
Data Privacy Policy
1. Purpose and Scope
This Data Privacy Policy sets out the principles and practices by which Inform FX Ltd (“the Company”) collects, processes, stores, and protects personal data. The policy ensures that the Company meets its obligations under all applicable data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This policy applies to all employees, contractors, officers, consultants, and third-party service providers who process personal data on behalf of Inform FX Ltd. It covers all personal data processed, stored, or transmitted by the Company, whether in electronic or physical form.
2. Data Protection Officer (DPO)
The Company has appointed a Data Protection Officer responsible for maintaining and enforcing the data protection framework:
Telephone: +44 20 7770 8098
The DPO is responsible for advising the Company on its data protection obligations, monitoring compliance, cooperating with the Information Commissioner’s Office (ICO), and acting as the first point of contact for data subjects and supervisory authorities.
3. Definitions of Personal Data
For the purposes of this policy, personal data means any information relating to an identified or identifiable natural person. This includes, but is not limited to:
- Names
- Dates of birth
- Telephone numbers
- Postal and email addresses
- Photographs and audio/visual recordings
- Bank and financial details
- Passport and national identification numbers
- Location and geolocation data
- IP addresses and online identifiers
- Opinions and personal views
- Employment and education history
Special category data includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and data concerning sex life or sexual orientation. Such data is subject to additional safeguards and may only be processed where a specific legal basis applies.
4. Data Protection Principles
Inform FX Ltd adheres to the following principles when processing personal data, as set out in Article 5 of the UK GDPR:
- Lawfulness, Fairness and Transparency – Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
- Purpose Limitation – Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
- Data Minimisation – Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy – Personal data shall be accurate and, where necessary, kept up to date. Reasonable steps shall be taken to erase or rectify inaccurate data without delay.
- Storage Limitation – Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed.
- Integrity and Confidentiality – Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
- Accountability – The Company shall be responsible for, and be able to demonstrate compliance with, all of the above principles.
5. Lawful Basis for Processing
The Company will only process personal data where it has a lawful basis to do so. The lawful bases upon which the Company relies include:
- Consent – The data subject has given clear consent for the Company to process their personal data for a specific purpose.
- Contract – Processing is necessary for the performance of a contract with the data subject, or to take steps at their request before entering into a contract.
- Legal Obligation – Processing is necessary for compliance with a legal obligation to which the Company is subject, including financial regulation and anti-money laundering requirements.
- Legitimate Interests – Processing is necessary for the legitimate interests of the Company or a third party, provided those interests are not overridden by the rights and interests of the data subject.
The lawful basis relied upon for each processing activity will be documented in the Company’s Data Processing Register.
6. Applicable Data Protection Regulations
Inform FX Ltd complies with all relevant data protection regulations in each jurisdiction in which it operates. In the United Kingdom, the principal legislation comprises the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Where the Company processes personal data of individuals located in the European Economic Area, it will also comply with the EU General Data Protection Regulation (EU GDPR) to the extent applicable.
7. Data Processing Register
In accordance with Article 30 of the UK GDPR and Article 61 of the Data Protection Act 2018, the Company maintains a Record of Processing Activities (ROPA). This register documents all data processing activities for which the Company is responsible, and includes:
- The name and contact details of the controller and, where applicable, the DPO.
- The purposes of the processing.
- A description of the categories of data subjects and categories of personal data.
- The categories of recipients to whom personal data has been or will be disclosed.
- Details of any transfers of personal data to a third country or international organisation.
- The envisaged time limits for erasure of the different categories of data.
- A general description of the technical and organisational security measures in place.
Clients acting as data controllers of end-clients’ personal data are also expected to maintain their own Data Processing Register in compliance with these provisions.
8. Data Collection and Consent
The Company collects personal data through the following means:
- Client onboarding and Know Your Customer (KYC) / Customer Due Diligence (CDD) processes.
- Contractual engagement with corporate clients and partners.
- Website enquiry forms, email correspondence, and telephone communications.
- Third-party referrals and introductions, with appropriate consent.
Where consent is the lawful basis for processing, the Company will ensure that consent is freely given, specific, informed, and unambiguous. Data subjects may withdraw consent at any time by contacting the DPO, and withdrawal will not affect the lawfulness of processing carried out prior to withdrawal.
9. Data Retention
Personal data will be retained only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law and regulation. In addition to Inform FX Ltd, the Company’s regulator partners, namely Currencycloud, Sciopay, Capitex and GC Partners, will also retain this data.
9.1 Regulatory Retention Requirements
In compliance with financial services regulations and anti-money laundering legislation, all data collected in relation to client transactions and relationships must be retained for a minimum period of five (5) years. This retention period is measured from the later of:
- The date of trade execution or payment processing; or
- The date on which the client’s business relationship with the Company ends.
9.2 Categories of Data Retained
The data the Company retains includes, at a minimum:
- KYC and due diligence documentation, including identity verification records.
- Customer communication records, including telephone call recordings (where the Company executes payments or books trades on behalf of clients via telephone, all such calls must be recorded) and email correspondence.
- Internal communications pertaining to clients.
- Records pertaining to customer complaints.
- Transaction records and any other information relating to the provision of the Company’s services.
9.3 Call Recording
Telephone calls with clients must be conducted on recorded lines. Any third-party providers of call recording services must be able to provide retention for the full five-year period, or the Company must archive recorded calls locally. All third-party call recording providers must also comply with applicable data privacy regulations, given the sensitive and confidential nature of information shared during client calls.
9.4 Disposal of Data
When the retention period expires, personal data will be securely deleted or anonymised. Physical records will be securely shredded. Electronic records will be permanently erased using methods that prevent reconstruction.
10. Data Security Measures
The Company implements appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or damage. These measures include:
10.1 Technical Measures
- Encryption of personal data in transit (TLS/SSL) and at rest where appropriate.
- Secure access controls, including multi-factor authentication for systems containing personal data.
- Firewalls, intrusion detection systems, and anti-malware protection.
- Regular vulnerability assessments and penetration testing.
- Automated backup procedures with encrypted storage.
- Secure disposal of hardware and electronic media.
10.2 Organisational Measures
- Role-based access control, ensuring personal data is accessible only to authorised personnel on a need-to-know basis.
- Confidentiality agreements for all employees and contractors who access personal data.
- Clean desk and clear screen policies.
- Secure document storage and controlled access to physical records.
- Regular review and testing of security measures.
11. Third-Party Data Processors
Where the Company engages third-party processors to process personal data on its behalf, it will:
- Conduct due diligence to ensure the processor provides sufficient guarantees of compliance with data protection legislation.
- Enter into a written Data Processing Agreement (DPA) specifying the subject matter and duration of processing, the nature and purpose of processing, the type of personal data, and the categories of data subjects.
- Require processors to implement appropriate technical and organisational security measures.
- Require processors to obtain prior written authorisation before engaging sub-processors.
- Conduct periodic reviews of processor compliance.
Third-party processors will not be permitted to process personal data except on documented instructions from the Company.
12. International Data Transfers
Where personal data is transferred to a country or territory outside the United Kingdom, the Company will ensure that appropriate safeguards are in place, including:
- Transfers to countries or territories recognised by the UK Government as providing an adequate level of data protection.
- Use of Standard Contractual Clauses (SCCs) approved by the ICO or the European Commission.
- Binding Corporate Rules where applicable.
- Derogations for specific situations under Article 49 of the UK GDPR, where no other safeguard is available.
A Transfer Impact Assessment will be conducted where required to evaluate the level of protection afforded in the destination country.
13. Data Subject Rights
Inform FX Ltd is committed to upholding the rights of data subjects in accordance with the UK GDPR. Individuals have the following rights in relation to their personal data:
- Right of Access (Article 15) – The right to obtain confirmation of whether their personal data is being processed and to access a copy of that data.
- Right to Rectification (Article 16) – The right to have inaccurate personal data corrected or incomplete data completed.
- Right to Erasure (Article 17) – The right to request deletion of personal data where there is no compelling reason for its continued processing, subject to regulatory retention obligations.
- Right to Restriction of Processing (Article 18) – The right to request the restriction of processing in certain circumstances.
- Right to Data Portability (Article 20) – The right to receive personal data in a structured, commonly used, and machine-readable format.
- Right to Object (Article 21) – The right to object to processing based on legitimate interests or for direct marketing purposes.
- Rights in Relation to Automated Decision-Making (Article 22) – The right not to be subject to decisions based solely on automated processing which produce legal or similarly significant effects.
13.1 Exercising Rights
Data subjects may exercise any of these rights by contacting the DPO at dpo@informfx.co.uk. The Company will respond to all valid requests within one calendar month of receipt, unless the request is complex or numerous, in which case the period may be extended by a further two months with notification to the data subject.
The Company will not charge a fee for processing a data subject request unless the request is manifestly unfounded or excessive, in which case a reasonable administrative fee may be applied.
14. Personal Data Breach Handling
A personal data breach is a security incident that results in the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data.
14.1 Breach Detection and Reporting
- All employees must report suspected or confirmed personal data breaches immediately to the DPO.
- Reports should include the nature of the breach, the categories and approximate number of data subjects and records affected, and any actions already taken to mitigate harm.
14.2 Breach Assessment and Containment
- The DPO and IT security team will assess the severity of the breach, including the type and volume of data affected, the potential risks to individuals, and the regulatory notification obligations.
- Immediate containment steps will be taken, which may include restricting system access, applying security patches, resetting credentials, or isolating compromised systems.
- Affected departments will coordinate with IT and the compliance team to minimise further impact.
14.3 Notification Requirements
Regulatory Authorities: Where the breach is likely to result in a risk to the rights and freedoms of individuals, it must be reported to the Information Commissioner’s Office (ICO) within 72 hours of discovery.
Affected Individuals: Where the breach poses a high risk of harm (e.g., financial fraud, identity theft), affected individuals must be informed without undue delay, with details of the breach and recommended mitigation steps.
Internal Notification: Senior management and relevant teams will be informed immediately to ensure a coordinated response.
14.4 Investigation and Remediation
- A full investigation will be conducted to determine the root cause, impact, and effectiveness of response measures.
- Corrective actions will be implemented, including security upgrades, policy revisions, and targeted staff training to prevent recurrence.
- A formal incident report will be documented for audit and regulatory compliance purposes.
14.5 Breach Register
All personal data breaches, including minor incidents that do not require regulatory notification, must be documented in the Company’s Breach Register. The register will record the facts relating to each breach, its effects, and the remedial action taken.
15. Data Protection Impact Assessments (DPIAs)
The Company will conduct a Data Protection Impact Assessment where a proposed processing activity is likely to result in a high risk to the rights and freedoms of individuals. This includes, but is not limited to:
- The introduction of new technologies for processing personal data.
- Large-scale processing of special category data.
- Systematic monitoring of publicly accessible areas.
- Automated decision-making, including profiling.
The DPO will be consulted during the DPIA process. Where the assessment identifies a high residual risk that cannot be mitigated, the Company will consult the ICO before proceeding with the processing activity.
16. Staff Training and Awareness
All employees and contractors who handle personal data will receive appropriate data protection training. This includes:
- Mandatory induction training on data protection principles and this policy for all new starters.
- Annual refresher training covering regulatory updates, emerging threats, and best practices.
- Role-specific training for employees in compliance, IT, and client-facing functions.
- Awareness communications on phishing, social engineering, and other data security threats.
Training completion and records will be maintained by the DPO and made available for audit purposes.
17. Complaints
Any individual who believes that their personal data has been misused or that the Company has not complied with this policy or applicable data protection legislation may lodge a complaint with the DPO at dpo@informfx.co.uk.
The Company will investigate all complaints promptly and will aim to resolve them within 30 calendar days. If the individual is not satisfied with the Company’s response, they have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
- Website: www.ico.org.uk
- Telephone: 0303 123 1113
18. Policy Review
This policy will be reviewed at least annually, or more frequently where required by changes to legislation, regulatory guidance, business operations, or following a significant data breach.
The DPO is responsible for ensuring that this policy remains current and effective. All material amendments will be communicated to staff and relevant third parties.
