GET STARTEDloading spinner

Legal

  • Site Terms of Use
  • Privacy Notice
  • Exchange Terms of Service
  • Market Rules
  • Additional Terms for AMM Instructions
  • Risk Warnings
  • Fee Schedule
  • Bullish Event Privacy Notice
Last Updated: February 28, 2022

Privacy Notice

1. Who we are

This privacy notice applies to all Personal Data processing activities carried out by Bullish (GI) Limited and its affiliates (collectively, “Bullish”, “we”, “us” or “our”).

Bullish acts as the data controller for your Personal Data unless a different affiliate is named in a separate privacy notice, or we have identified a different data controller for a particular processing operation.

We respect an individual’s rights to privacy and are committed to protecting the privacy of your personal information. This Privacy Notice explains how we demonstrate this commitment, including: 

(a) the types of information we collect through your use of our products and services including our exchange software and mobile applications, and your navigation of our Websites;

(b) the manner in which we use and share the information, and why;

(c) the circumstances in which your information may be transferred to another country;

(d) the rights you may have under relevant privacy or data protection laws;

(e) cookies that we use or used by our service providers; and

(f) whom you can reach out to regarding this Privacy Notice.

Where a law or regulation in the applicable jurisdiction, for example, the EU General Data Protection Regulation (GDPR), requires us to provide you with a notice or other explanation of the information about you that we collect and process or similar, this Privacy Notice is intended to fulfill this obligation.

2. Acceptance to this Privacy Notice

We are committed to protecting your privacy. By accessing Bullish Services you acknowledge and fully understand Bullish’s Privacy practices described in this Privacy Notice.

By accessing and using our Service, you signify your acceptance to the terms of this Privacy Notice. If you do not agree with or you are not comfortable with any aspect of this Privacy Notice, you should immediately discontinue access or use of our Services.

3. Purpose of this Privacy Notice

The purpose of this Privacy Notice is to explain how we collect and use Personal Data in connection with our business. In this Privacy Notice, “Personal Data” means any information relating to an identified or identifiable natural person as may be collected or processed by us in connection with the Data Sources and includes “Personal Data” as defined in the EU General Data Protection Regulation 2016/679 (“GDPR”) or other applicable laws.

The definition of personal information depends on the applicable law based on your physical location. Only the definition that applies to your physical location will apply to you under this Privacy Notice.

4. Scope

This Privacy Notice applies to your use of, access to, or participation in any of the following sources (collectively, our “Data Sources”): 

(i) our products, services, applications or software offered through the Bullish Website or mobile application, including any communications with you about our Services (our “Services”), unless a separate privacy policy is expressed to apply in respect of such Service; 

(ii) any Bullish website (URL: www.bullish.com) or subdomains regardless of the medium in which the websites are accessed by a user (e.g., via a web or mobile browser) (the “Websites”);   

(iii) any events hosted by us, whether such events are open to the public or by invitation (collectively the “Events”); and 

(iv) subsections of social media platforms (e.g. LinkedIn) controlled by us. 

5. Personal Data We Process

We process the Personal Data we collect about you when you use, gain access to, or participate in our Data Sources. 

We collect Personal Data through: 

  • Your use of or participation in our Data Sources. For example, we may collect Personal Data from you when we onboard you as a client. 
  • A third party’s use of our Data Sources relating to you, for example where a third party may manage a Service or Event on our behalf. 
  • Direct or unsolicited interactions, such as when you voluntarily provide your information to us by contacting us, submitting requests and comments, subscribing to our newsletters, submitting job applications, or otherwise engaging with us through our Data Sources. For example, we may collect Personal Data from you when you sign up for a marketing newsletter.
  • Indirectly, such as through public or media Websites or government Websites when conducting user identity verifications and reviews.

We will collect and process the following data about you:

5.1 Information you provide to us:

Personal Identification Information, such as full name, title, date and place of birth, gender, signature, nationality, photograph, live portrait selfie, email address, residential address, mailing address, telephone number, marital status. 

Our third-party identity verification and KYC service providers can use image recognition software to verify your ID when you are looking to open an account with us. This involves them using optical character technology to extract relevant information from your ID documents. In such cases, we will ask you for consent to process this biometric data. Should you choose not An alternative channel will be made available to you should you choose not to give your consent. Please contact us for more information on the alternative channel. We will only use your biometric data to fulfil this request.

Government Issued Identification Information, such as passport copy, driving licence, national identification card, State ID card, Tax id number, visa information and any other information we may request in order to comply with our legal obligation under financial and anti-money laundering laws.

Institutional Information, such as Personal details (as per above) of any agent or attorney acting on behalf of the client. Employer identification number (or comparable number issued by a government agency), proof of legal formation. If relevant to the products and services we provide to you, we may also collect information about your additional account holders, business partners (including other shareholders or beneficial owners), dependants or family members, representatives, and agents. Before providing Bullish with this information, you should provide a copy of this notice to those individuals.

Financial Information, such as bank account information, payment card primary account number, transaction history, trading history, trading data and tax identification, including source of wealth and source of funds.

Transaction Information, which includes account and authentication information; your username, user identification number; billing, contact details or cryptocurrency wallet address (including public key or private key); transaction and account status information; and payment information, such as your credit or debit card number and other card information.

Employment information, such as your job title and work experience, office location, and your knowledge of and experience in investment matters.

Correspondence Information, which means the contents of the communications and correspondence between us, whether by email, social media, or otherwise through one of our Services, through your submission of an online form and survey responses, or when you otherwise provide information to our support team or user research team, as well as your communications preferences, such as for marketing purposes. Details of our interactions with you and the products and services you use with a view to establish relevant facts (including without limitation, any records of the phone calls between you and Bullish, emails, meeting notes, letters.

Audio, electronic, visual and similar information, such as call and video recordings.

  1. Information we collect from you automatically:

Online Identifying Information, which means your IP address, browser name, operating system, GUID, coarse location and fine location. When you visit our Website or access our app, our web server automatically records details about your visit (for example, your IP address, the web site from which you visit us, the type of browser software used, the Bullish Website pages that you actually visit including the date and the duration of your visit). Please read our Cookie Notice for more information.

Application Security Information, which means your account PIN, two-factor authentication software or key pairs, security questions (including the answers to the said questions) and security device identification number. 

We may also use identifiers to recognise you when you access our Websites via an external link, such as a link appearing on a third-party website.

  1. Information we receive from our affiliates and third parties.

We may obtain information about you from our affiliates or third party sources as required permitted by applicable law. These sources and information may include:

Information provided by identity verification partners, credit reference agencies, and public databases, which means personal information processed with our purpose to comply with our legal obligation related to anti-money laundering laws, to prevent and detect crime and for anti-fraud purposes. 

Blockchain Data, such as public blockchain data in order to assess if customers using Services are not engaged in illegal or prohibited activity and/or in breach of our Terms of Use, and to analyse transaction trends for research and development purposes. 

Advertising Networks and Analytics Providers, such as advertising networks, analytics providers and search information providers may provide us with de-identified information about you, such as confirming how you found our Website.  For more information on how you can manage collection of this personal data, please see our Cookie Notice.

Joint marketing partners and resellers. Unless prohibited by applicable law, joint marketing partners or resellers may share information about you with us so that we can better understand which of our Services may be of interest to you.

Publicly available information on the Internet, such as social media, websites, news and articles.

We also collect, use, and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but it is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific Website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

6. How We Use Your Personal Data

The following table outlines how and why we use your Personal Data:

ActivityCategories of Personal DataPurpose of ProcessingLawful Bases
Providing ServicesPersonal Identification Information; Government Issued Identification Information; Institutional Information; Financial Information; Transaction Information; Employment information; Correspondence Information, Online Identifying Information; Application Security InformationEnable you to use our Services and enforce our Service terms and conditions

Performance of a Contract
Providing support for our ServicesPersonal Identification Information; Transaction Information; Government Issued Identification Information; Correspondence Information; Online Identifying InformationAnswer your queries, resolve matters with accounts, disputes, collecting fees, to troubleshoot problems and otherwise provide general support related to our Services, Identity authenticationPerformance of a contract
Legitimate interest 
Providing service communications Personal Identification Information; Transaction Information; Correspondence InformationKeeping you updated about our Services, inform you of relevant security issues or updates, or provide other transaction-related information. Performance of a contract
User application and account creation processPersonal Identification Information; Transaction Information; Employment information; Online Identifying Information; Correspondence Information; Application Security InformationEnabling users to create accounts required to access and participate in our Services. Verify and screen individuals in order to protect against fraud and comply with our legal and regulatory obligations.Performance of a contract 
Consent (when required by law)
Compliance with laws and regulations, Including AML, Fraud, Sanctions, Terrorist Financing Regulations, Tax evasionPersonal Identification Information; Government Issued Identification Information; Institutional Information; Financial Information; Transaction Information; Employment information; Correspondence Information; Online Identifying Information; Application Security Information; Blockchain Data; Information provided by identity verification and KYC partners, credit reference agencies, and public databasesVerify accounts and activity, including processing personal data for identity verification purposes where required, detect abuse, fraud, money laundering, breach of confidence, theft of proprietary materials and any other illegal activities on our platforms. Such processing is necessary for us to comply with laws in the jurisdictions where we are subject to them.Legal obligation
Protection of company interestsPersonal Identification Information; Government Issued Identification Information; Institutional Information; Financial Information; Transaction Information; Employment information; Correspondence Information; Online Identifying Information; Application Security Information; Blockchain Data; Information provided by identity verification and KYC partners, credit reference agencies, and public databasesProtecting of the Services we provide, protection of our business interests, and protection of dataLegitimate interest
Obtain professional advicePersonal Identification Information; Government Issued Identification Information; Institutional Information; Financial Information; Transaction Information; Employment information; Correspondence Information; Online Identifying Information; Application Security Information; Blockchain Data; Information provided by identity verification and KYC partners, credit reference agencies, and public databasesObtain professional advice from consulting, tax, legal, audit, or other professional firms for the proper protection or functioning of our businessLegitimate Interest 
Manage business riskPersonal Identification Information; Government Issued Identification Information; Institutional Information; Financial Information; Transaction Information; Employment information; Correspondence Information; Online Identifying Information; Application Security InformationMitigate risks related to the daily operations of Bullish.Legitimate Interest 
Network, information security and investigationsTransaction Information; Online Identifying InformationWe process your personal information to improve security, monitor, combat spam and other malware or security concerns, and to comply with applicable security laws and regulations. Legitimate Interest
Events and webinarsPersonal Identification Information; Transaction Information; Employment information; Correspondence InformationFacilitate Event registration, plan and execute Events, and share pre- and post-event information with registrants and interested individuals. Legitimate Interest
Marketing activitiesPersonal Identification Information; Correspondence Information; Online Identifying InformationProvide you with relevant information and news about our Services, events, promotions, prizes, giveaways and other opportunities. Send information that may be of interest to you based on your preferences.Consent
Legitimate Interest
Website traffic analysis and analyticsPersonal Identification Information; Transaction Information; Online Identifying InformationUnderstand how users interact with our Websites, analyse Website traffic and usage, to improve our Websites and our offeringsConsent
Engaging with you on social mediaPersonal Identification Information; Correspondence Information; Online Identifying InformationEngaging with you on social media, including on subsections of social media platforms controlled by us. Understanding how you engage with us on social media, engaging users through social media platforms, and improving our social media activities and users’ social media experienceLegitimate Interest
Consent
Sharing with law enforcement/legal requestsPersonal Identification Information; Government Issued Identification Information; Financial Information; Transaction Information; Employment information; Correspondence Information; Online Identifying Information; Blockchain Data; Information provided by identity verification and KYC partners, credit reference agencies, and public databasesComply with valid legal requests from authorities, and to comply with our legal and regulatory obligations in the jurisdictions where we are subject to them.Legal Obligation

Legitimate Interest
Facilitate corporate merger and acquisitionsPersonal Identification Information; Government Issued Identification Information, Institutional Information, Employment information, Correspondence InformationTo enable us to initiate or conclude corporate acquisitions, mergers, or other corporate transactions.Legitimate interests
Protection of the vital interests of an individualPersonal Identification Information, Institutional Information, Employment information,Protect the life or physical safety of individuals, to combat harmful conduct, to promote safety and securityVital Interests
Ensure quality controlPersonal Identification Information, Transaction Information, Correspondence InformationEnsure quality control and staff training to make sure we continue to provide you with accurate information and high-quality Services.Legitimate Interest
Personalise your experienceOnline Identifying InformationEnhance user experience, manage your preferences, and personalise content delivered to you.Consent
For research & development Online Identifying Information, Blockchain Data, Information provided by identity verification and KYC partners, credit reference agencies, and public databasesWe process your personal information to better understand the way you use and interact with our Services. In addition, we use such information to customise, measure, and improve existing and new Services, the content and layout of our Website.Legitimate interest
Product user research & testingPersonal Identification Information, Employment Information, Correspondence and Online Identifying Information,Identify the behaviour patterns, thoughts, and needs of customers by gathering user feedback from observation, task analysis, and other methods.Consent

In the above table, “consent” refers to Article 6(1)(a) or the manner of consent required in your jurisdiction, “performance of a contract” or “steps we must take prior to entering into a contract” to Article 6(1)(b), and “legitimate interest” to Article 6(1)(f) of the GDPR.

When the lawful basis for processing your personal data is legitimate interest, we always ensure that we consider and balance any potential impact on you and your rights under data protection laws.

In addition to the processing activities outlined on the above table, we may also process your Personal Data to comply with our obligations under applicable law, where the processing is necessary to protect a person’s vital interests, and for any purpose that you provide your consent. 

7. How We Share Your Personal Data

We may share your Personal Data with the following categories of third-parties: 

  • Third-party service providers who need access to Personal Data to assist us in delivering Services or the operation of our business.  For example, such third-parties include payment processors; information technology service providers; providers of identity verification services; Website hosting providers; insurance, marketing, accounting, shipping, and delivery vendors; other business process outsourcing providers; and partners who assist us with administering programs we offer to you, such as our bug bounty program.
  • Information provided by identity verification and KYC partners, credit reference agencies, and public databases, which means personal information processed with our purpose to comply with our legal obligation related to anti-money laundering laws, to prevent and detect crime and for anti-fraud purposes. Our ID verification partners like, but not limited to, Jumio, ComplyAdvantage and 4Stop, use a mix of government records, publicly available information, information provided to us by you and the use of technology to help Bullish on your identity verification. Such information may include criminal convictions and offences, credit history, status on any sanctions lists maintained by public authorities, and other relevant data.

We may also process additional information about you to assess and manage risk and to ensure Bullish Services, Website and app are not used for illicit activities.

Jumio’s Privacy Policy, available at https://www.jumio.com/legal-information/privacy-policy/, describes its collection and use of personal data.

ComplyAdvantage’s Privacy Policy, available at https://complyadvantage.com/privacy-notice/, describes its collection and use of personal data.

4Stop’s Privacy Policy, available at https://4stop.com/privacy.html, describes its collection and use of personal data.

  • Third-party service providers who need access to Personal Data to provide advertising and analytics services. For example, we use a third-party service for the collection and management of your Personal Data that enables us to deliver marketing communications about our Services and events to you. 
  • Public entities and institutions (e.g. Gibraltar Financial Services Commission (e.g. transaction data which is routed via an agent ), Gibraltar Regulatory Authority (e.g. data protection breaches), Gibraltar Financial Intelligence Unit (e.g. Suspicious Transactions Reports), Gibraltar Finance Centre (e.g. fiscal details, balances and interest for onwards transmission to relevant foreign tax authority), Hong Kong Joint Financial Intelligence Unit (e.g., Suspicious Transactions Reports identified by Bullish staff in Hong Kong), other financial authorities, including criminal prosecution authorities upon providing a legal or official obligation.
  • With our professional advisors who provide banking, legal, compliance, insurance, accounting, or other consulting services in order to complete third-party financial, technical, compliance and legal audits of our operations or otherwise comply with our legal obligations.
  • Other credit and financial service institutions or comparable institutions to which we transfer your personal data in order to process payments you have authorised and/or to carry out a business relationship with you (depending on the contract, e.g., correspondent banks, custodian banks, brokers, stock exchanges, information offices).
  • We may also share your details with people or companies if there’s a corporate restructure, merger, acquisition or takeover.
  • Other recipients of data can be any person for which you have given us your consent to transfer data.
  • Our corporate affiliates in the Bullish Group, when necessary to complete the processing activities described above. 
  • Other third-parties, as reasonably necessary: 
    • In relation to a merger, sale, acquisition, divestiture, restructuring, reorganisation, dissolution, bankruptcy, or other change of ownership or control (whether in whole or in part); or 
    • To: (i) to detect and prevent financial crime, money laundering, terrorism, and tax evasion where required by law, to comply with applicable laws, a request from a law enforcement agency, regulatory authority, public or judicial body with jurisdiction over us, or other legal process; (ii) protect our legitimate rights, privacy, property, vital interests, health and safety, as well as those of our customers, business partners, personnel, or the general public; (iii) seek professional advice, manage risk (including obtaining and managing insurance), pursue available remedies or limit damages; (iv) enforce our Terms of Use; (v) respond to an emergency; (vi) other banks to help trace money in cases of fraud or other crimes; and/or  (vii) any other third parties where necessary to meet our legal obligations

Bullish requires that a request from a law enforcement agency or public or judicial body having jurisdiction over us be accompanied by sufficient legal process. This varies by location. For instance, production orders, search warrants, freezing orders, seizure orders, and subpoenas, as well as requests for voluntary data disclosure, all constitute a legal process. Bullish thoroughly evaluates each order and request for voluntary disclosure to verify that they have a legitimate legal basis and that any response is carefully limited to ensure that law enforcement receives just the data and/or remedy to which they are entitled. Additionally, Bullish requires that requests for asset freezing and/or seizure adhere to the relevant local jurisdiction’s legal process and include all appropriate instructions, including, if applicable, the period of the freeze.

We always endeavour to only share the minimum amount of Personal Data that these third parties need to perform their tasks.

8. Third Party Applications and Websites

Our Data Sources may contain links to third-party applications not affiliated with us. Your use of an external application or any informational content found on external applications is subject to and governed by the privacy policies, terms, and conditions of that application. 

We do not endorse or make any representations or warranties concerning, and will not in any way be liable for, any informational content, products, services, software, or other materials available on external applications are framed within our Data Sources.

While we do review the privacy practices of our Service Providers prior to engaging them to ensure that they meet Bullish Service Provider privacy standards, we ultimately do not control the privacy practices of any external applications or Websites. The Websites may contain links to Websites not affiliated with us. Your use of external Websites or any informational content found on external Websites is subject to and governed by the privacy policies, terms, and conditions of those Websites.  We do not endorse or make any representations or warranties concerning, and will not in any way be liable for, any informational content, products, services, software, or other materials available on external Websites even if one or more pages of the external Websites are framed within a page of our Websites.

9. Advertising and Analytics Services Provided by Third Parties

We may allow others to serve advertisements on our behalf across the Internet and to provide analytics services. These entities may use cookies, web beacons and other technologies to collect information about your use of our Data Sources and other Websites, including your IP address, web browser, pages viewed, blocks created, transactions undertaken, information provided to EOSIO blockchains, time spent on pages, links you clicked, and conversion information. This information may be used by us and others to, among other things, analyse and track data, determine the popularity of certain content, deliver advertising and content targeted to your interests on the Websites, and better understand your online preferences. For more information about interest-based ads, please visit the Digital Advertising Alliance at www.aboutads.info/choices

The third-party service providers we use for advertising and analytics include: 

  • Plausible Analytics, a web analysis service that captures web analytics entirely anonymously, uses no cookies, and collects no personal data.  All data is used in the aggregate only, and there is no tracking across devices, or Websites.  To learn more, please review the Plausible Analytics Privacy Policy and the Plausible Analytics Data Policy.
  • Google Analytics, a web analysis service provided by Google, uses cookies to collect information such as how often users visit the Website, what they view on the Website, and which Websites they visited before coming to the Website.  Google’s ability to use and share information it collects about your visits to the Website is restricted by the Google Analytics Terms of Service and the Google Privacy Policy. In order to protect your privacy, your IP address will be truncated. To opt-out of Google Analytics, you may disable cookies on your browser or install the Google Analytics Opt-Out Browser Ad-On.  To opt-out of a personalization, you may visit Google Ads Settings

10. Cookies

We use Cookies, web beacons, and other data collecting technologies, such as when you navigate the Websites or click on links in the emails we send you.  A cookie is a small data file that is transferred to a web browser, allowing our Sites to remember and customise your subsequent visits. A web beacon (also called a “pixel tag” or “clear GIF”) is a piece of computer code that enables us to monitor user activity and Website traffic.  To learn more about how we use cookies then please visit our Cookie Notice. For more information on cookies and web beacons more generally, please visit http://www.allaboutcookies.org.  Some web browsers offer settings that allow you to reject cookies or alert you when a cookie is placed on your computer or device.  Please note that if you reject cookies, the functionality of some areas of the Websites may be limited. 

When you first land on the Websites, you will be asked for your consent to the placement of Cookies.  No Non-essential Cookies are placed on your browser until you give your consent.  You also have the option to manage your consent on an ongoing basis by opting out of any Cookies category except Strictly Necessary Cookies by changing your Cookies Settings.  Please note that if you reject cookies, the functionality of some areas of the Websites may be limited. 

11. Automated Decision-Making and Profiling

Automated decision-making is a process by which your Personal Data is used to make a decision about you that creates legal or other significant effects in an automated fashion using an algorithm alone, without any human intervention in the process. Profiling is where Personal Data is evaluated in an effort to predict things like interests or preferences about what types of information an individual might want to receive. Although profiling is a type of automated processing, it does not produce legal (or other significant) effects and in that way is different from automated decision-making.

As discussed above in the section on “Advertising and Analytics Services Provided by Third Parties”, we may use profiling as part of our analytics to deliver the most relevant content and best experience to you

Bullish relies on automated tools to help determine whether a transaction or a customer account presents a fraud or legal risk. In some jurisdictions, you have the right not to be subject to a decision based solely on automated processing of your personal information, including profiling, which produces legal or similarly significant effects on you, save for the exceptions applicable under relevant data protection laws. 

Customers won’t be subject to decisions that will have a significant impact on them based solely on automated decision-making. In cases where a customer does not pass our KYC verification, they will be immediately provided with an option to contact customer support and initiate a manual process to review the automated decision-making. Transaction monitoring will also be automated, with alerts and escalations being manually investigated by our Compliance team.

You have the right to not be subject to a decision based solely on automated processing.

12. Your Rights

Applicable privacy legislation may entitle you to some or all of the following rights with respect to your Personal Data: 

  • To access the Personal Data we maintain about you. We will provide you with one copy of your Personal Data free of charge, but we may charge you a reasonable fee to cover our administrative costs if you request further copies of the same information. In the cases we charge a fee, our time to respond to your request starts after we have received the fee.
  • To be provided with information about how we process your Personal Data. This will include information on the categories of data, the sources from which it originated, the purpose and legal basis for the processing, the expected retention period, the recipients of your Personal Data, and the safeguards regarding data transfers to other jurisdictions, subject to the limitations set out in applicable laws and regulations. 
  • To correct your Personal Data. You have the right to ask us to rectify Personal Data you think is inaccurate or incomplete. In some cases, you will need to make these changes yourself by using the tools we provide in the Data Sources. 
  • To have your Personal Data erased. You have the right to ask us to delete your Personal Data. In some cases, you will need to do the deletion yourself using the tools we provide in the Data Sources. If we have shared your Personal Data with a third party in the manner described above, we will require the third party to delete the Personal Data that we have shared with them (consistent with their legal obligations to do so).  We will decline your request for deletion if processing your Personal Data is necessary: (i) to comply with our legal obligations such as fraud detection and monitoring, (ii) or being required to perform a task in the public interest; (iii) in pursuit of a legal action; (iv) for exercising the right of freedom of expression and information; and  (v) for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing.
  • To object to how we process your Personal Data. Where we process your Personal Data based on our legitimate interest (or that of a third party), you have the right to object to this processing on grounds relating to your particular situation if you feel it impacts on your fundamental rights and freedoms. We will decline your request where we have compelling legitimate grounds for the processing which override your rights and freedoms, or where the processing is in connection with the establishment, exercise or defence of legal claims. 
  • To stop your Personal Data from being used for direct marketing purposes. At your request, we will stop using your Personal Data for the purpose of direct marketing. Our marketing communications include an unsubscribe facility, which we encourage you to use.  If you want to stop us from contacting you in connection with marketing communications, please email us at the email address specified below. 
  • To restrict how we process your Personal Data. At your request, we will limit the processing of your Personal Data if: 
  • you dispute the accuracy of your Personal Data; 
  • your Personal Data was processed unlawfully, and you request a limitation on processing, rather than the deletion of your Personal Data; 
  • we no longer need to process your Personal Data, but you require your Personal Data in connection with a legal claim; or 
  • you object to the processing and no overriding legitimate interest for the processing exists. 
  • The right to data portability.  You have the right to receive your Personal Data in a structured, commonly used and machine-readable format, and to have us transfer your personal information to another controller. 

Please note information may already be available to you via the Data Sources. 

  • To withdraw any consent that you gave us to process your Personal Data. You have the right to withdraw any consent you may have previously given us at any time. Your consent withdrawal will not affect the lawfulness of the processing done before the withdrawal.
  • To complain to a supervisory authority. If you are not satisfied with our response, you have the right to complain to or seek advice from a supervisory authority and/or bring a claim against us in any court of competent jurisdiction. We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority, so please contact us in the first instance.

Not to be subjected to automated decision making. In some jurisdictions, you have the right not to be subject to a decision based solely on automated processing of your personal information, including profiling, which produces legal or similarly significant effects on you, save for the exceptions applicable under relevant data protection laws.

To exercise the above rights, please complete a Data Subject Rights Request Form or contact us at [email protected] We will consider and process your request within the required period of time.  Please be aware that under certain circumstances, or in relation to certain types of data, the applicable legislation may limit your exercise of these rights. 

Please note that in some cases, if you do not agree with the way we process your information, it may not be possible for us to continue to operate your account and/or provide certain products and services to you. 

It is our policy to respect the rights of individuals. However, please be aware that your exercise of these rights may be subject to certain exemptions to safeguard the public interest (e.g. the prevention or detection of crime); where an overriding legitimate interest for the processing exists.s (e.g. the maintenance of legal privilege) an; some of these rights may be limited (for example, the right to withdraw consent) where we are required or permitted by law to continue processing your personal data to establish, exercise, and defend our legal rights or meet our legal and regulatory obligations; and for the protection of the rights of another natural or legal person.

13. International Data Transfers

We may transfer your Personal Data to any of our offices in countries outside of your jurisdiction for processing in accordance with this Privacy Notice and as permitted by the applicable laws. These locations include the EU, United States, and Asia-Pacific region. Such intra-organisational transfers are based on approved mechanisms. 

Where we rely on our service providers located outside of your jurisdiction and acting as data processors, we ensure that anyone to whom we pass it protects it in the same way we would and in accordance with applicable laws.

In the event we transfer information to countries outside the European Economic Area, we will only transfer data to third parties where one of the conditions below apply:

  • The European Commission has decided that the country or the organisation we are sharing your information with will protect your information adequately.
  • The transfer has been authorised by the relevant data protection authority.
  • We have entered into a contract with the organisation with which we are sharing your information (on terms approved by the European Commission) to ensure your information is adequately protected. 

14. How long we keep your information

We retain Personal Data for the period of time necessary to fulfil the purposes outlined in this Privacy Notice unless a longer retention period is required by law. To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting, or other requirements.

Retention periods may be changed from time to time based on business or legal and regulatory requirements.

We may on exception retain your information for longer periods, particularly where we need to withhold destruction or disposal based on an order from the courts or an investigation by law enforcement agencies or our regulators. This is intended to make sure that the bank will be able to produce records as evidence, if needed.

While retention requirements vary by jurisdiction, information about our typical retention periods for different aspects of your personal information are described below:

  • Personal data, including biometric data, collected to comply with our legal obligations under financial or anti-money laundering laws may be retained after account closure for at least five years.
  • Contact Information such as your name, email address and telephone number for marketing purposes to those who subscribe to our newsletter is retained for 6 months or until you unsubscribe. Thereafter we will add your details to our suppression list to ensure we do not inadvertently market to you.
  • Data relating to customer complaints, including contact information, complaint information, information needed to resolve a complaint, and linkages to account information as necessary to resolve complaints may be retained for six years after account closure.
  • Data relating to trades or other financial transactions made on the Bullish exchange, including personal identifiers needed to link transactions with individuals may be retained after the account closure for at least seven years.
  • Information provided by an individual when opening an account on Bullish, but prior to proceeding through the KYC process is retained for at least three years. This information can include email address, location of residence, and other basic identifying information.
  • Information collected via technical means such as cookies, webpage counters and other analytics tools is kept for a period of up to one year from expiry of the cookie.

If you would like more information about how long we keep your information, please contact us at [email protected].

15. Data Security

We have a significant investment in Cyber Security controls, including, but not limited to in-house and external expertise, state of the art technologies and processes. We follow a security by design approach, strengthened by continuous vulnerability and threat management, regular penetration testing, a bug bounty program, ongoing security monitoring and risk management practises.

You can find more information about our security practices on  https://bullish.com/bullish-on-security/.

Procedures have been put in place to deal with any suspected breach of personal information. We will notify you and any applicable regulator of a data breach when we are legally required to do so.

16. Marketing

You can opt-out of receiving marketing communications from us at any time, please click the unsubscribe link at the bottom of a marketing email or let us know by reaching us at the email address specified below.  Please note that even if we stop all marketing communications, you may still receive administrative, legal, and other important Service-related communications from us. Service-related communications from us.

17. Children’s Privacy

Bullish Services are directed at adults aged 18 years and over, and not intended for children. We do not market to and do not knowingly collect Personal Data from individuals under the age of 18. Our verification process prevents Bullish collecting data of minors. Please contact us at [email protected] if you believe any individual under the age of 18 is using our Services so we can take immediate action to prevent his or her access to our Services and delete the information as soon as possible.

18. Do Not Track

Certain web browsers and other devices may permit you to submit your preference for not being “tracked” online, also known as “Do Not Track” or “DNT” signals. Since uniform standards for DNT signals have not been adopted, we do not currently process or respond to “DNT” signals. We will make efforts to monitor developments around “do not track” browser technology and the implementation of a standard.

19. Updates to the Privacy Notice

To keep up with changing legislation, best practices and changes in how we process your personal data, we reserve the right to revise this Privacy Notice at any time and without notice by posting an updated version on this Website. To stay up to date on any changes, we would therefore encourage you to review this Privacy Notice regularly to stay informed of the purposes for which we process your Personal Data and your rights to control how we process it. To the extent permitted by law, by continuing to use our Data Sources after changes have been posted, you are confirming that you have read and understood the latest version of this Privacy Notice. 

20. Our Role and How to Contact Us

If you have any questions, comments or complaints, or would like to exercise your rights concerning your Personal Data and privacy preferences, you may use self-service options if they are available to you or contact in the following ways: 

If you are in the EEA, you may also contact our EU Representative, designated for the purposes of Article 27 of the GDPR:

Achieved Compliance Advocacy, Ltd., Singel 250; 1016 AB, Amsterdam, Netherlands​.

[email protected] 

If you are in the UK, you may also contact our UK Representative, designated for the purposes of Article 27 of the UK GDPR:

Achieved Compliance Advocacy, Ltd., Princess House, Princess Way, Swansea, UK SA13LW

[email protected]