Bullion FX Privacy Policy
Effective from: 26 May 2026
Editorial note
We may update this Privacy Policy from time to time. Material changes — including any change in the categories of personal data we collect, how we share it, or how long we retain it — will be communicated to you by email at least 30 days in advance. The current version of this document is always available at /legal/privacy.
1. Introduction
1.1 About this Policy
This Privacy Policy explains how Bullion FX ("Bullion FX", "we", "our", or "us") collects, uses, shares, retains, and protects personal information when you visit our website, open a trading account, use our trading platform, or otherwise interact with our services. It also explains the rights and choices you have over your data.
We have written this Policy in plain English. Where a term has a specific regulatory meaning (for example, "personal data" or "lawful basis"), we use that term in the way it is generally understood under the General Data Protection Regulation (GDPR) of the European Union, because the GDPR has become a widely recognised benchmark even outside the EU.
Where local data-protection law applies to the processing of your personal data, we follow it. The structure of this Policy adopts GDPR-style conventions because they represent a high baseline for any modern financial-services business.
1.2 Who we are
Bullion FX is the trading name of Bullion FX Markets Ltd, an International Business Company registered in St. Vincent and the Grenadines. Where this Policy refers to "the Company", "we", "us", or "our", it refers to Bullion FX Markets Ltd trading as Bullion FX.
For the purposes of data-protection law, Bullion FX Markets Ltd is the controller of your personal data. We decide why your data is collected and how it is used.
1.3 Scope
This Policy applies to visitors to the Bullion FX website, prospective and approved clients who use our services (including the trading platform, copy-trading marketplace, and support channels), and anyone who corresponds with us by email or chat.
It does not apply to third-party websites we link to — those operators have their own privacy practices, and we recommend that you read their policies before sharing information with them.
1.4 Where we offer our services
Bullion FX is available to retail clients in over 80 countries worldwide. We do not currently offer services to residents of the United States. If you are a resident of the United States, please do not attempt to open an account; we will reject your application during onboarding.
Where local data-protection law (such as the European Union General Data Protection Regulation) applies to the processing of your personal data, we honour the rights and processing principles described in this Policy. The structure of this Policy follows GDPR-style conventions because they represent a high baseline for any modern financial-services business.
2. What information we collect
We collect personal information that you provide to us, information that is generated when you use our services, and information from third parties (for example, identity-verification providers). The categories below describe what we collect and why.
2.1 Account information
When you register for an account or apply for a trading account, we collect:
- your full legal name;
- your date of birth;
- your country of residence and your nationality;
- your email address;
- your phone number (optional — phone is not required to open an account, and we do not use phone numbers for SMS messaging of any kind);
- your preferred language of communication (we currently support English, Hindi, Arabic, and Spanish in customer support).
2.2 Identity verification and Know-Your-Customer (KYC) information
To comply with our anti-money-laundering, counter-terrorist-financing, and sanctions-screening obligations, we are required to verify your identity before you can fund a trading account. The KYC information we collect includes:
- a government-issued identity document, which may be a passport, national identity card, or driver's licence;
- a recent selfie photograph, used to confirm that the person submitting the documents matches the photograph on the identity document;
- at higher account tiers or where additional verification is required, proof of address — a utility bill or bank statement dated within the past 90 days that shows your name and current residential address.
KYC documents are treated as a sensitive data category. We store them on segregated infrastructure with restricted file-system permissions and limit access to staff with a verified business need.
2.3 Transaction and trading data
Once you are an approved client, we collect data that is generated by your use of our services, including:
- deposits and withdrawals across each funding rail you use (USDT on TRON, Ethereum, and BNB Smart Chain; Bitcoin; and the wallet partner we offer for Indian rupee deposits);
- trades you execute on the MT5 platform, including instruments, volumes, opening and closing prices, profit and loss, and timestamps;
- account balances, equity, used margin, free margin, and margin levels;
- allocations to copy-trading manager accounts and the associated transfer history;
- bonus issuances, bonus eligibility states, and any bonus clawbacks if applicable.
This information is generated as a natural part of operating the brokerage and is necessary for us to run your account.
2.4 Device and technical data
When you visit our website, log in to your dashboard, or trade on MT5, we automatically collect:
- your Internet Protocol (IP) address;
- limited browser fingerprint information (user-agent string, screen resolution, browser language);
- device type (desktop, mobile, or tablet) and operating system family;
- session timestamps (login, logout, and trading activity);
- approximate geolocation derived from your IP. We use city-level resolution at most and do not collect GPS coordinates.
We use this data to keep your account secure, detect unauthorised access, comply with sanctions-screening obligations (which require us to know roughly where you are connecting from), and debug technical issues.
2.5 Communications data
When you interact with our support team, we collect:
- emails you send to or receive from hello@bullionfx.io and any other support address we publish;
- transcripts of support-chat sessions on our website. Chat is available in English, Hindi, Arabic, and Spanish;
- relevant MT5 client log fragments that you or our staff include in a support ticket to help us diagnose a trading issue.
Communications data may include personal information about you that is incidental to your support request (for example, you might include a screenshot showing your account balance). We treat this content with the same care as any other personal data.
2.6 Marketing information
We do not currently operate a marketing mailing list. We do not currently send promotional emails, and we do not currently collect marketing-preference data.
If we introduce a marketing programme in the future, we will collect marketing-preference data only on an opt-in basis, and we describe that future-state framework in Section 7 (Marketing communications). Importantly, even if we introduce marketing in the future, we will not send marketing by SMS — see Section 2.7.
2.7 What we do not collect
To be explicit: Bullion FX does not collect or send Short Message Service (SMS) data. We do not operate an SMS gateway. We do not send one-time passwords by SMS, we do not send marketing by SMS, and we do not retain mobile phone numbers for the purpose of texting you.
We also do not currently run third-party advertising or analytics tracking on our website. See Section 6 (Cookies and similar technologies) for details.
3. How we collect information
We collect personal information through the following mechanisms:
- Signup form. Account-application data is submitted through forms on our website over TLS 1.2 or higher. Confirmation emails are sent from our own SMTP infrastructure using DKIM signing.
- KYC submission flow. Identity documents and selfies are uploaded through a dedicated flow in your client dashboard and stored on segregated infrastructure described in Section 9.
- MT5 trading platform. Trading activity, balances, and platform logs are generated as you trade.
- Customer support. Email and live-chat conversations are stored in our support ticketing system.
- Payment rails. Deposits and withdrawals through the wallet partner (for Indian rupee) or the supported cryptocurrency networks (USDT-TRC20, USDT-ERC20, USDT-BEP20, BTC) generate transaction metadata recorded against your account.
- Cookies. A small set of essential cookies is set when you use our website, as explained in Section 6.
- Server logs. Our web servers (nginx) and application servers write structured logs that include the technical and device data described in Section 2.4.
- Identity-verification and sanctions-screening providers. During KYC we use automated identity-verification services and sanctions screening, as described in Sections 5.2 and 13.
4. The lawful basis for processing your information
Under a GDPR-style framework, every act of processing personal data must rest on a specific lawful basis. We rely on four lawful bases, summarised below.
4.1 Performance of a contract
Most of what we do with your data is necessary to provide you with the services you have asked us for. Operating your trading account, processing your deposits and withdrawals, executing your trades on MT5, settling profit and loss, allocating your funds to a copy-trading manager when you choose to do so, and providing customer support are all examples of processing carried out to perform the contract between us.
4.2 Compliance with a legal obligation
Brokerages are subject to a range of legal and regulatory obligations, including anti-money-laundering and counter-terrorist-financing rules, sanctions-screening rules, financial-records retention rules, and (in some jurisdictions) tax-reporting rules. We process personal data — particularly KYC documents, transaction histories, and identity-verification results — to comply with these obligations.
4.3 Legitimate interests
We process some data because we have a legitimate business interest in doing so and because that interest is not overridden by your rights and freedoms. Examples include:
- monitoring login activity and trading behaviour to detect fraud, unauthorised access, or platform abuse;
- maintaining the security of our website, platform, and supporting infrastructure;
- understanding how clients use our services so that we can improve them;
- pursuing or defending legal claims.
Where we rely on legitimate interests, you have the right to object — see Section 8 (Your rights).
4.4 Consent
We rely on consent for any marketing communications we may send in the future. As explained in Section 2.6, we do not currently operate a marketing programme. If we introduce one, your consent will be freely given, specific, informed, and easy to withdraw. We do not use consent as the lawful basis for anything we are obliged to do under contract or under the law; that would not be appropriate, because you cannot freely withdraw consent for a thing that we have to do anyway.
5. How we use your information
This section explains the specific purposes for which we use your personal information. Each purpose maps to one of the lawful bases described in Section 4.
5.1 Onboarding and account management
We use your account and KYC information to verify your identity, open your trading account, set up your MT5 credentials, and maintain accurate client records. Lawful basis: performance of a contract and compliance with a legal obligation.
5.2 Anti-money-laundering and sanctions screening
We screen prospective and existing clients against sanctions lists and politically-exposed-person databases. Automated services perform initial checks; unclear results are escalated to a human compliance officer. Lawful basis: compliance with a legal obligation. Section 8.8 explains your right to request human review.
5.3 Transaction processing
We use deposit, withdrawal, and trade information to credit your account, settle trades, route withdrawals through the relevant payment rail, and reconcile funds held on your behalf. Lawful basis: performance of a contract, plus compliance with financial-records obligations.
5.4 Risk monitoring and fraud prevention
We monitor login attempts, IP addresses, device fingerprints, withdrawal-destination addresses, and trading patterns to detect fraud, account takeovers, bonus abuse, sanctions-evasion attempts, and chargeback patterns. Lawful basis: legitimate interest and, where it touches AML rules, compliance with a legal obligation.
5.5 Customer support
We use your communications data to answer questions, resolve tickets, and improve our support content. Lawful basis: performance of a contract.
5.6 Service security and improvement
We use device and technical data, server logs, and platform metrics to keep the service running, investigate incidents, improve performance, and develop new features. Lawful basis: legitimate interest. We do not use this data to build advertising profiles or to sell to third parties.
5.7 Regulatory reporting and legal claims
Where the law requires us to report information to a regulator, financial-intelligence unit, tax authority, or court, we will do so. We may also use your data to establish, exercise, or defend legal claims. Lawful basis: compliance with a legal obligation or legitimate interest.
6. Cookies and similar technologies
We use a deliberately small set of cookies and similar technologies on our website. We do not run third-party advertising or analytics tracking, and we do not use cookies to build behavioural profiles about you.
6.1 What we use
- Essential session cookies. When you log in to your client dashboard, we set a session cookie so that the server can recognise you across page loads. Without this cookie you would have to log in again on every page, and the service would not work.
- Load-balancer and content-delivery cookies. Our web infrastructure uses cookies to direct your traffic consistently to the right back-end server. These are technical cookies and do not identify you personally.
- No third-party analytics. We do not run Google Analytics, Facebook Pixel, or any other third-party analytics or advertising service on our website.
- No advertising cookies. We do not place advertising cookies, retargeting cookies, or conversion pixels on our pages.
The only logs that capture details of your visit are server logs written by our own platform host (the nginx web server and the application server). Those logs are described in Section 2.4 and are retained for the period set out in Section 11.
6.2 Managing cookies
You can configure your browser to refuse cookies or to warn you when cookies are being set. If you refuse the essential session cookie, the client dashboard will not work for you, because the server has no way to recognise you across requests without it.
6.3 Why we keep this minimal
We have deliberately chosen not to deploy third-party analytics or advertising trackers. Forex and CFD trading is sensitive financial activity, and we do not see a legitimate reason to share your browsing behaviour with advertising networks. If this position changes, we will update this Section and obtain consent where required.
7. Marketing communications
7.1 Current position
Bullion FX does not currently send marketing emails. The emails we send today are limited to operational matters — account confirmations, password resets, security alerts, transaction confirmations, and customer-support replies. Operational emails are necessary to perform the contract or to keep your account safe, and you cannot opt out of them while your account is open.
7.2 If we introduce marketing in the future
If we introduce a marketing programme at any point in the future, the framework will be as follows:
- We will collect marketing consent only on an opt-in basis — never by default checkboxes or bundled consent.
- Every marketing email will contain a clear unsubscribe link.
- Withdrawing consent will be easy and immediate.
- We will not send marketing communications by SMS. Bullion FX does not operate any SMS infrastructure (see Section 2.7).
- We will not share your contact details with third parties for their marketing purposes — ever.
7.3 No sale of personal information
We do not sell personal information. We have never sold personal information. We do not plan to sell personal information.
8. Your rights
You have a number of rights over your personal data. They are presented in GDPR-style language because we have adopted that framework as our internal baseline. We will work in good faith to honour these rights regardless of where you live, subject only to limitations the law itself places on us (for example, our anti-money-laundering retention obligations).
8.1 Right of access
You can request a copy of the personal data we hold about you, in a structured machine-readable format where reasonably possible.
8.2 Right of rectification
You can ask us to correct inaccurate or incomplete data. For some categories (for example, your registered name on a KYC document) we may need updated supporting documents first.
8.3 Right of erasure
You can request deletion of your data. We cannot delete data we are legally required to retain — account, transaction, and KYC records are subject to mandatory retention windows under anti-money-laundering and financial-records law (see Section 11). Within those limits, we will erase what we can.
8.4 Right to restriction of processing
You can ask us to pause certain processing while a dispute about accuracy or lawful basis is being resolved.
8.5 Right to data portability
For data you have provided under a contract or based on consent and that we process by automated means, you can ask us to deliver it in a portable format or transmit it to another provider where technically feasible.
8.6 Right to object
Where we process your data on the basis of legitimate interests, you can object on grounds relating to your particular situation. We will stop unless we can show compelling legitimate grounds that override your rights, or unless we need the data to establish, exercise, or defend a legal claim.
8.7 Right to withdraw consent
Where we rely on consent (today, only relevant in the future-marketing case described in Section 7), you can withdraw it at any time. Withdrawal does not affect processing carried out before withdrawal.
8.8 Right to human review of an automated decision
If you believe an automated decision has affected you adversely (for example, your application was declined or a withdrawal was held), you can request human review. We do not use fully automated decision-making for account closure or other significant decisions — those always involve a human reviewer.
8.9 Right to lodge a complaint
If you believe we have mishandled your data, please contact us first (Section 14) so that we can investigate. If you remain unsatisfied, you may lodge a complaint with the data-protection authority of your country of residence, where local law provides one. Because Bullion FX Markets Ltd is registered in St. Vincent and the Grenadines as an International Business Company and is not currently subject to supervision by a national data-protection authority in that jurisdiction, the avenue available to you is the authority that applies under the laws where you live, rather than one in our own jurisdiction.
8.10 How to exercise your rights
Email hello@bullionfx.io from the email address registered against your account. We may ask you to verify your identity before acting — this protects you against impersonation. We will respond within 30 days of a properly verified request. If we need longer for a complex request, we will tell you why and give an estimated timeline. We do not charge for reasonable requests.
9. Security measures
We take the security of your personal data seriously and have implemented technical and organisational safeguards proportionate to the risk. These include the following.
9.1 Encryption in transit
All connections to our website and trading platform are encrypted using TLS 1.2 or higher. Older protocols are disabled at the server level.
9.2 Encryption at rest
Sensitive data, including KYC documents, is encrypted at rest using AES-256.
9.3 Segregated KYC storage
KYC documents (ID, selfies, proof of address) are stored in a segregated area of broker-controlled infrastructure with restrictive file-system permissions (mode 700 for the directory, mode 600 for individual files). Access is limited to staff with a verified business need.
9.4 Role-based access control
Internal staff access to client data is governed by role-based permissions. Staff have only the access they need for their job.
9.5 Two-factor authentication for staff
All staff with access to client data are required to use two-factor authentication on internal systems.
9.6 Password hashing
Passwords are never stored in clear text. They are hashed using bcrypt (or a successor of equivalent strength). Even our staff cannot recover your password if you forget it; we can only reset it.
9.7 Session management
Authenticated sessions use short-lived tokens. If you leave the dashboard idle, your session expires and you must log in again.
9.8 Rate-limiting and abuse monitoring
We apply rate limits on login attempts, password resets, and other sensitive actions, and monitor server logs for credential-stuffing, brute-force, and scraping patterns.
9.9 Cryptocurrency custody — hot and cold wallet split
For client funds held on cryptocurrency rails, we operate a hot-and-cold wallet split. Day-to-day inflows are received into hot wallets capped at approximately one day of expected receipts. Balances above approximately $500 per receiving address are swept to cold storage, with keys held offline. This architecture limits the value exposed in any single incident.
9.10 Acknowledging the limits of security
No system is perfectly secure. We commit to applying industry-recognised practices and to disclosing material security incidents to affected clients in a reasonable time. You also have a role to play — use a strong unique password, enable two-factor authentication where we offer it, and never share your credentials.
10. Sharing your information
We share personal information only in the specific circumstances set out below. We do not sell personal information, and we do not share personal information for any third party's marketing purposes.
10.1 Service providers
We share data with service providers that help us run the brokerage, on a need-to-know basis and under written confidentiality terms:
- payment-rail providers, including the wallet partner we use for Indian rupee deposits and withdrawals, and the cryptocurrency networks for USDT-TRC20, USDT-ERC20, USDT-BEP20, and BTC settlements;
- the MT5 platform vendor (MetaQuotes), to whom we may share account-related information if we open a platform-support ticket on your behalf;
- identity-verification and sanctions-screening providers, who receive KYC documents and selfie images during onboarding;
- our cloud infrastructure operator, who hosts our application and database servers under enterprise data-processing terms.
10.2 Regulators and law-enforcement
We may share data with regulators that have lawful authority over the Company or over a particular transaction, with financial-intelligence units, with tax authorities (where required), and with law-enforcement agencies acting under lawful authority. As described on the Regulation page, we are not currently supervised by a tier-1 retail-derivatives regulator, but we remain subject to the laws of St. Vincent and the Grenadines and to reporting obligations that may arise under those laws or under the laws of your country of residence. We comply with valid legal process but resist requests we believe to be overbroad or improperly served.
10.3 Legal counsel under privilege
We may share data with our external legal counsel under privilege when we need legal advice or when we are pursuing or defending a legal claim.
10.4 Affiliates and corporate transactions
We may share data with affiliated companies in the Bullion FX group of entities for the purposes described in this Policy. If we are ever involved in a merger, acquisition, restructuring, or asset transfer, the personal data that we hold may be transferred to the relevant party as part of that transaction, subject to confidentiality and continued protection consistent with this Policy.
10.5 What we do not do
We do not share personal data with advertising networks, data brokers, or analytics vendors. We do not share contact information for any third party's marketing purposes. We do not sell personal data.
11. International transfers and where we store your data
Because Bullion FX is an offshore brokerage that serves clients in over 80 countries, the storage and processing of client data is by definition an international activity. By using our services, you understand that your data may be transferred to, and stored on, infrastructure located in jurisdictions other than your country of residence.
11.1 Where we store data
Personal data is stored on broker-controlled infrastructure in secure data centres operated by reputable hosting providers. We do not name our cloud-infrastructure provider in this Policy because doing so creates an additional attack surface, but we operate under enterprise data-processing terms with that provider.
11.2 Safeguards on transfer
Wherever we transfer or store data, we use encryption in transit and at rest as described in Section 9. We require service providers to handle the data under written terms that include confidentiality, security, and limited-purpose use. Legal protections for personal data vary significantly across jurisdictions; we will not transfer data to a jurisdiction where, in our reasonable assessment, the legal protections are clearly inadequate.
12. How long we keep your information
We keep personal data only for as long as we need it for the purposes described in this Policy, or for as long as the law requires us to. The table below summarises the retention windows for each category. Where a regulator's requirement is longer than the window listed, the regulator's requirement controls.
| Data category | Retention window |
|---|---|
| Account data (registration details, profile, login records) | 7 years after account closure |
| Transaction data (deposits, withdrawals, trades, balances, copy-trading allocations, bonus events) | 7 years after account closure |
| KYC documents (ID, selfie, proof of address) | 5 years after the customer relationship ends |
| Support communications (emails, chat transcripts) | 3 years from last contact |
| Server logs (nginx and application logs) | 90 days from creation |
| Marketing consent records (if and when we introduce marketing) | For the duration of consent plus 2 years after withdrawal, as proof of compliance |
The 7-year retention windows for account and transaction data reflect the financial-records minimum that we treat as a working floor across our supported jurisdictions. The 5-year window for KYC reflects our anti-money-laundering record-keeping obligations.
After the retention period for a given category expires, we delete or irreversibly anonymise the data within a reasonable operational period.
13. Profiling and automated decision-making
Two parts of our service involve automated decision-making, and we explain them here so that you can make an informed choice.
13.1 Automated KYC verification
When you submit your identity documents and selfie during onboarding, we use third-party identity-verification services to compare the documents and selfie automatically and to score the result. A high-confidence match passes to the next stage; an unclear result is escalated to a human compliance officer for review. We do not finally reject an applicant on the basis of an automated check alone — a human reviews unclear cases.
13.2 Automated AML and sanctions screening
We screen prospective and existing clients automatically against sanctions lists and politically-exposed-person databases. A positive screen escalates to a human compliance officer for review. We may apply a withdrawal hold or a leverage cap while a review is in progress.
13.3 Your right to human review
If you believe an automated decision has affected you adversely, you can ask for a human review at any time by contacting us at hello@bullionfx.io. This is restated here for clarity from Section 8.8.
14. Contact us about privacy
For any question relating to this Privacy Policy or to your personal data, please contact:
- Email: hello@bullionfx.io
- Postal address: Suite 305, Griffith Corporate Centre, P.O. Box 1510, Beachmont, Kingstown, St. Vincent and the Grenadines
Bullion FX does not currently appoint a formal Data Protection Officer, because we are not legally required to do so in our jurisdiction. Privacy enquiries are handled by the team reachable at the privacy email above. If we appoint a Data Protection Officer in the future, we will update this Section to include their direct contact details.
15. Children's data
Our services are not directed to children or minors. You must be at least 18 years old, or the local age of majority in your country of residence (whichever is higher), to open an account with us. Our KYC checks are designed to confirm that applicants are of legal age.
If we become aware that we have inadvertently collected personal data from a person who is below the eligible age, we will delete that data promptly and refuse the account.
If you are a parent or guardian and you believe that a minor has provided us with personal data, please contact hello@bullionfx.io and we will act on the report.
16. Changes to this Policy
We may update this Privacy Policy from time to time. When we do, we will change the "Last updated" date at the top of the document.
For material changes — changes that meaningfully affect your rights or how we use your data — we will give you reasonable notice. The notice may take the form of a notice on the Bullion FX website, an email to the address registered against your account, or both.
Continued use of our services after a material update means that you have understood the updated Policy. If you do not accept a material change, you may close your account, subject to our retention obligations described in Section 11.
17. Jurisdictional notices
This Privacy Policy is governed by the law of St. Vincent and the Grenadines, without prejudice to mandatory consumer-protection or data-protection rules that may apply to you in your country of residence. Disputes that cannot be resolved by negotiation are subject to the jurisdiction described in the master Client Agreement.
Where the General Data Protection Regulation, the United Kingdom GDPR, or another comparable data-protection law applies to the processing of your personal data, we follow it. Our use of GDPR-style language in this Policy reflects that intent and serves as a high baseline regardless of jurisdiction.
Residents of the United States, Canada, Brazil, India, and other jurisdictions with their own data-protection regimes may have additional statutory rights. We will respect those rights in good faith on request, subject to the retention and legal-obligation limits described in this Policy.
18. Acknowledgement
By opening an account with Bullion FX or otherwise using our services, you confirm that you have read this Privacy Policy and understand how we collect, use, share, retain, and protect your personal data.
If you do not accept the terms of this Policy, please do not open an account and do not continue to use our website or services.