personal Data, each request/inquiry will be resolved or closed without undue delay and at the latest within 30 days of receipt.
When contacting and posting such requests, we will invest reasonable efforts to confirm your identity and to prevent unauthorized Personal Data processing.
Changes to this Policy
As the Company evolves, there may be the need to update this Policy to keep pace with changes to the website, software, services, business and applicable laws. The Company will, however, always maintain its commitment to respect the Data Subject's privacy. The Company ensures that it will notify the Data Subjects of any material changes under this Policy by email (the most recent email provided by the Data Subject) or post any other revisions to this Policy along with their effective date, in an easy-to-find area of the website.
This document was updated on 1st October 2018 and is effective from that date.
Email: [email protected]
Ground Floor, Palace Court, Church Street, St. Julians STJ 3049