1.2. This policy sets out the manner in which we collect, use, disclose and process your personal data when you: access or use our websites, applications (including mobile and web-based applications) and services, or provide us with your personal data. In this policy, “we”, “us” or “our” refers to GCOX.
2. COLLECTING PERSONAL DATA
2.1. How we collect your personal data.
We collect personal data that is relevant to our business relationship with you. We may collect your personal data directly or indirectly through various channels, such as when:
• you use our services or enter into transactions with us (or express interest in doing so);
• you visit our websites, download or use our mobile applications, or register an account with us or our websites or applications;
• you participate in events and programmes organised by us;
• when you apply to be a member of any of our programmes, respond to our promotions, or subscribe to our mailing lists;
• you contact us or request that we contact you through various communication channels, e.g. through social media platforms, messenger platforms and e-mails; or
• you submit your personal data to us for any other reason.
2.2. Personal data provided by others.
Depending on your relationship with us, we may also collect your personal data from third party sources, such as:
• from our business partners who provide services (such as due diligence and legal compliance) to us;
• from your family members or friends who provide your personal data to us on your behalf; or
• from public agencies or other public sources.
2.3. Automated Data Collection Technologies.
Our websites and applications may contain or involve certain technologies that collect data (including personal data) in the manner described below. Please do not use our websites and applications if you do not wish to have your data collected through such means. Alternatively, you may also disable the operation of these technologies on your devices where it is possible to do so.
• Web Beacons and Tracking Links. We may make use of web beacons, tracking links and/or similar technologies. In conjunction with cookies, these are primarily used for statistical analysis purposes, including to track traffic patterns on our websites and applications, as well as finding out if an e-mail has been received and opened and to see if there has been any response.
• Web Analytics. We may collect and assess the behaviour of users of our websites and applications. This includes the analysis of traffic patterns in order, e.g. to determine the frequency of visits to certain parts of a website or mobile application, or to find out what information and services our visitors are most interested in.
2.4. What personal data we collect from you. The personal data we may collect from you depends on the purposes for which we will be using the personal data and what you have chosen to provide, and may include your name, address, identification numbers, contact information (such as email address, and telephone number); date of birth; images; IP addresses; and other transactional or financial information.
2.5. Providing personal data belonging to others. In certain circumstances, you may also provide us with personal data of persons other than yourself (such as your family members). If you do so, you are responsible for informing him/her of the specific purposes for which we are collecting his/her personal data and to ensure that he/she has provided valid consent for your provision of his/her personal data to us.
2.6. Accuracy and completeness of personal data. You are responsible for ensuring that all personal data that you provide is true, accurate and complete, and to inform us of any changes to your personal data.
2.7. Voluntary provision of personal data. Your provision of personal data to us is voluntary and you have the right to withdraw your consent for us to use your personal data at any time by contacting us. However, if you do so, it may not be possible for us to fulfil the purposes for which we require the personal data, including providing products or services which you require from us.
2.8. Minors. If you are a child, minor or not of legal age, you are not permitted to use our applications and/or services. Please do not provide any personal data to us. If you are a parent or guardian of a minor and you have reason to believe your child or ward has provided us with their personal data, please contact us to request for erasure of their personal data.
3. WHAT WE DO WITH PERSONAL DATA
3.1. We are committed to respecting your privacy and personal data. We collect, use, disclose and process your personal data where:
• you have given us consent;
• necessary to comply with our legal or regulatory obligations, e.g. anti-money laundering and “know your customer” checks or disclosure to law enforcement;
• necessary to support our legitimate business interests, provided that this does not override your interests or rights; and/or
• necessary to perform a contract or transaction you have entered into with us, or provide a service that you have requested or require from us.
3.2. Purposes. We collect, use, disclose and process your personal data for purposes connected or relevant to our business, or to manage your relationship with us, such as:
• facilitating your use of our applications and services;
• authenticating, operating and maintaining your user accounts;
• assisting you with your enquiries and feedback;
• administrative purposes, e.g. accounting, risk management and record keeping, business research, data, planning and statistical analysis, and staff training;
• security purposes, e.g. protecting our website and applications from unauthorised access or usage and to monitor for security threats;
• using data analytics and related technologies on data, to enable us to deliver relevant content and information to you, and to improve our websites, applications, services and offerings;
• managing and engaging third parties or data processors that provide services to us, e.g. IT services, data analytics, messaging marketing, and other professional services.
• supporting our legitimate business interests (listed below); and
• other reasonable purposes related to the above.
3.3. Marketing purposes. If you have provided us with your consent, we may use your personal data for the purposes of marketing our products, events and services and those of our strategic partners and business associates, e.g. informing you of activities and promotions through EDMs, or notifications through our applications. In order for us to market products, events and services which are of specific interest and relevance to you, we may analyse and rely on your personal data provided to us, or data collected from your interactions with us.
3.4. Legitimate business interests. Our legitimate business interests include:
• managing our business and relationship with our customers and/or users;
• providing services to our customers and/or users;
• understanding and responding to inquiries and feedback from our customers and/or users;
• understanding how our customers and/or users use our websites, applications and services;
• identifying what our customers and/or users want and improving our websites, applications, services and offerings;
• enforcing obligations owed to us; and
• sharing data in connection with acquisitions and transfers of our business.
3.5. Use permitted under applicable laws. We may also collect, use, disclose and process your personal data for other purposes, without your knowledge or consent, where this is required or permitted by law.
3.6. Contacting you. When using your personal data to contact you for the above purposes, we may contact you via pop-up notifications on our applications, e-mail (including EDMs), SMS, telephone or any other means. We will not contact you for marketing purposes unless with your consent, or we are exempted by applicable law from having to obtain consent. If you do not wish to receive any communication or information from us, or wish to restrict the manner by which we may contact or send you information, you may contact us.
4. DISCLOSURE OF PERSONAL DATA
4.1. We will not sell, rent or trade your personal data to third parties.
4.2. Disclosure to related parties. We may disclose or share your personal data with our related organisations or business partners in connection with the purposes described in Part 3 above.
4.3. Other disclosure. We may also disclose or share your personal data in connection with the purposes described in Part 3 above, including without limitation to the following parties:
• third parties who provide services to us, e.g. IT services, data analytics, messaging marketing, and other professional services;
• third parties that we conduct joint marketing and cross promotions with; and
• regulatory authorities, governments or public agencies.
When disclosing personal data to third parties, we will (where appropriate and permissible) enter into contracts with these third parties to protect your personal data in a manner that is consistent with all applicable laws and/or ensure that they only process your personal data in accordance with our instructions.
5. CROSS-JURISDICTIONAL TRANSFERS
5.1. Transfers. We may transfer your personal data to different jurisdictions in connection with the purposes described in Part 3 above:
• amongst ourselves, from the jurisdiction where it is collected to any other jurisdictions that we operate in; and
• to third parties in other jurisdictions.
5.2. Safeguards. Where we transfer your personal data across jurisdictions, we will require recipients of the personal data to protect the personal data in accordance with this policy and applicable laws. For example, we may enter into contracts (or impose binding rules) with recipients to protect your personal data in a manner that is consistent with applicable laws. You may obtain details of these safeguards by contacting us.
6. PROTECTION OF PERSONAL DATA
6.1. Unauthorised access. While we take reasonable precautions to safeguard your personal data in our possession or under our control, we cannot be held responsible for unauthorised or unintended access that is beyond our control, such as hacking or cybercrimes.
6.2. Vulnerabilities. We do not guarantee that our websites and applications are invulnerable to security breaches, nor do we make any warranty, guarantee, or representation that your use of our websites and applications is safe and protected from viruses, worms, Trojan horses, and other vulnerabilities. We also do not guarantee the security of data that you choose to send us electronically. Sending such data is entirely at your own risk.
6.3. Period of retention. We keep your personal data only for so long as we need the personal data to fulfil the purposes we collected it for, and to satisfy our business and/or legal purposes, including audit, accounting or reporting requirements. How long we keep your personal data depends on the nature of the data, e.g. we keep personal data for at least the duration of the limitation period for bringing claims if the personal data may be required to commence or defend legal proceedings. Some information may also be retained for longer, e.g. where we are required to do so by law. Typically, our data retention periods range from 7 to 15 years.
6.4. Anonymised data. In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we are entitled to retain and use such data without restriction.
7.1. Depending on the jurisdiction you are in or where we operate, you may enjoy certain rights at law in relation to our collection, use, disclosure and processing of your personal data. Such rights include:
• Access: you may ask us if we hold your personal data and, if we are, you can request access to your personal data. This enables you to receive a copy of and information on the personal data we hold about you.
• Correction: you may request that any incomplete or inaccurate personal data we hold about you is corrected.
• Erasure: you may ask us to delete or remove personal data that we hold about you in certain circumstances.
• Restriction: you may withdraw consent for our use of your personal data, or ask us to suspend the processing of certain personal data about you, for example if you want us to establish its accuracy.
• Portability: you may request the transfer of certain of your personal data to another party under certain conditions.
• Objection: where we are processing your personal data based on a legitimate interest (or those of a third party) you may object to processing on this ground.
If you wish to exercise your rights, you may contact us to do so. We may require that you submit certain forms or provide certain information to process your request. Where permitted by law, we may also charge you a fee to process your request.
7.2. Limitations. We may be permitted under applicable laws to refuse a request, for example, we may refuse (a) a request for erasure where the personal data is required for in connection with claims; or (b) an objection request and continue processing your personal data based on compelling legitimate grounds for the processing.
7.3. Complaints. If you are of the opinion that we have not complied with this Policy or we have infringed applicable data protection laws, we encourage you to contact us so that we can resolve your concerns. If you wish to make a formal complaint, you may also do so with any data protection regulator or authority having jurisdiction over us.
If you wish to contact us in relation to this policy or your personal data, our Data Protection Officer is available at dpo@GCOX.com.