1. Who we are
This privacy notice applies to all Personal Data processing activities carried out by Bullish (GI) Limited and its affiliates (collectively, “Bullish”, “we”, “us” or “our”).
Bullish acts as the data controller for your Personal Data unless a different affiliate is named in a separate privacy notice, or we have identified a different data controller for a particular processing operation.
We respect an individual’s rights to privacy and are committed to protecting the privacy of your personal information. This Privacy Notice explains how we demonstrate this commitment, including:
(a) the types of information we collect through your use of our products and services including our exchange software and mobile applications, and your navigation of our Websites;
(b) the manner in which we use and share the information, and why;
(c) the circumstances in which your information may be transferred to another country;
(d) the rights you may have under relevant privacy or data protection laws;
(e) cookies that we use or used by our service providers; and
(f) whom you can reach out to regarding this Privacy Notice.
Where a law or regulation in the applicable jurisdiction, for example, the EU General Data Protection Regulation (GDPR), requires us to provide you with a notice or other explanation of the information about you that we collect and process or similar, this Privacy Notice is intended to fulfill this obligation.
2. Acceptance to this Privacy Notice
We are committed to protecting your privacy. By accessing Bullish Services you acknowledge and fully understand Bullish’s Privacy practices described in this Privacy Notice.
By accessing and using our Service, you signify your acceptance to the terms of this Privacy Notice. If you do not agree with or you are not comfortable with any aspect of this Privacy Notice, you should immediately discontinue access or use of our Services.
3. Purpose of this Privacy Notice
The purpose of this Privacy Notice is to explain how we collect and use Personal Data in connection with our business. In this Privacy Notice, “Personal Data” means any information relating to an identified or identifiable natural person as may be collected or processed by us in connection with the Data Sources and includes “Personal Data” as defined in the EU General Data Protection Regulation 2016/679 (“GDPR”) or other applicable laws.
The definition of personal information depends on the applicable law based on your physical location. Only the definition that applies to your physical location will apply to you under this Privacy Notice.
This Privacy Notice applies to your use of, access to, or participation in any of the following sources (collectively, our “Data Sources”):
(ii) any Bullish website (URL: www.bullish.com) or subdomains regardless of the medium in which the websites are accessed by a user (e.g., via a web or mobile browser) (the “Websites”);
(iii) any events hosted by us, whether such events are open to the public or by invitation (collectively the “Events”); and
(iv) subsections of social media platforms (e.g. LinkedIn) controlled by us.
5. Personal Data We Process
We process the Personal Data we collect about you when you use, gain access to, or participate in our Data Sources.
We collect Personal Data through:
- Your use of or participation in our Data Sources. For example, we may collect Personal Data from you when we onboard you as a client.
- A third party’s use of our Data Sources relating to you, for example where a third party may manage a Service or Event on our behalf.
- Direct or unsolicited interactions, such as when you voluntarily provide your information to us by contacting us, submitting requests and comments, subscribing to our newsletters, submitting job applications, or otherwise engaging with us through our Data Sources. For example, we may collect Personal Data from you when you sign up for a marketing newsletter.
- Indirectly, such as through public or media Websites or government Websites when conducting user identity verifications and reviews.
We will collect and process the following data about you:
5.1 Information you provide to us:
Personal Identification Information, such as full name, title, date and place of birth, gender, signature, nationality, photograph, live portrait selfie, email address, residential address, mailing address, telephone number, marital status.
Our third-party identity verification and KYC service providers can use image recognition software to verify your ID when you are looking to open an account with us. This involves them using optical character technology to extract relevant information from your ID documents. In such cases, we will ask you for consent to process this biometric data. Should you choose not An alternative channel will be made available to you should you choose not to give your consent. Please contact us for more information on the alternative channel. We will only use your biometric data to fulfil this request.
Government Issued Identification Information, such as passport copy, driving licence, national identification card, State ID card, Tax id number, visa information and any other information we may request in order to comply with our legal obligation under financial and anti-money laundering laws.
Institutional Information, such as Personal details (as per above) of any agent or attorney acting on behalf of the client. Employer identification number (or comparable number issued by a government agency), proof of legal formation. If relevant to the products and services we provide to you, we may also collect information about your additional account holders, business partners (including other shareholders or beneficial owners), dependants or family members, representatives, and agents. Before providing Bullish with this information, you should provide a copy of this notice to those individuals.
Financial Information, such as bank account information, payment card primary account number, transaction history, trading history, trading data and tax identification, including source of wealth and source of funds.
Transaction Information, which includes account and authentication information; your username, user identification number; billing, contact details or cryptocurrency wallet address (including public key or private key); transaction and account status information; and payment information, such as your credit or debit card number and other card information.
Employment information, such as your job title and work experience, office location, and your knowledge of and experience in investment matters.
Correspondence Information, which means the contents of the communications and correspondence between us, whether by email, social media, or otherwise through one of our Services, through your submission of an online form and survey responses, or when you otherwise provide information to our support team or user research team, as well as your communications preferences, such as for marketing purposes. Details of our interactions with you and the products and services you use with a view to establish relevant facts (including without limitation, any records of the phone calls between you and Bullish, emails, meeting notes, letters.
Audio, electronic, visual and similar information, such as call and video recordings.
- Information we collect from you automatically:
Online Identifying Information, which means your IP address, browser name, operating system, GUID, coarse location and fine location. When you visit our Website or access our app, our web server automatically records details about your visit (for example, your IP address, the web site from which you visit us, the type of browser software used, the Bullish Website pages that you actually visit including the date and the duration of your visit). Please read our Cookie Notice for more information.
Application Security Information, which means your account PIN, two-factor authentication software or key pairs, security questions (including the answers to the said questions) and security device identification number.
We may also use identifiers to recognise you when you access our Websites via an external link, such as a link appearing on a third-party website.
- Information we receive from our affiliates and third parties.
We may obtain information about you from our affiliates or third party sources as required permitted by applicable law. These sources and information may include:
Information provided by identity verification partners, credit reference agencies, and public databases, which means personal information processed with our purpose to comply with our legal obligation related to anti-money laundering laws, to prevent and detect crime and for anti-fraud purposes.
Advertising Networks and Analytics Providers, such as advertising networks, analytics providers and search information providers may provide us with de-identified information about you, such as confirming how you found our Website. For more information on how you can manage collection of this personal data, please see our Cookie Notice.
Joint marketing partners and resellers. Unless prohibited by applicable law, joint marketing partners or resellers may share information about you with us so that we can better understand which of our Services may be of interest to you.
Publicly available information on the Internet, such as social media, websites, news and articles.
We also collect, use, and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but it is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific Website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
6. How We Use Your Personal Data
The following table outlines how and why we use your Personal Data:
|Activity||Categories of Personal Data||Purpose of Processing||Lawful Bases|
|Providing Services||Personal Identification Information; Government Issued Identification Information; Institutional Information; Financial Information; Transaction Information; Employment information; Correspondence Information, Online Identifying Information; Application Security Information||Enable you to use our Services and enforce our Service terms and conditions||Performance of a Contract|
|Providing support for our Services||Personal Identification Information; Transaction Information; Government Issued Identification Information; Correspondence Information; Online Identifying Information||Answer your queries, resolve matters with accounts, disputes, collecting fees, to troubleshoot problems and otherwise provide general support related to our Services, Identity authentication||Performance of a contract|
|Providing service communications||Personal Identification Information; Transaction Information; Correspondence Information||Keeping you updated about our Services, inform you of relevant security issues or updates, or provide other transaction-related information.||Performance of a contract|
|User application and account creation process||Personal Identification Information; Transaction Information; Employment information; Online Identifying Information; Correspondence Information; Application Security Information||Enabling users to create accounts required to access and participate in our Services. Verify and screen individuals in order to protect against fraud and comply with our legal and regulatory obligations.||Performance of a contract |
Consent (when required by law)
|Compliance with laws and regulations, Including AML, Fraud, Sanctions, Terrorist Financing Regulations, Tax evasion||Personal Identification Information; Government Issued Identification Information; Institutional Information; Financial Information; Transaction Information; Employment information; Correspondence Information; Online Identifying Information; Application Security Information; Blockchain Data; Information provided by identity verification and KYC partners, credit reference agencies, and public databases||Verify accounts and activity, including processing personal data for identity verification purposes where required, detect abuse, fraud, money laundering, breach of confidence, theft of proprietary materials and any other illegal activities on our platforms. Such processing is necessary for us to comply with laws in the jurisdictions where we are subject to them.||Legal obligation|
|Protection of company interests||Personal Identification Information; Government Issued Identification Information; Institutional Information; Financial Information; Transaction Information; Employment information; Correspondence Information; Online Identifying Information; Application Security Information; Blockchain Data; Information provided by identity verification and KYC partners, credit reference agencies, and public databases||Protecting of the Services we provide, protection of our business interests, and protection of data||Legitimate interest|
|Obtain professional advice||Personal Identification Information; Government Issued Identification Information; Institutional Information; Financial Information; Transaction Information; Employment information; Correspondence Information; Online Identifying Information; Application Security Information; Blockchain Data; Information provided by identity verification and KYC partners, credit reference agencies, and public databases||Obtain professional advice from consulting, tax, legal, audit, or other professional firms for the proper protection or functioning of our business||Legitimate Interest|
|Manage business risk||Personal Identification Information; Government Issued Identification Information; Institutional Information; Financial Information; Transaction Information; Employment information; Correspondence Information; Online Identifying Information; Application Security Information||Mitigate risks related to the daily operations of Bullish.||Legitimate Interest|
|Network, information security and investigations||Transaction Information; Online Identifying Information||We process your personal information to improve security, monitor, combat spam and other malware or security concerns, and to comply with applicable security laws and regulations.||Legitimate Interest|
|Events and webinars||Personal Identification Information; Transaction Information; Employment information; Correspondence Information||Facilitate Event registration, plan and execute Events, and share pre- and post-event information with registrants and interested individuals.||Legitimate Interest|
|Marketing activities||Personal Identification Information; Correspondence Information; Online Identifying Information||Provide you with relevant information and news about our Services, events, promotions, prizes, giveaways and other opportunities. Send information that may be of interest to you based on your preferences.||Consent|
|Website traffic analysis and analytics||Personal Identification Information; Transaction Information; Online Identifying Information||Understand how users interact with our Websites, analyse Website traffic and usage, to improve our Websites and our offerings||Consent|
|Engaging with you on social media||Personal Identification Information; Correspondence Information; Online Identifying Information||Engaging with you on social media, including on subsections of social media platforms controlled by us. Understanding how you engage with us on social media, engaging users through social media platforms, and improving our social media activities and users’ social media experience||Legitimate Interest|
|Sharing with law enforcement/legal requests||Personal Identification Information; Government Issued Identification Information; Financial Information; Transaction Information; Employment information; Correspondence Information; Online Identifying Information; Blockchain Data; Information provided by identity verification and KYC partners, credit reference agencies, and public databases||Comply with valid legal requests from authorities, and to comply with our legal and regulatory obligations in the jurisdictions where we are subject to them.||Legal Obligation|
|Facilitate corporate merger and acquisitions||Personal Identification Information; Government Issued Identification Information, Institutional Information, Employment information, Correspondence Information||To enable us to initiate or conclude corporate acquisitions, mergers, or other corporate transactions.||Legitimate interests|
|Protection of the vital interests of an individual||Personal Identification Information, Institutional Information, Employment information,||Protect the life or physical safety of individuals, to combat harmful conduct, to promote safety and security||Vital Interests|
|Ensure quality control||Personal Identification Information, Transaction Information, Correspondence Information||Ensure quality control and staff training to make sure we continue to provide you with accurate information and high-quality Services.||Legitimate Interest|
|Personalise your experience||Online Identifying Information||Enhance user experience, manage your preferences, and personalise content delivered to you.||Consent|
|For research & development||Online Identifying Information, Blockchain Data, Information provided by identity verification and KYC partners, credit reference agencies, and public databases||We process your personal information to better understand the way you use and interact with our Services. In addition, we use such information to customise, measure, and improve existing and new Services, the content and layout of our Website.||Legitimate interest|
|Product user research & testing||Personal Identification Information, Employment Information, Correspondence and Online Identifying Information,||Identify the behaviour patterns, thoughts, and needs of customers by gathering user feedback from observation, task analysis, and other methods.||Consent|
In the above table, “consent” refers to Article 6(1)(a) or the manner of consent required in your jurisdiction, “performance of a contract” or “steps we must take prior to entering into a contract” to Article 6(1)(b), and “legitimate interest” to Article 6(1)(f) of the GDPR.
When the lawful basis for processing your personal data is legitimate interest, we always ensure that we consider and balance any potential impact on you and your rights under data protection laws.
In addition to the processing activities outlined on the above table, we may also process your Personal Data to comply with our obligations under applicable law, where the processing is necessary to protect a person’s vital interests, and for any purpose that you provide your consent.
7. How We Share Your Personal Data
We may share your Personal Data with the following categories of third-parties:
- Third-party service providers who need access to Personal Data to assist us in delivering Services or the operation of our business. For example, such third-parties include payment processors; information technology service providers; providers of identity verification services; Website hosting providers; insurance, marketing, accounting, shipping, and delivery vendors; other business process outsourcing providers; and partners who assist us with administering programs we offer to you, such as our bug bounty program.
- Information provided by identity verification and KYC partners, credit reference agencies, and public databases, which means personal information processed with our purpose to comply with our legal obligation related to anti-money laundering laws, to prevent and detect crime and for anti-fraud purposes. Our ID verification partners like, but not limited to, Jumio, ComplyAdvantage and 4Stop, use a mix of government records, publicly available information, information provided to us by you and the use of technology to help Bullish on your identity verification. Such information may include criminal convictions and offences, credit history, status on any sanctions lists maintained by public authorities, and other relevant data.
We may also process additional information about you to assess and manage risk and to ensure Bullish Services, Website and app are not used for illicit activities.
- Third-party service providers who need access to Personal Data to provide advertising and analytics services. For example, we use a third-party service for the collection and management of your Personal Data that enables us to deliver marketing communications about our Services and events to you.
- Public entities and institutions (e.g. Gibraltar Financial Services Commission (e.g. transaction data which is routed via an agent ), Gibraltar Regulatory Authority (e.g. data protection breaches), Gibraltar Financial Intelligence Unit (e.g. Suspicious Transactions Reports), Gibraltar Finance Centre (e.g. fiscal details, balances and interest for onwards transmission to relevant foreign tax authority), Hong Kong Joint Financial Intelligence Unit (e.g., Suspicious Transactions Reports identified by Bullish staff in Hong Kong), other financial authorities, including criminal prosecution authorities upon providing a legal or official obligation.
- With our professional advisors who provide banking, legal, compliance, insurance, accounting, or other consulting services in order to complete third-party financial, technical, compliance and legal audits of our operations or otherwise comply with our legal obligations.
- Other credit and financial service institutions or comparable institutions to which we transfer your personal data in order to process payments you have authorised and/or to carry out a business relationship with you (depending on the contract, e.g., correspondent banks, custodian banks, brokers, stock exchanges, information offices).
- We may also share your details with people or companies if there’s a corporate restructure, merger, acquisition or takeover.
- Other recipients of data can be any person for which you have given us your consent to transfer data.
- Our corporate affiliates in the Bullish Group, when necessary to complete the processing activities described above.
- Other third-parties, as reasonably necessary:
- In relation to a merger, sale, acquisition, divestiture, restructuring, reorganisation, dissolution, bankruptcy, or other change of ownership or control (whether in whole or in part); or
Bullish requires that a request from a law enforcement agency or public or judicial body having jurisdiction over us be accompanied by sufficient legal process. This varies by location. For instance, production orders, search warrants, freezing orders, seizure orders, and subpoenas, as well as requests for voluntary data disclosure, all constitute a legal process. Bullish thoroughly evaluates each order and request for voluntary disclosure to verify that they have a legitimate legal basis and that any response is carefully limited to ensure that law enforcement receives just the data and/or remedy to which they are entitled. Additionally, Bullish requires that requests for asset freezing and/or seizure adhere to the relevant local jurisdiction’s legal process and include all appropriate instructions, including, if applicable, the period of the freeze.
We always endeavour to only share the minimum amount of Personal Data that these third parties need to perform their tasks.
8. Third Party Applications and Websites
Our Data Sources may contain links to third-party applications not affiliated with us. Your use of an external application or any informational content found on external applications is subject to and governed by the privacy policies, terms, and conditions of that application.
We do not endorse or make any representations or warranties concerning, and will not in any way be liable for, any informational content, products, services, software, or other materials available on external applications are framed within our Data Sources.
While we do review the privacy practices of our Service Providers prior to engaging them to ensure that they meet Bullish Service Provider privacy standards, we ultimately do not control the privacy practices of any external applications or Websites. The Websites may contain links to Websites not affiliated with us. Your use of external Websites or any informational content found on external Websites is subject to and governed by the privacy policies, terms, and conditions of those Websites. We do not endorse or make any representations or warranties concerning, and will not in any way be liable for, any informational content, products, services, software, or other materials available on external Websites even if one or more pages of the external Websites are framed within a page of our Websites.
9. Advertising and Analytics Services Provided by Third Parties
The third-party service providers we use for advertising and analytics include:
When you first land on the Websites, you will be asked for your consent to the placement of Cookies. No Non-essential Cookies are placed on your browser until you give your consent. You also have the option to manage your consent on an ongoing basis by opting out of any Cookies category except Strictly Necessary Cookies by changing your Cookies Settings. Please note that if you reject cookies, the functionality of some areas of the Websites may be limited.
11. Automated Decision-Making and Profiling
Automated decision-making is a process by which your Personal Data is used to make a decision about you that creates legal or other significant effects in an automated fashion using an algorithm alone, without any human intervention in the process. Profiling is where Personal Data is evaluated in an effort to predict things like interests or preferences about what types of information an individual might want to receive. Although profiling is a type of automated processing, it does not produce legal (or other significant) effects and in that way is different from automated decision-making.
As discussed above in the section on “Advertising and Analytics Services Provided by Third Parties”, we may use profiling as part of our analytics to deliver the most relevant content and best experience to you
Bullish relies on automated tools to help determine whether a transaction or a customer account presents a fraud or legal risk. In some jurisdictions, you have the right not to be subject to a decision based solely on automated processing of your personal information, including profiling, which produces legal or similarly significant effects on you, save for the exceptions applicable under relevant data protection laws.
Customers won’t be subject to decisions that will have a significant impact on them based solely on automated decision-making. In cases where a customer does not pass our KYC verification, they will be immediately provided with an option to contact customer support and initiate a manual process to review the automated decision-making. Transaction monitoring will also be automated, with alerts and escalations being manually investigated by our Compliance team.
You have the right to not be subject to a decision based solely on automated processing.
12. Your Rights
Applicable privacy legislation may entitle you to some or all of the following rights with respect to your Personal Data:
- To access the Personal Data we maintain about you. We will provide you with one copy of your Personal Data free of charge, but we may charge you a reasonable fee to cover our administrative costs if you request further copies of the same information. In the cases we charge a fee, our time to respond to your request starts after we have received the fee.
- To be provided with information about how we process your Personal Data. This will include information on the categories of data, the sources from which it originated, the purpose and legal basis for the processing, the expected retention period, the recipients of your Personal Data, and the safeguards regarding data transfers to other jurisdictions, subject to the limitations set out in applicable laws and regulations.
- To correct your Personal Data. You have the right to ask us to rectify Personal Data you think is inaccurate or incomplete. In some cases, you will need to make these changes yourself by using the tools we provide in the Data Sources.
- To have your Personal Data erased. You have the right to ask us to delete your Personal Data. In some cases, you will need to do the deletion yourself using the tools we provide in the Data Sources. If we have shared your Personal Data with a third party in the manner described above, we will require the third party to delete the Personal Data that we have shared with them (consistent with their legal obligations to do so). We will decline your request for deletion if processing your Personal Data is necessary: (i) to comply with our legal obligations such as fraud detection and monitoring, (ii) or being required to perform a task in the public interest; (iii) in pursuit of a legal action; (iv) for exercising the right of freedom of expression and information; and (v) for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing.
- To object to how we process your Personal Data. Where we process your Personal Data based on our legitimate interest (or that of a third party), you have the right to object to this processing on grounds relating to your particular situation if you feel it impacts on your fundamental rights and freedoms. We will decline your request where we have compelling legitimate grounds for the processing which override your rights and freedoms, or where the processing is in connection with the establishment, exercise or defence of legal claims.
- To stop your Personal Data from being used for direct marketing purposes. At your request, we will stop using your Personal Data for the purpose of direct marketing. Our marketing communications include an unsubscribe facility, which we encourage you to use. If you want to stop us from contacting you in connection with marketing communications, please email us at the email address specified below.
- To restrict how we process your Personal Data. At your request, we will limit the processing of your Personal Data if:
- you dispute the accuracy of your Personal Data;
- your Personal Data was processed unlawfully, and you request a limitation on processing, rather than the deletion of your Personal Data;
- we no longer need to process your Personal Data, but you require your Personal Data in connection with a legal claim; or
- you object to the processing and no overriding legitimate interest for the processing exists.
- The right to data portability. You have the right to receive your Personal Data in a structured, commonly used and machine-readable format, and to have us transfer your personal information to another controller.
Please note information may already be available to you via the Data Sources.
- To withdraw any consent that you gave us to process your Personal Data. You have the right to withdraw any consent you may have previously given us at any time. Your consent withdrawal will not affect the lawfulness of the processing done before the withdrawal.
- To complain to a supervisory authority. If you are not satisfied with our response, you have the right to complain to or seek advice from a supervisory authority and/or bring a claim against us in any court of competent jurisdiction. We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority, so please contact us in the first instance.
Not to be subjected to automated decision making. In some jurisdictions, you have the right not to be subject to a decision based solely on automated processing of your personal information, including profiling, which produces legal or similarly significant effects on you, save for the exceptions applicable under relevant data protection laws.
To exercise the above rights, please complete a Data Subject Rights Request Form or contact us at [email protected] We will consider and process your request within the required period of time. Please be aware that under certain circumstances, or in relation to certain types of data, the applicable legislation may limit your exercise of these rights.
Please note that in some cases, if you do not agree with the way we process your information, it may not be possible for us to continue to operate your account and/or provide certain products and services to you.
It is our policy to respect the rights of individuals. However, please be aware that your exercise of these rights may be subject to certain exemptions to safeguard the public interest (e.g. the prevention or detection of crime); where an overriding legitimate interest for the processing exists.s (e.g. the maintenance of legal privilege) an; some of these rights may be limited (for example, the right to withdraw consent) where we are required or permitted by law to continue processing your personal data to establish, exercise, and defend our legal rights or meet our legal and regulatory obligations; and for the protection of the rights of another natural or legal person.
13. International Data Transfers
We may transfer your Personal Data to any of our offices in countries outside of your jurisdiction for processing in accordance with this Privacy Notice and as permitted by the applicable laws. These locations include the EU, United States, and Asia-Pacific region. Such intra-organisational transfers are based on approved mechanisms.
Where we rely on our service providers located outside of your jurisdiction and acting as data processors, we ensure that anyone to whom we pass it protects it in the same way we would and in accordance with applicable laws.
In the event we transfer information to countries outside the European Economic Area, we will only transfer data to third parties where one of the conditions below apply:
- The European Commission has decided that the country or the organisation we are sharing your information with will protect your information adequately.
- The transfer has been authorised by the relevant data protection authority.
- We have entered into a contract with the organisation with which we are sharing your information (on terms approved by the European Commission) to ensure your information is adequately protected.
14. How long we keep your information
We retain Personal Data for the period of time necessary to fulfil the purposes outlined in this Privacy Notice unless a longer retention period is required by law. To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting, or other requirements.
Retention periods may be changed from time to time based on business or legal and regulatory requirements.
We may on exception retain your information for longer periods, particularly where we need to withhold destruction or disposal based on an order from the courts or an investigation by law enforcement agencies or our regulators. This is intended to make sure that the bank will be able to produce records as evidence, if needed.
While retention requirements vary by jurisdiction, information about our typical retention periods for different aspects of your personal information are described below:
- Personal data, including biometric data, collected to comply with our legal obligations under financial or anti-money laundering laws may be retained after account closure for at least five years.
- Contact Information such as your name, email address and telephone number for marketing purposes to those who subscribe to our newsletter is retained for 6 months or until you unsubscribe. Thereafter we will add your details to our suppression list to ensure we do not inadvertently market to you.
- Data relating to customer complaints, including contact information, complaint information, information needed to resolve a complaint, and linkages to account information as necessary to resolve complaints may be retained for six years after account closure.
- Data relating to trades or other financial transactions made on the Bullish exchange, including personal identifiers needed to link transactions with individuals may be retained after the account closure for at least seven years.
- Information provided by an individual when opening an account on Bullish, but prior to proceeding through the KYC process is retained for at least three years. This information can include email address, location of residence, and other basic identifying information.
- Information collected via technical means such as cookies, webpage counters and other analytics tools is kept for a period of up to one year from expiry of the cookie.
If you would like more information about how long we keep your information, please contact us at [email protected].
15. Data Security
We have a significant investment in Cyber Security controls, including, but not limited to in-house and external expertise, state of the art technologies and processes. We follow a security by design approach, strengthened by continuous vulnerability and threat management, regular penetration testing, a bug bounty program, ongoing security monitoring and risk management practises.
You can find more information about our security practices on https://bullish.com/bullish-on-security/.
Procedures have been put in place to deal with any suspected breach of personal information. We will notify you and any applicable regulator of a data breach when we are legally required to do so.
You can opt-out of receiving marketing communications from us at any time, please click the unsubscribe link at the bottom of a marketing email or let us know by reaching us at the email address specified below. Please note that even if we stop all marketing communications, you may still receive administrative, legal, and other important Service-related communications from us. Service-related communications from us.
17. Children’s Privacy
Bullish Services are directed at adults aged 18 years and over, and not intended for children. We do not market to and do not knowingly collect Personal Data from individuals under the age of 18. Our verification process prevents Bullish collecting data of minors. Please contact us at [email protected] if you believe any individual under the age of 18 is using our Services so we can take immediate action to prevent his or her access to our Services and delete the information as soon as possible.
18. Do Not Track
Certain web browsers and other devices may permit you to submit your preference for not being “tracked” online, also known as “Do Not Track” or “DNT” signals. Since uniform standards for DNT signals have not been adopted, we do not currently process or respond to “DNT” signals. We will make efforts to monitor developments around “do not track” browser technology and the implementation of a standard.
19. Updates to the Privacy Notice
To keep up with changing legislation, best practices and changes in how we process your personal data, we reserve the right to revise this Privacy Notice at any time and without notice by posting an updated version on this Website. To stay up to date on any changes, we would therefore encourage you to review this Privacy Notice regularly to stay informed of the purposes for which we process your Personal Data and your rights to control how we process it. To the extent permitted by law, by continuing to use our Data Sources after changes have been posted, you are confirming that you have read and understood the latest version of this Privacy Notice.
20. Our Role and How to Contact Us
If you have any questions, comments or complaints, or would like to exercise your rights concerning your Personal Data and privacy preferences, you may use self-service options if they are available to you or contact in the following ways:
- Submit a request through the Bullish Data Subject Rights Request web form.
- Contact us directly at [email protected].
- Alternatively, you may contact our Data Protection Officer (DPO) at [email protected].
If you are in the EEA, you may also contact our EU Representative, designated for the purposes of Article 27 of the GDPR:
Achieved Compliance Advocacy, Ltd., Singel 250; 1016 AB, Amsterdam, Netherlands.
If you are in the UK, you may also contact our UK Representative, designated for the purposes of Article 27 of the UK GDPR:
Achieved Compliance Advocacy, Ltd., Princess House, Princess Way, Swansea, UK SA13LW