Legal

Privacy Policy

Updated: 11 June 2026

How I-Trade collects, uses and protects your personal data.

This Privacy Policy (the "Policy") describes what personal data is collected by ITRADE ENTERPRISE LTD ("I-Trade", "we"), a company registered in England and Wales, Company No. 09038312, registered office: 22 Kingsley Close, Birkenshaw, Bradford, West Yorkshire, United Kingdom, BD11 2NH, on what legal bases that data is processed, and what rights you hold. The Policy applies to the i-trade.io website, mobile applications, and all platform services provided under the I-Trade brand.

Personal data processing is carried out in accordance with the UK GDPR and the Data Protection Act 2018, and, in respect of clients from the European Economic Area (EEA), also in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, GDPR). Services are provided in accordance with the applicable law of the jurisdictions in which the Platform operates.

1. Data Controller and Contact Details

The controller of your personal data is ITRADE ENTERPRISE LTD. A Data Protection Officer has been appointed; they may be contacted at [email protected]. For legal enquiries, please contact [email protected], for service enquiries — [email protected]. Responses to data subject requests are provided within one month of receipt.

2. Data We Collect

  • Identification data — full name, date of birth, nationality, identity document details, and photograph for verification matching. Biometric verification is carried out only with your explicit consent or in cases expressly provided for by applicable law.
  • Contact details — email address, phone number, residential address, country of tax residence, tax identification number (TIN).
  • Financial data — bank account details, deposit and withdrawal history, transaction log, portfolio composition, strategy and risk-limit settings, and results of appropriateness and suitability assessments.
  • KYC/AML Data — source of funds, politically exposed person (PEP) status, results of sanctions list checks.
  • Technical data — IP address, device and browser type, session identifiers, security logs, application crash data.
  • Interaction Data — support requests, chat records, interface and language preferences, and details of consents given, including cookie consents.

3. Legal Bases for Processing

  • Contract performance (Art. 6(1)(b) UK GDPR / GDPR) — opening and maintaining your Account, executing orders, operating algorithmic strategies, processing withdrawals.
  • Legal obligation (Art. 6(1)(c) UK GDPR / GDPR) — KYC/AML verification under applicable anti-money laundering legislation (including the Money Laundering Regulations 2017 in the United Kingdom and applicable EU rules for EEA clients), tax reporting, record-keeping, and responding to lawful requests from competent authorities.
  • Legitimate Interest (Art. 6(1)(f) UK GDPR / GDPR) — fraud prevention, infrastructure security, protection of legal claims, and aggregated product analytics.
  • Consent (Art. 6(1)(a) UK GDPR / GDPR) — analytics cookies, marketing communications. Consent may be withdrawn at any time without affecting the provision of services.
  • Explicit Consent for Special Category Data (Art. 9(2)(a) UK GDPR / GDPR) — biometric data processed during remote identity verification, where no other lawful basis applies.

4. Purposes of Processing

  • Identity verification and compliance with KYC/AML requirements — prior to account opening and periodically throughout the course of the relationship.
  • Execution of your selected strategies: algorithms process portfolio composition and limits but do not access identification data — the trading engine operates with pseudonymised account identifiers.
  • Detection of suspicious activity: automated systems analyse login and transaction patterns; blocking decisions are always confirmed by a staff member.
  • Product improvement: analytics are built on aggregated and anonymised data from which no individual can be identified.
  • Notifications of material changes to terms, fees and risks are service messages that cannot be unsubscribed from while the agreement is in force.

5. Data Recipients

We share data only with categories of recipients without whom the service would be legally or technically impossible to provide:

  • Credit Institutions and Payment Institutions — processing of deposits and withdrawals.
  • Exchanges and Execution Venues — order routing (only anonymised trade orders are transmitted).
  • KYC/AML Verification Providers — document and biometric verification at onboarding, sanctions list screening.
  • Cloud and Hosting Providers — infrastructure hosted in data centres located in the United Kingdom and the EEA.
  • Auditors and Professional Advisers — to the extent necessary for the provision of their services and compliance with applicable law.
  • Supervisory and Law Enforcement Authorities — to the extent required by applicable law.

We do not sell personal data and do not transfer it to advertising networks. All processors are bound by data processing agreements (DPAs) in accordance with Art. 28 UK GDPR / GDPR.

6. International Data Transfers

Data is stored and processed primarily in data centres located in the United Kingdom and the EEA. Transfers of data between the United Kingdom and the EEA are carried out on the basis of applicable adequacy decisions.

For transfers of data to other countries, we apply the mechanisms prescribed by law: for transfers from the United Kingdom — the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses; for transfers from the EEA — EU Standard Contractual Clauses (SCC) or European Commission adequacy decisions. Where necessary, additional technical and organisational safeguards are applied.

7. Retention Periods

  • Account data, KYC/AML documentation, and the transaction log — for the duration of the Agreement and 5 years following the termination of the relationship (under anti-money laundering legislation requirements; the retention period may be extended to 10 years upon a lawful request from a competent authority).
  • Records of order-related communications — 5 years, in accordance with the requirements of applicable financial services legislation.
  • Technical logs and security journals — no longer than 12 months.
  • Data from unconfirmed registrations — 30 days.
  • Marketing consents — until withdrawn.

Upon expiry of retention periods, data is irreversibly deleted or anonymised.

8. Your Rights

  • Access (Art. 15 UK GDPR / GDPR) — to request a copy of all personal data we hold about you and information about how it is processed.
  • Correction (Art. 16) — correct inaccurate data or complete incomplete records.
  • Deletion (Art. 17) — request erasure of data for which there is no lawful basis for retention.
  • Restriction of processing (Art. 18) — restrict processing for the duration of a dispute regarding its lawfulness.
  • Portability (Art. 20) — to receive your data in a machine-readable format (CSV/JSON) or to have it transmitted to another controller.
  • Objection (Art. 21) — to object to processing based on legitimate interests, and absolutely to object to direct marketing.
  • Withdrawal of consent — at any time via your profile settings or by writing to [email protected]; withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

Requests are fulfilled free of charge within one month; for complex requests the period may be extended by a further two months, with notification to you of the reasons for the extension.

9. Complaints to Supervisory Authorities

If you believe your rights have been infringed, you have the right to lodge a complaint with the United Kingdom's data protection supervisory authority — the Information Commissioner's Office (ICO, ico.org.uk). If you reside in an EEA country, you also have the right to approach the data protection authority of your country of residence. Lodging a complaint does not prejudice any other legal remedies available to you.

10. Automated Decision-Making

Algorithmic trading strategies execute the mandate that you yourself specify when activating a strategy: you set the parameters and limits and may alter them or deactivate the strategy at any time. Such processing is carried out for the performance of the Agreement and does not constitute a decision based solely on automated processing that produces legal or similarly significant effects within the meaning of Art. 22 UK GDPR / GDPR.

Automated AML and anti-fraud checks may temporarily suspend a transaction; in such cases the final decision is taken by a member of staff. You have the right to express your view, request human intervention, and contest the decision by contacting [email protected].

11. Cookies

Information about which cookies and similar technologies we use, for what purposes, and how to manage consent is set out in the Cookie Policy. Analytics and marketing cookies are set only with your consent.

12. Security

We apply encryption in transit (TLS 1.3) and at rest (AES-256), environment segregation, the principle of least privilege, mandatory two-factor authentication for staff, regular penetration tests, and a bug bounty programme. We notify the supervisory authority of personal data breaches within 72 hours, and notify you without undue delay where a breach is likely to result in a high risk to your rights (Arts. 33–34 UK GDPR / GDPR).

13. Data of Minors

The service is intended for individuals aged 18 and over. We deliberately do not collect data from minors; any accounts identified as belonging to minors are closed and their data deleted.

14. Policy Changes and Effective Date

The current version is always published on this page. We will notify you of material changes by email and within the account portal no less than 14 days before they take effect. Continued use of the service after that date constitutes acknowledgement of the updated version.

This version of the Policy comes into force on 11 June 2026. The terms of use of the Platform are set out in the Terms of Use.