Data Protection Policy

1. Introduction

ZenGuard Markets Ltd ("we", "us", "our") is committed to protecting the privacy and security of personal data. This Data Protection Policy explains how we collect, use, store, and protect your personal information when you use our trading platform, website, and related services. It applies to all individuals whose personal data we process, including clients, prospective clients, website visitors, and business contacts.

This policy should be read in conjunction with our Privacy Policy, which provides additional information about our data practices. We process personal data in accordance with applicable data protection laws and regulations, and we are committed to transparency and accountability in our handling of your information.

2. Data Controller

ZenGuard Markets Ltd is the data controller in respect of the personal data we collect and process. This means that we determine the purposes and means of the processing of your personal data. We are registered with the Information Commissioner's Office (ICO) in the United Kingdom where required by law.

Our registered address is 1 Canada Square, Canary Wharf, London E14 5AB, United Kingdom. If you have any questions about how we process your personal data or wish to exercise your data protection rights, you may contact us using the details provided in the Contact section of this policy.

3. Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection compliance and acting as a point of contact for data subjects and supervisory authorities. The DPO monitors our compliance with data protection laws, advises on data protection impact assessments, and cooperates with supervisory authorities.

You may contact our Data Protection Officer at privacy@zenguardmarkets.com or by writing to: Data Protection Officer, ZenGuard Markets Ltd, 1 Canada Square, Canary Wharf, London E14 5AB, United Kingdom. The DPO will respond to your inquiries without undue delay and in any event within one month.

4. Legal Framework

We process personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). For clients and data subjects in the European Economic Area, we also comply with the EU General Data Protection Regulation (EU GDPR) where applicable.

For California residents, we comply with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including provisions relating to the right to know, right to delete, right to opt-out of sale, and right to non-discrimination. We do not sell personal information as defined under the CCPA. We also comply with other applicable data protection laws in the jurisdictions where we operate.

5. Data Processing Principles

We process personal data in accordance with the following principles: Lawfulness, fairness, and transparency. We process personal data lawfully, fairly, and in a transparent manner. Purpose limitation. We collect personal data only for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes. Data minimisation. We collect only the personal data that is necessary for the purposes for which it is processed. Accuracy. We take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date.

Storage limitation. We retain personal data only for as long as necessary for the purposes for which it was collected. Integrity and confidentiality. We process personal data in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage. Accountability. We are responsible for and able to demonstrate compliance with these principles.

6. Lawful Basis for Processing

We process personal data only where we have a lawful basis to do so. The lawful bases we rely on include: Contract performance. Where processing is necessary for the performance of a contract to which you are a party, such as providing our trading services. Legal obligation. Where processing is necessary for compliance with a legal obligation to which we are subject, including anti-money laundering, tax, and regulatory requirements.

Legitimate interests. Where processing is necessary for our legitimate interests or those of a third party, provided that your interests or fundamental rights do not override those interests. Consent. Where you have given clear consent for us to process your personal data for a specific purpose. You may withdraw consent at any time where we rely on consent as the lawful basis. Vital interests. Where processing is necessary to protect your vital interests or those of another person.

7. Data Subject Rights

Under the UK GDPR and applicable data protection laws, you have the following rights in relation to your personal data: Right of access. You have the right to obtain confirmation as to whether we process your personal data and to access that data. We will provide a copy of your personal data free of charge, subject to certain exceptions. Right to rectification. You have the right to have inaccurate personal data corrected and incomplete data completed.

Right to erasure. You have the right to request the deletion of your personal data in certain circumstances, such as where the data is no longer necessary, you withdraw consent, or the data has been unlawfully processed. Right to data portability. You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller where technically feasible. Right to restriction. You have the right to request that we restrict the processing of your personal data in certain circumstances. Right to object. You have the right to object to processing based on legitimate interests or for direct marketing purposes. To exercise any of these rights, please contact our Data Protection Officer. We will respond within one month. You also have the right to lodge a complaint with a supervisory authority.

8. International Transfers

We may transfer your personal data to countries outside the United Kingdom or the European Economic Area. Where we do so, we ensure that appropriate safeguards are in place to protect your data in accordance with applicable data protection laws. Such safeguards may include adequacy decisions by the relevant authorities, standard contractual clauses approved by the European Commission or ICO, binding corporate rules, or other approved transfer mechanisms.

Our primary systems and data storage are located within the UK and EEA. Where we use service providers in other jurisdictions, we conduct due diligence and ensure that contractual protections are in place. You may request further information about the safeguards we use for international transfers by contacting our Data Protection Officer.

9. Data Breach Procedures

We have implemented procedures to detect, report, and investigate personal data breaches. In the event of a breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay.

Our breach response procedures include containment and assessment, notification to authorities and affected individuals where required, documentation of the breach and our response, and review to prevent recurrence. We maintain an incident response team and conduct regular training to ensure our staff are prepared to respond appropriately to data security incidents.

10. Data Protection Impact Assessments

Where a type of processing is likely to result in a high risk to the rights and freedoms of individuals, we conduct a Data Protection Impact Assessment (DPIA) before commencing the processing. A DPIA describes the processing, assesses necessity and proportionality, identifies risks to individuals, and sets out measures to address those risks.

We conduct DPIAs for new products or services that involve large-scale processing of sensitive data, systematic monitoring, or processing that could result in significant effects on individuals. The results of our DPIAs are reviewed by our Data Protection Officer and, where appropriate, we consult with the supervisory authority before proceeding with high-risk processing.

11. Third-Party Processors

We may engage third-party service providers to process personal data on our behalf. Such processors act only on our instructions and are contractually bound to implement appropriate technical and organisational measures to protect your data. We conduct due diligence on our processors and ensure that our contracts include the data protection provisions required by applicable law.

Our processors may include cloud hosting providers, payment processors, customer relationship management systems, analytics providers, and communication services. We maintain a register of our processors and review our processor relationships regularly. We do not permit our processors to use your data for their own purposes.

12. Retention Periods

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, regulatory, accounting, or reporting requirements. Retention periods vary depending on the type of data and the purpose of processing. Client account data is typically retained for seven years after the closure of the account to comply with regulatory requirements. Transaction records are retained for at least five years as required by financial services regulation.

Marketing and communication data may be retained until you unsubscribe or withdraw consent. Technical logs and security data may be retained for shorter periods. At the end of the retention period, we securely delete or anonymise your personal data. You may request information about our retention periods for specific categories of data by contacting our Data Protection Officer.

13. Automated Decision-Making

We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you, except where such processing is necessary for entering into or performing a contract, is authorised by law, or is based on your explicit consent. Where we use automated systems for fraud detection, credit assessment, or similar purposes, we implement appropriate safeguards, including human review where appropriate.

If you believe that a decision affecting you has been made solely by automated means and you wish to challenge it, please contact our Data Protection Officer. We will review your request and, where applicable, provide you with the right to obtain human intervention, express your point of view, and contest the decision.

14. Children

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact our Data Protection Officer. We will take steps to delete such information from our systems promptly.

In the context of financial services, we are required to verify that our clients are of legal age to enter into binding contracts. Our account opening procedures include age verification as part of our know-your-customer requirements.

15. Complaints

If you have a concern about how we have handled your personal data, we encourage you to contact our Data Protection Officer in the first instance. We will investigate your concern and respond to you within a reasonable timeframe. We are committed to resolving any data protection complaints fairly and promptly.

You also have the right to lodge a complaint with a supervisory authority. In the United Kingdom, the supervisory authority is the Information Commissioner's Office (ICO), which can be contacted at ico.org.uk or by telephone at 0303 123 1113. If you are in the European Economic Area, you may lodge a complaint with the supervisory authority in your country of residence.

16. Contact

If you have any questions about this Data Protection Policy or wish to exercise your data protection rights, please contact us:

ZenGuard Markets Ltd Data Protection Officer Email: privacy@zenguardmarkets.com Address: 1 Canada Square, Canary Wharf, London E14 5AB, United Kingdom

For general inquiries, you may contact our client support team at support@zenguardmarkets.com. We aim to respond to all data protection inquiries within one month.