Global

Legal

  • Privacy Notice
  • Site Terms of Use
  • Exchange Terms of Service
  • Exchange Rules
  • Risk Warnings
  • Fee Schedule
Last Updated: October 21, 2024

Privacy Notice

1. Who we are

This privacy notice applies to all Personal Data processing activities carried out by Bullish (GI) Limited and its affiliates (collectively, “Bullish”, “we”, “us” or “our”).

Bullish acts as the data controller for your Personal Data unless a different affiliate is named in a separate privacy notice, or we have identified a different data controller for a particular processing operation.

We respect an individual’s rights to privacy and are committed to protecting the privacy of your personal information. This Privacy Notice explains how we demonstrate this commitment, including: 

(a) the types of information we collect through your use of our products and services including our exchange software and mobile applications, and your navigation of our Websites;

(b) the manner in which we use and the information, and why;

(c) the circumstances in which your information may be transferred to another country;

(d) the rights you may have under relevant privacy or data protection laws;

(e) cookies that we use or used by our service providers; and

(f) whom you can reach out to regarding this Privacy Notice. 

This Privacy Notice complies with and constitutes the requisites found in Article 12 of the General Data Protection Regulation and DPP1(3) and DPP5 under the Personal Data (Privacy) Ordinance, Cap. 486. Where a law or regulation in the applicable jurisdiction requires us to provide you with a notice or other explanation of the information about you that we collect and process, our use of your Personal Data, and your rights, the purpose of this Privacy Notice is to satisfy that requirement.

2. Acceptance to this Privacy Notice

We are committed to protecting your privacy. By accessing Bullish Services you acknowledge and fully understand Bullish’s Privacy practices described in this Privacy Notice.

By accessing and using our Service, you signify your acceptance to the terms of this Privacy Notice. If you do not agree with or you are not comfortable with any aspect of this Privacy Notice, you should immediately discontinue access or use of our Services.

3. Purpose of this Privacy Notice

The purpose of this Privacy Notice is to explain how we collect and use Personal Data in connection with our business. In this Privacy Notice, “Personal Data” means any information relating to an identified or identifiable natural person as may be collected or processed by us in connection with the Data Sources. This is a broad definition that encompasses the specific types of personal data listed below. It excludes information that cannot be used to identify a specific individual, such as a company’s registration number.

The definition of personal information depends on the applicable law based on your physical location. Only the definition that applies to your physical location will apply to you under this Privacy Notice.

4. Scope

This Privacy Notice applies to your use of, access to, or participation in any of the following sources (collectively, our “Data Sources”):

(i) our products, services, applications or software offered through the Bullish Website or mobile application, including any communications with you about our Services (our “Services”), unless a separate privacy policy is expressed to apply in respect of such Service; 

(ii) any Bullish website (URL: www.bullish.com) or subdomains regardless of the medium in which the websites are accessed by a user (e.g., via a web or mobile browser) and any apps owned by Bullish (the “Websites”);  

(iii) any events hosted by us, whether such events are open to the public or by invitation (collectively the “Events”); and 

(iv) subsections of social media platforms (e.g. LinkedIn) controlled by us. 

5. Personal Data We Process

We process the Personal Data we collect about you when you use, gain access to, or participate in our Data Sources. 

Personal data or personal information refers to any information that identifies or can be used to identify an individual. This is a broad definition that encompasses the specific types of personal data listed below. It excludes information that cannot be used to identify a specific individual, such as a company’s registration number.

A “data subject” is a person who can be directly or indirectly identified by personal data.

Typically, this is done by referencing an identifier such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of a natural person.

Personal data also includes separate pieces of information that, when combined, can lead to the identification of a particular individual. It excludes information from which the identity has been removed. (anonymous data).

We collect Personal Data through:

  • Your use of or participation in our Data Sources. For example, we may collect Personal Data from you when we onboard you as a client. A third party’s use of our Data Sources relating to you, for example where a third party may manage a Service or Event on our behalf. 
  • Direct or unsolicited interactions, such as when you voluntarily provide your information to us by contacting us, submitting requests and comments, subscribing to our newsletters, submitting job applications, or otherwise engaging with us through our Data Sources. For example, we may collect Personal Data from you when you sign up for a marketing newsletter.
  • Indirectly, such as through public or media Websites or government Websites when conducting user identity verifications and reviews.

You must ensure that all information provided by you to us is accurate, comprehensive, and current. Inaccurate or insufficient Personal Data you provide may have a negative impact on how we interact with you in the course of our business.

We may collect, use, retain, and transfer various types of personal data about you depending on whether and how you use our services or data sources, which we have categorised as follows:

Categories of personal dataExamples
Personal Identification datasuch as full name, title, date and place of birth, gender, signature, nationality, photograph, live portrait selfie, email address, residential address, mailing address, telephone number, marital status.
Social Identification datasuch as your group or company data, job title and work experience, office location, close connections, and  behavioural data.
Transactional datawhich includes account and authentication information; your username, user identification number; billing, contact details or cryptocurrency wallet address (including public key); transaction and account status information; and payment information, such as your credit or debit card number and other card information.
Government Issued Identification Information, such as passport copy, Tax identification number, visa information and any other information we may request in order to comply with our legal obligation under financial, tax and anti-money laundering laws.
Financial datasuch as bank account information, payment card primary account number, transaction history, trading history, trading data and tax identification, including source of wealth and source of funds.
Contact and Correspondence datawhich means residence details, billing address, delivery address, home address, work address, email address and telephone numbers, proof of address documentation.

It also includes the contents of the communications and correspondence between us, whether by email, social media, or otherwise through one of our Services, through your submission of an online form and survey responses, or when you otherwise provide information to our support team or user research team, as well as your communications preferences, such as for marketing purposes. Details of our interactions with you and the products and services you use with a view to establish relevant facts (including without limitation, any records of the phone calls between you and Bullish, emails, meeting notes, letters.

Investment datawhich means your knowledge of and experience in investment matters, investment objectives and prior investments.
Marketing datawhich includes your preferences in receiving marketing from us or third parties and  your communication preferences
Profile datawhich includes your username and password; your identification number as our user; requests by you for products or services; your interests, preferences and feedback; other information generated by you when you communicate with us, for example when you address a request to our customer support.
Usage datawhich means information about how you use the Website, the Services, mobile applications and other offerings made available by us, including: – device download time, – install time, – interaction type and time, – event time, name and source.
Online Identifying informationwhich means your IP address, browser name, operating system, GUID, coarse location and fine location. When you visit our Website or access our apps, our web server automatically records details about your visit (for example, your IP address, the type of browser software used, the Bullish Website pages that you actually visit including the date and the duration of your visit). Please read our Cookie Notice for more information.
Blockchain datasuch as public blockchain data in order to assess if customers using Services are not engaged in illegal or prohibited activity and/or in breach of our Terms of Use, and to analyse transaction trends for research and development purposes.
Information provided by identity verification partners, credit reference agencies, and public databaseswhich means personal information processed with our purpose to comply with our legal obligation related to anti-money laundering laws, to prevent and detect crime and for anti-fraud purposes.

We may also collect, use, and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but it is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific Website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

6. How We Use Your Personal Data

The following table outlines how and why we use your Personal Data:

ActivityCategories of Personal DataLawful Bases
To register you as a new customer. Enable you to use our Services and enforce our Service terms and conditions. It includes account creationPersonal Identification data; Social Identification data; Contact and Correspondence data; Financial dataPerformance of a Contract
Provision of our Services to you, including to execute, manage, and process any instructions or orders you makePersonal Identification data; Contact and Correspondence data; Financial data, Transactional data, Online Identifying information; Marketing data, Financial data; Transactional data; Contact and Correspondence dataPerformance of a contract 
To provide support for our Services. Answer your queries, resolve matters with accounts, disputes, collecting fees, to troubleshoot problems and otherwise provide general support related to our Services, 
Identity authentication
Personal Identification data; 
Transaction data; 
Government Issued Identification data; Correspondence data; Online Identifying data
Performance of a contract

Legitimate interest

To manage our relationship with you which will include asking you to leave a review, take a survey, keeping you informed of our company’s business and product development, Keeping you updated about our Services, inform you of relevant security issues or updates, or provide other transaction-related information.Personal Identification data; Contact and Correspondence data; Profile data; Transactional data; Marketing data.Performance of a contract
Consent, if required
Compliance with laws and regulations, Including AML, Fraud, Sanctions, Terrorist Financing Regulations, Tax evasion.
Verify accounts and activity, including processing personal data for identity verification purposes where required, detect abuse, fraud, money laundering, breach of confidence, theft of proprietary materials and any other illegal activities on our platforms.
Such processing is necessary for us to comply with laws in the jurisdictions where we are subject to them.
Personal Identification data; Contact and Correspondence data; Transactional data; Investment data; Blockchain data; Information provided by identity verification partners, credit reference agencies, and public databases; Online Identifying information.Legal obligation

We may process such data if it is required for the performance of the contract we have with you.

We may process this personal data for our legitimate interest in ensuring that Bullish is not involved in dealing with the proceeds of criminal, unlawful or fraudulent activities, as well as to develop, manage and improve our internal systems and controls for dealing with financial crime and to ensure effective management of complaints.

Protection of company interests, including the prevention of abuse of our Services and promotions.
Protecting of the Services we provide, protection of our business interests, and protection of data
Personal Identification Information; Government Issued Identification Information; Institutional Information; Financial Information; Transaction Information; Employment information; Correspondence Information; Online Identifying Information; Application Security Information; Blockchain Data; Information provided by identity verification and KYC partners, credit reference agencies, and public databasesLegitimate interest
Obtain professional advice, obtain independent audits or similar services.

Obtain professional services from consulting, tax, legal, audit, accounting, or other professional firms for the proper protection or functioning of our business, and proper treatment of transactions

Personal Identification Information; Government Issued Identification Information; Institutional Information (including group affiliation); Licence details; Membership details with professional bodies; Transaction data; Employment information; Correspondence Information; Online Identifying Information; Application Security Information; Information provided by identity verification and KYC partners, credit reference agencies, and Financial Information to a certain extent.Performance of a contract

Legitimate Interest 

We collect these data to ensure appropriate review and related risks are considered and assessed for any outsourced service, and ensure the businesses are legitimate, competent and can provide good quality service.
 

Manage business risk. 

Mitigate risks related to the daily operations of Bullish.

Personal Identification Information; Government Issued Identification Information; Institutional Information; Financial Information; Transaction Information; Employment information; Correspondence Information; Online Identifying Information; Application Security InformationLegitimate Interest
Network, information security and investigations. We process your personal information to administer and protect our Site and Services, including to improve and monitor security, combat spam, troubleshooting, testing, system, maintenance, support, reporting, hosting of data, and other malware or security concerns.Transaction Information; Online Identifying InformationLegitimate Interest
Sharing with law enforcement/legal requests. Comply with valid legal requests from authorities, and to comply with our legal and regulatory obligations in the jurisdictions where we are subject to them.Personal Identification Information; Government Issued Identification Information; Financial Information; Transaction Information; Employment information; Correspondence Information; Online Identifying Information; Blockchain Data; Information provided by identity verification and KYC partners, credit reference agencies, and public databasesLegal Obligation
Facilitate corporate merger and acquisitions. To enable us to initiate or conclude corporate acquisitions, mergers, or other corporate transactions.Personal Identification Information; Government Issued Identification Information, Institutional Information, Employment information, Correspondence InformationLegitimate interests
To properly manage, process, collect and transfer payments, fees and charges, and to collect and recover payments owed to usPersonal identification data; Bank account details; Transactional data (including wallet address if needed)); Billing details; Contact details (e.g. business or personal address, email, phone number).Performance of a contract

Legitimate Interest

To use the services of other financial institutions, crime and fraud detection and prevention companies, risk measuring and management companies, which will use the personal data they receive for their own purposes while acting as independent data controllersPersonal Identification Information; Government Issued Identification Information; Institutional Information (including group affiliation); Licence and Regulatory details; Transaction data; Employment information; Correspondence Information; Online Identifying Information; Application Security Information; Information provided by identity verification and KYC partners, credit reference agencies, and Financial Information to a certain extent.Performance of a contract

Legitimate Interest

Ensure quality control and staff training to make sure we continue to provide you with accurate information and high-quality Services.Personal Identification Information, Transaction Information, Correspondence InformationLegitimate Interest
Events and webinars. Facilitate Event registration, plan and execute Events, and share pre- and post-event information with registrants and interested individuals.Personal Identification Information; Transaction Information; Employment information; Correspondence InformationLegitimate Interest
Prizes, contests and surveys. To allow you to enter a prize drawing, contest, or complete a surveyIdentity Data Contact Data
Profile Data 
Usage Data Marketing and Communications Data
Performance of a contract 
Consent, if required
For research & development. We process your personal information to better understand the way you use and interact with our Services. 
Leveraging data analytics to improve our Website, Services, marketing, users experiences and their relationship with Bullish.
Personal Identification data
Social Identification data
Contact and Correspondence data
Investment data
Marketing data
Profile data
Usage data
Online Identifying information
Legitimate interest
Product/ UX user research & testing. Identify the behaviour patterns, thoughts, and needs of customers by gathering user feedback from observation, task analysis, and other methods. It also includes gathering market data for studying customers’ behaviour including their preference, interest and how they use our products/services.Personal Identification data
Social Identification data
Contact and Correspondence data
Investment data
Marketing data
Profile data
Usage data
Online Identifying information
Consent
Marketing activities. Provide you with relevant information and news about our Services, events, promotions, prizes, giveaways and other opportunities. Send information that may be of interest to you based on your preferences.Personal Identification Information; Correspondence Information; Online Identifying Information, Marketing Data, Profile DataConsent

Legitimate Interest

Website traffic analysis and analytics. Understand how users interact with our Websites, analyse Website traffic and usage, to improve our Websites and our offeringsPersonal Identification Information; Transaction Information; Online Identifying Information; Usage DataConsent
Engaging with you on social media. Engaging with you on social media, including on subsections of social media platforms controlled by us. Understanding how you engage with us on social media, engaging users through social media platforms, and improving our social media activities and users’ social media experiencePersonal Identification Information; Correspondence Information; Online Identifying Information; Social Identification, Profile DataLegitimate Interest

Consent

To utilise the services of social media or advertising platforms, some of which may use personal data they receive for their own purposes, including marketing purposes, determining our marketing campaigns and growing our businessPersonal Identification Information; Correspondence Information;  Online Identifying Information, Social Identification, Profile DataConsent

In the above table, “consent” refers to Article 6(1)(a), “performance of a contract” to Article 6(1)(b), and “legitimate interest” to Article 6(1)(f) of the GDPR, or the equivalent provisions in your jurisdiction.

When the lawful basis for processing your personal data is legitimate interest, we always ensure that we consider and balance any potential impact on you and your rights under data protection laws.

In addition to the processing activities outlined on the above table, we may also process your Personal Data to comply with our obligations under applicable law, where the processing is necessary to protect a person’s vital interests, and for any purpose that you provide your consent. 

We will only use your personal information for the purposes for which it was collected, unless we need to use it for another reasonable purpose that is compatible with the original purpose. If you would like an explanation of how the processing for the new purpose is compatible with the original purpose, please contact the Bullish Privacy Office at [email protected].

7. How We Share Your Personal Data

We may share your Personal Data with the following categories of third-parties: 

  • Third-party service providers who need access to Personal Data to assist us in delivering Services or the operation of our business.  For example, such third-parties include payment processors; information technology service providers; providers of identity verification services; Website hosting providers; insurance, marketing, accounting, shipping, and delivery vendors; other business process outsourcing providers; and partners who assist us with administering programs we offer to you, such as our bug bounty program.
  • Information provided by identity verification and KYC partners, credit reference agencies, and public databases, which means personal information processed with our purpose to comply with our legal obligation related to anti-money laundering laws, to prevent and detect crime and for anti-fraud purposes. Our ID verification partners use a mix of government records, publicly available information, information provided to us by you and the use of technology to help Bullish on your identity verification. Such information may include criminal convictions and offences, credit history, status on any sanctions lists maintained by public authorities, and other relevant data.

We may also process additional information about you to assess and manage risk and to ensure Bullish Services, Website and app are not used for illicit activities.

  • Third-party service providers who need access to Personal Data to provide advertising and analytics services. For example, we use a third-party service for the collection and management of your Personal Data that enables us to deliver marketing communications about our Services and events to you. 
  • Public entities and institutions (e.g. Gibraltar Financial Services Commission (e.g. transaction data which is routed via an agent ), Gibraltar Regulatory Authority (e.g. data protection breaches), Gibraltar Financial Intelligence Unit (e.g. Suspicious Transactions Reports), Gibraltar Finance Centre (e.g. fiscal details, balances and interest for onwards transmission to relevant foreign tax authority), Hong Kong Joint Financial Intelligence Unit (e.g., Suspicious Transactions Reports identified by Bullish staff in Hong Kong), other financial authorities, including criminal prosecution authorities upon providing a legal or official obligation.
  • With our professional advisors who provide banking, legal, compliance, insurance, accounting, or other consulting services in order to complete third-party financial, technical, compliance and legal audits of our operations or otherwise comply with our legal obligations.
  • Other credit and financial service institutions or comparable institutions to which we transfer your personal data in order to process payments you have authorised and/or to carry out a business relationship with you (depending on the contract, e.g., correspondent banks, custodian banks, brokers, stock exchanges, information offices).
  • We may also share your details with people or companies if there’s a corporate restructure, merger, acquisition or takeover.
  • Other recipients of data can be any person for which you have given us your consent to transfer data.
  • Our corporate affiliates in the Bullish Group, when necessary to complete the processing activities described above. 
  • Other third-parties, as reasonably necessary:
    • In relation to a merger, sale, acquisition, divestiture, restructuring, reorganisation, dissolution, bankruptcy, or other change of ownership or control (whether in whole or in part); or 
    • To: (i) to detect and prevent financial crime, money laundering, terrorism, and tax evasion where required by law, to comply with applicable laws, a request from a law enforcement agency, regulatory authority, public or judicial body with jurisdiction over us, or other legal process; (ii) protect our legitimate rights, privacy, property, vital interests, health and safety, as well as those of our customers, business partners, personnel, or the general public; (iii) seek professional advice, manage risk (including obtaining and managing insurance), pursue available remedies or limit damages; (iv) enforce our Terms of Use; (v) respond to an emergency; (vi) other banks to help trace money in cases of fraud or other crimes; and/or  (vii) any other third parties where necessary to meet our legal obligations

Bullish requires that a request from a law enforcement agency or public or judicial body having jurisdiction over us be accompanied by sufficient legal process. This varies by location. For instance, production orders, search warrants, freezing orders, seizure orders, and subpoenas, as well as requests for voluntary data disclosure, all constitute a legal process. Bullish thoroughly evaluates each order and request for voluntary disclosure to verify that they have a legitimate legal basis and that any response is carefully limited to ensure that law enforcement receives just the data and/or remedy to which they are entitled. Additionally, Bullish requires that requests for asset freezing and/or seizure adhere to the relevant local jurisdiction’s legal process and include all appropriate instructions, including, if applicable, the period of the freeze.

We always endeavour to only share the minimum amount of Personal Data that these third parties need to perform their tasks.

8. Third Party Applications and Websites

Our Data Sources may contain links to third-party applications not affiliated with us. Your use of an external application or any informational content found on external applications is subject to and governed by the privacy policies, terms, and conditions of that application. 

We do not endorse or make any representations or warranties concerning, and will not in any way be liable for, any informational content, products, services, software, or other materials available on external applications are framed within our Data Sources.

While we do review the privacy practices of our Service Providers prior to engaging them to ensure that they meet Bullish Service Provider privacy standards, we ultimately do not control the privacy practices of any external applications or Websites. The Websites may contain links to Websites not affiliated with us. Your use of external Websites or any informational content found on external Websites is subject to and governed by the privacy policies, terms, and conditions of those Websites.  We do not endorse or make any representations or warranties concerning, and will not in any way be liable for, any informational content, products, services, software, or other materials available on external Websites even if one or more pages of the external Websites are framed within a page of our Websites.

9. Advertising and Analytics Services Provided by Third Parties

We may allow others to serve advertisements on our behalf across the Internet and to provide analytics services. These entities may use cookies, web beacons and other technologies to collect information about your use of our Data Sources and other Websites, including your IP address, web browser, pages viewed, blocks created, transactions undertaken, information provided to Bullish, time spent on pages, links you clicked, and conversion information. This information may be used by us and others to, among other things, analyse and track data, determine the popularity of certain content, deliver advertising and content targeted to your interests on the Websites, and better understand your online preferences. For more information about interest-based ads, please visit the Digital Advertising Alliance at www.aboutads.info/choices.

We will get your opt-in consent before we share your personal data with any third party for marketing purposes

The third-party service providers we use for advertising and analytics include: 

  • Plausible Analytics, a web analysis service that captures web analytics entirely anonymously, uses no cookies, and collects no personal data.  All data is used in the aggregate only, and there is no tracking across devices, or Websites.  To learn more, please review the Plausible Analytics Privacy Policy and the Plausible Analytics Data Policy.
  • We use Piwik PRO Analytics Suite as our website/app analytics software and consent management tool. We collect data about website visitors based on cookies. The collected information may include a visitor’s IP address, operating system, browser ID, browsing activity and other information. See the scope of data collected by Piwik PRO. We calculate metrics like bounce rate, page views, sessions and the like to understand how our website/app is used. We may also create visitors’ profiles based on browsing history to analyse visitor behaviour, show personalised content and run online campaigns. The data is hosted on Microsoft Azure in the Netherlands and the data is stored for 14/25 months. The purpose of data processing is the analytics and conversion tracking based on consent. The legal basis is consent. Piwik PRO does not send the data about you to any other sub-processors or third parties and does not use it for its own purposes. For more, read Piwik PRO’s privacy policy.
  • Google Tag Manager: In order to monitor and provide diagnostics about system stability, performance, and installation quality, Google Tag Manager may collect some aggregated data about tag firing. This data does not include user IP addresses or any measurement identifiers associated with a particular individual. Other than data in standard HTTP request logs, all of which is deleted within 14 days of being received, and diagnostics data noted above, Google Tag Manager does not collect, retain, or share any information about visitors to our customers’ properties, including page URLs visited.
  • Google Ads & DoubleClick: Google stores a record of the ads it serves in its logs. These server logs typically include your web request, IP address, browser type, browser language, the date and time of your request, and one or more cookies that may uniquely identify your browser. Google stores this data for a number of reasons, the most important of which are to improve its services and to maintain the security of its systems. Google anonymizes this log data by removing part of the IP address (after 9 months) and cookie information (after 18 months). To help Google’s partners manage their advertising and websites, Google offers many products, including Google Ads, and a range of DoubleClick-branded services. When you visit a page or see an ad that uses one of these products, either on Google services or on other sites and apps, various cookies may be sent to your browser. These may be set from a few different domains, including google.com, doubleclick.net, googlesyndication.com, or googleadservices.com, or the domain of Google partners’ sites. Some of Google’s advertising products enable its partners to use other services in conjunction with Google’s (like an ad measurement and reporting service), and these services may send their own cookies to your browser. These cookies will be set from their domains. See more detail about the types of cookies used by Google and Google’s partners and how they use them.
  • Twitter: Conversion tracking enables Bullish to measure its return on ad spend by tracking the actions people take after viewing or engaging with Bullish’s ads on Twitter. On Twitter, Bullish can use its Twitter Pixel or the Conversions API to set up conversion tracking. These solutions pass data back to Twitter and help enable user attribution. It does this by matching conversion data to a Twitter user, using available identifiers like cookie IDs, Click ID or email. The Twitter Pixel allows Bullish to put a piece of code on the website to send conversion data to Twitter. The Conversion API allows advertisers to send conversion data directly from a server to Twitter. Learn more about the Twitter Pixel, Conversions API, and other conversion tracking tools here. Attributed data can be used for a variety of purposes, such as building Website Activity Audiences for campaign retargeting, to improve optimization models to help you drive action with your campaigns, and for reporting of campaign results, to understand the impact of a campaign. Use of any of Twitter’s conversion tracking products or services is subject to the Twitter Conversion Tracking Program T&C’s, which can be found here
  • LinkedIn: The LinkedIn Insight Tag enables the collection of data regarding members’ visits to Bullish’s website, including the URL, referrer, IP address, device and browser characteristics (User Agent), and timestamp. The IP addresses are truncated or hashed (when used for reaching members across devices), and members’ direct identifiers are removed within seven days in order to make the data pseudonymous. This remaining pseudonymized data is then deleted within 180 days. LinkedIn doesn’t share the personal data of members with Bullish; LinkedIn only provides reports and alerts (which do not identify members) about Bullish’s website audience and ad performance. LinkedIn also provides retargeting for website visitors, enabling Bullish to show personalised ads off Bullish’s website by using this data, but without identifying the member. LinkedIn also uses data that doesn’t identify members to improve ad relevance and reach members across devices. LinkedIn members can control the use of their personal data for advertising purposes through their account settings.
  • The Trade Desk offers what is known in the industry as a Demand Side Platform (“DSP” or “Platform”). The Trade Desk provides technology that helps advertisers and their advertising agencies manage digital advertising campaigns across many channels, such as websites, apps, audio, smart TVs, and other video. The Trade Desk technology uses data to target and serve or to help Bullish to target and serve relevant advertising to consumers and to perform attribution analysis or other analytics regarding advertising audiences, as well as to compile, match and link audiences on behalf of Bullish. For instance, The Trade Desk may, or help Bullish to, use this data to: – Determine what ad to show a consumer, and customise ads to particular types of audiences; – Customise ads to the type of web page users are viewing; – Limit the number of times a consumer sees an ad or a type of ad; – Perform analysis of how effective the ads are; – Help Bullish learn more about their own consumers; – Troubleshooting; and – Fraud detection. Learn more about The Trade Desk’s privacy policy here

10. Cookies

We use Cookies, web beacons, and other data collecting technologies, such as when you navigate the Websites or click on links in the emails we send you.  A cookie is a small data file that is transferred to a web browser, allowing our Sites to remember and customise your subsequent visits. A web beacon (also called a “pixel tag” or “clear GIF”) is a piece of computer code that enables us to monitor user activity and Website traffic.  To learn more about how we use cookies then please visit our Cookie Notice. For more information on cookies and web beacons more generally, please visit https://www.allaboutcookies.org.  Some web browsers offer settings that allow you to reject cookies or alert you when a cookie is placed on your computer or device.  Please note that if you reject cookies, the functionality of some areas of the Websites may be limited. 

When you first land on the Websites, you will be asked for your consent to the placement of Cookies.  No Non-essential Cookies are placed on your browser until you give your consent.  You also have the option to manage your consent on an ongoing basis by opting out of any Cookies category except Strictly Necessary Cookies by changing your Cookies Settings.  Please note that if you reject cookies, the functionality of some areas of the Websites may be limited.

11. Automated Decision-Making and Profiling

Automated decision-making is a process by which your Personal Data is used to make a decision about you that creates legal or other significant effects in an automated fashion using an algorithm alone, without any human intervention in the process. Profiling is where Personal Data is evaluated in an effort to predict things like interests or preferences about what types of information an individual might want to receive. Although profiling is a type of automated processing, it does not produce legal (or other significant) effects and in that way is different from automated decision-making.

As discussed above in the section on “Advertising and Analytics Services Provided by Third Parties”, we may use profiling as part of our analytics to deliver the most relevant content and best experience to you

Bullish relies on automated tools to help determine whether a transaction or a customer account presents a fraud or legal risk. In some jurisdictions, you have the right not to be subject to a decision based solely on automated processing of your personal information, including profiling, which produces legal or similarly significant effects on you, save for the exceptions applicable under relevant data protection laws. 

Customers won’t be subject to decisions that will have a significant impact on them based solely on automated decision-making. In cases where a customer does not pass our KYC verification, they will be immediately provided with an option to contact customer support and initiate a manual process to review the automated decision-making. Transaction monitoring will also be automated, with alerts and escalations being manually investigated by our Compliance team.

You have the right to not be subject to a decision based solely on automated processing.

12. Your Rights

Applicable privacy legislation may entitle you to some or all of the following rights with respect to your Personal Data: 

  • To access the Personal Data we maintain about you. We will provide you with one copy of your Personal Data free of charge, but we may charge you a reasonable fee to cover our administrative costs if you request further copies of the same information. In the cases we charge a fee, our time to respond to your request starts after we have received the fee.
  • To be provided with information about how we process your Personal Data. This will include information on the categories of data, the sources from which it originated, the purpose and legal basis for the processing, the expected retention period, the recipients of your Personal Data, and the safeguards regarding data transfers to other jurisdictions, subject to the limitations set out in applicable laws and regulations. 
  • To correct your Personal Data. You have the right to ask us to rectify Personal Data you think is inaccurate or incomplete. In some cases, you will need to make these changes yourself by using the tools we provide in the Data Sources. 
  • To have your Personal Data erased. You have the right to ask us to delete your Personal Data. In some cases, you will need to do the deletion yourself using the tools we provide in the Data Sources. If we have shared your Personal Data with a third party in the manner described above, we will require the third party to delete the Personal Data that we have shared with them (consistent with their legal obligations to do so).  We will decline your request for deletion if processing your Personal Data is necessary: (i) to comply with our legal obligations such as fraud detection and monitoring, (ii) or being required to perform a task in the public interest; (iii) in pursuit of a legal action; (iv) for exercising the right of freedom of expression and information; and  (v) for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing.
  • To object to how we process your Personal Data. Where we process your Personal Data based on our legitimate interest (or that of a third party), you have the right to object to this processing on grounds relating to your particular situation if you feel it impacts on your fundamental rights and freedoms. We will decline your request where we have compelling legitimate grounds for the processing which override your rights and freedoms, or where the processing is in connection with the establishment, exercise or defence of legal claims. 
  • To stop your Personal Data from being used for direct marketing purposes. At your request, we will stop using your Personal Data for the purpose of direct marketing. Our marketing communications include an unsubscribe facility, which we encourage you to use.  If you want to stop us from contacting you in connection with marketing communications, please email us at the email address specified below. 
  • To restrict how we process your Personal Data. At your request, we will limit the processing of your Personal Data if: 
    • you dispute the accuracy of your Personal Data; 
    • your Personal Data was processed unlawfully, and you request a limitation on processing, rather than the deletion of your Personal Data; 
    • we no longer need to process your Personal Data, but you require your Personal Data in connection with a legal claim; or 
    • you object to the processing and no overriding legitimate interest for the processing exists. 
  • The right to data portability.  You have the right to receive your Personal Data in a structured, commonly used and machine-readable format, and to have us transfer your personal information to another controller. 
  • Please note information may already be available to you via the Data Sources. 
  • To withdraw any consent that you gave us to process your Personal Data. You have the right to withdraw any consent you may have previously given us at any time. Your consent withdrawal will not affect the lawfulness of the processing done before the withdrawal.
  • To complain to a supervisory authority. If you are not satisfied with our response, you have the right to complain to or seek advice from a supervisory authority and/or bring a claim against us in any court of competent jurisdiction. We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority, so please contact us in the first instance.
  • Not to be subjected to automated decision making. In some jurisdictions, you have the right not to be subject to a decision based solely on automated processing of your personal information, including profiling, which produces legal or similarly significant effects on you, save for the exceptions applicable under relevant data protection laws.

To exercise the above rights, please complete a Data Subject Rights Request Form or contact us at [email protected]. We will consider and process your request within the required period of time.  Please be aware that under certain circumstances, or in relation to certain types of data, the applicable legislation may limit your exercise of these rights. 

Please note that in some cases, if you do not agree with the way we process your information, it may not be possible for us to continue to operate your account and/or provide certain products and services to you. 

It is our policy to respect the rights of individuals. However, please be aware that your exercise of these rights may be subject to certain exemptions to safeguard the public interest (e.g. the prevention or detection of crime); where an overriding legitimate interest for the processing exists.s (e.g. the maintenance of legal privilege) an; some of these rights may be limited (for example, the right to withdraw consent) where we are required or permitted by law to continue processing your personal data to establish, exercise, and defend our legal rights or meet our legal and regulatory obligations; and for the protection of the rights of another natural or legal person.

13. International Data Transfers

We may transfer your Personal Data to any of our offices in countries outside of your jurisdiction for processing in accordance with this Privacy Notice and as permitted by the applicable laws. These locations include the EU, United States, and Asia-Pacific region. Such intra-organisational transfers are based on approved mechanisms. 

Where we rely on our service providers located outside of your jurisdiction and acting as data processors, we ensure that anyone to whom we pass it protects it in the same way we would and in accordance with applicable laws.

In the event we transfer information to countries outside the European Economic Area, we will only transfer data to third parties where one of the conditions below apply:

  • The European Commission has decided that the country or the organisation we are sharing your information with will protect your information adequately.
  • The transfer has been authorised by the relevant data protection authority.
  • We have entered into a contract with the organisation with which we are sharing your information (on terms approved by the European Commission) to ensure your information is adequately protected.

14. How long we keep your information

We retain Personal Data for the period of time necessary to fulfil the purposes outlined in this Privacy Notice unless a longer retention period is required by law. To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting, or other requirements.

Retention periods may be changed from time to time based on business or legal and regulatory requirements.

We may on exception retain your information for longer periods, particularly where we need to withhold destruction or disposal based on an order from the courts or an investigation by law enforcement agencies or our regulators. This is intended to make sure that the bank will be able to produce records as evidence, if needed.

While retention requirements vary by jurisdiction, information about our typical retention periods for different aspects of your personal information are described below:

  • Personal data collected to comply with our legal obligations under financial or anti-money laundering laws may be retained after account closure for at least five years.
  • Contact Information such as your name, email address and telephone number for marketing purposes to those who subscribe to our newsletter is retained for 6 months or until you unsubscribe. Thereafter we will add your details to our suppression list to ensure we do not inadvertently market to you.
  • Data relating to customer complaints, including contact information, complaint information, information needed to resolve a complaint, and linkages to account information as necessary to resolve complaints may be retained for six years after account closure.
  • Data relating to trades or other financial transactions made on the Bullish exchange, including personal identifiers needed to link transactions with individuals may be retained after the account closure for at least seven years.
  • Information provided by an individual when opening an account on Bullish, but prior to proceeding through the KYC process is retained for at least three years. This information can include email address, location of residence, and other basic identifying information.
  • Information collected via technical means such as cookies, web page counters and other analytics tools is kept for a period of up to one year from expiry of the cookie.

If you would like more information about how long we keep your information, please contact us at [email protected].

15. Data Security

We have a significant investment in Cyber Security controls, including, but not limited to in-house and external expertise, state-of-the art technologies, and processes. We follow a security by design approach, strengthened by continuous vulnerability and threat management, regular penetration testing, a bug bounty program, and ongoing security monitoring and risk management practices.

You can find more information about our security practices on  https://bullish.com/bullish-on-security/.

Procedures have been put in place to deal with any suspected breach of personal information. We will notify you and any applicable regulator of a data breach when we are legally required to do so.

16. Marketing

You can opt-out of receiving marketing communications from us at any time by clicking the the unsubscribe link at the bottom of a marketing email.In addition, you can notify us directly via email at [email protected] if you prefer not to receive any marketing messages.If you opt out of receiving marketing communications, that will not apply to service and transactional messages such as emails related to maintenance and changes to the terms and conditions

17. Children’s Privacy

Bullish Services are directed at adults aged 18 years and over, and not intended for children. We do not market to and do not knowingly collect Personal Data from individuals under the age of 18. Our verification process prevents Bullish collecting data of minors. Please contact us at [email protected] if you believe any individual under the age of 18 is using our Services so we can take immediate action to prevent his or her access to our Services and delete the information as soon as possible.

18. Do Not Track

Certain web browsers and other devices may permit you to submit your preference for not being “tracked” online, also known as “Do Not Track” or “DNT” signals. Since uniform standards for DNT signals have not been adopted, we do not currently process or respond to “DNT” signals. We will make efforts to monitor developments around “do not track” browser technology and the implementation of a standard.

19. Updates to the Privacy Notice

To keep up with changing legislation, best practices and changes in how we process your personal data, we reserve the right to revise this Privacy Notice at any time and without notice by posting an updated version on this Website. To stay up to date on any changes, we would therefore encourage you to review this Privacy Notice regularly to stay informed of the purposes for which we process your Personal Data and your rights to control how we process it. To the extent permitted by law, by continuing to use our Data Sources after changes have been posted, you are confirming that you have read and understood the latest version of this Privacy Notice. 

If you have any questions, comments or complaints, or would like to exercise your rights concerning your Personal Data and privacy preferences, you may use self-service options if they are available to you or contact in the following ways

20. Notice to U.S. Users

For U.S. users this notice will be supplemented by the privacy addendum included in your Bullish Institutional Customer Agreement.