At Charlgate Ltd, operating under the brand name Dealing ( hereinafter “Dealing”), we are committed to maintaining the highest standards of integrity. In the course of our business, it is necessary to collect Personal Information about our potential clients. We take this activity seriously and seek to provide fair, secure, and appropriate methods for the handling of Personal Information. All such activities are intended to be consistent with both generally accepted privacy ethics and standard business practices. Your Personal Information may be shared with a limited number of trusted partners and/or affiliates of Dealing
where such use is restricted to the management of your account and will not breach any elements of the EU General Data Protection Regulation (“GDPR”) which is applicable as of 25 May 2018.

This Privacy Policy provides an overview of how Dealing processes your personal data and sets out the information that Dealing must provide to you for the purpose of the GDPR.

By accessing our Company’s website including using any of the communication channels to contact us, we consider that you have read, understood, and accepted the terms of this Privacy Policy and how we
process any information you disclose to us. Moreover, you agree that this Policy, including any amendments will govern how we collect, store, use, share and in any other form process your personal data and your rights during our relationship and after its termination.

The information contained herein supersedes any information in relation to the processing of personal data that is included in any of the existing Agreements/Client Agreement and associated forms on matters that are covered by this Privacy Policy. Dealing may revise or update this policy from time to time. The new version of this Policy will be available on Dealing’s website.

As per the relevant sections of the Law 2016/679, if you are a natural person, Dealing is the personal data processor and controller of your personal data in relation to the processing activities which your personal data undergo as stated further below.

For the purposes of this statement:

• Personal Data shall mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure
  by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
• Controller shall mean the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
• Processor shall mean a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Dealing shall process your personal data as a Data Processor when you specifically opt-in and provide us with your consent, during your application to open an account with us. Dealing has a lawful base for processing your data, and it is for the following reason; ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into the contract.’

As part of Dealing’s client account opening procedures and ongoing obligations, needs to abide with the legislative framework currently in place with the Cyprus Securities and Exchange Commission (‘CySEC’).
Specifically, Dealing shall comply with its legal obligations under the AML Law (Law 13(I)/2018), as amended, and the AML Directive (Directive 157/2019) as amended, for the establishment on the Client’s economic profile and prevention of money-laundering as well as abide with the relevant record keeping obligations under the European Commission Delegated Regulation (EU) 2017/565 (‘Delegated Regulation’) and Law 87(I)/2017 for establishing the suitability and appropriateness of each Client based on the services offered by each CIF and recordings of telephone conversations, client transactions, FATCA and CRS.

Dealing based on the above-mentioned, is obliged to request, collect and maintain for at least five (5) years the following:

• Name and Surname
• Date of Birth
• Place of Birth
• Nationality
• Copy of the Passport and/or of the Identity Card (or other proof of identification)
• Proof of residential address (including the full address of the client)
• Tax Identification Number (depending on your residence)
• Tax Residence
• Telephone number
• Email
• Employer’s name
• Profession
• Industry of Employment
• Gross Annual Income
• Net Worth
• Anticipated Turnover
• Payment Details (depending on your deposit and withdrawal method)
• Bank Reference
• Information about your economic profile (size of wealth, source of wealth, income source),
• IP address

Details about Bank account, e-wallets and credit card Dealing may collect the said information directly from you (during the account opening procedure) and/or from other persons including for example, credit reference agencies, fraud prevention agencies, banks, other financial institutions, third authentication service providers and the providers of public registers.

Dealing may also collect Your Information in regard to your use of our website(s), such as pages visited, frequency, duration of visit and trading activities. Dealing also keeps records of your trading behaviour, including a record of:

• Products you trade and their performance
• Historical data about the trades and investments you have made including the amount invested
• Historical data about your payment activities and your withdrawal activities.

Further to the above, Dealing may also request further information to improve its Service to you (Existing or Potential Clients) or our activities (if you are our Provider for Trading Data) under our relevant Agreement, as the case may be, or comply with Applicable Regulations.

The client's right of access personal data relating to them may be partially or completely waived to, in accordance with the provisions of the Personal Data Processing (Protection of Person) Act:

• to enable the Company or competent national authority to fulfill its tasks properly for the purposes of the AML/CFT Law; or
• not to impede the conduct of official or legal investigations, analyses or procedures for the purposes of the AML/CFT Law and to ensure that the prevention, investigation and detection of ML and TF is not jeopardized.

Therefore, by accepting this policy you acknowledge you have been informed of the legal obligations of the Company under the AML/CFT Law to process data for the purposes of the prevention of ML and TF.

Dealing records any communications, electronic, by telephone, in person or otherwise, that we have with you in relation to the services that were provided by Dealing to you and the relationship with you. The said recordings will be Dealing’s sole property and will constitute evidence of the communications
between Dealing and you.

Where stated we may use the personal information you provide to contact you in the future about our products and services. We only hold data which is necessary to offer the services provided on our website. Automated-Decision Making/ Profiling: in cases that fall in the scope of automated decision-making and/ or profiling, you are entitled to challenge the results you have received by the automated system, express your point of view by sending us an email at [email protected] and request us to check manually the results based on the answers you initially provided via the automated system

This website contains links to other websites. Please note that Dealing cannot be held responsible for the privacy policies of other websites. We encourage all visitors to be aware and read the privacy statements of every website that collects personally identifiable information.

Dealing can confirm that it has a strict policy of not sharing your Personal Identifiable Information with an unauthorized third party under any circumstances.

You may inform Dealing at any time that Your Information has changed or that you wish Dealing to delete information we hold about you by emailing us at [email protected]. We will change or delete Your Information in accordance to your instructions, except to the extent that we are required to hold
your information for regulatory or legal purposes, to provide you with the Services you have requested or to maintain adequate business records.

We will keep Personal Information only as long as it is necessary and required to do so subject to CySEC regulation, including for the purposes of updating the product or services or as required by law. The retention period of your personal identifiable information is for a minimum of 5 years. You have a right to request to erase your information; however, this is subject to the 5-year retention period mentioned above.

When the Personal Information is no longer required, it will be destroyed either by shredding or other approved destruction methods to prevent unauthorized parties from gaining access to the information during and after the process.

The GDPR provides the following rights for individuals:

1. Right of access.You have the right to request a copy of your personal data which the Company holds about you. The Company will provide a copy of your personal data that is undergoing processing. For any further copies requested by you, the Company may charge a reasonable fee based on administrative costs. You can send an email to asking for a copy of your personal data that is undergoing processing.
2. Right to rectification. You have the right to request from the Company to rectify any inaccurate personal data concerning you.
3. Right to erasure. You have the right, under certain circumstances as these are defined in the Regulation, to obtain from the Company the erasure of your personal data.
4. Right to restriction of processing. Where there is a dispute in relation to the accuracy or processing of your personal data, you have the right to request a restriction on further processing, in accordance with the Regulation.
5. Right to data portability. Where the processing is based on consent or on a contract and the processing is carried out by automated means, you have the right to receive the personal data and have the right to transmit those data to another controller.
6. Right to object. Where applicable under the Regulation, you have the right to object to the processing of your personal data.
7. Right to withdraw your consent. Where the processing is based on your consent, you have the right to withdraw your consent at any time. To withdraw your consent, send an email to [email protected] asking to withdraw your consent.
8. Right to lodge a complaint with a competent authority. In such case, the company asks the data
   subject in the first instance to contact the Company at the email [email protected] .
9. Rights in relation to automated decision making and profiling. .In cases the Company will use automated processing (e.g. through automatic profiling / appropriateness test), for a decision concerning you or significantly affects you, you can request not to be subject to such a decision unless the Company can demonstrate to you that such decision is necessary for entering into, or the performance of, a contract between you and the Company. Even if a decision is necessary for entering into or performing a contract, you may contest the decision and require human intervention. We may not be able to offer our services or products with you, if we agree to such request (i.e., end our relationship with you).

For further details on each of your rights, please visit the website of the Office of the Commissioner for Data Protection at http://www.dataprotection.gov.cy.

Dealing has taken all the appropriate organisational measures to ensure that your personal data are secured. Moreover, Dealing has established an Internal Educational Training for its employees so as to mitigate any risks that may affect your data. The employees that are processing your data are being trained to respect the confidentiality of customer information and the privacy of individuals. We consider breaches of your privacy as top priority and Dealing will enhance its internal procedures to prevent any such event.

Dealing has implemented procedures in respect to safeguarding your data. Access to your information have only employees and/or Partners that need to have access to the information in order to enable the continuity of the agreement between you and Dealing.

Furthermore, we hold personal information in a combination of secure computer storage, secure servers and from time to time and if it is deemed necessary, we will store them in paper-based files. Dealing has taken all the necessary steps to protect the personal information that it holds from misuse, loss, unauthorised access, modification or disclosure.

While we will use all reasonable efforts to safeguard Your Information, you acknowledge that the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal data transferred from you, or to you via the internet.

Dealing shall keep your personal data for as long as Dealing has business relationship with you (physical person). Once the business relationship has been ended, we may keep your data for up to five (5) years in accordance with the Laws governing Dealing.

Dealing may keep your personal data for longer than five (5) years for legal, regulatory and/or any other obligatory reason. Retention periods will be determined taking into account the type of information that is collected and the purpose for which it is collected, bearing in mind the requirements applicable to the situation and the need to destroy outdated, unused information at the earliest reasonable time.

We do not rent or sell your information to third parties outside Dealing without your consent and we never will, except as noted in this Policy. We also impose strict restrictions on how our processors can use and disclose the data we provide. Here are the types of third parties we share information with:

Service providers and other partners: We transfer information to service providers (processors), and other partners who globally support our business, such as providing technical infrastructure services, trading platforms, client identity verification, including PEPs and sanctions, services related to our website management.

We may need to transfer personal data to recipients outside the European Union; these activities can include dealings with foreign public entities (only when necessary and under request), the outsourcing of services to external providers located outside the EU and/or processing the data outside the EU (e.g. cloud computing, client identity verification and individuals from outside the EEA accessing to our web- services), or when arranging staff work trips to non-EU countries (see paragraph Transfer of your information out of the EEA).

Measurement and Analytics Services: Partners who use our analytics services like Google Analytics (Non- Personally Identifiable Information Only). We do not share information that personally identifies you (personally identifiable information is information like name or email address that can by itself be used to contact you or identifies who you are) with advertising, measurement or analytics partners.

Dealing does extensive due diligence before choosing processors assuring that they provide sufficient guarantees, in particular in terms of expert knowledge, data governance, data security, cyber resilience, reliability and resources to implement technical and organizational measures which will meet the requirements of this General Personal Data Regulation, including for the security of processing.

Our processors provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of General Personal Data Regulation and ensure the protection of the rights of the data subject.

The adherence of the processor to an approved code of conduct, besides the SLA Agreement/Contract, or an approved certification mechanism is used as an element to demonstrate compliance with the obligations of the controller.

The carrying-out of processing by our processor it is governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject.

Dealing and its processor may choose to use an individual contract or standard contractual clauses which are adopted either directly by the Commission or by a supervisory authority in accordance with the consistency mechanism and then adopted by the Commission.

After the completion of the processing on behalf of the controller, the processor/-s should, at the choice of the controller, return or delete the personal data, unless there is a requirement to store the personal data under Union or Member State law to which the processor is subject.

This data sharing with our processor enables us to proceed, for instance with our regulated activities and duties as KYC in order to meet our regulatory obligations. Some of those third party recipients (processors) may be based outside the European Economic Area; if the third party recipient is located
outside the EU/EEA in a country not ensuring an adequate level of data protection, the transfer can only be completed if a transfer agreement has been entered into between Dealing and the third party. The transfer agreement shall be based on the EU Standard Contractual Clauses.

Information collected within the European Economic Area (“EEA”) may, for example, be transferred to countries outside of the EEA for the purposes described in this policy. We and our processors utilise standard contract clauses approved by the European Commission, we assure they are GDPR compliant,
and we adopt other means under European Union law and obtain your consent to legitimise data transfers from the EEA to and other countries.

Dealing complies with all the general data protection principles and the Act as a whole, not just the eighth principle relating to international data transfers. International transfers may take place when there is an adequate level of protection to the fundamental right of individuals (data subjects) to data protection. Adequacy assessments may be carried out by Dealing when transferring data outside the EEA to conduct its regulated activities and services.

Adequate safeguards may be put in place in a number of ways including using Standard Contractual Clauses, Binding Corporate Rules, Binding Corporate Rules for Processors (BCRs) if applicable or other contractual arrangements; derogations are also permitted under limited additional circumstances under
GDPR. Where “adequate safeguards” are established, the rights of data subjects continue to be protected even after their data has been transferred outside the EEA for processing. If a third party recipient is located outside the EU/EEA in a country not ensuring an adequate level of data protection, the transfer can only be completed if a transfer agreement has been entered into between Dealing and the third party. The transfer agreement shall be based on the EU Standard Contractual Clauses.

The Company records, monitors and processes any telephone conversations and/or electronic communications between the Company and you such as through phone, fax, email, social media, electronic messages, either initiated from the Company’s side or your side. All such communications are recorded and/or monitored and/or processed by the Company, including any telephone conversations and/or electronic communications that result or may result in transactions or your order services even if those conversations or communications do not result in the conclusion of such transactions. The content of relevant in person conversations and/or communications with you may be recorded by minutes or notes. Any such records shall be provided to you upon request at the same language as the one used to provide investment services to the data subject.

We use cookies and similar technologies to provide and support our Services. When you use our website we will use cookies to distinguish you from other users of our website.

For more information about cookies and how we use them, please read our Cookies Policy on our website at www.Dealing.com.

If you have any questions regarding this policy, wish to access or change your information or have a complaint, or if you have any questions about security on our Website, you may email us at [email protected].
Furthermore, in case you are not happy with the quality of Services we have provided you with in regard to the personal data processing, you as a natural person have the right to lodge a complaint with our supervisory authority which is the Commissioner for Personal Data Protection in the Republic of Cyprus.

Data Protection Officer

Dealing has appointed a Data Protection Officer (“DPO”) who is responsible for matters relating to privacy and data protection. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the details set out below.

Company's DPO can be reached at: +357 25 251 100

Email address: [email protected]
Postal Address: 319, 28th October Street, Kanika Business Center, Office 201B, 3105 Limassol, Cyprus We will process and reply to your request in 30 days.

You have the right to make a complaint at any time to Cyprus Data Protection Commissioner. We would, however, appreciate the chance to deal with your concerns before you approach the Commissioner so please contact us in the first instance at [email protected]

If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law you have the right to submit a complaint with our supervisory authority, the Office of the Commissioner for Personal Data Protection (the “Commissioner”). You can find details about how to do this on the Commissioner’s website at http://www.dataprotection.gov.cy.

Breach of security leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. The Company is responsible for ensuring immediate action in the event of a security incident or personal data breach. The Company has in place procedures to deal with any suspected personal data breach and will notify you and the relevant competent regulator (http://www.dataprotection.gov.cy) of a breach where the Company is legally required to do so. If you require further information on how the Company deals with a Data Breach, please contact us at [email protected]

This Policy is subject to change without notice. For this reason, you are advised to look for updates from time to time.