At OneChronos Markets UK Limited and its wholly-owned subsidiary OneChronos Markets NL B.V. (referred to as “OneChronos”, “the Company”, “we”, “our”, “us”), we are committed to safeguarding your personal data. This Privacy Statement outlines how we collect, use, store, and protect your personal information in compliance with the United Kingdom (UK) General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (GDPR), and other relevant data protection laws in the EMEA region, including the Data Protection Act (2018) and the requirements set by the Information Commissioner’s Office (ICO) in the UK and the Autoriteit Persoonsgegevens (AP) in The Netherlands.
As regulated investment firms, each operating a Multilateral Trading Facility (MTFs) under the supervision of the Financial Conduct Authority (FCA) and the Dutch Authority for the Financial Markets (AFM) respectively, we are dedicated to processing your personal data with the utmost responsibility and transparency. If you have any questions or concerns regarding this Privacy Statement or wish to obtain more information about how we protect your personal data, please do not hesitate to contact us.The Company’s Compliance department has the overall responsibility for oversight of data privacy policy, so any questions in relation to the Privacy Statement or other data protection matters should contact: [email protected]
As OneChronos processes personal data of individuals (a “Data Controller”), we are obliged under both the UK GDPR and GDPR to protect such information and ensure that it is collected, used, processed, stored, and disposed of in compliance with applicable data protection laws.
Definitions
| Term | Definition |
|---|---|
| Adequacy decision | A decision by the European Commission or UK Government confirming that a third country provides a level of data protection comparable to GDPR or UK GDPR. |
| Data controller | The entity that determines the purposes and means of processing personal data, as defined by GDPR and UK GDPR. |
| Data subject | Any identified or identifiable individual whose personal data is being processed. |
| EEA | The European Economic Area, which includes all EU Member States and Iceland, Liechtenstein, and Norway. |
| Personal data | Any information relating to an identified or identifiable individual, as defined by the General Data Protection Regulation (GDPR) and UK GDPR. |
| Processing | Any operation or set of operations performed on personal data, including collection, recording, storage, alteration, retrieval, or deletion |
| Standard contractual clauses (SCCs) | Legal agreements approved by the European Commission or UK Government to ensure adequate safeguards for data transfers outside the EEA or UK. |
| Third party | Any individual or entity other than the data subject, the data controller, or the processor authorized to process personal data. |
Who we are
| OneChronos Markets UK Limited |
|---|
| Registered Address: Hallswelle House, 1 Hallswelle Road, London, NW11 0DH, United Kingdom Business Address: Suite 1805, 100 Bishopsgate, London, EC2N 4AG, United Kingdom Company Number: 15456957 FCA Reference Number (FRN): 1022069 Contact Email: [email protected] Contact Phone: +44 (0) 207 078 8689 ICO Registration: ZB779410 |
| OneChronos Markets NL B.V. |
|---|
| Address: Strawinskylaan 357, 1077 XX, Amsterdam, The Netherlands. Chamber of Commerce Registration Number: 93411073 AFM License Number: 144006514 Contact Email: [email protected] Contact Phone: +31 9 7010 258 288 |
For any inquiries related to data protection, you can reach out to our Compliance Department at [email protected]. Our team is available to assist with any questions or concerns you may have regarding the handling of your personal data and our commitment to data protection and privacy.
Who does this privacy notice cover
This Privacy Notice applies to individuals interacting with OneChronos in various capacities, including users of the OneChronos website, customers, prospective customers, subscribers, members, and platform users. It also covers representatives or associates of these entities and any other individuals whose personal data is collected by OneChronos during its business operations (hereinafter, the “Data subject”, “you”, or “your”).
Personal data we collect
Personal data, also referred to as personal information, encompasses any details that can be used to identify an individual, either directly or indirectly. This does not include information where the individual’s identity has been anonymized or otherwise removed. Depending on the services you access, the nature of your interactions with us, or the specific context of our business relationship, we may collect, use, store, and process various categories of personal data. These may include, but are not limited to, the information provided by you directly or automatically through your use of our services.
Categories of Personal Data
- Identity Data: Includes your first name, last name, username or similar identifier, job title, employer details, social media username, photograph, government-issued identification (e.g., passport), career history, and education background.
- Contact Data: Includes postal address, email address, business contact information, and telephone numbers.
- Professional Data: Includes details about your employer, trading activities, industry affiliations, and other information related to your professional role.
- Financial Data: Includes bank account details, credit card numbers, payment history, financial holdings, and records of transactions conducted through our services.
- Technical Data: Includes your internet protocol (IP) address, login data, browser type and version, time zone settings, browser plug-ins, operating system and platform, cookies, and other technology on devices you use to access our website or services.
- Profile Data: Includes your username, password, preferences, interests, and feedback provided to us.
- Usage Data: Includes information about how you use our website, systems, or services, such as activity logs, analytics, trends, and aggregated quantitative data.
- Marketing and Communications Data: Includes your preferences for receiving marketing materials from us and your communication preferences.
- Compliance Data: Includes information collected to meet legal and regulatory obligations, such as Know Your Customer (KYC) or Anti-Money Laundering (AML) requirements, which may involve identification documents, verification records, and transaction monitoring data.
- Sensitive Personal Data: In some cases, we may collect sensitive data, including details about your health, racial or ethnic origin, religious or philosophical beliefs, sex life or sexual orientation, trade union membership, political opinions, genetic or biometric data, or information about criminal convictions or offenses. This data is processed only when necessary to fulfill legal obligations or with your explicit consent, and only when other methods of processing are insufficient.
Sources of Personal Data
We collect personal data directly from you, your employer, or associated representatives through:
- Account creation, form submissions, or other direct interactions.
- Engagement with our services, platforms, or hosted events. Participation in our services or events.
We may also obtain personal data from:
- Third-party sources: Such as regulatory authorities, publicly available databases, industry directories, and social media platforms.
- Public records: Including sanction lists, government publications, and widely distributed media sources.
Aggregated Data
We may collect and process aggregated data, such as statistical or demographic information. While aggregated data may be derived from your personal data, it is not considered personal data under the law if it does not directly or indirectly identify you. For example, we may use aggregated usage data to improve our services. However, if aggregated data is combined with personal data that could identify you, it will be treated as personal data.
How we use your data
We use your personal data only where permitted by applicable data protection laws, including UK GDPR and GDPR. The purposes for processing your personal data are supported by one or more lawful bases, as outlined in the point below.
Legal basis for processing and purpose
Legal basis
Please note that we may process your personal data based on more than one lawful basis, depending on the specific purpose for which it is being used. If you require further clarification about the specific legal basis we are relying on for processing your personal data, especially when multiple grounds are applicable, please feel free to contact us.
Legal basis may include:
- Consent: We may process your personal data where you have provided clear, specific, and unambiguous consent to do so. You have the right to withdraw your consent at any time (please see ‘Your Rights as a Data Subject’ section below).
- Performance of a contract: We may process your personal data when it is necessary to perform a contract to which you are a party or to take steps at your request before entering into such a contract. For example, we may process your data to provide a service, fulfill an order, or manage your account.
- Compliance with a legal obligation: We may process your data when it is necessary for compliance with a legal obligation to which we are subject. This may include meeting regulatory requirements, responding to lawful requests from public authorities, and maintaining records as required by law.
- Legitimate interests: We may process your personal data when it is necessary for the legitimate interests of our business, provided those interests are not overridden by your rights. Interests include conducting and managing our business to provide you with the best possible service and ensuring a secure and efficient experience. We carefully consider and balance the potential impact on you (both positive and negative) and your rights before processing your data under this basis.
Purpose
We may process your personal data for the following purposes:
| Purpose | Legal Basis |
|---|---|
| To register you as a new customer, member, or subscriber. | Performance of a contract with you. |
| To respond to requests for information about our services. | Your consent. |
| To manage our relationship with you, including notifying you about changes to terms, policies, or services, and requesting feedback. | Performance of a contract with you / Necessary to comply with a legal obligation / Necessary for our legitimate interests. |
| To administer and protect our business and systems (e.g., troubleshooting, data analysis, testing, system maintenance). | Necessary for our legitimate interests / Necessary to comply with a legal obligation. |
| To analyze and improve our services, websites, and user experiences (e.g., through data analytics). | Your consent / Legitimate interests. |
| To comply with legal, regulatory, or industry obligations under applicable law, guidelines, and internal policies. | Necessary to comply with a legal obligation. |
| To facilitate transactions initiated by you or your representatives. | Necessary to comply with a legal obligation. |
| To provide you with marketing and communication updates, such as promoting services or events of interest and evaluating promotional campaign effectiveness. | Your consent / Necessary for our legitimate interests. |
| To safeguard our digital platforms and networks (e.g., detect and prevent cyber threats, maintain security). | Necessary for our legitimate interests. |
We will only use your personal data for the purposes for which it was collected, unless we determine that it is necessary to use it for a different purpose that is compatible with the original intent. If you would like an explanation of how the new purpose aligns with the original one, please feel free to contact us. Should we need to use your personal data for an unrelated purpose, we will inform you and provide details of the legal basis permitting such use. Please note that, in certain circumstances, we may process your personal data without your knowledge or consent, where this is required or allowed by law and in compliance with applicable regulations.
How we share your data
We may share your personal data with the following categories of recipients, ensuring compliance with applicable GDPR and UK GDPR standards:
-
Regulatory and supervisory authorities: We may disclose your personal data to regulatory bodies, such as the Financial Conduct Authority (FCA) in the UK and the Autoriteit Financiële Markten (AFM) in the Netherlands, where required by law or to comply with regulatory obligations. This includes reporting obligations, responding to official investigations, or addressing regulatory inquiries.
-
Service providers and third-party processors: We may share your personal data with trusted third-party service providers who perform functions on our behalf under strict confidentiality agreements. These providers include:
-
IT service providers: For system management, data storage, or cybersecurity solutions.
-
Auditors and consultants: To ensure compliance with legal, financial, and operational standards.
-
Cloud service providers: For secure hosting and storage of your data.
These third parties are only permitted to process your personal data for specified purposes in line with our instructions and are required to implement appropriate security measures to protect your data.
-
-
Other parties with your consent or to fulfill contractual obligations: We may share your data with other parties when you have explicitly consented and/or sharing is necessary to fulfill contractual obligations.
-
Legal and enforcement obligations: We may share your data with courts, law enforcement agencies, or other competent authorities when required to comply with legal processes. We ensure that all third parties with whom we share your personal data comply with GDPR and UK GDPR standards and apply appropriate security measures to protect your data. Before engaging any service provider, we conduct due diligence to assess their compliance with data protection laws. We maintain written agreements with all third-party processors to ensure their responsibilities are clearly defined and aligned with GDPR requirements.
Data retention
We retain your personal data only as long as necessary to fulfill the purposes outlined in this Privacy Statement, comply with legal and regulatory obligations, or resolve disputes or enforce agreements. Retention periods may vary based on the type of data and applicable laws. We determine the appropriate retention period for personal data by considering several factors, including the volume, sensitivity, and nature of the data; the potential risk of harm from unauthorized access, use, or disclosure; the purposes for which the data is being processed; and any applicable legal, regulatory, accounting, or tax obligations. Once the retention period has ended, we securely delete, aggregate, or anonymise your personal data in accordance with applicable laws and best practices.
Your rights as a data subject
Under UK GDPR and GDPR, you have the following rights regarding your personal data:
- Right to Access: Request access to your personal data.
- Right to Rectification: Correct inaccuracies in your data.
- Right to Erasure: Request deletion of your data (subject to legal or regulatory restrictions).
- Right to Restriction: Limit the processing of your data under certain conditions.
- Right to Data Portability: Receive your data in a structured, machine-readable format.
- Right to Object: Object to processing based on legitimate interests or for direct marketing.
- Right to Withdraw Consent: Withdraw consent for processing where consent is the legal basis.
To exercise these rights, contact us at [email protected]. If you believe your data has been processed unlawfully, you can file a complaint as follows:
- If you wish to file a complaint regarding your data in the UK, you may contact the ICO at: https://ico.org.uk/
- For complaints regarding your data in the EU, you may contact the AP at: https://autoriteitpersoonsgegevens.nl.
Opting out/choice
We offer the option to opt out of receiving marketing communications at the point of data collection. If you opt in, we may:
- Use your data for internal purposes;
- Share your data with trusted business partners; or
- Contact you for market research.
Please note that opting out of marketing communications does not affect personal data provided for other purposes, such as responding to your requests, using our services, or other interactions. To opt out you can reach us using the contact information provided above.
Data security
We have implemented robust technical and organizational measures to protect your personal data from unauthorized access, loss, alteration, or misuse. Access to your personal data is restricted to employees with a legitimate business need, and any processing of your data is carried out under our explicit instructions. Our employees are also bound by a duty of confidentiality. Security measures include encryption, access controls, and routine security assessments to ensure data integrity. Additionally, we have established procedures to address any suspected data breaches and will notify you and relevant regulatory authorities when required by law. In alignment with our obligations under the Digital Operational Resilience Act (DORA), we maintain robust ICT risk management and incident response measures to ensure the protection of personal data processed through our systems and platforms.
International data transfers
We may transfer your personal data outside the EEA and the UK to countries where data protection laws may not provide the same level of protection. To ensure your data remains secure, we implement appropriate safeguards as required by applicable laws, such as EU-approved Standard Contractual Clauses (SCCs), UK-specific SCCs, or rely on adequacy decisions made by the European Commission or the UK Government, meaning that when transferring data internationally, we comply with Articles 44 to 50 of the GDPR and UK GDPR. If you would like more information about the safeguards we apply or have questions about our data transfer practices, please contact us using the details provided in this privacy notice.
Automated decision-making
We do not engage in automated decision-making or profiling that produces significant legal effects or similarly impactful consequences for individuals, as defined under Articles 22 of the GDPR and UK GDPR. This means that we do not rely solely on automated processes to make decisions about you that could significantly affect your legal rights, freedoms, or opportunities.
Changes to this privacy statement
This Privacy Statement is effective from the date stated above and may be updated, amended, or modified periodically to reflect changes in applicable laws, regulations, or our business operations. Any updates will be posted on our website, and we encourage you to review this Privacy Statement regularly to stay informed about how we protect your personal data. For further questions or concerns regarding this Privacy Statement or our data processing practices, please contact us at [email protected] This Privacy Statement demonstrates our commitment to complying with the UK GDPR, GDPR, and the guidelines provided by relevant authorities, such as the UK ICO and the Dutch AP.