1. Introduction
Proxy.forex Ltd. ("Proxy.forex", "we", "us", or "our") is committed to protecting the privacy and security of personal data processed through our forex and CFD trading platform. This Privacy Policy explains how we collect, use, store, disclose, and safeguard information when you access our services, website, client portal, or APIs.
Proxy.forex Ltd. is registered in Malta (Company Registration No. C 98210) with its registered office at Level 3, Quantum House, 75 Abate Rigord Street, Ta' Xbiex XBX 1120, Malta. We operate as a data controller under the General Data Protection Regulation (GDPR) (EU Regulation 2016/679), the Malta Data Protection Act (Chapter 586 of the Laws of Malta), and all other applicable data protection laws across the jurisdictions in which we operate.
This policy applies to all individuals whose personal data we process in connection with our trading services, including traders, clients, prospective clients, and website visitors.
By using our services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, you must discontinue use of our services immediately.
2. Data We Collect
We collect and process the following categories of personal data in connection with the provision of our forex and CFD trading services:
Identity Data: Full legal name, date of birth, nationality, government-issued identification documents (passport, national ID, driving licence), photographs, and proof of address documentation. For corporate clients, this includes director and ultimate beneficial owner (UBO) details as required under the Fourth and Fifth EU Anti-Money Laundering Directives.
Contact Data: Email addresses, telephone numbers, postal addresses, and business addresses of clients and authorised contacts.
Financial Data: Bank account details, payment card data (processed in PCI DSS Level 1 compliant environments), transaction histories, settlement records, chargeback and dispute records, and rolling reserve balances. This includes deposit and withdrawal amounts, payment method preferences, and currency conversion records.
KYC and Compliance Data: Source of funds documentation, source of wealth declarations, enhanced due diligence (EDD) documentation, politically exposed person (PEP) screening results, sanctions screening records, and adverse media monitoring outputs.
Technical Data: IP addresses, browser type and version, device identifiers, operating system, geolocation data (at the country level), referral URLs, session identifiers, and login timestamps.
Usage Data: Dashboard interactions, API call logs, payment page customisation preferences, report generation activity, and feature utilisation metrics.
Trading Activity Data: We process trading activity data including account funding frequency, deposit-to-withdrawal ratios, and instrument categories traded. This data is used for risk management, compliance, and improving our services.
3. How We Use Your Data
We process personal data for the following purposes, each supported by a lawful basis under Article 6 of the GDPR:
Payment Processing: To facilitate deposits, withdrawals, and currency conversions for your trading account. Lawful basis: performance of contract (Article 6(1)(b)).
KYC, AML, and Regulatory Compliance: To conduct customer due diligence, verify identity, screen against sanctions lists (OFAC, EU, UN, HMT), detect and prevent money laundering and terrorist financing, and fulfil reporting obligations to the Malta Financial Intelligence Analysis Unit (FIAU), CySEC, FCA, ASIC, and other competent authorities. Lawful basis: legal obligation (Article 6(1)(c)).
Fraud Prevention and Risk Management: To operate our AI-powered fraud detection systems, monitor transaction patterns for anomalies, assess chargeback risk, and maintain the integrity of our payment platform. Lawful basis: legitimate interest (Article 6(1)(f)).
Service Delivery and Support: To provide technical support, maintain your trading account, process your enquiries, and deliver platform updates. Lawful basis: performance of contract (Article 6(1)(b)).
Analytics and Service Improvement: To analyse aggregate usage patterns, improve trading services, enhance approval rates, and develop new features for our platform. Lawful basis: legitimate interest (Article 6(1)(f)).
Communications: To send essential service communications including transaction confirmations, settlement notifications, compliance alerts, and security notices. Where you have opted in, to send product updates and industry insights relevant to forex payment processing. Lawful basis: consent or legitimate interest (Article 6(1)(a) or (f)).
4. Data Sharing and Disclosure
We may share personal data with the following categories of recipients, each bound by contractual obligations to protect data confidentiality:
Payment Partners: To process card payments, bank transfers, and alternative payment methods, we share necessary transaction data with our acquiring bank partners, card networks (Visa, Mastercard, JCB, UnionPay), e-wallet providers (Skrill, Neteller, FasaPay), cryptocurrency processors, and local bank transfer networks in accordance with payment scheme rules and PSD2 requirements.
KYC and Compliance Vendors: Identity verification data is shared with licensed KYC/AML providers for document verification, biometric checks, PEP and sanctions screening, and adverse media monitoring.
Regulatory Authorities: We disclose personal data to regulators, law enforcement, and financial intelligence units when required by law, including but not limited to the FIAU, CySEC, FCA, ASIC, FinCEN, and relevant tax authorities under CRS and FATCA reporting obligations.
Professional Advisors: Our external legal counsel, auditors (including PCI DSS Qualified Security Assessors), and tax advisors, subject to professional confidentiality obligations.
Group Companies: Within the Proxy.forex group of companies for internal administration, shared compliance functions, and consolidated reporting.
Fraud Prevention Networks: Transaction data is shared with industry fraud prevention databases (e.g., Ethoca, Verifi) to identify and prevent fraudulent activity.
We do not sell, rent, or trade personal data to third parties for their own marketing purposes.
5. International Data Transfers
As a global forex and CFD broker serving traders in 180+ countries, we transfer personal data internationally. We ensure that all transfers outside the European Economic Area (EEA) are protected by appropriate safeguards as required under Chapter V of the GDPR:
Adequacy Decisions: Where the European Commission has determined that the recipient country ensures an adequate level of data protection (e.g., the UK, Japan, and Canada).
Standard Contractual Clauses (SCCs): For transfers to countries without an adequacy decision, we implement the European Commission's Standard Contractual Clauses (adopted June 2021) together with supplementary measures where necessary following a transfer impact assessment.
Binding Corporate Rules (BCRs): Intra-group transfers are governed by our approved Binding Corporate Rules, which establish uniform data protection standards across all Proxy.forex entities.
Additional Safeguards: Where required by transfer impact assessments, we implement supplementary technical measures including encryption in transit and at rest (AES-256), pseudonymisation, and access controls that prevent government access incompatible with EU law.
For transfers to the United States in connection with card network processing, we rely on the EU-U.S. Data Privacy Framework where the recipient is certified, or SCCs with supplementary measures where they are not.
6. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, subject to mandatory regulatory retention periods:
Transaction Records: Retained for a minimum of 7 years from the date of the transaction, in accordance with the Malta Prevention of Money Laundering Act (Chapter 373), MiFID II record-keeping requirements, and applicable card scheme rules.
KYC and Due Diligence Records: Retained for a minimum of 5 years from the end of the business relationship, or longer where required by specific regulatory orders or ongoing investigations, in line with the Fourth Anti-Money Laundering Directive (Directive 2015/849).
Suspicious Activity Reports: Retained in accordance with FIAU directives, typically for a minimum of 5 years from the date of filing, subject to confidentiality obligations under tipping-off provisions.
Technical and Access Logs: Retained for 24 months for security monitoring and incident investigation purposes.
Marketing Consent Records: Retained for the duration of consent plus 3 years thereafter to demonstrate compliance with GDPR consent requirements.
Client Account Data: Retained for the duration of the client relationship plus 7 years to address any post-termination disputes or regulatory enquiries.
Upon expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised using industry-standard data destruction methods.
7. Your Rights Under GDPR
If you are located in the European Economic Area, the United Kingdom, or any jurisdiction with equivalent data protection legislation, you have the following rights regarding your personal data:
Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you, together with information about how and why we process it. We will provide this within 30 days of receiving your verified request.
Right to Rectification (Article 16): You may request correction of inaccurate personal data or completion of incomplete data. Please note that some data corrections (e.g., legal name changes) may require supporting documentation for compliance purposes.
Right to Erasure (Article 17): You may request deletion of your personal data where there is no compelling reason for continued processing. This right is subject to our regulatory retention obligations: we cannot erase data that we are legally required to retain.
Right to Restriction (Article 18): You may request that we restrict processing of your data in certain circumstances, such as while we verify the accuracy of contested data.
Right to Data Portability (Article 20): You may request that we provide your data in a structured, commonly used, machine-readable format (e.g., JSON or CSV), or transmit it directly to another controller where technically feasible.
Right to Object (Article 21): You may object to processing based on legitimate interests, including profiling for fraud detection purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Right to Lodge a Complaint: You have the right to lodge a complaint with the Office of the Information and Data Protection Commissioner (IDPC) in Malta, or with your local supervisory authority.
To exercise any of these rights, contact our Data Protection Officer at [email protected] or write to Proxy.forex Ltd., Attn: Data Protection Officer, Level 3, Quantum House, 75 Abate Rigord Street, Ta' Xbiex XBX 1120, Malta.
8. Data Security
We implement comprehensive technical and organisational security measures to protect personal data against unauthorised access, alteration, disclosure, or destruction:
Encryption: All data in transit is encrypted using TLS 1.3. All data at rest is encrypted using AES-256. Payment card data is tokenised immediately upon capture, and full primary account numbers (PANs) are never stored in our systems.
PCI DSS Level 1 Compliance: Our payment processing infrastructure is certified to the highest level of the Payment Card Industry Data Security Standard, validated annually by a Qualified Security Assessor (QSA).
Access Controls: Role-based access control (RBAC) with mandatory multi-factor authentication (MFA) for all administrative access. Access to personal data is restricted to personnel who require it for their specific job functions.
Infrastructure Security: Our systems are hosted across geographically distributed data centres with ISO 27001 certification. We maintain 24/7 security operations centre (SOC) monitoring, intrusion detection and prevention systems (IDS/IPS), and web application firewalls (WAF).
Incident Response: We maintain a documented data breach incident response plan in compliance with GDPR Article 33 requirements, ensuring that the relevant supervisory authority is notified within 72 hours of becoming aware of a qualifying breach, and affected individuals are notified without undue delay where there is a high risk to their rights and freedoms.
Regular Testing: We conduct annual penetration testing, quarterly vulnerability assessments, and ongoing automated security scanning of our infrastructure and application layers.
Employee Security: All Proxy.forex employees and contractors are subject to background checks, sign confidentiality agreements, and undergo mandatory data protection and security awareness training upon hire and annually thereafter.
9. Cookies and Tracking Technologies
Our website and client portal use cookies and similar tracking technologies. For full details on the types of cookies we use, their purposes, and how to manage your preferences, please refer to our dedicated Cookie Policy at /legal/cookies.
In summary, we use:
Strictly Necessary Cookies: Required for the operation of our website and dashboard, including session management, authentication, and security tokens. These cannot be disabled.
Analytical Cookies: Used to understand how visitors interact with our website and to improve our services. We use privacy-focused analytics that do not create individual user profiles.
Functional Cookies: Used to remember your preferences and settings within the client portal, such as language, timezone, and report configurations.
We do not use third-party advertising or remarketing cookies on our platform.
10. Children's Privacy
Proxy.forex's services are not directed at individuals under the age of 18 (or the applicable age of majority in the relevant jurisdiction). We do not knowingly collect personal data from minors. Forex and CFD trading is restricted to adults, and we verify the age of all clients as part of our account opening procedures.
If we become aware that we have inadvertently collected personal data from an individual under 18, we will take immediate steps to delete such data from our systems and close the associated account.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or regulatory guidance. We will notify you of material changes by:
- Posting the updated policy on our website with a revised "Last Updated" date.
- Sending an email notification to the primary contact address on file for client accounts.
- Displaying a prominent notice within the client portal for significant changes.
We encourage you to review this policy periodically. Your continued use of our services after changes are posted constitutes your acceptance of the revised policy.
12. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
Data Protection Officer
Proxy.forex Ltd.
Level 3, Quantum House
75 Abate Rigord Street
Ta' Xbiex XBX 1120, Malta
Email: [email protected]
Phone: +356 2144 0100
Malta Information and Data Protection Commissioner (IDPC)
Floor 2, Airways House
Triq il-Kbira
Birkirkara BKR 9033, Malta
Website: https://idpc.org.mt
For UK-related data protection enquiries, you may also contact the Information Commissioner's Office (ICO) at https://ico.org.uk.