
Data Protection and Privacy Policy
Last Updated: March 2025
Introduction
Smart Money Dealing Ltd (trading as “SmartMoney” and referred to as "we," "us," or "our") is committed to protecting the privacy and personal data of all individuals we interact with. This Privacy Policy explains how we collect, use, disclose, and protect personal information in the course of our business and website operations. It applies to all data subjects, including our institutional and individual clients (and their representatives), counterparties, vendors, employees, and anyone else whose personal data we process. By using our services or website, or by entering into a Participant Agreement with us, you acknowledge the terms of this Privacy Policy.
Relationship to Participant Agreement: If you are a client or participant who has signed our Participant Agreement, please note that the agreement contains strict confidentiality obligations for both parties. We will treat your confidential information (including personal data) with the same degree of care as we treat our own confidential information, and we will only disclose it under the conditions permitted in the Participant Agreement – for example, to our staff on a need-to-know basis, to our auditors, or where required by law or regulation. This Privacy Policy is consistent with those confidentiality commitments, and it provides additional detail on how we handle personal data in compliance with applicable data protection laws and our contractual obligations.
We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the UK Data Protection Act 2018, and other applicable privacy laws. We also abide by relevant financial regulations and obligations. Our goal is to be fully transparent about our data practices and to ensure that your personal information is safeguarded at all times.
Scope of this Policy
This Privacy Policy applies to all personal data we process, whether you are using our website, receiving brokerage or financial services from us, supplying services to us, or employed by us. Personal data means any information that can identify an individual (directly or indirectly). This includes obvious identifiers like names and contact details, as well as information such as account numbers, IP addresses, and other online identifiers.
We have structured this Policy into clear sections so you can easily find details about:
· What Information We Collect: The categories of personal data we collect and generate.
· How We Use Personal Data (Purposes and Legal Bases): Why we use your data and under what legal grounds.
· How We Share Personal Data: Who we may disclose your data to and why, including how the Participant Agreement’s confidentiality terms apply.
· International Data Transfers: Our practices regarding storing or transferring data outside the UK.
· Data Retention: How long we keep personal data.
· Your Rights and Choices: The rights you have over your personal data (including Data Subject Access Requests) and how you can exercise them.
· Data Security and Breach Notification: How we protect your data and what happens in the event of a security incident.
· Contacting Us and the DPO: How to get in touch for any privacy-related queries, including contact details of our Data Protection Officer (DPO).
· Updates to this Policy: How we will notify you of any changes to this Policy.
Please read this Policy carefully. If you have any questions or concerns about our data practices, you can contact us at the details provided in the Contact section below.
Information We Collect
We collect personal information that is necessary for the purposes described in this Policy. This information is provided by you directly in many cases (for example, when you fill out forms or communicate with us), and in some cases it is obtained from third parties or generated through your use of our services. The categories of personal data we collect include:
· Contact and Identity Details: This includes information such as your name, business or personal address, email address, telephone number, date of birth, and any identification documents (e.g. passport, driver’s license) you provide for verification purposes. We may also record your job title, employer or institution, and other information needed to identify you in our dealings.
· Account and Financial Information: If you are a client or counterparty, we collect information related to your accounts with us and transactions you conduct. This may include bank account details, transaction histories, trading data, credit or risk ratings, and related financial information necessary to facilitate trades or services. For vendors or suppliers, this may include billing details and tax identifiers.
· Regulatory Compliance Data: To meet our legal obligations in the financial sector, we collect data for Know-Your-Customer (KYC), anti-money laundering (AML) and fraud prevention checks. This may include copies of identification documents, proof of address, background check results, sanctions and politically exposed person (PEP) screening results, and information we obtain from credit reference agencies or fraud prevention agencies for identity verification. For example, we may receive information from credit bureaus and the Electoral Register to verify your identity, and we may record if any false or inaccurate information is provided for fraud detection purposes.
· Communications and Correspondence: We maintain records of our interactions with you. This includes recorded telephone calls (we routinely record phone calls with clients or counterparties for compliance, monitoring and training purposes), as well as copies of emails, instant messages, or other communications you send us or that we send to you. It also includes any in-person meeting notes or correspondence by post. These records may contain personal data you share during those communications.
· Website Usage Data (Log Data and Cookies): When you visit our website or use our online services, we collect technical information about your interaction. This Log Data includes details such as your Internet Protocol (IP) address, browser type and version, the pages you visit on our site, the date and time of each visit, and the amount of time spent on each page. We also use cookies and similar tracking technologies on our site to enhance user experience and gather analytics. Cookies are small files stored on your device that remember your preferences and activity. Through cookies, we may collect information about how you navigate our site and use our services. You can set your browser to refuse cookies or alert you when cookies are being used; however, note that some features of our site may not function properly without cookies. For more details, please see our Cookies notice (if available) or contact us with any questions about our use of cookies.
· Employment and HR Data: If you are an employee, contractor, or job applicant, we will collect data relevant to your employment or application. This can include your CV/resume, work history, references, right-to-work documentation, performance reviews, payroll information, and other HR-related records. (Employee data is also handled in line with this Policy, though employees may be provided with additional privacy notices specific to staff.)
· Other Information You Provide: You may provide other personal data to us from time to time. For instance, if you respond to a survey, request technical support, or participate in a promotion or event, we will collect whatever information you choose to give us (and any feedback, inquiries, or responses you submit).
In all cases, we aim to limit the personal data collected to only that which is necessary for the purposes set out in the next section. Where we collect sensitive personal data (known as "special category" data under the GDPR, such as health information or biometric data), we will ensure we have an appropriate legal basis and, if required, your explicit consent. Generally, our services are not intended to collect special category data unless necessary (for example, we typically do not need health or biometric data in our ordinary course of business).
If you fail to provide certain information that we require by law or under a contract with you, we may not be able to enter into or continue that contract or provide services to you. For example, if you are a client and do not provide necessary identification information, we cannot perform mandatory identity verification and therefore would have to suspend or refuse the service.
How We Use Personal Data (Purposes and Legal Bases)
We process personal data for a variety of business purposes, and in each case we ensure that we have a lawful basis under the UK GDPR for the processing. Under the UK GDPR, we must have at least one of the following legal bases to process your data: (a) your consent, (b) performance of a contract with you, (c) compliance with a legal obligation, (d) protection of vital interests, (e) performance of a task carried out in the public interest, or (f) our legitimate interests (or those of a third party), provided these are not overridden by your interests or fundamental rights. Below, we describe the purposes for which we use personal data and identify the primary legal bases that apply to each. In some cases, more than one legal basis may be relevant (especially where the same data is used for multiple purposes).
· Providing and Administering Services: We use personal information to set up and administer client accounts, to provide our brokerage and financial services, and to execute transactions that you or your organization have entered into with us. This includes using your details to confirm your identity when you become a client, processing trades and orders, facilitating payments or settlements, and providing customer support. Legal basis: This is generally necessary for the performance of a contract with you or your organization (UK GDPR Article 6(1)(b)) – for example, using your information to carry out the services agreed in our Participant Agreement or other contracts. It may also be in our legitimate interests (Article 6(1)(f)) to use certain data for general account administration and relationship management, especially when our client is a corporate entity, but we process personal data of individual representatives in order to serve that client.
· Compliance with Legal Obligations (KYC/AML, etc.): We process personal data to meet various legal and regulatory obligations that we are subject to (UK GDPR Article 6(1)(c)). This includes obligations under financial regulations, anti-money laundering laws, anti-fraud laws, tax laws, and other legislation. For example, we are required by law to verify the identity of our clients and conduct due diligence checks. To fulfill these obligations, we use the personal data you provide (such as identity documents) and may check it against external databases or enlist third-party agencies. We may perform background checks, monitor transactions for suspicious activity, report to regulatory authorities (like the Financial Conduct Authority or National Crime Agency in the UK) when required, and maintain records of your transactions and communications as mandated by law. We also use personal data to comply with court orders, subpoenas, or lawful requests from government agencies. Legal basis: Legal obligation (Article 6(1)(c)) is the primary basis for processing in these cases. In some situations, processing for compliance may also overlap with legitimate interests – for instance, our interest in preventing fraud and protecting the integrity of our platform aligns with legal obligations to prevent financial crime.
· Identity Verification and Fraud Prevention: As part of account opening and ongoing security, we may use automated tools or scoring systems to verify your identity and assess risks. This can involve sending your details to credit reference agencies or fraud prevention databases to confirm your information and receive a risk score or alert. We record and flag information if we suspect fraud or if we receive alerts about potential risks. We also may compare your information against sanctions lists or other databases. Legal basis: This is in our legitimate interests (ensuring our customers are genuine, preventing fraud and financial crime) and is also often required by law (as part of our AML obligations). Where automated processing is used for these purposes, we do not base any final decisions solely on automated means that would produce legal or similarly significant effects without human involvement – there is always a manual review in critical identity verification and compliance decisions. (If ever we were to make a purely automated decision with significant effect, we would do so only as permitted by law and with your knowledge, and you would have the right to request human review of that decision.)
· Communication Monitoring and Record-Keeping: We record telephone calls and monitor communications (such as emails or messages) between you and us as allowed by law. These recordings and records are used for purposes such as confirming trade details, monitoring quality of service, training our staff, and resolving disputes. In many cases, financial regulations require us to record and retain communications that result in transactions (for example, under UK FCA rules or other securities regulations). We also log usage of our website and systems to maintain audit trails and investigate any suspicious activities. Legal basis: It is our legal obligation to keep certain records (Article 6(1)(c)) – for instance, regulations may mandate retention of call recordings for a minimum period. Additionally, it is within our legitimate interests (Article 6(1)(f)) to have accurate records of dealings in case of disagreements or for training and improvement. We consider these interests to align with the expectations of our users in a regulated financial context, and we protect these records appropriately.
· Providing Customer Support and Communications: If you contact us with an inquiry, request, or complaint, we will use your contact information and any relevant account data to respond to you, investigate issues, and provide assistance. We might also use your data to send service-related notices, such as important updates about your account, changes to terms, or alerts about system availability. Legal basis: This is typically contractual necessity when related to providing you services (Article 6(1)(b)) or otherwise our legitimate interests in ensuring customer satisfaction and effective service delivery.
· Marketing and Updates (with Consent or Legitimate Interest): We may use your personal data to send you information about our products or services, news, events, or other marketing communications if you have agreed to receive marketing information. This could include newsletters or promotions from us or our carefully selected partners. We will typically obtain your opt-in consent to send electronic marketing (as required by law). You have the right to opt out of marketing at any time. We may also send existing customers occasional product updates or similar communications under the "soft opt-in" basis where applicable but will always honour your choice to unsubscribe. Legal basis: Consent (Article 6(1)(a)) is the primary legal basis for electronic direct marketing to new users. In certain cases, legitimate interests (Article 6(1)(f)) may be relied upon to inform our clients about our own products and services that are relevant to them (for example, updates about features you are already using), but we will do so in compliance with the Privacy and Electronic Communications Regulations and you will always have a clear opt-out. We do not share your data with third parties for their own marketing without your explicit consent.
· Internal Business Purposes and Analytics: We may use personal data for our internal operations and analytics, such as improving our services and website, developing new features, quality control, training, and financial reporting. For example, we might analyze usage data to see how clients use our trading platform, so we can optimize its design. We might use aggregated transaction data to assess our business performance. When possible, we will use anonymized or aggregated information for these purposes, which does not identify individuals. Legal basis: Legitimate interests (Article 6(1)(f)) – it is in our interest to run an efficient, robust, and evolving business. We ensure that our internal use of data for analytics does not unjustifiably impact your privacy (for instance, analytics typically uses anonymized data or at least does not involve making decisions about individuals).
· Security and Risk Management: To protect our business, clients, and systems, we use personal data for security monitoring, fraud detection, and risk management. This includes using login information and device identifiers to detect unusual account access, using CCTV at our office premises (if applicable) for security, and verifying identity to prevent unauthorized access. We also may process data to establish, exercise or defend legal claims – for example, retaining correspondence if we anticipate a potential dispute or litigation. Legal basis: Legitimate interests (Article 6(1)(f)) – we have a legitimate interest in ensuring the security of our assets, preventing crime, and protecting our legal rights. In some cases, processing for these purposes may also be necessary for compliance with a legal obligation (e.g., data security measures required by data protection law, or obligations to report certain fraudulent activities).
If we need to process personal data for a purpose that is unrelated to the purposes listed above, and not otherwise permitted under applicable law, we will provide you with a new privacy notice explaining that use. We will also seek your consent when required by law, particularly if we plan to process data for a new purpose that requires consent (e.g., using your data in a testimonial or case study for marketing, if you are identifiable).
We do not engage in any selling of personal data to third parties. We also do not use your personal data for any automated decision-making, including profiling, that produces legal effects or similarly significant effects on you without human intervention (as noted, any scoring or automated analysis we perform for fraud or identity purposes is subject to manual review and is done to assist our compliance process).
How We Share Personal Data
We treat your personal data with confidentiality and do not disclose it to anyone except as described in this Policy, as consented by you, or as permitted/required by law. In line with our Participant Agreement’s confidentiality clause, we do not share Confidential Information (which includes your personal data) with third parties except under certain allowed circumstances. The main categories of recipients with whom we may share personal data are:
· Affiliates and Group Companies: If Smart Money Dealing Ltd becomes part of a group of companies, we may share personal data with our affiliates, subsidiaries, or parent company as needed to deliver services or for corporate governance. Any intra-group sharing will be on a need-to-know basis and under strict confidentiality. (At present, we operate solely as Smart Money Dealing Ltd with no subsidiaries, so this does not apply.)
· Employees and Staff: Your data will be accessed by our internal staff who require it to perform their jobs – for example, our trading desk personnel, compliance officers, customer support team, finance and billing staff, etc. All our employees and contractors are bound by confidentiality obligations and trained in data protection, so they understand the importance of protecting your information. As per the Participant Agreement, our staff are only given Confidential Information on a need-to-know basis and must adhere to the same confidentiality standards.
· Service Providers and Data Processors: We use trusted third-party service providers to support our operations. These include, for example: IT hosting and maintenance providers, cloud storage services, CRM or client management systems, email and communication platforms, analytics services, identity verification tools, and professional advisors (law firms, accountants, auditors). When we share data with service providers, we do so under contracts that require them to only use the data to provide services to us and to protect it in line with data protection laws. For instance, if we use a third-party identity verification service or credit reference agency, we provide the necessary personal data for them to perform checks. Our auditors may also review certain records that include personal data as part of their financial or compliance audits (they are bound to confidentiality as well). In all cases, processors acting on our behalf must implement appropriate security measures and cannot use your data for their own purposes.
· Credit Reference and Fraud Prevention Agencies: As noted under "Compliance" above, we may disclose personal information to credit reference agencies, ID verification services, and fraud prevention databases when performing background checks. These agencies will use your information in their own files (for example, they will record that an identity check was performed, to prevent multiple checks affecting credit scores) and may share results back to us. They in turn might share information with other organizations as part of fraud prevention or credit referencing, but this is governed by those agencies' privacy terms and applicable law. We share with them only what is necessary for the checks, and we may receive information such as credit scores or alerts in return.
· Counterparties to Transactions: If you are involved in a transaction or trade facilitated by us, we may need to share certain information with the other party to the transaction or with intermediaries. For example, if you execute a trade with a counterparty through our brokerage, we might exchange traders' names or contact details for confirmation or settlement purposes. We limit what is shared to the essentials (such as confirming the identity of the trading parties, or providing settlement instructions). All counterparties are typically subject to their own confidentiality obligations, either contractually or under industry standards. Additionally, the Participant Agreement’s confidentiality provisions protect such information, meaning neither we nor the other party should disclose it beyond what is necessary to effect the transaction.
· Regulators and Law Enforcement: We may be required to disclose personal data to supervisory authorities, government bodies, or law enforcement agencies. For instance, we must report certain information to regulators like the Financial Conduct Authority (FCA) or the Information Commissioner’s Office (ICO) upon request or in case of regulatory examinations. We might also share data with law enforcement or fraud monitoring bodies if we suspect criminal activity such as fraud or money laundering, in line with our legal obligations. If we receive a court order or subpoena demanding the release of personal data, we will comply after verifying the request’s legitimacy. Wherever appropriate and lawful, we will notify the affected individuals before disclosing information (for example, if a government agency demands data, we may let you know unless the law prohibits us from doing so).
· Professional Advisors: We may share information with our professional advisors (such as lawyers, accountants, auditors, or insurers) when that information is necessary for them to provide their services to us. For example, if we seek legal advice about a contract or a dispute involving a client, we might share relevant personal data with our legal counsel. These parties are under duties of confidentiality. Auditors, in particular, might access personal data when reviewing our compliance processes or financial statements – for instance, they might check that we have proper KYC records. This is permitted as an exception under our confidentiality obligations (sharing with auditors).
· Third Parties in Corporate Transactions: In the event that we undergo a business transition, such as a merger, acquisition, or sale of business assets, personal data may be disclosed to potential or actual buyers (and their agents) as part of due diligence or transfer of assets. In such cases, we will ensure the recipient of the data is bound to confidentiality and will use the information only for evaluating the transaction. If a transfer of ownership actually occurs, the successor company will assume the rights and obligations regarding your personal data as described in this Privacy Policy.
· With Your Consent or At Your Direction: Aside from the above, we will share your information with third parties if you specifically request or consent to it. For example, if you ask us to provide a reference or confirmation of your transactions to a third party, or if you opt in to a feature that involves sharing data with a partner service, we will do so at your direction. We may also share anonymized data (which no longer identifies you) freely, as that is not personal data – for example, publishing market statistics or trends that are derived from aggregated client data.
We do not disclose personal data to any third parties for their own marketing or advertising purposes, nor do we sell personal information. We also do not share personal data outside the above scenarios except as permitted by the Participant Agreement and applicable law. Any third party that receives personal data from us is expected to protect it with appropriate security and to use it only for the purposes we agree with them.
If you would like more information about the third parties with whom we might share your personal data (for example, details of the credit reference agencies or fraud databases we use), you may contact us using the details below. We can provide you with a list of our current key service providers or partners that handle personal data on our behalf.
International Data Transfers
We are a UK-based company, and as of the date of this Policy, we do not routinely transfer personal data outside of the United Kingdom. All the personal data we collect is stored on servers located within the UK, or in some cases, in other jurisdictions that are deemed adequate under UK data protection law (such as countries within the European Economic Area (EEA)). We have chosen service providers and data storage solutions that keep data in the UK to avoid unnecessary cross-border transfers.
If in the future we or our service providers need to transfer your personal data to a country outside the UK (or not covered by a UK adequacy decision), we will ensure that appropriate safeguards are in place as required by the UK GDPR. These safeguards might include reliance on an adequacy regulation (if the destination country has been approved by the UK government as having adequate protection), or implementing Standard Contractual Clauses (SCCs) or Binding Corporate Rules, along with additional measures as needed to protect the data. We will also notify you or update this Policy if our international transfer practices change.
In summary, you can assume your data stays within UK jurisdiction under the protection of UK data law. We understand that data protection regimes can vary worldwide, and we are committed to maintaining the highest standard of privacy protection wherever your data may be processed.
Data Retention
We will retain personal data for only as long as it is necessary to fulfill the purposes for which it was collected, as outlined in this Policy, and for as long as we are required or permitted to keep it by law or regulation. In practical terms, this means:
· If you are a client or participant, we will keep your personal information for the duration of our business relationship and thereafter for a period required by applicable laws. For example, even after you close your account or cease doing business with us, we might need to retain certain data for a number of years to comply with financial regulations, tax laws, or record-keeping requirements. We will only retain your data for as long as is necessary to provide our services to you and for any period required for regulatory or legal reasons. This often translates to retaining data for at least five to six years after the end of a client relationship, since various UK regulations (e.g., anti-money laundering law, MiFID recordkeeping rules, and the Limitation Act for contracts) require records to be kept for certain minimum periods. We may retain data longer than the minimum period if we believe it is necessary (for instance, to exercise or defend legal claims). Conversely, data that is no longer needed even within those periods may be deleted or anonymized earlier, if appropriate.
· If you are a prospective client who did not end up using our services, or if you provided information during an inquiry but did not sign up, we will typically delete or anonymize your information after a reasonable period (for example, 1 year) unless we have a reason to keep it (such as an ongoing conversation or a legal requirement to retain records of the prospecting activity).
· If you are a vendor or business partner, we retain your business contact information for the duration of our relationship and thereafter as needed for contract enforcement or due diligence documentation. Typically, we keep contract-related information for the length of the contract and at least 6 years after its termination (aligned with legal prescription periods).
· Employee and HR data will be kept in accordance with employment law requirements. For example, payroll records and pension data may be kept for many years as required by law. Personal data of unsuccessful job applicants is usually deleted or anonymized after a short period unless we obtained consent to keep it on file for future openings.
· Website log data and analytics data are generally kept for a shorter period, often automatically overwritten or anonymized after a set time (e.g., we might keep detailed web logs for a few months for security analysis, and aggregated analytics for longer without personal identifiers).
When the retention period for a set of personal data expires, or if you validly exercise your right to deletion (and no exemption applies), we will ensure the data is securely erased or anonymized such that it can no longer be associated with you. We have in place processes to review data holdings periodically and delete data that is no longer needed in line with our internal data retention schedule.
Please note that in some cases we may be unable to delete data upon request if we are required to keep it by law or if it falls under an exemption (for example, you request deletion of transaction records which we must keep under financial regulations). In such cases, we will inform you of the reason we cannot fulfill the request and will securely isolate the data from active use if possible.
Your Rights and Choices
As a data subject, you have certain rights under the UK GDPR and other data protection laws regarding the personal data we hold about you. We respect and uphold these rights. Below is a summary of your key rights and how you can exercise them:
· Right to Access (Data Subject Access Request): You have the right to request confirmation of whether we are processing your personal data, and if so, to receive a copy of that personal data along with supplementary information about how and why it is processed. This is commonly known as a Data Subject Access Request or DSAR. You can make a DSAR to obtain a copy of the information we hold about you. Once we verify your identity (to ensure we don't disclose data to the wrong person), we will provide you with the information required by law. Typically, we will respond to access requests within one month of receipt. If your request is complex, or if you have made numerous requests, we may extend this period by up to two further months, but we will inform you of the extension and the reasons. There is generally no fee for making an access request, though repetitive or excessive requests may incur a reasonable fee as permitted by law.
· Right to Rectification: If you believe that any personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct or update it. We encourage you to contact us to keep your information up-to-date (for example, if you change your address or phone number, or if you realize we have misspelled your name). We will make the corrections as soon as possible and will notify any third parties who received the incorrect data if we are legally required to do so. As noted in the Participant Agreement, you also have a right to have inaccurate data corrected, and we are committed to honoring that.
· Right to Erasure (Right to be Forgotten): You have the right to request that we delete your personal data in certain circumstances. This includes situations such as: the data is no longer necessary for the purposes it was collected; you originally consented to processing and now withdraw consent (and no other legal basis exists); you object to processing and we have no overriding legitimate grounds to continue; or the data was processed unlawfully. If you request deletion, we will assess whether the conditions under the UK GDPR (Article 17) are met. If so, we will securely delete your data. Keep in mind that the right to erasure is not absolute – sometimes we must retain certain information despite a deletion request, for example to comply with legal obligations or to establish or defend legal claims. We will inform you of any such reasons if applicable. We also note that due to the Participant Agreement or other legal requirements, some data must be kept for minimum periods, which may delay deletion until those obligations are fulfilled.
· Right to Restrict Processing: You have the right to request that we restrict (i.e., pause or limit) the processing of your personal data in certain scenarios. For example, if you contest the accuracy of data, you can request we restrict processing while we verify its accuracy; or if you have objected to processing (see below) and we are considering our legitimate grounds, you can ask that we hold the data but not process it further during that time. You can also request restriction if processing is unlawful but you do not want full erasure, or if we no longer need the data but you need us to keep it for a legal claim. When processing is restricted, we will store the data securely and not use it except to the extent allowed (such as to exercise legal rights or with your consent). If the restriction is lifted later (e.g., the accuracy issue is resolved), we will inform you.
· Right to Object: You have the right to object to our processing of your personal data in certain circumstances. Notably, you can object at any time to processing of your data for direct marketing purposes. If you object to marketing, we will stop using your data for that purpose immediately, and this is an absolute right (no exceptions). You can also object to processing based on our legitimate interests (Article 6(1)(f)) or public interest tasks (Article 6(1)(e)). In such cases, you should give reasons related to your particular situation as to why you object. We will then consider whether our legitimate grounds for processing override your rights and interests. If they do not, we will cease the processing in question. Where we rely on legitimate interests, we believe we have balanced those interests with your rights, but we will always respect an objection if the law requires us to. For example, you might object to our use of your data for internal analytics; we would evaluate if we can accommodate your objection by perhaps anonymizing your data.
· Right to Data Portability: For personal data that you provided to us and which we process by automated means under the legal basis of consent or contract, you have the right to request a copy of such data in a structured, commonly used, machine-readable format (for example, a CSV file), and you have the right to have that data transmitted to another controller where technically feasible. This right mainly applies to data you actively provided (like registration information) or observed data from your use of a service (like log records about you). It would not typically apply to most of our compliance-related data or other derived information. However, if you need an export of your client data, we will do our best to provide it in a convenient format.
· Right not to be subject to Automated Decision-Making: You have rights related to automated decision-making and profiling. As noted earlier, we do not make decisions based solely on automated processing that have legal or similarly significant effects on you without human involvement. If we ever engage in such activity, we will ensure compliance with Article 22 of the UK GDPR, including providing you notice and an opportunity to contest the decision or request human review. Given our current practices (where any automated scoring for fraud/identity is reviewed by staff), this scenario should not arise in a way that impacts your rights.
· Right to Withdraw Consent: In instances where we are processing your personal data based on your consent (for example, for optional marketing communications), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, but it means we will stop the specific activity that was based on consent. For example, if you subscribed to our newsletter and then withdraw consent, we will stop sending you the newsletter. You can withdraw consent by using the unsubscribe link in emails or by contacting us directly.
· Right to Complain to a Supervisory Authority: If you believe we have processed your personal data unlawfully or not in accordance with your rights, you have the right to lodge a complaint with a supervisory authority. In the UK, that is the Information Commissioner’s Office (ICO). You can find details on how to report concerns to the ICO on its website. We encourage you, however, to contact us first with any complaint or issue, and we will do our best to resolve it to your satisfaction.
Exercising Your Rights: You may contact us at any time to exercise any of the above rights. The easiest way is to email our Data Protection Officer at swalker@smartmoneydealing.com or use the contact information in the Contact section below. Please clearly state which right you wish to exercise and provide us with enough information to verify your identity (we may ask for certain details or identification documents to ensure we are dealing with the correct individual). We will respond to your request as soon as possible, generally within one month. If we need more time or cannot fulfill your request (due to a legal exemption), we will inform you of the reason and your options.
We will not discriminate against you for exercising any of these rights, and we will fulfill them in accordance with our legal obligations. Bear in mind that some rights have limitations; for example, we cannot provide information that involves others’ personal data without consent, and we might not delete data that we are required to keep. But we will explain any such limitations in our reply.
Data Security Measures
We take the security of your personal data very seriously. We have implemented a variety of technical and organizational measures to protect your information from unauthorized access, use, alteration, or destruction. These measures include, for example:
· Encryption and Access Control: Sensitive data is stored and transmitted using encryption techniques where appropriate. We use secure protocols for data transfer (HTTPS on our website, secure FTP for file transfers, etc.). Access to personal data within our organization is restricted to authorized personnel who have a business need to know the information. Each such individual has unique credentials and authentication methods to access systems containing personal data. We employ firewalls, intrusion detection systems, and anti-malware tools to prevent and detect unauthorized access to our networks.
· Physical Security: Personal data in hard copy form (paper documents) or on local servers is kept in secure facilities. Our offices have controlled access. Confidential documents are stored in locked cabinets. Where we use third-party data centers, we rely on their physical security controls (which typically include 24/7 monitoring, access badges, surveillance cameras, etc.).
· Employee Training and Policies: All employees and contractors are required to adhere to our data protection and confidentiality policies. Regular training is provided to ensure everyone is aware of best practices for information security and privacy. We have internal procedures addressing how to handle personal data, how to report potential security issues, and the consequences of any misuse of data.
· Vendor Due Diligence: When we engage service providers or partners who handle personal data, we conduct due diligence to ensure they meet adequate security standards. We also ensure that data processing agreements with these providers oblige them to protect your data and notify us of any incidents.
· Monitoring and Testing: We monitor our systems for possible vulnerabilities and attacks, and we carry out periodic risk assessments and testing of our security measures. This includes penetration testing of our applications and infrastructure, as well as regular reviews of access logs to detect any anomalies.
· Data Minimization and Pseudonymization: Where possible, we minimize the amount of personal data we hold or use. If full data is not needed for a task, we might use partial or masked data. We also consider pseudonymization (replacing identifiers with codes) for datasets that do not require identification of individuals, especially when using data for analytics or testing.
While we strive to use robust and state-of-the-art security measures, it is important to note that no method of transmission over the internet or method of electronic storage is completely foolproof. We cannot guarantee absolute security of information, but we continuously update and refine our security practices to mitigate risks. You also have an important role in keeping your data safe: please use strong passwords for your accounts, do not share your account credentials with others, and alert us immediately if you suspect any unauthorized access to your account or personal data.
Data Breach Notification
Despite all precautions, data breaches (incidents leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data) can potentially occur. We have a detailed data breach response plan in place to handle such situations should they arise. In line with our legal obligations under the UK GDPR, if a personal data breach occurs, we will take the following steps:
· Investigation and Containment: We will immediately investigate the breach to understand what happened, what data is affected, and the scope of impact. Our IT and security team will work to contain the breach (e.g., isolating compromised systems, changing access credentials, restoring backups) to prevent further unauthorized access or loss of data.
· Internal Reporting: Any employee who discovers or suspects a data breach is required to report it to our Data Protection Officer (DPO) and management without delay. We keep an internal register of data breach incidents, regardless of severity, to monitor and learn from them (as part of the GDPR's accountability requirements).
· Notification to the ICO: If the breach is likely to result in a risk to the rights and freedoms of individuals (for example, risk of financial loss, identity theft, confidentiality breach, or other significant harm), we will notify the UK Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach (ico.org.uk). Our breach report to the ICO will include details of the nature of the incident, categories and approximate number of data subjects and records affected, the likely consequences, and the measures we have taken or plan to take to address the breach.
· Notification to Affected Individuals: If the breach is likely to result in a high risk to your rights and freedoms (for instance, if sensitive personal data or financial details were compromised), we will also inform you (and any other affected individuals) directly and without undue delay (ico.org.uk). We will do so in clear language, describing what happened and what information is involved. We will provide you with the contact details of our DPO or relevant contact point, explain the potential consequences of the breach, and detail what measures we have taken or propose to take to mitigate the harm (ico.org.uk). Where appropriate, we will advise you on steps you can take to protect yourself (such as changing passwords or being vigilant for fraud attempts) (ico.org.uk). If specific circumstances of law or security require us to delay notification (for example, if law enforcement requests a delay to investigate the incident), we will adhere to those requirements, but otherwise we believe in proactive communication.
· Follow-up and Prevention: After containing a breach and notifying as required, we will conduct a post-incident review to identify the root cause and implement improvements. This might include patching software, updating our security policies, training staff, or taking disciplinary action if the breach was caused by a policy violation. We will document everything about the breach and our response, as required by Article 33(5) of the GDPR (to demonstrate accountability).
Our aim is to be transparent and responsible in the unfortunate event of a data breach. We recognize the importance of timely communication to both regulators and individuals. Rest assured that if your personal data is ever involved in such an incident, we will work diligently to minimize any harm and keep you informed of all relevant facts and advice.
Data Protection Officer and Contact Information
We have appointed a Data Protection Officer (DPO) to oversee our privacy strategy and compliance. Our DPO is Simon Walker, who can be contacted at swalker@smartmoneydealing.com. The DPO’s role is to monitor our compliance with data protection laws, provide advice on data protection matters, and act as a point of contact for data subjects and the supervisory authority (ICO).
If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please do not hesitate to contact us. You can reach out to our DPO directly via the email above. Alternatively, you may contact us through the following methods:
· Email: You can email our support or compliance team at info@smartmoneydealing.com. Please include "Privacy Inquiry" in the subject line so we can direct it to the appropriate staff.
· Mail: You may write to us at our registered business address:
Smart Money Dealing Ltd
16 High Street,
Saffron Walden, Essex,
United Kingdom, CB10 1AX.
· Telephone: For urgent matters, you can call our main office line (as listed on our website). Please ask to speak with the Data Protection Officer or the Compliance department.
We will endeavour to respond to all legitimate requests or questions as promptly as possible, and at least within any timeframes required by law. If you are contacting us to exercise one of your data protection rights, please see the Your Rights section above for more details on the process.
Remember, you also have the right to contact the Information Commissioner’s Office (ICO) if you have concerns about our data practices. The ICO can be reached through their website (ico.org.uk) or by phone at +44 303 123 1113. However, we encourage you to contact us first so we can address your concerns directly – we are committed to resolving any privacy issues in a fair and effective manner.
Links to Other Websites
Our website may contain links to websites of other companies or organizations. Please note that those websites will have their own privacy policies and we do not accept any responsibility or liability for their policies or content. If you follow a link to any external websites, we encourage you to read their privacy notices to understand how they handle your data. This Privacy Policy applies solely to personal data processed by Smart Money Dealing Ltd.
Changes to this Privacy Policy
We may update or revise this Privacy Policy from time to time to reflect changes in our practices or to ensure compliance with legal or regulatory developments. If we make significant changes, we will notify our clients and website users in an appropriate manner – for example, by posting a prominent notice on our website or by contacting you via email. The "Last Updated" date at the top of this Policy will always indicate when the latest changes were made.
Any changes will become effective when the revised Privacy Policy is posted online (or as otherwise communicated). Your continued use of our services or website after any update will signify your acceptance of the changes, so please check back periodically to stay informed of how we are protecting your information. If we change the purposes of processing or the legal basis in a way that requires your consent (or fresh consent), we will seek that from you.
We maintain archived versions of previous privacy policies which are available upon request, should you need to see the evolution of our terms.
Conclusion: Protecting your privacy is fundamental to our business. We appreciate the trust you place in us when you provide your personal data, and we are committed to using it responsibly and safeguarding it to the best of our ability. This Privacy Policy aims to give you a comprehensive understanding of what we do with your data and why. If anything remains unclear or you need further information, please reach out to us. We value open communication and will be happy to assist you.
Thank you for reading our Privacy Policy.