
Introduction

Welcome to the Boex CIC privacy policy

Boex CIC is dedicated to providing the best digital trade services worldwide through a single platform. To achieve this, we collect personal information from clients, potential clients, and their representatives. Boex CIC UK values your privacy and is committed to protecting your personal data. This policy outlines how we handle your personal data, your privacy rights, and how the law safeguards you.

 

This privacy policy is structured for ease of use. For more information on specific sections, click the headings below or request a full PDF version by emailing [email protected]. If you have any questions, please contact [email protected].

At Boex, we aim to collect only the data necessary to provide you with our services. Therefore, we have different privacy policies tailored to the specific interactions you have with us.

1.1 This privacy policy is issued on behalf of Boex. “Boex” is the trading name of Boex CIC UK and Boex Ireland so when we mention “Boex”, “we”, “us” or “our” in this privacy policy, we are referring to the relevant Boex company responsible for processing your data acting as Controller.

 

Controller

1.2 Boex is made up of different legal entities:

 

Boex CIC UK is responsible for this website.

 

Purpose of this privacy policy

 

1.3 This privacy policy aims to give you information on how Boex collects and processes Personal Data we collect from you or that you provide to us or that we obtain from third parties.

 

This Personal Data may be obtained through the provision of our services in accordance with our terms and conditions and through the use and interaction of our website.

 

1.4 This website is not intended for children, and we do not knowingly collect data relating to children.

 

1.5 It is important that you read this privacy policy together with our terms and conditions (a copy of which can be obtained upon request) and any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing Personal Data about you so that you are fully aware of how and why we are using your data.

 

This privacy notice supplements the other notices and is not intended to override them.

 

1.6 We have appointed a Data Privacy Manager who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact the Data Privacy Manager using the details set out below.

 

Contact details

 

1.7 If you have any questions about this privacy policy or our privacy practices, please contact our Data Privacy Manager in the following ways:

 

Full name of legal entity: Boex CIC UK

Email address: [email protected]

Personal Data Collection

 

2.1 Personal data means any information about an individual that can identify them. It does not include anonymized data.

 

2.2 We may collect, use, store, and transfer various types of personal data:

  • Identity Data: First name, last name, username, title, date of birth.
  • Contact Data: Billing address, delivery address, email, phone numbers.
  • Financial Data: Bank account and payment card details, credit data, authorized signatory details.
  • Transaction Data: Payments to and from you, details of services purchased.
  • Technical Data: IP address, login data, browser type, time zone, browser plug-ins, operating system, platform, device usage.
  • Profile Data: Username, password, purchases, interests, preferences, feedback, survey responses.
  • Usage Data: Website usage, product/service usage.
  • Marketing and Communications Data: Preferences in receiving marketing from us and third parties.

 

2.3 We also collect Aggregated Data for statistical or demographic purposes, which does not directly or indirectly identify you.

 

2.4 We process this data only when required for the services provided, for public interest, with consent, or by legal obligation.

Data Collection Methods

 

3.1 We use different methods to collect data:

 

3.1.1 Direct interactions: Forms, correspondence (post, phone, email), account creation, subscriptions, marketing requests, competitions, feedback.

 

3.1.2 Automated technologies: Website interactions, cookies, server logs, similar technologies.

 

3.1.3 Third parties or publicly available sources: Public sources, credit referencing agencies, professional social networking sites, sanctions, and criminal background checks.

Usage of Personal Data

 

4.1 We use your personal data as permitted by law:

  • To perform contracts.
  • For legitimate interests, unless overridden by your interests and rights.
  • To comply with legal obligations.

 

4.2 More details on the lawful basis for processing your data are in the table linked here.

 

4.3 Generally, we do not rely on consent for processing personal data. You can withdraw consent for marketing at any time by contacting us.

 

Promotional Offers

 

4.7 We may use your data to determine suitable products, services, and offers.

 

4.8 You will receive marketing communications if you requested information or purchased services and have not opted out.

 

Third-Party Marketing

 

4.9 We require express opt-in consent to share your data with third parties for marketing purposes.

 

Opting Out

 

4.10 You can stop receiving marketing messages by adjusting preferences on our website or contacting us.

 

4.11 Opting out does not affect personal data provided as a result of product/service transactions.

 

Cookies

 

4.12 Our website uses cookies for essential functions (account authentication, security, fraud prevention, preference setting, load balancing).

 

4.13 We use cookies or similar technologies for analytics.

 

4.14 Our cookie policy provides details on the types and purposes of cookies used. You can change your preferences at any time.

 

4.15 Disabling cookies may affect website functionality. For more information, see our cookie policy.

 

Change of Purpose

 

4.16 We use your personal data only for the purposes for which it was collected, unless required for a compatible reason. We will notify you of any changes.

 

4.17 We may process your data without consent if required by law.

Data Sharing

 

5.1 We may share your personal data with internal and external third parties.

 

5.2 Third parties must respect data security and confidentiality.

 

5.3 We may disclose personal data to:

  • Group companies for contract performance.
  • Comply with legal obligations.
  • Business transactions.

 

International Transactions

 

5.4 We ensure data protection for transfers outside the UK or EU with appropriate safeguards.

Data Security

 

We implement measures to prevent data breaches, including malware scanning, firewalls, encryption, two-factor authentication, and regular security audits.

Data Retention


7.1 We retain personal data as necessary for legal, regulatory, tax, accounting, or reporting requirements. Retention periods vary by jurisdiction.


7.2 We consider data amount, nature, sensitivity, risk of harm, and processing purposes to determine retention periods.

 

Anonymization and Deletion

In some cases, we anonymize personal data for indefinite use. You may request data deletion under certain circumstances.

Under certain circumstances, you have rights under data protection laws in relation to your Personal Data.

 

a) Request access to your Personal Data.


Commonly known as a “Data Subject access request”. This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.

 

b) Request correction of your Personal Data.


You have the right to request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

 

c) Request erasure of your Personal Data.


This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Data to comply with local law. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. For example, we are required by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 to keep information on our clients for five years after our business relationship with that client has come to an end.

 

d) Object to processing of your Personal Data.


You have the right to object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your Personal Data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

 

e) Request restriction of processing your Personal Data.


This enables you to ask us to suspend the processing of your Personal Data in the following scenarios:

  • If you want us to establish the data’s accuracy.
  • Where our use of the data is unlawful but you do not want us to erase it.
  • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
  • You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

 

f) Request transfer of your Personal Data.


You have the right to request the transfer of your Personal Data to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

 

g) Right to withdraw consent. 

 

You have the right to withdraw consent at any time where we are relying on consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

 

If you wish to exercise any of the rights set out above, please contact us at [email protected]

 

No fee usually required


You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What we may need from you


We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

 

Time limit to respond


We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

 

“CDD” means Client Due Diligence;

“Consent” of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. It is responsible for establishing practices and policies in line with Data Protection Legislation. We are the Controller of all Personal Data relating to our Company Personnel and Personal Data used in our business for our own commercial purposes;

“Criminal Convictions Data” means personal data relating to criminal convictions and offences, including personal data relating to criminal allegations and proceedings;

“Data Subject” means the identified or identifiable living individual to whom Personal Data relates;

“EDD” means Enhanced Due Diligence;

“FCA” means the Financial Conduct Authority;

“EU GDPR” means the General Data Protection Regulation ((EU) 2016/679) of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) as it has effect in European Union law;

“UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018;

“KYC” means Know Your Client;

“Legal Basis for Processing” means the lawful bases for processing as set out in Article 6 of the GDPR and UK GDPR. At least one of these must apply whenever Boex processes Personal Data. We must also provide this data to the client so that they understand what data we are processing, and why:

a) “Consent” means that the individual has given clear consent for you to process their Personal Data for a specific purpose.

b) “Contract” means that the Processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

c) “Legal obligation” means that the processing is necessary for you to comply with the law (not including contractual obligations).

d) “Vital interests” means the processing is necessary to protect someone’s life.

e) “Public task” means that the Processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

f) “Legitimate interests” means that the Processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s Personal Data which overrides those legitimate interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your Personal Data for our legitimate interests. We do not use your Personal Data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law);

 

“Personal Data” means “any information that relates to an identified or identifiable natural person” or individual (‘Data Subject’) (Article 4 GDPR); or “any information relating to an identified or identifiable living individual” (Section 3(2) DPA 2018).

 

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;

 

“Special Categories of Personal Data” includes any data we hold which is Personal Data about an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or conditions, sexual life, sexual orientation, biometric or genetic data. Any use of sensitive Personal Data must be strictly controlled in accordance with this policy. Any Criminal Convictions Data which we hold will also be considered to be a special category of Personal Data.

 

Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

 

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.