Effective Date: January 10, 2025

Privacy Policy

Your privacy is important to us. This Privacy Policy outlines how we collect, use, and protect your information.

CASTLE TRADING PRIVACY POLICY

1. INTRODUCTION

Tayside Fintech Solutions Ltd, trading as Castle Trading (“Castle Trading,” “we,” “us,” or “our”), a company incorporated in Scotland with company number SC809177 and registered office at 2/8 King James VI Business Centre, Friarton Road, Perth, Perthshire, Scotland, PH2 8DY, is committed to safeguarding the privacy and personal data of our customers (“Traders,” “you,” or “your”). This Privacy Policy explains how we collect, use, store, share, and protect your personal data in connection with our Services, provided through our website at www.castle.trading (the “Website”) and proprietary trading platform (the “Platform”).

Castle Trading offers virtual trading accounts for simulated trading in financial markets using virtual capital only. We process personal data in compliance with the UK Data Protection Act 2018, the General Data Protection Regulation (GDPR) as retained in UK law, and other applicable regulations. This Policy supplements our General Terms & Conditions and AML/KYC Policy, available on the Website.

2. PURPOSE AND SCOPE

This Policy outlines:

The types of personal data we collect and the purposes for which we collect it.

How we use, share, protect, and retain your data.

Your rights regarding your personal data and how to exercise them.

Our approach to cookies and tracking technologies.

This Policy applies to all Traders using our Services, including account registration, trading activities, and optional educational content or tools.

3. DATA CONTROLLER

Castle Trading is the data controller responsible for your personal data. For inquiries or to exercise your data protection rights, contact us at support@castle.trading.

4. PERSONAL DATA WE COLLECT

We collect the following personal data, depending on your interaction with our Services:

4.1 Registration and Account Data:

Full name, date of birth (DOB), email address, physical address, and phone number provided during account creation.

Login credentials for the Client Section and Platform.

4.2 KYC Verification Data (for first payout):

Government-issued ID (e.g., passport, driver’s license, national ID).

Proof of address (e.g., utility bill, bank statement, dated within 3 months).

4.3 Payment Data:

Cardholder or cryptocurrency wallet details (processed via third-party providers: Paytiko, Coinbase, Blockbee), ensuring the name matches the Trader’s verified identity.

Transaction details for account access fees and payouts (80% of simulated profits, biweekly).

4.4 Trading and Platform Activity Data:

Trading activity logs, including simulated trades, account balances, and performance metrics.

Platform interactions, such as login times, session durations, and navigation history.

IP addresses to verify compliance with restricted jurisdiction rules.

4.5 Communication Data:

Emails, support tickets, or other correspondence sent to support@castle.trading.

4.6 Optional Services Data:

Data related to engagement with educational content, tools, or guides, if provided. Specific data collection will be explained when such services are offered.

5. HOW WE USE YOUR PERSONAL DATA

We use your personal data for the following purposes, based on GDPR legal bases:

5.1 To Provide Services (Contractual Necessity, GDPR Art. 6(1)(b)):

Process account registration and manage access to the Client Section and Platform.

Verify identity for KYC/AML compliance before the first payout.

Process payments for account access and distribute payouts.

Monitor trading and platform activity to ensure compliance with our Terms & Conditions and “Rules” page.

5.2 To Ensure Compliance (Legal Obligation, GDPR Art. 6(1)(c)):

Screen Traders against restricted jurisdictions (Burundi, Central African Republic, Cuba, Congo Republic, Crimea, Democratic Republic of Congo, Eritrea, Guinea, Guinea-Bissau, Iraq, Iran, Laos, Liberia, Libya, Myanmar, North Korea, Papua New Guinea, South Sudan, Sudan, Somalia, Syria, Vanuatu, Venezuela, Yemen) and sanctions lists (e.g., UK Sanctions List, OFAC).

Monitor transactions and trading for money laundering, fraud, or cheating-like activities.

Retain records for 5 years, as required by the UK Money Laundering Regulations 2017.

5.3 To Improve Services and Trader Profiling (Legitimate Interests, GDPR Art. 6(1)(f)):

Analyze trading patterns, platform usage, and activity logs to enhance Platform functionality, user experience, and service offerings.

Profile Traders to personalize optional educational content or tools, ensuring relevance to your trading needs.

Our legitimate interest is to improve service quality while respecting your privacy rights.

5.4 Marketing and Promotions (Consent, GDPR Art. 6(1)(a)):

Send promotional emails about new features, offers, or updates, if you opt in during registration or later.

You can opt out at any time via a single-click unsubscribe link in emails or by contacting support@castle.trading.

5.5 To Communicate (Contractual Necessity or Consent, GDPR Art. 6(1)(b) or (a)):

Respond to inquiries, complaints, or support requests via support@castle.trading.

Send service-related notifications (e.g., policy updates, account status, KYC requests).

6. DATA SHARING

We share your personal data only as necessary and with appropriate safeguards:

6.1 Third-Party Service Providers:

Payment Processors: Paytiko (card payments), Coinbase, and Blockbee (cryptocurrency) to process account fees and payouts.

KYC Verification Providers: Third parties (at our discretion) to verify identities and screen against sanctions lists.

Email Marketing and Analytics Tools: Providers like email marketing platforms and Google Analytics to support promotional campaigns and analyze Website/Platform usage (anonymized where possible).

IT and Cloud Services: Providers for secure data storage, hosting, and Platform operations.

All providers are bound by GDPR-compliant data processing agreements, ensuring data protection and confidentiality.

6.2 Legal Obligations:

With UK authorities (e.g., National Crime Agency) for suspicious activity reports under AML laws.

To comply with court orders, regulatory requirements, or legal processes.

6.3 No Third-Party Marketing:

We do not share your data with third parties for their own marketing purposes without your explicit consent.

7. INTERNATIONAL DATA TRANSFERS

7.1 Data transfers outside the UK/EEA are rare but may occur (e.g., to third-party KYC or analytics providers). We ensure compliance with GDPR through industry-standard safeguards:

Standard Contractual Clauses (SCCs): Approved by the UK Information Commissioner’s Office for transfers to countries without adequate data protection.

Adequacy Decisions: For countries recognized by the UK as having equivalent data protection laws (e.g., EU, Canada).

Binding Corporate Rules: For multinational providers, where applicable.

7.2 Traders are informed of potential transfers during registration and consent to them as part of Service use. We minimize such transfers to protect your data.

8. DATA RETENTION

8.1 We retain personal data for a maximum of 5 years from account closure, last transaction, or when it is no longer needed for the purposes outlined in Section 5, whichever is shorter, in compliance with the UK Money Laundering Regulations 2017 and GDPR.

8.2 Specific Retention:

KYC/AML Data: Retained for 5 years to meet legal obligations.

Account, Trading, and Activity Data: Retained for the duration of your account and up to 5 years after closure to support service delivery and resolve disputes.

Marketing Data: Retained until you opt out or withdraw consent.

Communication Data: Retained for 5 years or until no longer needed for support purposes.

8.3 Data is deleted by removing it from our encrypted internal database, ensuring secure erasure. Traders are not routinely notified of deletion unless requested, due to administrative feasibility.

9. DATA SECURITY

We implement industry-standard security measures to protect your personal data:

9.1 Technical Measures:

Encryption: Data is encrypted in transit (e.g., TLS 1.3) and at rest in our internal database using AES-256 standards.

Access Controls: Role-based access with two-factor authentication (2FA) for authorized personnel only.

Firewalls and Intrusion Detection: Network security systems to prevent unauthorized access or cyberattacks.

Regular Backups: Encrypted backups to ensure data recovery in case of system failure.

9.2 Organizational Measures:

Staff Training: Annual GDPR and data protection training for all employees, including executive staff handling MLRO duties.

Security Audits: Quarterly audits and penetration testing by third-party experts to identify and mitigate vulnerabilities.

Incident Response Plan: Documented procedures to detect, report, and resolve data breaches within 72 hours, as required by GDPR.

9.3 Breach Notification:

In the unlikely event of a data breach, we will notify affected Traders and the UK Information Commissioner’s Office (ICO) within 72 hours, providing details and mitigation steps.

10. COOKIES AND TRACKING TECHNOLOGIES

10.1 The Website and Platform do not use tracking cookies or similar technologies for advertising or behavioral tracking.

10.2 We use essential cookies for:

Session management to authenticate access to the Client Section and Platform.

Security purposes, such as detecting unauthorized login attempts.

Platform functionality (e.g., saving login preferences).

10.3 Essential cookies do not require consent under GDPR, as they are necessary for Service delivery. No additional consent banners are used, given the absence of tracking cookies.

10.4 IP addresses are collected for restricted jurisdiction compliance and security, as outlined in Section 4.4, but are not used for tracking or profiling beyond these purposes.

11. YOUR DATA PROTECTION RIGHTS

Under GDPR and the UK Data Protection Act 2018, you have the following rights:

11.1 Access: Request a copy of your personal data (e.g., KYC documents, trading logs).

11.2 Rectification: Correct inaccurate or incomplete data (e.g., updated address).

11.3 Erasure: Request deletion of data, subject to AML/KYC retention obligations (5 years).

11.4 Restriction: Limit data processing in certain circumstances (e.g., during disputes).

11.5 Objection: Object to processing based on legitimate interests (e.g., trader profiling) or marketing.

11.6 Data Portability: Receive your data in a structured, commonly used, machine-readable format (e.g., CSV, JSON). We endeavor to provide data in a suitable format but cannot guarantee specific formats due to technical constraints.

11.7 Withdraw Consent: Stop processing based on consent (e.g., promotional emails) at any time.

11.8 Exercising Rights:

Submit requests to support@castle.trading, specifying the right(s) you wish to exercise.

Requests are handled case-by-case, with identity verification required to prevent unauthorized access.

We will respond within 30 days, free of charge, unless requests are manifestly unfounded or excessive, in which case a reasonable fee or refusal may apply.

If data cannot be provided in a requested format for portability, we will provide an alternative format where feasible.

11.9 Complaints:

If unsatisfied with our response, contact us at support@castle.trading to resolve issues.

You may lodge a complaint with the UK Information Commissioner’s Office (ICO) at www.ico.org.uk or by phone at 0303 123 1113.

12. TRADER OBLIGATIONS

12.1 You must provide accurate and up-to-date personal data during registration, KYC verification (before first payout), and account use.

12.2 Providing false data (e.g., KYC documents) or engaging in cheating-like activities results in immediate account termination, nullification of simulated profits, a ban from purchasing further accounts, and no refund, as per our Terms & Conditions.

12.3 Safeguard your login credentials and report unauthorized access or suspected breaches to support@castle.trading immediately.

13. POLICY UPDATES

13.1 We may update this Policy to reflect legal, regulatory, or operational changes. Updates are effective upon posting on the Website or notification via email to Traders.

13.2 Continued use of the Services constitutes acceptance of the updated Policy.

14. CONTACT

14.1 For questions, data protection requests, or complaints about this Policy, contact us at support@castle.trading.

14.2 We aim to respond within 30 days, in line with GDPR requirements.

15. GOVERNING LAW

15.1 This Policy is governed by the law of Scotland. Any disputes are subject to the exclusive jurisdiction of Scottish courts.