Privacy Policy
1. Introduction
1.1. About This Privacy Policy
This Privacy Policy (“Policy”) explains how FYFX Capital Limited, a company incorporated in Hong Kong (referred to as “FundYourFX”, “FYFX”, “we”, “us” or “our”), collects, uses, stores and shares the personal data of a person (referred to as “you”, “your”, “User”, “Customer” or “Trader”) who visits our website, uses our services or otherwise interacts with us. We are committed to complying with, including but not limited to, the following:
- EU General Data Protection Regulation (“EU GDPR”);
- United Kingdom General Data Protection Regulation and the Data Protection Act 2018 (“UK GDPR”);
- Hong Kong Personal Data Privacy Ordinance (“PDPO”);
- Singapore Personal Data Protection Act 2012 (“PDPA”);
- Australian Privacy Act 1988 (“APA”) and Australian Privacy Principles (“APP”);
- Certain United States privacy laws, including the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”) and, where applicable, similar state privacy laws (including but not limited to Virginia, Colorado, Connecticut and Utah).
(Collectively referred to as the “Protection Laws”).
1.2. Data Controller
1.2.1. FYFX is the data controller (or equivalent) for your personal data under the Protection Laws.
1.2.2. Our collection, use, storage, retention and disclosure of personal data is governed by this Policy and also our Terms of Service and our Cookies Policy. The provisions of our Terms of Service and our Cookies Policy form a part of this Agreement and are incorporated herein by reference. However, nothing in this Policy limits or overrides your statutory data protection rights. By using the Website and the Services you acknowledge that you have had the opportunity to read those documents.
1.3. Scope of This Policy
This Policy applies to your use of:
- Our Website and any other online interfaces;
- Our Instant Funded Accounts, Evaluation Plans (including one phase and two phase programmes), 10X Quest Challenge, Scaling Plan and any other accounts or plans that we may offer in the future;
- Our online platform at app.fundyourfx.io (the “Dashboard”);
- Email, telephone, ticket system, live chat, social media or other channels through which you communicate with us;
- Any affiliate or partner programme that we operate and that you join; and
- Any related content, tools, software, applications and communication channels provided by us (together, the “Services”).
This Privacy Policy does not apply to third-party websites, applications, trading platforms, tools or services that you may access through our Website or Services. Their own privacy policies will apply.
1.4. Your Acceptance of This Policy
By ticking a box, clicking “I agree”, “Accept” or other similar button, creating an account, or by accessing or using any part of the Services, you agree to be legally bound by this Policy. If you do not agree with this Policy or any document incorporated by reference, you must not access or use the Services and you must cease to use our Website.
1.5. Changes to This Policy
We may update the Policy from time to time at our discretion. Changes will be notified to you via email or Dashboard announcement at least seven (7) days before they take effect, except where immediate changes are required for legal, regulatory or platform integrity reasons. When you next use our Website or Dashboard after a change to the Policy, a pop up window will appear requesting your acceptance of the new Policy. If you decline acceptance of the new Policy and continued processing of your personal data is necessary for the provision of the Services, we may be unable to continue providing the Services to you.
1.6. Language
This Policy is drafted in English. If translated into another language, the English version prevails in case of conflict.
2. Definitions
For the purposes of this Policy the definitions in our Terms of Service and our Cookies Policy apply equally in this Policy and are incorporated herein by reference.
3. Interpretation
3.1. Headings in this Policy are for convenience only and do not affect interpretation. References to “including” or similar expressions mean “including without limitation”.
3.2. If there is any inconsistency between this Privacy Policy and our Terms of Service or Cookies Policy about how we collect, use, store or share personal data, this Privacy Policy will prevail. For all other matters (including how the Services are provided and your contractual rights and obligations), the Terms of Service will take precedence.
4. Personal Data We Collect
4.1. Identification and Contact Data
We may collect:
- Full name;
- Date of birth and age;
- Nationality and country of residence;
- Residential address and billing address;
- Email address and telephone number;
- Copies of government issued identification documents;
- Proof of address documents such as utility bills or bank statements;
- Photographs or selfie images used for identity checks.
We will not use personal identifiers as our own identifier or disclose them except where reasonably necessary to verify your identity or where required or authorised by law or where a permitted general situation exists.
4.2. Account and Profile Data
We may collect:
- Login details such as username and password;
- Account preferences and settings, for example language, communication and marketing choices;
- The programme type and plan size that you have purchased and your account status;
- Information about breaches, rule violations or other flags applied to your account;
- Information you choose to add to your profile on the dashboard.
4.3. Payment and Payout Data
We may collect:
- Information about your purchases, including programme type, price, currency, discounts and dates of purchase;
- Limited card or wallet information needed to process payments through our payment providers. We do not store full card numbers;
- Bank account details, payment account details or cryptocurrency wallet addresses that you give to us for payouts;
- Transaction identifiers, payment confirmations, chargebacks, refunds and payment disputes.
4.4. Verification, KYC, AML and Sanctions Data
To meet our legal and risk management duties, we may collect and create:
- Copies of identity documents and proof of address;
- Selfie photographs or video for face matching and liveness checks;
- Tax identification numbers or similar identifiers where required;
- Results from identity verification, fraud checks and sanctions screening tools;
- Information from credit reference or background check agencies where allowed by law;
- Information from public sources, such as company registers or publicly available databases.
4.5. Trading and Performance Data
All trading that you carry out with us is simulated in a virtual environment. We record and analyse your simulated trading to assess performance and compliance with our rules. This can include:
- Trading platform login data and account identifiers;
- Details of simulated orders, entries and exits, instrument types, lot sizes, prices and time stamps;
- Simulated balances, equity, drawdown, profit and loss and other risk and performance indicators;
- Data about breaches of trading rules, forbidden trading practices, use of automated strategies and news trading;
- Information about how many FYFX accounts you hold and how you use them.
4.6. Technical and Usage Data
We may collect technical and usage data when you visit our Website or use our Dashboard, including:
- Internet Protocol (IP) address and approximate location;
- Device type and model, operating system and version, browser type and version, screen resolution and language settings;
- Dates and times of access to our Website, pages you viewed, features used, actions taken, session duration, crash logs and error reports;
- Referring website addresses that led you to our Website;
- Information about how you navigate our Website and Dashboard;
- Device fingerprinting data, browser signatures, and network telemetry that we use to identify linked accounts (“Client Clusters”), detect VPN/proxy usage, and prevent forbidden trading practices as defined in our Trading Rules.
Further details about cookies and similar technologies are provided in our separate Cookies Policy.
4.7. Communication and Support Data
We may keep:
- Records of emails, support tickets, telephone calls, live chat transcripts and other communications with you;
- Content of any queries, complaints, feedback, reviews or survey responses that you send to us;
- Social media messages and public posts that mention us, where we review or respond.
4.8. Marketing and Affiliate Data
We may collect:
- Your marketing and communication preferences;
- Information about how you respond to our marketing, for example whether you open emails or click on links;
- Affiliate codes, referral identifiers and basic data shared with or received from affiliate partners to track referrals and pay commissions.
4.9. Special Category and Sensitive Data
4.9.1. Except where strictly necessary for identity verification and compliance with KYC, AML and sanctions requirements, we do not seek to collect special category or sensitive personal data (such as data about your health, race, political opinions or religious beliefs). When you apply for an Account we may need to collect the following sensitive data for KYC and fraud prevention purposes:
- Biometric Data: Facial scan data derived from your selfie photograph and ID document to perform liveness checks and face matching.
- Government Identifiers: Passport or National ID numbers and similar identifiers.
We use this information solely to:
- Verify your identity and age;
- Conduct KYC, AML and sanctions screening;
- Detect and prevent fraud, abuse and other unlawful activity; and
- Comply with our legal and regulatory obligations where they apply.
We do not use biometric data or government identifiers for marketing, profiling for advertising or for any purpose unrelated to identity verification, security and compliance.
Legal Basis:
- For users in the EEA and UK, we process biometric and government ID data only to the extent permitted by Articles 6(1)(b), 6(1)(c) and/or 6(1)(f) and Article 9(2) GDPR / UK GDPR (for example, where necessary for reasons of substantial public interest relating to the prevention of fraud and money laundering, to comply with KYC/AML and sanctions obligations, or based on your explicit consent where required by law);
- In other jurisdictions, we rely on your consent where required, our legitimate interests in verifying identity and preventing fraud, and/or applicable legal obligations.
4.9.2. Where consent is required, we will ask you to provide separate, specific, informed and freely given consent at the point of collection. You are not legally required to provide biometric data, but if you choose not to, or if you later withdraw your consent, we may be unable to open or maintain your Account or provide certain programme features (including Funded User status or Payouts) where identity verification is required.
4.9.3. You may withdraw your consent to the processing of your biometric data at any time by contacting us. In such event, we reserve the right to terminate your Account as we may no longer be able to meet KYC requirements. We may retain certain biometric data for the periods specified in Clause 10 where this is required by law or necessary for the establishment, exercise or defence of legal claims.
4.10. CCPA Categories
We collect certain categories of Personal Information as defined under CCPA as amended by CPRA. For transparency, the following outlines the specific categories we may collect, their sources, our business purposes for processing and any third parties with whom we may share them.
4.10.1. Identifiers
Sources: Directly from you and third-party verifiers;
Business purpose: Account management, security and legal compliance;
Third parties shared with: Service providers and legal authorities when required.
4.10.2. Commercial Information
Sources: Your transactions;
Business purpose: Service delivery and analytics;
Third parties shared with: Service providers.
4.10.3. Biometric Information
Sources: Your selfie/ID;
Business purpose: Identity verification only;
Third parties shared with: Identity verification providers.
4.10.4. Internet Activity
Sources: Automatic collection;
Business purpose: Service improvement and security;
Third parties shared with: Analytics providers and security vendors.
4.10.5. Professional Information
Sources: You provide;
Business purpose: Programme evaluation;
Third parties shared with: None.
4.10.6. Inferences
Sources: Trading analysis;
Business purpose: Performance assessment; rule compliance;
Third parties shared with: None.
5. How We Collect Personal Data
We collect personal data in three main ways.
5.1. Directly From You
For example when you:
- Create an account;
- Purchase a programme or other services;
- Complete forms on our Website or Dashboard;
- Submit identity verification or KYC documents;
- Contact us or request support;
- Take part in surveys, promotions, competitions or events.
5.2. Automatically When You Use Our Services
For example:
- Through cookies, pixels and similar technologies when you visit our website or use the dashboard;
- Through our servers and logging systems when you access our services;
- Through our trading platforms and tools, which record your simulated trading activity.
Please see our Cookies Policy for more detail on cookies and similar technologies.
5.3. From Third Parties
We may receive data about you from:
- Identity verification, fraud prevention, KYC, AML and sanctions screening providers;
- Payment processors, banks and other financial institutions that handle your payments and payouts;
- Trading platform providers that help us run our programmes;
- Credit reference and background check agencies where allowed by law;
- Marketing and analytics partners;
- Social media platforms if you interact with us there;
- Publicly available sources such as company registers and public databases.
6. Why We Use Your Personal Data and Legal Bases
Data protection laws require us to tell you the purposes for which we use your personal data and the legal bases we rely on. In many cases we process your data because it is:
- Needed to perform our contract with you or to take steps at your request before entering into a contract;
- Needed to comply with a legal obligation;
- In our legitimate interests where these are not overridden by your rights;
- Based on your consent.
6.1. Account Registration and Management
Purpose:
- To create and administer your account and user profile;
- To verify your identity and eligibility;
- To keep our records accurate and up to date.
Legal bases:
- Performance of a contract with you;
- Compliance with legal obligations, for example KYC and AML requirements where they apply;
- Our legitimate interest in operating and managing our business.
6.2. Providing Our Services and Programmes
Purpose:
- To give you access to our website, dashboard, Instant Funded Accounts, Evaluation Plans, 10X Quest Challenge and Scaling Plan;
- To record and evaluate your simulated trading performance;
- To manage scaling, rewards and other programme benefits.
Legal bases:
- Performance of a contract with you;
- Our legitimate interest in providing and improving our services.
6.3. Payments, Payouts and Financial Administration
Purpose:
- To process payments for our Services;
- To administer payouts to eligible funded users;
- To keep accounting and financial records.
Legal bases:
- Performance of a contract with you;
- Compliance with legal and tax obligations;
- Our legitimate interest in managing our finances and preventing fraud.
6.4. Identity Checks, KYC, AML and Sanctions Compliance
Purpose:
- To verify your identity and age;
- To carry out KYC and AML checks;
- To screen you against sanctions lists and other watch lists;
- To detect and prevent fraud, abuse, money laundering, terrorist financing and other unlawful activities.
Legal bases:
- Compliance with legal obligations, where KYC, AML or sanctions laws apply to us;
- Our legitimate interest in protecting our business, our users and the financial system.
6.5. Enforcing Programme and Trading Rules and Protecting Our Services
Purpose:
- To monitor compliance with our programme rules and trading rules.
- To detect misuse, forbidden trading practices, account sharing, passing services and attempts to circumvent geographic or sanctions restrictions.
- To keep our platforms and systems secure and to investigate incidents or complaints.
Legal bases:
- Our legitimate interest in enforcing our rules, protecting the integrity of our Services and safeguarding our reputation.
- In some cases, compliance with legal obligations and the establishment, exercise or defence of legal claims.
6.6. Analytics, Service Improvement and Product Development
Purpose:
- To analyse how users interact with our Website, Dashboard and programmes.
- To improve the design, performance and user experience of our Services.
- To develop new features, products and services.
- To produce aggregated statistics and management reports.
Where we use data in an aggregated or anonymised form that no longer identifies you, data protection laws do not apply to that information.
Legal bases:
- Our legitimate interest in developing, improving and promoting our Services.
6.7. Service Communications
Purpose:
- To send you important service messages, for example account activation, security alerts, changes to this Privacy Policy, Terms of Service or Trading Rules, and information about your programme progress.
These messages are not marketing. They are necessary for the proper use and administration of our services.
Legal bases:
- Performance of a contract with you;
- Our legitimate interest in keeping you informed about important service information.
6.8. Marketing Communications
Purpose:
- To keep you updated on our activities, we may send you information about new products or features, promotions and special offers and a newsletter;
- We may also invite you to events, complete surveys or enter our competitions;
- We may use information on your interests and past interactions to tailor marketing content.
Legal bases:
- Your consent where required by law;
- We have a legitimate interest in promoting and expanding our Services to existing customers while complying with direct marketing rules.
You have the right to opt out of email marketing at any time. Either use the unsubscribe link in our emails or contact us. For Hong Kong users, we only use personal data for direct marketing if you have previously consented (e.g., by ticking a box to opt in). Your consent may be withdrawn at any time without cost to you.
6.9. Legal, Regulatory and Tax Compliance
Purpose:
- We are required to comply with laws, regulations, court orders and requests from regulators or law enforcement;
- To maintain records for tax and accounting purposes;
- To respond to legal claims, audits or investigations.
Legal bases:
- To ensure compliance with our mandated legal obligations;
- We have a legitimate interest in protecting our legal rights and defending claims.
6.10. Protecting Our Rights, Property and Users
Purpose:
- To protect FYFX, our group companies, staff, users and the public from fraud, abuse, misuse and other harmful activities.
- To manage business risk, including credit, operational and security risk;
- To enforce our Terms of Service, trading rules and other policies.
Legal bases:
- Our legitimate interest in protecting our business and users;
- In some rare cases, protection of the vital interests of a person.
6.11. Data Protection Impact Assessments (EU GDPR)
We conduct Data Protection Impact Assessments (DPIAs) before data processing that is likely to result in high risk to individuals, including:
- Systematic monitoring of trading behavior and pattern detection;
- Processing of biometric data for identity verification;
- Large-scale processing of special category data;
- Automated decision-making with legal or significant effects.
DPIAs help us identify and minimize privacy risks before implementing new processing activities.
6.12. Privacy By Design and Default
We implement privacy by design and by default principles by:
- Considering data protection at the design stage of all new services;
- Minimizing data collection to what is necessary for specified purposes;
- Implementing default settings that maximize privacy protection;
- Limiting access to personal data on a need-to-know basis;
- Regularly reviewing and updating privacy measures.
6.13. Data Minimization
Our priority is to collect only personal information that we require for our business and legitimate purposes. To ensure we are collecting only the data that we need, the type of data we are collecting is checked regularly.
7. Cookies and Similar Technologies
Our cookies and similar tools help us optimise your browsing experience. They recognise your browser or device, remember your preference settings, help implement security features and help us understand how you use our services.
Details about:
- The types of cookies we use;
- The purposes for which we use them;
- How you can manage or disable cookies,
are set out in our separate Cookies Policy, which forms part of this Privacy Policy by reference.
8. How and When We Share Your Personal Data
We do not sell your personal data. We may share your personal data with third parties, but only where this is necessary, lawful and subject to appropriate safeguards.
8.1. Group Companies
We may share your data with our parent company, subsidiaries and other related entities for:
- Providing and supporting our Services;
- Centralised management, administration and reporting;
- Fraud prevention, risk management and security;
- Product development and analytics.
Where a group company acts as a separate data controller, it is responsible for its own compliance with data protection laws.
8.2. Service Providers
We use trusted service providers who process personal data for us and on our instructions. These providers include:
- Website and application hosting, cloud infrastructure and storage providers;
- Trading platform and technology providers;
- Payment processors, banks and other financial institutions;
- Identity verification, KYC, AML and sanctions screening providers;
- Customer support, helpdesk and communication tools;
- Email, marketing, survey and analytics providers;
- Professional advisers such as lawyers, auditors and accountants.
We require these service providers to protect your personal data and to use it only for the purposes we specify.
8.3. Trading Platform Providers
To provide our services, we work with trading platform providers who may process your trading data and related information. In some cases these providers act as independent data controllers in respect of certain data. Their own privacy policies may apply and we encourage you to read them.
8.4. Affiliates and Business Partners
If you join our services through an affiliate or partner link, we may share limited data with that partner such as your name, email address and registration or purchase status. This is necessary to track referrals and pay affiliate commissions. We do not allow affiliates to use this data for their own unrelated marketing unless you agree with them directly.
8.5. Authorities and Other Third Parties
We may share your data with:
- Regulatory, tax and law enforcement authorities, courts and government bodies where required by law, or where we reasonably believe disclosure is necessary to meet legal obligations or protect our rights.
- Third parties who claim that content you have provided violates their rights, where this is supported by law or court order.
- Buyers, investors, professional advisers and other parties in connection with a merger, acquisition, reorganisation, sale of assets or insolvency. In such cases, your data may be transferred as part of the transaction.
Where possible we will try to limit the data disclosed and challenge requests that are excessive or unclear.
8.6. With Your Consent
We may share your personal data with other third parties where you have clearly consented to this sharing.
8.7. Aggregated and Anonymised Data
We may share aggregated or anonymised data that cannot reasonably be used to identify you with third parties for research, analysis, product development or similar purposes.
8.8. Sub-Processors
To provide our Services, we engage trusted third-party service providers to process personal data on our behalf (“Sub-processors”). These Sub-processors support functions such as infrastructure hosting, identity verification, payment processing, and trading platform connectivity. We ensure that all Sub-processors are bound by data processing agreements or similar confidentiality obligations that require them to protect your personal data in accordance with applicable laws. The following are our current sub-processors:
Name of Sub-processor | Service | Location | Function |
Hostinger UAB | Infrastructure Hosting | United Kingdom | Provides cloud hosting infrastructure where all website data and user personal data is stored and processed. |
YourPropFirm | Prop Trading Firm Dashboard Integration | United Kingdom | Integrates WooCommerce order and account data with the YourPropFirm trading dashboard for managing trader accounts and challenges. |
Automattic, Inc. | E-commerce Platform (WooCommerce) | United States | Powers the core e-commerce functionality, processing customer orders, product data, and transaction records. |
Stripe, Inc. | Payment Processing | United States | Processes credit/debit card payments, stores transaction data, and handles payment authentication on behalf of the website. |
Triple-A Technologies Pte. Ltd. | Cryptocurrency Payment Processing | Singapore | Processes cryptocurrency payment transactions, including customer identity and transaction data. |
Klaviyo, Inc. | Email Marketing & CRM | United States | Collects and processes customer email addresses, purchase history, and behavioral data to send automated marketing and transactional emails. |
Google Site Kit | Analytics & Tag Management | United States | Collects and processes website traffic data, user behavior, and conversion events via Google Analytics, Google Tag Manager, and Search Console. |
Meta Platforms, Inc. | Advertising & Conversion Tracking | United States | Tracks user behavior via Meta Pixel and Conversion API to measure ad effectiveness and enable targeted advertising on Facebook and Instagram. |
Metricool S.L. | Social Media & Web Analytics | Spain, European Union | Collects website traffic and user behavior data for reporting and social media performance analytics. |
Rybbit Analytics | Website Analytics | United States | Collects and processes website visitor traffic and behavioral analytics via a lightweight tracking script. |
Hotjar Ltd. | User Behavior Analytics | Malta, European Union | Records user sessions, generates heatmaps, and tracks clicks and scroll behavior to analyze how users interact with the website. |
Pushlapgrowth | Affiliate & Growth Management | United States | Tracks affiliate referrals and e-commerce performance data to manage growth and affiliate marketing programs. |
Crisp IM SAS | Live Chat & Customer Support | France, European Union | Processes names, email addresses, and chat conversation data when users interact with the live chat widget. |
Typeform SL | Online Forms & Surveys | Spain, European Union | Collects and processes personal data submitted by users through forms and surveys embedded on the website. |
Weglot SAS | Website Translation | France, European Union | Processes website content and user cookies to deliver translated versions of the website in multiple languages. |
Zapier, Inc. | Workflow Automation | United States | Receives WooCommerce order and customer data and forwards it to connected third-party applications as configured by the website operator. |
8.9. Joint Controller Arrangements
In certain circumstances, we may process your personal data jointly with one or more other organisations, each of which independently determines the purposes and means of processing. Where this occurs, we and the other organisation(s) are “joint controllers” under applicable data protection law. As of the date of this Privacy Policy, we do not have any joint controller arrangements in place. If we enter into any joint controller arrangements in the future, we will:
- Enter into an arrangement with the other joint controller(s) that sets out each party’s respective responsibilities for compliance with data protection obligations;
- Update this Privacy Policy to identify the joint controller(s) and describe the essence of the arrangement; and
- Provide you with the means to exercise your rights against each joint controller.
If you have questions about whether any joint controller arrangement applies to the processing of your personal data, please contact us.
9. International Transfers of Personal Data
9.1. FYFX is based in Hong Kong and uses infrastructure and service providers in several countries. Your personal data may be transferred to and stored in countries other than your own, including Hong Kong, the European Economic Area, United Kingdom, United States, Singapore, Australia and other jurisdictions. These countries may have different data protection laws to those in your jurisdiction.
9.2. Transfers from the EEA and UK
Where we transfer personal data from the EEA or UK to a country without an adequacy decision, we use appropriate safeguards such as:
- Standard Contractual Clauses approved by the European Commission and where required for UK transfers the UK International Data Transfer Addendum (“IDTA”);
- The IDTA issued by the Information Commissioner’s Office;
- Binding corporate rules approved by a competent supervisory authority; or
- Other recognised safeguards under applicable data protection law.
9.3. Transfers from Hong Kong and Singapore
Where we transfer personal data from Hong Kong or Singapore, we take reasonable steps to ensure recipients provide a comparable standard of protection by:
- Contractual arrangements requiring recipients to protect personal data to a standard comparable to the PDPO (Hong Kong) or PDPA (Singapore);
- Ensuring the recipient is subject to laws or binding schemes providing comparable protection;
- Obtaining your consent to the transfer; or
- Relying on other permitted exceptions under applicable law.
9.4. Transfers from Australia
Australian residents acknowledge that our servers and service providers may be located in jurisdictions that may not be subject to the Australian Privacy Act 1988. By providing your personal data to us and using our Services, you:
- Consent to disclosure of your personal data to overseas recipients in disclosed jurisdictions;
- Acknowledge that we are not required to ensure overseas recipients comply with the Australian Privacy Principles and may not be accountable under the Privacy Act if they handle your information in breach of the APPs. However, we take reasonable steps to ensure that overseas recipients handle personal information in accordance with the Australian Privacy Principles, as required under applicable law; and
- Acknowledge that overseas recipients may not be subject to privacy obligations similar to the APPs and you may not be able to seek redress under the Privacy Act.
- If you do not consent, please contact us before providing your personal data. However, we may be unable to provide certain Services to you without this consent.
- We take reasonable steps to select reputable overseas service providers and to protect your personal data through contractual commitments and appropriate technical and organisational measures.
9.5. Further information
Contact us for information about specific transfer destinations, the safeguards we use, or to obtain copies of relevant transfer mechanisms (see Clause 16.2 for Contact Details).
10. How Long We Keep Your Personal Data
Your personal data is retained only for as long as necessary for the purposes described in this Privacy Policy or as mandated by law.
When deciding how long to retain your data, we consider:
- The type and sensitivity of the data.
- Whether we can achieve our purposes in alternative ways.
- Legal, regulatory, tax and accounting requirements.
- The risk of harm from unauthorised use or disclosure.
Typical retention periods are:
- Account and identity data: for the duration of your account and up to seven (7) years after closure, to deal with queries, disputes, legal claims, accounting and tax requirements.
- KYC and verification data: for the duration of your account and as required by AML and financial regulations, which could be several years.
- Trading and performance data: while necessary to provide our services, assess your eligibility for programmes and to maintain a record of rule compliance, and for up to five years after account closure. Some data may be kept longer in aggregated or anonymised form.
- Financial and transaction data: at least seven years from the date of the transaction, as required by tax and accounting laws.
- Communication records: usually three years from the date of the communication, unless needed longer for disputes or legal claims.
- Marketing data: while you continue to receive marketing from us or until you opt out. We may keep a record of your opt out to ensure your preference is respected.
- Technical and usage data: normally for up to twelve months from collection, unless we need it longer for security, fraud prevention or legal reasons.
When data is no longer needed, we will delete it or anonymise it so that it can no longer be linked to you.
11. Data Breach Notification
11.1. A personal data breach is a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
11.2. Technical and Organizational Security Measures
We implement appropriate security measures including:
- Encryption of personal data in transit (TLS 1.2 or higher) and at rest (AES-256);
- Regular security testing and vulnerability assessments;
- Access controls based on the principle of least privilege;
- Multi-factor authentication for administrative access;
- Regular staff training on data protection and security;
- Incident response procedures and business continuity planning;
- Pseudonymization where appropriate;
- Regular review of the effectiveness of security measures.
11.3. Notification to Authorities
While we implement stringent security measures to industry standards to protect your personal data, we cannot guarantee 100% security. Where a breach poses a risk to individuals’ rights and freedoms, we will notify the relevant supervisory authority within the following timeframes:
Jurisdiction | Timeline | Authority |
EEA | 72 hours | Lead supervisory authority |
UK | 72 hours | Information Commissioner’s Office |
Singapore | 3 calendar days after assessment | Personal Data Protection Commission |
Australia | As soon as practicable | Office of the Australian Information Commissioner |
Hong Kong | Voluntary, following best practice | Office of the Privacy Commissioner for Personal Data |
11.4. Notification to Individuals
We will notify you directly if a breach is likely to result in high risk (EEA/UK), significant harm (Singapore), or serious harm (Australia) to you. Such notification will describe the nature of the breach, likely consequences, measures taken, and how to contact us.
11.5. Exceptions
Notification to individuals may not be required where we have applied measures (such as encryption) rendering the data unintelligible, have taken steps ensuring the risk is no longer likely to materialise, or where notification would involve disproportionate effort (in which case we will make a public communication).
11.6. Your Responsibilities
If you believe your account credentials have been compromised or suspect unauthorised access to your personal data, please contact us immediately (see Clause 16.2 for Contact Details).
12. Your Privacy Rights
In many countries, including the European Economic Area, the United Kingdom, Singapore and Australia, you may have the following rights in relation to your personal data:
12.1. Right of Access
You may request confirmation of whether we process your personal data and obtain a copy, along with information about how we use it. California residents may request disclosure of personal information collected in the preceding 12 months, including categories, sources, purposes and third parties with whom it is shared.
12.2. Right to Correction
You may request correction of inaccurate or incomplete personal data.
12.3. Right to Deletion
You may request deletion of your personal data where it is no longer needed, you withdraw consent (and no other lawful basis applies), or as otherwise required by law. We may retain data where necessary to complete a transaction, detect fraud, comply with legal obligations or for other permitted purposes.
12.4. Right to Restrict Processing
You may request that we restrict processing of your data in certain circumstances, such as while we verify its accuracy or consider an objection (EEA/UK).
12.5. Right to Data Portability
You may request to receive certain personal data in a structured, commonly used, machine-readable format and request transfer to another controller, where technically feasible and where the legal conditions are met (EEA/UK/Singapore).
12.6. Right to Object
You may object to processing based on our legitimate interests, including profiling. We will stop unless we have compelling lawful grounds or need to continue for legal claims. You may object to direct marketing at any time and we will stop (EEA/UK).
12.7. Right to Withdraw Consent
Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
Singapore: Withdrawal may affect our ability to provide services to you.
12.8. Right to Opt Out of Sharing (California)
We may share technical and usage data with analytics and advertising partners for cross-context behavioural advertising. You may opt out by adjusting cookie preferences or contacting us.
12.9. Right to Non-Discrimination (California)
We will not discriminate against you for exercising your privacy rights, though we may be unable to provide certain services if we cannot use necessary data.
12.10. Right Not to be Subject to Automated Decision-Making
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where such decision is necessary for entering into or performing a contract with you, is authorised by law, or is based on your explicit consent.
12.11. Authorised Agents (California)
You may authorise an agent to submit requests on your behalf, subject to verification of both you and your agent.
12.12. Jurisdiction Specific Rights
12.12.1. Hong Kong
- For Hong Kong residents, we comply with Hong Kong’s six data protection principles:
○ Purpose and manner of collection: We collect data lawfully and fairly for stated purposes;
○ Accuracy and retention: We take reasonable steps to ensure accuracy and delete data when no longer needed;
○ Use limitation: Personal data will only be used for purposes directly related to original collection purpose or with your consent;
○ Security: We maintain appropriate security measures;
○ Transparency: We maintain policies and practices that are available upon request;
○ Access and correction: You may access and correct your data (reasonable fees may apply).
- We will not use your data for direct marketing without consent. You may opt out of direct marketing at any time, free of charge, by contacting us or by using the unsubscribe mechanism in our marketing communications.
- We will not provide your personal data to any third party for that third party’s own direct marketing purposes unless you have provided your written consent specifically for such transfer.
Hong Kong law does not provide a general right to erasure. Deletion requests will be considered based on retention requirements and legitimate purposes.
12.12.2. Australia
We comply with all 13 Australian Privacy Principles:
- APP 1-2: Open and transparent management; anonymity option where lawful
- APP 3-5: Collection of solicited information only when reasonably necessary
- APP 6-7: Use and disclosure only for collected purpose; no direct marketing without consent. You may opt-out via unsubscribe links in emails, account settings, or by contacting us.
- APP 8-9: Cross-border disclosure with accountability; government identifier restrictions
- APP 10-11: Quality and security of personal information
- APP 12-13: Access and correction rights
You may complain to us and, if unsatisfied, to the Office of the Australian Information Commissioner (“OAIC”).
12.12.3. Singapore
- Consent Types: We rely on explicit consent for sensitive data, deemed consent for reasonably expected uses, and legitimate interests where permitted;
- Accuracy: We make reasonable efforts to ensure personal data is accurate and complete if likely to affect decisions about you or be disclosed to another organization;
- Breach Notification: If there is a notifiable breach under PDPA, we will notify the Personal Data Protection Commission (“PDPC”) as soon as practicable and, in any event, no later than three (3) days and will notify affected individuals where required;
- Retention Limitation: Business contact information may be retained for business purposes without consent;
- Access and Correction: Requests will be processed within 30 days (fees may apply for complex requests);
- If we send marketing messages to Singapore telephone numbers via voice calls, text messages (SMS/MMS), or fax, we will check the relevant Do Not Call Registers maintained by the Personal Data Protection Commission before sending such messages, unless you have given us clear and unambiguous consent or you have an ongoing relationship with us. You can opt out of receiving marketing messages from us at any time by sending a notice to us (see Clause 16.2 for Contact Details).
12.12.4. United States (Including California)
If you are a resident of California, or another U.S. state that has enacted a comprehensive consumer privacy law (such as Virginia, Colorado, Connecticut or Utah), you may have some or all of the following additional rights, subject to the conditions and exceptions in your state’s law. You can exercise these rights using the methods described in Section 12.13.
- Right to opt out of Sharing: We may “share” technical and usage data with analytics and advertising partners. You have the right to opt out of this sharing by adjusting your cookie preferences or contacting us.
- Right to limit use of sensitive personal information: We collect sensitive personal information (specifically government IDs and biometric verification data) solely for the purposes of identity verification, fraud prevention, and security. Because we do not use this data for inferring characteristics about you or for marketing purposes, the “Right to Limit” under the CPRA does not apply to this specific usage.
- Right to non-discrimination: We will not discriminate against you for exercising your California privacy rights, though we may not be able to provide certain services if we cannot use data that is necessary for them.
- Retention: Personal information is retained for the periods or by reference to the criteria described in Clause 10. Once a category of personal information is no longer reasonably necessary for the purposes disclosed to you, we delete it or de-identify it within a reasonable period not exceeding twelve (12) months, unless a longer retention period is required or permitted by law.
- You may authorise an agent to submit a request on your behalf, subject to verification of both you and your agent.
- We do not offer financial incentives or price or service differences in exchange for the retention or sale of your personal information.
- California “Shine the Light” Law: Under California Civil Code Section 1798.83, California residents may request information about the disclosure of personal information to third parties for their direct marketing purposes. We do not disclose your personal information to third parties for their own direct marketing purposes.
- Other U.S. States: If you are resident in Virginia, Colorado, Connecticut, Utah or another U.S. state with a comprehensive consumer privacy law, you may have similar rights (for example, to access, delete or correct your personal information, to opt out of “sales” or targeted advertising, and to appeal certain decisions). We will honour those rights to the extent required by your state’s law. You can exercise them using the same contact methods described in Section 12.13.
12.13. How to Exercise Your Rights
To exercise any of your privacy rights, please contact us (see Clause 16.2 for Contact Details). Please tell us:
- Who you are.
- Which right you wish to exercise.
- What information your request relates to.
We may ask you for additional information to verify your identity and to help us find the data that relates to you. We will respond to your request within the following timeframes:
- EEA and UK: Within one month of receipt, extendable by two additional months for complex requests (we will notify you within the first month if an extension is needed);
- California: Within 45 days of receipt, extendable by an additional 45 days with notice;
- Singapore: As soon as reasonably possible and within 30 days;
- Australia: Within 30 days of receipt (access requests may incur a reasonable fee);
- Hong Kong: Within 40 days of receipt (a reasonable fee may be charged for data access requests).
We will not charge a fee for handling your request unless it is manifestly unfounded or excessive. In that case we may charge a reasonable fee or refuse to act on the request, as permitted by law.
13. Children and Minors
Our services are strictly for adults aged 18 or above. We do not knowingly collect personal data from anyone under 18. We implement age verification procedures during registration. If we discover data from someone under 18, we will promptly delete it and terminate any associated account. Parents/guardians who believe their child has provided personal data should contact us immediately (see Clause 16.2 for Contact Details).
14. Automated Decision Making and Profiling
14.1. We use automated systems to analyse your simulated trading activity and apply programme rules. This includes assessing performance and rule adherence, determining whether profit targets and drawdown limits have been met, detecting suspicious patterns or forbidden trading practices and identifying client clusters and linked accounts.
14.2. Our systems monitor your simulated trading in real time. If a “Hard Breach” is detected (such as exceeding the Maximum Drawdown limit), your account will be automatically deactivated and trading permission revoked. This processing is necessary for performance of our contract with you.
Legal Basis: This automated processing is necessary for the performance of the contract between us (specifically, enforcing the agreed Trading Rules).
14.3. Your Rights
If you are subject to a decision based solely on automated processing that produces legal or similarly significant effects, you have the right to:
● Obtain human intervention;
● Express your point of view; and
● Contest the decision.
These rights apply under the EU and UK GDPR unless the decision is necessary for contract performance, authorised by law, or based on your explicit consent.
14.4. Human Review
If you believe an automated decision was made in error, contact us with relevant details. We will acknowledge your request within 7 days, conduct a review within a reasonable timeframe, and inform you of the outcome and reasons.
14.5. Right to Object to Profiling
You may object at any time to profiling based on our legitimate interests. We will cease such profiling unless we demonstrate compelling legitimate grounds or need to continue for legal claims. You may always contact us to object to profiling for direct marketing purposes, and we will stop.
14.6. Safeguards
We implement appropriate safeguards including regular testing and review of automated systems, the ability to request human review, and clear information about the logic, significance and consequences of such processing (as provided in this Privacy Policy and the Trading Rules Document).
15. Third Party Links and Services
Our website and dashboard may contain links to websites, tools or services operated by third parties, such as brokers, charting tools, news sites or social platforms. We are not responsible for these third party sites or their privacy practices. If you follow a link to any of these sites, their own privacy policies will apply. We encourage you to read those policies before you provide any personal data to them. The inclusion of a link to a third party website does not mean that we endorse that website or its content.
16. Contact Details
16.1. FYFX Capital Limited Unit 2A, 17/F Glenealy Tower, No.1 Glenealy Central, Hong Kong
Email for general support: support@fundyourfx.io
Email for general enquiries: info@fundyourfx.io
Website: www.fundyourfx.io
We will respond to your request free of charge within the time frame required by applicable laws and regulations.
16.2. Representative and Data Protection Officer:
If you have any issues relating to our Website or your personal data, please contact our Representative and Data Protection Officer:
Jasjit Gill
Unit 2A, 17/F Glenealy Tower, No.1 Glenealy Central, Hong Kong
legal@fundyourfx.io
You may contact our Representative and Data Protection Officer for any matters relating to the processing of your personal data.
If we are required to appoint a data protection officer or local representative for any region, we will amend these Terms accordingly.
If you are not satisfied with our response, you may have the right to complain to your local data protection authority or privacy regulator. Examples include:
- European Economic Area: Your local data protection authority in your Member State.
- United Kingdom: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom, www.ico.org.uk.
- Hong Kong: Office of the Privacy Commissioner for Personal Data, 12 F, Sunlight Tower, 248 Queen’s Road East, Wanchai, Hong Kong, www.pcpd.org.hk.
- Singapore: Personal Data Protection Commission, 10 Pasir Panjang Road, Mapletree Business City, Singapore 117438, www.pdpc.gov.sg.
- Australia: Office of the Australian Information Commissioner, GPO Box 5218, Sydney NSW 2001, Australia, www.oaic.gov.au.
- California: You may contact the California Attorney General or another relevant authority.
We are committed to working with you and regulators to resolve any privacy concerns in a fair and lawful way.



