Last update: 1st January, 2019
XCAP Global Consulting is a trading style of XGC Limited. XGC Limited is registered with the Information Commissioner's Office. The protection of your personal information is important to us and we will treat your personal information as private and confidential. However, in the circumstances we describe below we may use your personal information and share it with third parties.
- the personal information we collect and how we collect it in section 1;
- how we use your personal information in section 2;
- when and why we share your personal information in section 3;
- lawful basis for processing data in section 4;
- your rights in section 5;
- subject access requests in section 6;
- what you can do to protect your personal information in section 7;
- how we protect the personal information we hold in section 8;
- what you should be aware of when you click through to other websites from our website in section 9;
- data breaches in section 10;
- Data Protection Impact Assessment in section 11; and
- Data Protection Officer in section 12.
We may need to update this Policy from time to time. An up-to-date version of this Policy will always be available on our website and if we make any material changes which we think you should be made aware of we will notify you by prominently posting a notice on our website www.xcapglobal.com which you will see when you next log on together with the updated version of this Policy and/or by email to the email address you register with us and to which your consent will be deemed to be given by your continued use of our website.
For information about cookies and how we use these please see our policy on cookies below.
1. The personal information we collect and how we collect it
We collect certain personal information about you during the registration process and on an on-going basis once you start using the XCAP Global website.
The types of personal information we collect during the registration process
This may include basic personal information such as:
- your name;
- your email address;
- your postal address and telephone number;
- net investible assets and sources of income.
for the purposes of client onboarding, marketing and relationship management.
As well as personal information:
- that we reasonably require to carry out checks for know your client, anti-money laundering and anti-fraud purposes; and to check your creditworthiness;
- that we reasonably consider is helpful to assess your suitability and eligibility to invest in our products; and
- you may wish to share with us, for example information about your investment objectives.
for the purposes of compliance, finance and IT.
We may obtain personal information about you from third parties such as credit reference agencies, fraud prevention agencies and identification verification agencies as part of the checks we carry out as described above.
The types of personal information we collect once you start using our website
This includes information about:
- your communications with us, including emails, phone calls and web chats;
- any permissions, consents or preferences that you give us, including communications that you would like to receive from us and how you would like us to contact you;
- your computer and your visits to, and use of our website or third party websites such as your IP address, geographical location, browser type, referral source, length of visit, and page views through the use of log files;
- your transactions and other use of our services; and
- you, specifically your name and email address if you contact us through our website with questions about our company or lending operations and are not already a registered user. We collect this information for the sole purpose of responding to such enquiries and do not store this information for later use unless you instruct us to or give us consent to do so.
How do we collect your information?
We may collect personal information:
- Via our website;
- Via livechat;
- Via the internet;
- Via face to face meetings with XCAP;
- By email and letters; and
- By phone.
We may also collect personal information from third parties we work with:
- Our ‘KYC’ service provider;
- Credit reference agencies;
- Financial advisers; and
- Companies that introduce you to us.
If you refer someone to our website directly from our website or via a partner’s website, we will store and track information about your referral and the person you refer to us only long enough to determine the effectiveness of our marketing activities and for the purposes of those activities. You should only refer someone to us if you have their consent to do so. We will not add the people you have referred to us to any mailing list or contact them independently of the referral process unless you made the referral as part of a bonus referral programme in which case we will store the information about the person you refer to us so that we can credit your account for the referral.
2. How we use your personal information
We collect, use and store your personal information for the following purposes:
- to register you and create an account for you so that you can start investing;
- to verify your identity, for fraud prevention and creditworthiness assessments and to implement automatic payments and fund transfers;
- to contact you if there is any problem with completing a transaction you requested or your account;
- to notify you about changes to or developments to the features and operation of the services or to our terms of service or this Policy;
- to respond to your queries and any complaints you may have;
- to update and improve the accuracy of the personal information we hold on you;
- to effectively manage our relationship with you and better understand your needs as an investor;
- to evaluate the effectiveness of marketing, and for market research and training;
- for customer modelling, statistics and trends analysis for the purposes of developing and improving the services we provide to you;
- to test new systems and check updates to existing systems;
- to remain in regular contact with you as may be necessary to execute transactions you request;
- to improve usability of our website and to evaluate the success of particular marketing/advertising campaigns, search engine optimisation strategies and other marketing activities;
- to help us ensure that our website has all of the appropriate features and functionality for the services we offer you and to improve the user experience;
- to send you service related notifications from time to time. You will receive notifications confirming your registration, the successful verification of contact details and bank accounts, and confirming successful submissions of orders. You will also receive progress updates on the status of orders you have submitted. These are transactional notifications that you cannot opt out of receiving, as they are in place to protect the security of your account and your personal information. We may also send you responses to any correspondence, if appropriate or applicable;
- as otherwise described in this Policy.
We will not retain your personal information for longer than is necessary for the above purposes. We may however retain your personal information for legal or regulatory requirements but for no longer than is necessary. For example, this will typically be for three years after you have closed your account with us or otherwise in accordance with other regulatory requirements where applicable.
3. When and why we share your personal information
We may share your information:
- with third parties to help us provide you with services and meet other obligations to you and perform related activities, for example, credit reference agencies, fraud prevention agencies, electronic verification service providers, collection agencies, electronic payment service providers, customer support call centres, external accounting and auditing firms and government regulators;
- with law enforcement, regulatory bodies or other competent authorities (such as the UK Financial Conduct Authority) as required by law or for the purposes of limiting fraud;
- when we believe that disclosure is reasonably necessary to protect our rights and/or to comply with a judicial proceeding, court order, or legal process;
- to prevent terrorism and other criminal activity; and
- for other purposes provided for under this Policy or for which you give your express consent.
Where we share your personal information with a third party so that it can process your personal information on our behalf, we will require the third party to do so in accordance with our instructions and this Policy. Where we share your personal information for other purposes, we will ask the person with whom we share your personal information to process it in accordance with 2018 GDPR data protection standards.
When we share your personal information with third parties, we may need to transfer it to countries outside of the European Economic Area (the “EEA”) (such as the USA or the British Virgin Islands) for our own purposes (including for storage) and to third parties located in such countries who provide services to us. All countries in the EEA, including the UK, have similar standards around the protection of your personal information; however, countries outside of the EEA do not necessarily have similar data protection laws. We cannot guarantee that where we transfer your personal information to a country outside the EEA, it will be protected to the same standard as it would be in the UK or the EEA, but we will ask any third party with whom we share your personal information to protect your personal information in line with GDPR standards.
XGC Limited has Data Protection Agreements in place with our service providers, all of whom provide the firm with data processing services. Where your data is being processed outside the EEA we would expect the EU-US Privacy Shield Framework mechanism to be complied with.
In the event we become aware that we are holding inaccurate personal data on clients, and have shared this data with other firms, we will inform the other parties about the inaccuracy so that they can correct their own records.
If someone is thinking of buying us or our business in whole or in part, we may disclose information about you in an anonymised form to them for that purpose. If we go on to sell our business in whole or in part, the new owner may use, share and hold your personal information as described in this Policy. We will notify you of any change in our ownership by posting a notice on our website and/or by email to the email address you register with us.
4. Lawful basis for processing data
We have a duty to inform you of the lawful basis upon which we will process your personal data. Under Article 6 of GDPR, we will process your data on the basis of consent (in the event it is given by yourselves), contractual requirement (for services provided to you) and legal obligation (FCA regulatory requirements). Where consent is the lawful basis, it must be given by yourself in a free, specific, informed and unambiguous manner, with a positive opt-in. It must be verifiable. We will not infer consent from your silence or inactivity. Where consent is given, it may be withdrawn by yourself at any time.
|Client Categorisation|Legal Obligation|
|Know Your Client|Legal Obligation|
|Anti Money Laundering|Legal Obligation|
We won’t keep your data for longer than required to fulfil our contractual obligations or for regulatory purposes. Typically, your data will be retained for three years post account closure/end of agreement or for specific periods in accordance with regulatory requirements (where relevant), notwithstanding your rights as outlined in section 5.
5. Your rights
You may request information that we hold about you by emailing email@example.com
In accordance with GDPR, you have the following rights:
- the right to be informed about the collection and use of your personal data;
- the right to access your personal data;
- the right to have inaccurate personal data rectified;
- in certain circumstances the right to have personal data erased;
- in certain circumstances the right to restrict the processing of personal data;
- the right to data portability in commonly used formats;
- the right to object to processing for certain purposes;
- rights relating to automated decision-making and profiling.
If you wish to exercise any of the above rights then please contact us on firstname.lastname@example.org
If you believe there is a problem with the way we are handling your personal data, then you have the right to complain to the Information Commissioner’s Office (ICO). Its contact details are 0303 123 1113 (helpline) and www.ico.org.uk (website).
This Policy may not constitute your entire set of privacy rights, as these may also vary from country to country. To be certain of your privacy rights, you can contact the appropriate agency in your country that is responsible for overseeing privacy rights of consumers. Certain local laws require us to maintain and report demographic information on the collective activities of our registered users. We may also be required to maintain your personal information for at least seven years in accordance with applicable local laws regarding recordkeeping, reporting and audits.
If you (i) have any questions about this Policy or in relation to your personal information (including what information we hold about you), or (ii) wish to opt out of certain marketing activities or notifications sent to you or (iii) want more information about how and with whom we share your personal information and from whom we obtain it, please:
- email us at email@example.com; or send us a letter at XGC Limited, for the attention of the Compliance Department, 28 Leman Street, 2nd Floor, London, E1 8EW, United Kingdom.
6. Subject access requests
You have the right to submit subject access requests to us. In most cases we will not charge any fees for complying with these requests. We will endeavour to provide you with the requested information within one month of you requesting it. However, we have the right to refuse or charge for requests that are manifestly unfounded or excessive. In circumstances where we refuse a request, we will tell you the reason why and inform you that you have the right to complain to the supervisory authority and to a judicial remedy.
7. What you can do to protect your personal information
You can take several precautions to protect the security of your computer and your personal information. For instance, you can start by using a well-chosen password. You should avoid using any information that others can easily learn about you, such as a family member’s name or birthday, and you should also consider using special characters in place of letters. We also recommend that you change your password frequently. You can also install and regularly update antivirus and firewall software to protect your computer from external attacks by malicious users. When you are finished with a session on our website, be sure that you log out and close the browser window.
At a minimum, we require the use of both numbers and letters in your password. We have also instituted secure steps by which you can regain access to your account should you forget your password, including the use of a security question. Your password is not known to any employee or third party with whom we may partner, and we will never ask for your password as a means of identifying yourself. You should never share your password with anyone, and if you ever receive an email that asks for your password and appears to come from us, you should report this to us immediately.
To protect the security of your account, we will send automatic notifications to confirm certain actions on your account, for example, if there has been a change to your password or the details of your external linked account. We do this to check that no one else is making changes to your account without your permission. However, the security offered through these notifications can be undermined if other people have access to your email account. Therefore, you might consider restricting access to the email account you registered with us and/or changing the password for that email account frequently.
If you use a computer that is accessed by other people, such as in a public library or Internet cafe, we recommend that you take special precautions to protect the security of your account and your personal information. When you are finished using our website, you should log out completely, close the browser window and clear the browser’s cache files.
You should also be aware of fraudulent attempts to gain access to your account information known as "phishing". Phishing is a tactic used by scammers in which unsuspecting people are directed to a website by a genuine-looking email that appears to be from a legitimate company. The phony or "spoof" email takes the person to a website that looks legitimate but is in fact not genuine. Either in the email itself or on this fake website, scammers will ask for login information to gain access to people’s accounts and withdraw their money. We will never ask you for your login information in any email. In general, you can protect yourself against phishing by never providing personal or login information via an email. You might also make it a habit to check the URL of a website to be sure that it begins with the correct domain. In the case of our website, you should always ensure the URL begins with http://www.xcapglobal.com.
8. How we protect the personal information we hold
Verification of Practices
We periodically review our operations and business practices (including the controls and safeguards we have put in place to protect your personal information) for compliance with our policies and procedures governing the confidentiality of information. These reviews may be conducted by our own internal staff, external accounting and auditing firms, and government regulators.
Standards and controls
We take steps to safeguard your personal information through vigorous physical, electronic and operational systems and controls. We treat all of your personal information as confidential. Data can only be read or written through defined service access points, the use of which is password-protected. The physical security of your personal information is achieved through a combination of network firewalls (there is no direct communication allowed between the database server and the Internet) and servers with hardened operating systems, all housed in a secure facility. Access to the system, both physical and electronic, is controlled and sanctioned by a senior manager.
We also equip our servers with Secure Sockets Layer (SSL) certificate technology to ensure that when you connect to our website you are actually on our website. SSL also ensures that all data entered into our website is encrypted. To verify that SSL is being used, look for the key or padlock icon on your browser. For further encryption protection, we use a 128-bit secure browser for logins and transactions. Finally, we subject our systems to periodic security audits to ensure that your personal information is thoroughly protected and secure.
Secure, off-site hosting
Our payments processing providers store all sensitive financial information such as bank account information in a highly secure, SOC1 environment.
We also employ session time-outs to protect your account. You will be logged out of our website automatically after a specified period of inactivity. This time-out feature reduces the risk of others being able to access your account if you leave your computer unattended.
Protection of account numbers
When we contact you about your account to confirm a funds transfer, we only reference the last four digits of your bank account number; this is done for your protection so that you will recognise the source or destination account as one which you own. We also employ strict access standards ensuring that only the senior-most employees or partner representatives have access to your account numbers and other sensitive information. This access is only granted in order to complete transactions which you request or to provide regular ongoing service to your account.
ID theft policy
We use state of the art authentication technology to verify identities. We will work with law enforcement authorities to track down and prosecute anyone who has committed identity theft.
We are committed to the integrity of our business, and our corporate values and ethical standards and expect such commitment from all of our employees. The XCAP ‘Code of Conduct’ includes very specific guidelines concerning the safeguarding of confidential information, which includes your personal information. These guidelines limit employee access to confidential information and the use and disclosure of personal information. If it is determined that an employee has violated the XCAP Code of Conduct, disciplinary corrective action may be taken, including immediate dismissal.
9. What you should be aware of when you click through to other websites from our website
We are not responsible for the information practices employed by third party websites linked to or accessed from our website.
We may offer links to partners’ websites. We make the decision to provide these links based on the quality of information provided at the time the links are enabled or to facilitate your use of our website, and we take reasonable steps to monitor the continuing quality of content provided on these websites. However, these external sites are not subject to this Policy and may have different privacy policies or approaches to the handling of personal information. We have no control over the content of these websites. You should read the privacy policies on these websites before you provide them with any of your personal information.
10. Data breaches
Under GDPR we have a duty to report certain types of data breach to the ICO, and in some cases, to yourselves. These are breaches likely to result in a high risk to your rights and freedoms, e.g. if the breach could result in discrimination, reputational damage, financial loss, loss of confidentiality or any other significant economic or social disadvantage to yourselves. If you wish to contact us regarding a potential data breach please email firstname.lastname@example.org
11. Data Protection Impact Assessment
In situations where data processing is likely to result in high risk to you, we will conduct Data Protection Impact Assessments (DPIAs). This could be where a new technology is being deployed; or where a profiling operation is likely to significantly affect yourselves; or where there is processing of special categories of data on a large scale (e.g. health records, criminal conviction information).
If a DPIA indicates that the data processing is high risk, and we cannot sufficiently address the risks, then we will consult the ICO as to whether or not the processing operation complies with the GDPR.
We do not envisage this kind of scenario occurring on our investment platform.
12. Our Data Protection Officer
Nomaan Jamal is the responsible data protection officer within XGC Limited. Nomaan Jamal also sits on the firm’s management committee and has the knowledge, support and authority to carry out the role effectively. He can be contacted directly on email@example.com
Our policy on cookies
A cookie is a text file sent by a web server to a web browser, and stored by the browser. A cookie is a small text file, typically of letters and numbers, downloaded on to a device when the user accesses certain websites. Cookies allow a website to recognise a user’s device.
We use web beacons or pixel tags, which are tiny graphics, in conjunction with cookies on our website, including session ID cookies, non-persistent cookies and persistent cookies. The text file is then sent back to the server each time the browser requests a page from the server. This enables the web server to identify and track the web browser and load the pages according to a user’s preferences for that particular website, including the personalization of content. Cookies are also used to gather statistical data, such as which pages are visited, what is downloaded, the ISP’s domain name and country of origin, and the addresses of sites visited before and after coming to our website, as well as your "click stream" activity (meaning, the paths taken by visitors to our website as they navigate from page to page) and transactional attributes in accordance with information you voluntarily submit in the course of using our website. This data is aggregated for analysis to ensure proper functioning of our website, in terms of navigation and usability, as well as to evaluate the effectiveness of our marketing efforts. At no time do any of our cookies capture any personal information. More importantly, using cookies also helps us protect the security of your account.
We may send a cookie that can be stored by your browser on your computer’s hard drive. We may use the information we obtain from the cookie in the administration of our website, to improve its usability and for evaluating our marketing effectiveness as described above. We may also use that information to recognize your computer when you visit our website (if you select the "remember me on this computer" option) and to personalize our website for you. Most browsers allow you to refuse to accept cookies. (For example, in Internet Explorer you can refuse all cookies by clicking "Tools", "Internet Options", "Privacy", and selecting "Block all cookies" using the sliding selector.) Blocking cookies, however, can also have a negative impact on the usability of many websites.
Cookies may have long-term expiration dates, or none, and thus can stay in your hard drive for months at a time. While you can remove them as instructed by the help content in your chosen browser, disabling cookies will prevent you from using our website. As with many transactional websites, cookies must be enabled in order to use our website.
If you would like more information about the use of third-party cookies and tags, or the process of opting out of such cookies or tags, please visit http://www.google.com/privacy.html