Privacy Policy

Introduction

As part of our daily business operations, we collect and process personal information from clients and prospective clients to provide and improve our products and services and to meet legal and regulatory requirements. Your privacy is important to us, and we are committed to safeguarding confidential information and respecting individuals’ privacy.

This Privacy Policy applies to the processing activities performed by TPXMGLOBAL Kenya Limited (the “Company”) and its affiliates (together, the “Group”) in relation to the personal data/information of its clients/potential clients (“You”, “Your”, “Yours” or “Yourself”), website visitors and employees. Our websites or apps may contain links to third-party websites or services; this Policy does not apply to those sites or services, and we are not responsible for their privacy practices. You are encouraged to review their privacy policies. Further, each entity of the Trading Point Group has its own separate Privacy Policy. Such entities operate their own websites and as such, if you are interested in learning about how such entities process your personal data, please refer to their corresponding privacy statements which may be found on their specific websites.

This Policy explains how the Company and its affiliates collect, use, disclose and protect personal information provided by you or obtained from third parties in connection with our services, or collected from your use of our website(s) and applications, including, among others, the Company’s Members Area. It also describes your rights regarding your personal information.

Our Privacy Policy is reviewed regularly to ensure that any new obligations and technologies, changes to our business operations and practices are taken into consideration, as well as that it remains abreast of the changing regulatory environment. Any personal information we hold will be governed by our most recent Privacy Policy as this is posted on our website.

Who We Are

The Company is licensed and regulated by the Capital Markets Authority (“CMA”) under a License with No. 233 to carry on the business of non-dealing online foreign exchange broker, with its registered address at Muthithi Road, Allys Centre, Westlands District, Nairobi, Kenya (P.O BOX 39258 Parklands). For the purposes of applicable data protection laws and regulations, the Company is the Data Controller.

Personal Information we Collect and Process

In order to open an Account with us, you must first complete a profile registration and thereon submit and provide us with the required information and/or documentation to complete the onboarding process. During this process, you are requested to disclose personal information in order to enable the Company to assess your application and comply with the relevant rules and regulations. The information you provide may also be used by the Company to send you account related communications (e.g., news, updates on its services and products, etc.).

We may collect and process the following categories of personal information:

  • Identification and contact details: full name, residential address and contact details (e.g., email address, telephone number, fax, nationality, citizenship, date and place of birth, title, gender, etc.);

  • Verification and compliance data: copies of passports/national IDs/driver’s licences, identification numbers, tax numbers, sanctions/PEP screening results, adverse media checks, KYC/CDD data, FATCA/CRS information. This may include background information we receive about you from public records or from other third-party entities.

  • Authentication data: signature (handwritten, electronic).

  • Financial and transactional data: source of funds and wealth, bank and payment details, assets and liabilities, trading account balances and activity, trading statements, investment history.

  • Appropriateness/suitability and conduct data: trading knowledge and experience, risk tolerance, product preferences, appropriateness/suitability assessments.

  • Employment and education details: profession, employer, role, qualifications (as relevant to onboarding and suitability) and academic / educational information and background;

  • Technical and usage data: device identifiers, IP address, browser type, operating system, app and site usage logs, login logs, activity journals, historical data, cookie identifiers, in-app events, traffic data, page interactions (subject to your device/app settings).

  • Communications and recordings: emails, chat messages, in-app messages, call recordings and other communications relating to our services and relationship with you.

  • CCTV and access logs: images recorded on our premises for security and compliance, visitor logs.

  • Marketing and communication data: survey responses, preferences, selections, marketing permissions, consents.

  • Recruitment data (applicants): CVs, application forms, references, interview notes, background screening results (where permitted), and other information necessary for recruitment.

  • Any other personal information requested by us and/or provided by you or by third parties as part of our provision of the Services to you throughout our business relationship.

We do not knowingly collect personal information from children. Our services are not intended for individuals under the age of 18. If you believe a child has provided us personal information, please contact us so we can delete it.

Sensitive information or special categories of personal data is a sub-set of personal information that is given a higher level of protection under the applicable data protection laws and regulations. It refers to information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union or other professional associations or memberships, sexual orientation or practices or preferences, genetic or biometric data, criminal records, health information. We do not collect sensitive information from you, unless it is required for the provision of our Services to you.

Where we do collect such information (e.g., biometric data, such as for liveness checks, facial matching, etc.), we use the appropriate legal bases (e.g., to comply with a legal obligation and/or fulfil our legitimate interests (such as to prevent financial crime, fraud and/or other abuse activities of our services) and/or consent) and we apply additional measures for the security and protection of the data. Sensitive information may be used or disclosed only if required or authorised or mandated by applicable law.

If you do not provide information that we reasonably need for onboarding, compliance or to provide requested products or services, we may be unable to provide those products or services.

How We Collect Personal Information

We collect information directly from you in several ways such as through your use of our services or in the course of other business transactions between you and the Company. This includes collection of the data through any of our websites (e.g., cookies), mobile applications, the account opening applications, our demo account registration forms, webinar sign-up forms, subscriptions to news updates as well as from ongoing customer support communications and our ongoing business relationship. We may also collect this information about you from third parties such as through publicly available sources, the Internet, social media platforms, introducing brokers and affiliates, banks and credit card processors, and subscription-based intelligence/screening databases.

We may ask for other personal information voluntarily from time to time (for example, through market research or surveys or offers).

We record any communications whether electronic, by telephone, in person, or otherwise, that we have with you in relation to the services we provide to you and our business relationship with you. We also record the communication that takes place between you and the Company in relation to the transactions made with you and the provision of services relating to the acceptance, transmission and execution of your orders. These recordings will be our sole property and will constitute evidence of the communications between us. Such telephone conversations may be recorded without the use of a warning tone or any other further notice.

Further, if you visit any of our offices or premises, we may have CCTV which will record your image for security, safety and compliance, and may maintain visitor logs.

Job Applicants and Personnel

We process applicant data (e.g., identification and contact details, CVs, references, interview notes, background screening results, where permitted) to manage recruitment. If you are unsuccessful, we may retain your data for a limited period for future opportunities (where permitted by law or with your consent, which you may withdraw at any time). Candidates, employees and contractors receive separate privacy notices and are subject to confidentiality obligations.

Unsolicited Personal Information

If we receive personal information about an individual which is unsolicited by us and not required for the provision of our services, we will securely destroy/delete the information (provided it is lawful and reasonable for us to do so).

Cookies and Similar Technologies

Internet cookies are small pieces of data sent from our website(s) to your browser and stored on your computer’s hard drive when using our website(s), and they may include a unique identification number. The purpose of collecting this information is to provide you with a more relevant and effective experience on our website(s), including the presentation of our web pages according to your needs or preferences.

We use cookies, web beacons, pixels, SDKs and similar technologies to operate our websites and apps, improve performance and user experience, remember preferences, measure usage and support advertising/re-marketing. You can control cookies through your browser settings and, where available, our cookie preference tools. Some features (including the Members Area) may not function properly if cookies are disabled. We may use third-party vendors, such as Google and AdRoll, to display our ads over the internet to you, based on your previous use of our website(s). You can opt out of this particular use of cookies at any time by visiting Google’s Ads Settings page and the DoubleClick opt-out page or as they later update those facilities.

For details, please see our Cookies Policy.

Legal Bases and How We Use Personal Information

We may process your personal data on one of the following legal bases:

1. Performance of a contract: to provide our products and services, open and administer accounts, process transactions, provide customer support, review and resolve complaints and queries, and generally fulfil our contractual obligations during the course of our business relationship.

2. Compliance with legal and regulatory obligations: to comply with all legal and regulatory obligations to which we are subject, as a regulated Company. These include, among others, to conduct identity verification and ongoing monitoring (i.e., KYC and CDD requirements), credit checks, fraud and abuse prevention checks, payment processing, risk management, comply with anti-money laundering and counter-terrorist financing laws, financial services regulations, privacy and tax laws, respond to lawful requests and court orders, maintain required records, and meet other regulatory obligations (including those of the CMA).

3. Safeguarding our legitimate interests: to maintain or safeguard our legitimate interests such as, maintaining and improving our system, network, information and cyber security; prevent and detect fraud or other illegal activities; protect assets and premises (including CCTV and access controls); manage our business; handle queries and complaints; develop and improve products and services (e.g., through data analytics; improve performance of the app, troubleshoot bugs, and for other internal product needs, analysis of log files for product use and performance, monitor use on our website or app use, pages and links clicked, patterns of navigation, time at a page, devices used, location of users, etc.); personalize and enhance our services; manage risk; initiate or defend legal claims; determine PEP status, share data with service providers/vendors (including Group affiliated entities who provide support and administrative services to the Company) to update or verify information in line with applicable AML/CFT frameworks and to enable the provision of their services to the Company – provided that these interests do not override your rights and interests.

4. Consent: for certain activities where consent is required by law and/or where the processing of your personal information does not fall under one of the above legal bases. You may withdraw your consent at any time without affecting the lawfulness of processing before withdrawal. You may also unsubscribe from our email lists in relation to marketing/promotional communications. Please note that any account-related and/or operational related communications will not be affected even if you do not provide and/or withdraw your consent.

The channels used for communications may include telephone, emails, notifications through your secure Members Area and text messaging notifications, including push notifications and in-app notifications.

Although the Company normally relies on one of the above legal bases, the applicable laws and regulations provide two (2) more legal bases upon which the Company could potentially (if required) rely for the processing of personal information:

5. Vital Interests: where the processing is necessary to protect the vital interests of an individual. This typically applies in life or death situations where obtaining consent is impossible. For example, we may share limited information with emergency services in a medical emergency at our premises to protect someone’s life.

6. Public Interest or Official Authority: where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. We are a private entity and do not ordinarily perform tasks in the public interest or exercise official authority. However, in limited/rare cases we may process personal information when required or permitted to support public authorities in such tasks (for example, responding to lawful directions related to public health, safety or financial system integrity).

Purposes

Processing of your personal information based on the above legal bases may take place for the following purposes:

  • Suitability and appropriateness: assessing whether our products and services are appropriate/suitable as required by applicable laws and regulations.

  • Provision of our products and Services to you as per our Terms and Conditions of Business (Client Agreement) and other policies.

  • Compliance with applicable laws and regulations.

  • Customer communications: sending service messages, legal notifications and updates to the terms or features of products/services (these are not marketing).

  • Surveys and feedback: seeking feedback to maintain and/or improve service quality (legitimate interests) and, where required, obtaining consent for participation in certain surveys.

  • Corporate transactions: using and sharing information as reasonably necessary in connection with mergers, acquisitions, restructurings, or other corporate transactions, under appropriate safeguards.

  • Physical security: maintaining visitor logs and CCTV for safety, security and compliance.

  • To perform data analysis (e.g., through aggregation of your information with other clients’ information on an anonymous basis so that more rigorous statistical analysis of general or behavioral patterns, interactions or preferences (including predictive analysis) may lead to us providing better products and services).
    We note that when your information is anonymized, we do not require a legal basis, as the information will no longer constitute personal information.

  • Marketing: to send you marketing communications about our products and services by email, phone, SMS, push notifications, in-app messages, social media or other agreed means of communication. We do so based on your consent, where required, or otherwise on our legitimate interests. You can opt out from marketing related communications at any time by following the instructions in our communications, adjusting in-app settings, or contacting us at dpo@xm.ke. We do not share your personal information with third parties for their own direct marketing without your consent.

  • Internal business purposes and Record Keeping: we may need to process your personal information for internal business and research purposes as well as for record-keeping purposes (either for legitimate interest or to comply with our legal and regulatory obligations).

  • Corporate restructuring: If we undergo a corporate re-structuring, or if part or all of our business is acquired by a third party, we may need to use your personal information in association with that re-structuring or acquisition. Such use may involve sharing your information as part of due diligence enquiries or disclosures pursuant to legal agreements. It is our legitimate interest to use your information in this way, provided we comply with any legal/regulatory obligation we have towards you.

Disclosures

We disclose personal information only as necessary for the purposes described in this Policy and in accordance with applicable laws and regulations, including to:

  • Other entities/affiliates of the Group, for business, operational and compliance purposes.

  • Service providers acting on our behalf and/or providing services to us (e.g., IT and cloud service providers, cybersecurity, fraud prevention, identity verification and screening, analytics, marketing service providers, legal, insurance and professional advisers (e.g., legal, financial, tax, compliance, audit, research, etc.)).

  • Business introducers and partners with whom we have a mutual business relationship.

  • Payment service providers (PSPs) and/or banking/credit institutions for the purposes of processing your transactions (i.e., deposits/withdrawals) to/from trading account(s) and/or commencing an investigation regarding such transactions (e.g., third party deposits, cashbacks, etc.);

  • Credit reference agencies (where lawful and applicable) and similar providers who may record searches on our behalf.

  • Courts, tribunals, law enforcement, regulatory and supervisory authorities (including the CMA) where required or permitted by law.

  • Third-party apps’ providers when you use our mobile app(s), communication systems and trading platforms, SMS gateways, which are provided to us by third-parties;

  • Anyone you authorise or as otherwise instructed by you.

We require processors handling personal information on our behalf to implement appropriate security and confidentiality measures and to process data only under our instructions. Where third parties act as independent controllers, their own privacy notices apply.

If the Company discloses your personal information to business parties, such as card processing companies or banks, in order to perform the services requested by you, such third parties may store your information in order to comply with their legal and other obligations.

Transfers

We may transfer personal information to, or store it in, countries other than the one in which it was collected (including to service providers and Group entities). Where we transfer personal information internationally, we implement appropriate safeguards as required by applicable law (for example, standard contractual clauses, intra group agreements and additional technical/organizational measures) to ensure that such transfers are lawful. If transfers are made to countries without an adequacy decision (e.g., certain transfers to the USA), we will ensure an adequate level of protection through such safeguards.

Security

The Company implements and maintains appropriate technical and organizational measures designed to ensure the safeguarding and protection of any personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. Any such measures are aligned with the requirements of applicable laws and regulations on personal data protection and include, without limitation, access controls based on role and necessity, multi-factor authentication when accessing corporate systems, Chinese walls, firewalls, intrusion detection systems, virus scanning tools, encryption in transit (e.g., TLS), network and endpoint security, vulnerability management, data minimisation, secure development practices, clean desk policies, data classification policies, and staff training. While transmission over the internet is not completely secure, we take reasonable precautions to protect your data. Once received, we apply robust administrative, technical and physical safeguards to reduce the risk of unauthorized access.

The personal information you provide to us is classified as registered information which is protected in several different ways. You can access your registered information after logging in to your Members Area by entering your credentials (username and password). It is your responsibility to make sure that your password is only known to you and not disclosed to anyone else. Registered information is securely stored in a safe location and only authorized personnel have access to it via secure access control. All personal information is transferred to the Company over a secure encrypted connection and thus all necessary measures are taken to prevent unauthorized parties from viewing any such information. Personal information provided to the Company that does not classify as registered information is also kept in a safe place and is accessible by authorized personnel only.

Storage and Retention

We keep personal information for as long as necessary to fulfil the purposes described in this Policy and to comply with legal, regulatory, tax, accounting and reporting requirements. We are required to retain your information for as long as we have an active business relationship with you and for seven (7) years after our business relationship ends. The information we retain includes: (i) documents used to comply with know-your-customer (KYC) and/or customer due diligence (CDD) obligations; (ii) supporting evidence and records of transactions and our relationship with you; (iii) copies and evidence of transaction monitoring, complaints, queries, etc. Recorded communications (telephone, electronic, in person or otherwise) will be held in line with local regulatory requirements (generally 5 years after our relationship ends). Where you opt out of marketing, we will keep your details on a suppression list to honor your preference.

We may retain data for longer if we cannot delete it for legal, regulatory, security or technical reasons or any other legitimate interest for such retention exists. When information is no longer needed, we will delete it securely or anonymise it.

Your Rights Regarding Your Personal Information

Subject to applicable law and certain exemptions, you have the following rights:

1. Information and Access: to know whether we process your personal information and to receive a copy, along with certain details. If you require additional copies, we may need to charge a reasonable administration fee.

2. Rectification: to request us to correct / update inaccurate or incomplete personal information we may hold about you. The Company will change your personal information in accordance with your instructions. To proceed with such requests, in some cases we may need supporting documents from you as proof, i.e. personal information that we are required to keep for regulatory or legal purposes such as proof of address documentation.

3. Erasure: to request deletion of your personal information in certain circumstances (subject to legal/regulatory retention obligations). We may not always be able to fulfill your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request (e.g., if we have a legal or regulatory obligation to retain the data). In other words, an erasure request is subject to any retention requirements we must comply with in accordance with applicable laws and regulations. If we have disclosed your personal information to others, we will let them know about the erasure request, where possible.

4. Restriction: to request that we restrict processing in certain circumstances (such as if you contest the accuracy of that personal information or object to us processing it). However, we will continue to retain your personal information where necessary in order to comply with our legal and regulatory obligations. We will inform you before we decide not to agree with any requested restriction. If we have disclosed your personal information to others, we will inform them about the restriction request if possible.

5. Portability: to ask to receive, in certain circumstances, personal information you provided to us in a structured, commonly used and machine-readable format and to request that we transfer it to a third party where technically feasible. Note that this right only applies to automated information (i.e., not to hard copies) which you initially provided consent for us to use or where we used the information to perform a contract with you.

6. Objection: You can ask us to stop processing your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

7. Consent Withdrawal: where processing is based on consent, you have the right to withdraw your consent at any time. You may do so by sending your request to dpo@xm.ke, using your registered email address. To unsubscribe from our e-mail database or opt-out of marketing communications, please contact us using the details below or opt-out using the opt-out facilities provided in the communication.

8. Automated decisions and profiling: to request not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects, and to request human intervention, express your point of view, and contest the decision, where applicable.

To exercise your rights, contact us at dpo@xm.ke. We may need to verify your identity and may request additional information to process your request. We aim to respond within thirty (30) days, subject to any extensions permitted by law. If your information has been shared with third parties, we will notify them of your request where feasible and lawful.

We may charge you a reasonable fee when a request is manifestly unfounded, excessive or repetitive, or we receive a request to provide further copies of the same data. In this case we will send you a fee request which you will have to accept prior to us processing your request. Alternatively, we may refuse to comply with your request in these circumstances.

Legal Disclaimer

The Company shall not be liable for misuse or loss of personal information or otherwise on the Company’s Website(s) that the Company does not have access to or control over. The Company will not be liable for unlawful or unauthorized use of your personal information due to misuse or misplacement of your passwords, negligent or malicious intervention and/or otherwise by you or due to your acts or omissions or a person authorized by you (whether that authorization is permitted by the terms of our legal relationship with you or not).

Changes in this Privacy Policy

Our Policy is reviewed from time to time so as to consider new laws and technologies, changes to our operations and practices, and to ensure that it remains appropriate to the changing environment. If we decide to change our Policy, we will post those changes to this Policy and other places we deem appropriate so that you are made aware of such changes.

Contact

For any questions, queries, concerns or complaints about any aspect of our privacy practices you can contact us via email at dpo@xm.ke.