Privacy Policy FxRex.pro
This comprehensive Privacy Policy outlines how FxRex.pro collects, processes, stores, and protects your personal data in compliance with international data protection regulations and financial industry standards.
1 Introduction & Scope
FxRex.pro ("we," "our," "us") operates the forex trading platform and related services accessible via https://fxrex.pro. We are committed to protecting your privacy and handling your personal data with transparency and security.
Scope of Application
This Privacy Policy applies to all personal data collected through our website, mobile applications, API integrations, customer support channels, marketing activities, and any interaction with our services globally.
1.1. Legal Framework & Compliance
Our data processing activities comply with:
- General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679
- California Consumer Privacy Act (CCPA) and CPRA
- UK Data Protection Act 2018 and UK GDPR
- Financial Conduct Authority (FCA) data protection requirements
- Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations
- Other applicable national and international data protection laws
Legal References
GDPR Article 4(1) - Definitions; CCPA §1798.100 - Consumer rights; FCA Handbook SYSC 3.2 - Systems and controls; Fifth Money Laundering Directive (5MLD) - Enhanced due diligence.
2 Data Controller Information
Data Controller Details
Registered in England and Wales
Company Number: 14528743
VAT Number: GB 425 6789 01
Level 5, 123 Finance Street
London, EC2A 4NE
United Kingdom
2.1. Joint Controllers & Representatives
In certain processing activities, we act as joint controllers with our partner brokers. We have established clear agreements outlining respective responsibilities in compliance with GDPR Article 26.
EU Representative
For GDPR compliance, our EU representative is:
DataProtect EU GmbH
Friedrichstraße 95, 10117 Berlin, Germany
Email: eu-representative@fxrex.pro
3 Definitions & Key Terms
4 Detailed Data Collection Categories
4.1. Registration & Account Data
| Data Category | Specific Elements | Purpose | Legal Basis |
|---|---|---|---|
| Identity Information | Full name, date of birth, nationality, photograph | Account creation, KYC verification | Contract, Legal obligation |
| Contact Details | Email, phone, address, emergency contact | Communication, service delivery | Contract |
| Financial Information | Bank accounts, payment cards, tax ID, source of funds | Transaction processing, AML compliance | Contract, Legal obligation |
| Employment Information | Occupation, employer, annual income, net worth | Suitability assessment, risk profiling | Legal obligation (MiFID II) |
4.2. Trading & Transaction Data
- Trading Activity: Positions opened/closed, instruments traded, order history, execution prices
- Account Performance: Balance, equity, margin, profit/loss, drawdown statistics
- Platform Usage: Login times, session duration, features used, click patterns
- Technical Data: IP addresses, device fingerprints, browser details, operating system
- Communication Records: Support tickets, chat logs, email correspondence, call recordings
4.3. Automated & Derived Data
We generate and process derived data including:
- Risk Profile: Calculated risk score based on trading behavior
- Trading Patterns: Analysis of trading strategies and preferences
- Market Analysis: Correlation of your activity with market conditions
- Predictive Analytics: Models to personalize services and detect anomalies
Sensitive Data Notice
We do not intentionally collect Special Category Data unless required by law (e.g., politically exposed persons screening). If such data is inadvertently collected, it is processed with enhanced protections.
5 Purposes & Legal Bases for Processing
5.1. Primary Purposes
| Processing Purpose | Data Categories | Legal Basis | Retention Period |
|---|---|---|---|
| Account Management | Identity, Contact, Profile | Contract (Art. 6(1)(b) GDPR) | 7 years post-closure |
| KYC/AML Compliance | Identity, Financial, Employment | Legal obligation (Art. 6(1)(c)) | 10 years (regulatory) |
| Trade Execution | Trading, Financial, Technical | Contract, Legal obligation | 7 years |
| Risk Management | Trading, Financial, Derived | Legitimate interest (Art. 6(1)(f)) | 5 years |
| Marketing & Analytics | Usage, Profile, Technical | Consent (Art. 6(1)(a)) | 3 years post-consent |
| Fraud Prevention | All categories as needed | Legitimate interest, Legal obligation | 7 years |
5.2. Legitimate Interests Assessment
Where we rely on legitimate interests, we have conducted a Legitimate Interests Assessment (LIA) considering:
- Purpose test: Is there a legitimate interest behind the processing?
- Necessity test: Is the processing necessary for that purpose?
- Balancing test: Do our interests override your interests or fundamental rights?
Examples of Legitimate Interests
• Fraud prevention and network security
• Direct marketing (with opt-out rights)
• Reporting criminal acts to authorities
• Internal administrative purposes
• Service improvement and innovation
6 Data Sharing & International Transfers
6.1. Categories of Recipients
| Recipient Category | Purpose of Sharing | Data Shared | Safeguards |
|---|---|---|---|
| Partner Brokers | Account opening, trade execution | Identity, Financial, KYC | Data Processing Agreements |
| Payment Processors | Deposit/withdrawal processing | Financial, Contact | PCI-DSS compliance |
| Cloud Providers | Data hosting, infrastructure | All data (encrypted) | ISO 27001, SCCs |
| Analytics Providers | Service improvement, analytics | Anonymized, aggregated | Data minimization |
| Regulatory Authorities | Legal compliance, investigations | As required by law | Legal obligation |
6.2. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including:
- United Kingdom: Adequacy decision from EU Commission
- United States: Using Standard Contractual Clauses (SCCs)
- Other jurisdictions: With appropriate safeguards as per GDPR Chapter V
Transfer Mechanisms
We use GDPR-approved transfer mechanisms including:
• Standard Contractual Clauses (SCCs)
• Binding Corporate Rules (BCRs)
• Derogations for specific situations (e.g., explicit consent)
• UK International Data Transfer Agreement (IDTA)
6.3. Sub-processors
We maintain an updated list of sub-processors available upon request. Key sub-processors include:
- AWS - Cloud infrastructure (USA/Ireland)
- Stripe - Payment processing (USA)
- Twilio - Communications (USA)
- Google Analytics - Web analytics (USA)
- Intercom - Customer support (USA)
7 Data Security & Protection Measures
7.1. Technical Security Measures
- Encryption: AES-256 encryption at rest, TLS 1.3+ for data in transit
- Access Controls: Role-based access, multi-factor authentication, privileged access management
- Network Security: Next-generation firewalls, DDoS protection, intrusion detection/prevention systems
- Endpoint Security: Device encryption, mobile device management, endpoint detection and response
- Application Security: Secure SDLC, vulnerability scanning, penetration testing, code reviews
7.2. Organisational Security Measures
- Security Policies: Comprehensive information security management system (ISMS)
- Employee Training: Annual security awareness training, phishing simulations
- Incident Response: Documented incident response plan, regular drills
- Business Continuity: Disaster recovery plans, regular backups, redundancy
- Third-party Risk Management: Vendor security assessments, contractual obligations
Security Certifications
Our security practices align with:
• ISO 27001:2022 Information Security Management
• SOC 2 Type II compliance
• PCI DSS Level 1 for payment processing
• NIST Cybersecurity Framework
7.3. Data Breach Response
In the event of a personal data breach, we will:
- Notify the supervisory authority within 72 hours where required
- Communicate with affected individuals without undue delay
- Document all breaches, regardless of notification requirement
- Take immediate steps to contain and remediate the breach
- Conduct post-incident review and implement improvements
8 Data Retention & Deletion Policy
8.1. Retention Schedule
| Data Category | Retention Period | Legal/Regulatory Basis | Deletion Method |
|---|---|---|---|
| Account Registration Data | 7 years after account closure | FCA record-keeping requirements | Secure erasure |
| Financial Transactions | 10 years after transaction | Money Laundering Regulations | Secure erasure |
| KYC/AML Documents | 10 years after relationship ends | 5MLD, JMLSG Guidance | Physical destruction/Secure deletion |
| Marketing Data | 3 years after last interaction | GDPR principle of storage limitation | Anonymization |
| Support Communications | 6 years after resolution | Limitation Act 1980 | Secure erasure |
| System Logs | 1 year | Operational necessity | Automated deletion |
8.2. Data Minimization & Storage Limitation
We adhere to the principles of data minimization and storage limitation by:
- Collecting only data necessary for specified purposes
- Regularly reviewing retained data for continued necessity
- Anonymizing data where possible for statistical purposes
- Implementing automated data lifecycle management
- Conducting annual data retention audits
Right to Deletion Exception
Your right to erasure may be limited where we have legal obligations to retain data (e.g., financial regulations, tax laws, legal proceedings). In such cases, we will restrict processing instead of deletion.
9 Your Data Protection Rights
9.1. Comprehensive Rights Overview
| Right | GDPR Article | Description |
|---|---|---|
| Right of Access | Article 15 | Obtain confirmation of processing and access to your personal data. |
| Right to Rectification | Article 16 | Request correction of inaccurate or incomplete personal data. |
| Right to Erasure | Article 17 | Request deletion of personal data under specific conditions. |
| Right to Restrict | Article 18 | Request restriction of processing in certain circumstances. |
| Data Portability | Article 20 | Receive your data in a structured, commonly used format. |
| Right to Object | Article 21 | Object to processing based on legitimate interests. |
9.2. How to Exercise Your Rights
To exercise your rights, please:
- Submit a verifiable request via our Data Subject Request Portal
- Email us at privacy@fxrex.pro
- Contact our DPO directly at dpo@fxrex.pro
Response Timeline
We respond to all valid requests within 30 calendar days. Complex requests may take up to 90 days, but we will inform you within 30 days if an extension is needed.
9.3. Identity Verification
To protect your data, we verify your identity before processing rights requests. We may request:
- Government-issued photo ID
- Recent proof of address
- Account-specific verification questions
- Two-factor authentication confirmation
10 Cookies & Tracking Technologies
10.1. Detailed Cookie Classification
| Cookie Category | Purpose | Examples | Duration | Essential |
|---|---|---|---|---|
| Strictly Necessary | Website functionality, security | Session cookies, CSRF tokens | Session | Yes |
| Performance | Analytics, performance monitoring | Google Analytics, Hotjar | 2 years | No |
| Functional | Remember preferences | Language, theme settings | 1 year | No |
| Targeting/Advertising | Personalized advertising | Facebook Pixel, Google Ads | 2 years | No |
10.2. Cookie Management
You can manage cookies through:
- Our Cookie Preference Center (accessible via website footer)
- Browser settings (Chrome, Firefox, Safari, Edge)
- Industry opt-out platforms:
  - Your Online Choices (EU)
  - Digital Advertising Alliance (USA)
  - Ad Choices (Canada)
Consent Management
We use a consent management platform that records your preferences, provides granular control, and automatically renews consent requests annually or when purposes change significantly.
11 Children's Privacy
Our services are not directed to individuals under the age of 18 ("minors"). We do not knowingly collect personal data from minors.
Age Verification
During registration, we verify age through date of birth confirmation and may request additional verification if age is in question. If we learn that we have collected personal data from a minor, we will take steps to delete that information promptly.
11.1. Parental Controls
Parents or guardians who believe their child has provided us with personal data may contact us to request deletion. We will require verification of parental relationship before processing such requests.
12 Policy Updates & Contact Information
12.1. Policy Version History
• Added detailed data processing purposes table
• Enhanced security measures description
• Updated international transfer mechanisms
• Expanded user rights section with practical guidance
• Comprehensive GDPR compliance updates
• Added Data Processing Agreement references
• Enhanced data subject rights procedures
• Updated contact information and DPO details
12.2. Notification of Changes
We will notify you of material changes to this Privacy Policy by:
- Email notification to registered users 30 days before changes take effect
- Prominent notice on our website for 30 days
- In-app notifications for active users
- Updated "Last Updated" date on this page
12.3. Contact Information
Response time: 5 business days
Supervisory authority: Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk | Phone: 0303 123 1113
Questions About This Policy?
We are committed to transparency about our data practices. If you have questions not covered here, please contact our Data Protection Officer.