Privacy Policy
BPX Markets Limited (“BPX” or collectively “We”, “us” or “ours”) is committed to protecting your personal data when you use our website, products and services. We recognise that when you choose to provide us with information about yourself, you trust us to treat it in a responsible manner. This privacy notice aims to give you information on how we collect and process your personal data, including any data you may provide to us directly via our website, platform or otherwise. Personal data is any information relating to an identifiable person who can be directly or indirectly identified from that information, for example, a person’s name, identification number, location, online identifier. It can also include pseudonymised data. It is important that you read this privacy notice together with any other privacy notice, fair processing notice or privacy policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data.
The date of this privacy notice is: 27 October 2025
This privacy notice explains the following:
- what information we may collect about you;
- how we will use information we collect about you;
- whether we will disclose your details to anyone else
- where we might send your information
- how we keep your data secure
- your rights and how to contact us
BPX uses all personal data that you provide to us or that we collect from you in accordance with all applicable laws, including UK General Data Protection Regulations (UK GDPR) and Data Protection Act 2018.
Collection and use of data
How do we collect information
Direct interactions
You may give us your identity and contact data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
- engage our services;
- request that we contact you;
- create an account;
- subscribe to our services or publications;
- request marketing communications; or
- provide feedback or otherwise contact us.
Automated technologies or interactions
As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies, for example from analytics providers such as Google, based outside the UK. Please see our cookie policy for further details.
Third parties or publicly available sources
We may receive personal data about you from various third parties and public sources.
- Identity and Contact Data from data brokers or aggregators which compile information from a range of publicly available sources (e.g. news media, government registers, sanctions lists).
- What information do we collect
- We may collect, use, store and transfer different kinds of personal data about you which we have grouped together follows:
- Identity Data: such as first and last name, username or similar identifier, title, date of birth and gender.
- Contact Data: email address, postal address, phone number, and other similar contact data.
- Technical Data: includes internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
- Profile Data: such as passwords and other security information for authentication and access, your feedback and survey responses.
- Usage Data such as how you navigate our website and your browsing history
- Marketing and Communications Data including your preferences in receiving marketing from us and your communication preferences
In certain circumstances, we may collect additional Identity Data to comply with our legal obligations, including anti-money laundering and counter-terrorist financing requirements. This may include:
- Identification documents (e.g. passport, driving licence)
- Financial documentation (e.g. evidence of source of funds and source of wealth)
We may obtain personal data beyond what is mentioned above from various public sources. These sources may include information publicly available on the internet, widely distributed media, or records from government agencies. Examples of such information range from sanction lists to public records on governmental websites, and even personal data shared on social media platforms
The public source data may also include or reveal, directly or indirectly, Special Categories of Personal Data which relates to race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, health data, sex life, sexual orientation, criminal offence data or family circumstances (e.g. marital status, dependents, etc.).
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us, if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
| Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest* |
|---|---|---|
| To register you as a new customer | (a) Identity (b) Contact |
(a) Performance of a contract with you (b) Necessary to comply with a legal or regulatory obligation |
| To respond to a request from you for further information about our services | (a) Identity (b) Contact |
Consent |
| To manage our relationship with you which may include: (a) Notifying you about changes to our terms or privacy statement (b) Asking you to leave a review or take a survey |
(a) Identity (b) Contact (c) Profile (d) Marketing and Communications |
(a) Performance of a contract with you (b) Necessary to comply with a legal or regulatory obligation (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services) |
| To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity (b) Contact (c) Technical |
(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal or regulatory obligation |
| (General compliance and regulatory requirements) | (a) Identity (b) Contact |
(b) Necessary to comply with a legal or regulatory obligation |
| To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | (a) Technical (b) Usage |
Depending on the circumstances: —your consent as gathered by the separate cookies tool on our website. See our Cookie Policy. |
Lawful basis means the legal reason we are allowed to collect and use your personal data. These are consent, performance of a contract with you, legal obligation or legitimate interests.
Legitimate Interest refers to the processing your personal data where it is necessary for our legitimate business interests—such as delivering and improving our services, ensuring security, and managing our operations—provided that those interests are not overridden by your rights and interests (unless we have your consent or are otherwise required or permitted to by law). We carefully assess and balance any potential impact on you before relying on this basis. You can contact us for more information about how we assess legitimate interests against any impact on you in specific contexts.
Performance of contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
Data aggregation
We may collect, use and share aggregated data.
Aggregated data may be derived from your personal data but is not considered personal data under the UK GDPR on the basis that it does not directly or indirectly reveal your identity. We may share this anonymous data with third-parties.
For the avoidance of doubt, if the aggregated or combined data we hold on you can directly or indirectly identify you, we will treat this data as personal data which will be used in accordance with this Policy.
- Service providers who may act as processors based inside or outside the EU and who provide IT, system administration and other services.
- Professional advisers who may act as processors including lawyers, bankers, auditors and insurers based inside or outside the EU who provide consultancy, banking, legal, insurance and accounting services.
- HM Revenue & Customs, regulators and other authorities who may act as processors based inside or outside the EU who require reporting of processing activities in certain circumstances.
Disclosure of your personal data
We may have to share your personal data with the parties set out below for the purposes set out in the table in the section above.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Internal third parties
Other companies in our corporate group who may act as joint controllers or processors and who may be based inside or outside the EU.
External third parties
- Service providers who may act as processors based inside or outside the EU and who provide IT, system administration and other services.
- Professional advisers who may act as processors including lawyers, bankers, auditors and insurers based inside or outside the EU who provide consultancy, banking, legal, insurance and accounting services.
- HM Revenue & Customs, regulators and other authorities who may act as processors based inside or outside the EU who require reporting of processing activities in certain circumstances.
Other
Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
Where do we send your information
We may store and process your personal data outside of your home country, including outside the United Kingdom and the European Economic Area (EEA), where data protection laws may not offer the same level of protection.
When we transfer personal data internationally, we implement safeguards as required by applicable data protection laws, including UK General Data Protection Regulations (Articles 44 to 50). These safeguards may include standard contractual clauses or other approved mechanisms. If you wish to learn more about our data transfer practices, please contact us.
Keeping your data secure
Third Party Websites
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy statement of every website you visit.
How do we protect your information?
We take appropriate measures to ensure that any personal data which you disclose to us is kept secure, accurate and up to date and kept only for so long as is necessary for the purposes for which it is used. The security measures taken may include, but are not limited to, data encryption – to read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Data retention
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and applicable legal and regulatory requirements.
What are your rights?
Under the UK GDPR, you have the following rights, which we will always work to uphold:
- Right to be informed – to have the right to be informed about the collection and use of your personal data.
- Right to access – for a copy of the personal data we hold about you, and details about how we are processing your personal data (commonly known as a “data subject access request). If we provide you with access to the information we hold about you, we will not charge you for this, unless your request is “manifestly unfounded or excessive”. Where we are legally permitted to do so, we may refuse your request. If we refuse your request, we will tell you the reasons why.
- Right to correct – to have any inaccuracies in your personal data corrected.
- Right to erase – to have your personal data erased, or for our use of it to be restricted (for example, if your preferences change, or if you don’t want us to send you the information you have requested). Note, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request;
- Right to restrict use – the right to “block” BPX from using your data or limit the way in which we can use it.
- Right to data portability – if we process your personal data by automated means and on the basis of your consent or in performance of a contract, you have the right to receive that information in a structured, commonly used, and machine-readable format. You can also ask us to transfer your personal data directly to another organisation, where technically feasible
- Right to object – the right to object to our use of your data including where we use it for our legitimate interests.
Right to opt out
You can ask us to stop sending you marketing communications at any time by contracting [email protected] or following the opt-out instructions in the message. Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a request for further information or use of a product/service or other transaction.
How to contact us
This privacy notice should tell you everything you need to know, but you can always contact us to ask any questions or if you wish to exercise any of your rights in relation to your personal data, using the contact information below:
BPX has appointed a Data Protection Officer (“DPO”), who is responsible for managing any questions you may have in relation to this policy. Please contact them using the details set out below:
- Full Name: Anj Latif
- Email address: [email protected]
- Postal address: 14th Floor, 33 Cavendish Square, London, W1G 0PW, United Kingdom
- You have the right to make a complaint to the supervisory authority if you are unhappy with how we’ve handled your personal data.
- In the UK, the supervisory authority is the Information Commissioner’s Office (http://www.ico.org.uk).