XY Capital Online Privacy Policy (Effective date: 31 August 2021)

Your personal information is important to us. That’s why we do so much to protect your information, while continually providing service you can count on. While no one can guarantee absolute information security, we protect your information in many ways—from working to ensure that our buildings are secure, to proactively preparing for disasters and business interruptions, to using safe and secure computing practices. We continually review and make enhancements to how we safeguard and protect customer information.

This privacy policy will inform you as to how we look after your personal information when you visit our website (regardless of where you visit it from) and tell you about your privacy rights and how the law protects you.

About this website

The online privacy policy (“Policy”) is adopted jointly by XY Capital Limited and XY Capital Europe Limited, these entities are collectively referred to as “XY”, “we”, “us”, “our”, and applies to this website, our mobile applications or online forms, and our producer websites that link to this Policy (together, “Digital Technologies”). This Policy does not apply to any information collected through other channels, such as in person, on paper, or by phone.

Other sites

Digital Technologies operated by non-XY related entities may link to and from our website, but they may have different privacy policies from the one described here. We do not have control over, or responsibility for, the content or operation of the website of any non- XY entity. These other sites may send their own cookies to your device, may independently collect data or solicit personal data or personally identifiable information, and may or may not have their own published privacy policies. Visitors should read the privacy statements of other websites they visit for information regarding their specific privacy practices.

Your consent

Please take a few minutes to review this Policy before using our Digital Technologies. To the extent permissible under applicable law, by using our Digital Technologies you are consenting to the collection, use and disclosure of your information as set forth in this Policy. If you do not agree to be bound by this Policy, you may not access or use our Digital Technologies.

Information collected

XY collects personal data about you, i.e. information that can be used to identify you as an individual. Types of personal information we collect and use when you provide such information through our Digital Technologies include:

1. Financial information – your financial position, status and history;
2. Contact information – where you live and how to contact you;
3. Identity information – your name, work or profession, nationality, gender, social security number (or local equivalent), or other information contained in identity-related documentation (such as, passport, driving license, or birth certificate);
4. Transactional information – details about payments to and from your accounts and other details of products and services you have purchased from us;
5. Contractual information – details about the products and services we provide to you;
6. Technical information – details on the devices and technology you use;
7. Communications information – information we obtain through letters, emails, conversations, social media interactions, or any other correspondence between us;
8. Open Data and Public Records information – details about you that are available in public records or that is openly available on the internet;
9. Usage information – information about how you use the products and services we provide to you;

The personally identifiable information collected varies depending upon the function selected and the information provided.

For individuals that login as representatives of a business or corporate account, we may gather information based on your relationship with our organization for the purposes of providing customized online services.

For visitors who provide an email address or volunteer other information, such as contact information and/or site registration, we collect this information. Visitors who provide an email address may also be asked to provide feedback about our website via surveys. Additionally, visitors may receive periodic messages from us about new products and services or upcoming events. If you do not want to receive e-mail or other mail from us, please click the “unsubscribe” link in the email correspondence received from us.

Connecting with XY on social media sites

XY provides experiences on social media platforms that enable online sharing and collaboration among users who have registered to use them. We may collect information you provide by interacting with us via social media, such as photographs, opinions, or Twitter handle. Any content you post, such as pictures, information, opinions, or any personal information that you make available to other participants on these social platforms, is also subject to the terms of use and privacy policies of those platforms. Please refer to them to better understand your rights and obligations with regard to such content.

 Mobile applications information

XY’s mobile applications allow you to access your accounts using wireless or mobile devices. Our privacy practices apply to any personal information or other information that we may collect through the applications. Additional conditions may apply depending on the specific terms of use of the applications. Please refer to your mobile applications terms of use or agreements.

Information received from third parties

We may receive information about you from third parties such as consumer or other reporting agencies and medical or health care providers; or through your interactions with our affiliated companies. In addition, if you are on another website and you opt-in to receive information from us, that website will submit to us your email address and other information about you so that we may contact you as requested. We may supplement the information we collect about you through our Digital technologies with such information from third parties in order to enhance our ability to serve you, to tailor our content to you and/or to offer you opportunities to purchase products or services that we believe may be of interest to you.

Information collected by use of cookies and spotlight tags

We allow third-party companies to use cookies and spotlight tags to collect certain information when you visit our website or use our Digital Technologies (“Usage Information”). Usage Information helps us measure the performance of our online advertising campaigns, analyze visitor activity on our Digital Technologies and utilized for other business purpose. Usage Information may include browser type, device type, operating system, application version, the page served, the time, the preceding page views, and your use of features on the Digital Technologies.

Cookie policy

This website uses session cookies. Without these cookies, a user would not be able to log onto this website. Session cookies are temporarily created when visiting a website (i.e. a session cookie is created upon logging in and accessing secured information). The information collected may include such things as what time the website was visited, how long a user stays logged in, if a user has visited the website previously and what pages were visited. Session cookies expire when a user leaves the website, closes their browser, opens a new browser window or there is 30 minutes of inactivity.

XY considers the information collected through our Digital Technologies valuable. At this time, XY does not respond to do-not-track signals or similar technologies sent by a browser setting. However, visitors will continue to have the ability to control cookie settings for XY’s websites. The information we receive from your web browser and device may or may not be personally identifiable and we may combine it with other information.

How you can control what data is collected through cookies

The information we collect may depend on your browser settings. Most web browsers automatically accept cookies, but you can usually alter the setting of your browser to prevent that; however, doing so may limit your access to certain sections of our website, including account information found behind the log in.

If you do not wish to receive cookies, please refer to the help section of your Internet browser (Chrome, Safari, Firefox, Internet Explorer, etc.) to learn how to either block all cookies or receive a warning before a cookie is stored on your computer. In addition to altering the cookie settings on your browser, you can also install the Google Analytics Opt-out Add-on, which prevents Google Analytics from collecting information about your website visits.

How we use information collected through the Digital Technologies

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

• Where we need to perform the contract we are about to enter into or have entered into with you (“Performance of a contract”);
• Where it is necessary for our legitimate interests (i.e. we have a business or commercial reason for using your information) and your interests and your fundamental rights do not override those interests (“Legitimate interests”);
• Where we need to comply with a legal or regulatory obligation (“Legal obligation”); or
• Where you consent (“Consent”).

What we use your personal information for	Our reasons	Our legitimate interests
To provide and manage our products, services and Website (including any online account with us).	• Performance of a contract • Legitimate interests • Legal obligation	• Being efficient about how we fulfill our legal and contractual duties. • Providing high quality customer service.
To create, process and deliver the accounts you hold with us or the products or services you receive from us.	• Performance of a contract • Legitimate interests • Legal obligation	• Complying with regulations that apply to us. • Being efficient about how we fulfill our legal and contractual duties.
To process transactions and carry out obligations arising from any contract entered into between you and us.	• Performance of a contract • Legitimate interests • Legal obligation	• Being efficient about how we fulfill our legal and contractual duties.
To communicate with you and respond to your inquiries, including responding to complaints and attempting to resolve them.	• Performance of a contract • Legitimate interests • Legal obligation	• Complying with regulations that apply to us. • Being efficient about how we fulfill our legal and contractual duties. • Providing high quality customer service.
To send you promotional and marketing materials, newsletters or other related communications (including making suggestions and recommendations to you about services that may be of interest to you). To conduct research and analysis to improve the quality of our marketing and the experience of and relationships with our customers.	• Your consent • Performance of a contract • Legitimate interests • Legal obligation	• Developing products and services, and what we charge for them. • Defining types of customers for new products or services. • Seeking your consent when we need it to contact you.
To comply with our legal and regulatory obligations (including verifying your identity and conduct identity and background checks for anti-money laundering, fraud, credit and security purposes) and to exercise our legal rights.	• Legitimate interests • Legal obligation	• Complying with regulations that apply to us. • Being efficient about how we fulfill our legal and contractual duties.
To exercise our rights in agreements and contracts to which we are a party.	• Performance of a contract
To administer and protect our business and this Website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).	• Performance of a contract • Legitimate interests • Legal obligation	• Developing and improving the network security, efficiency and technical specification of our IT systems and infrastructure.
To administer auditing, billing and reconciliation activities and other internal and payment-related functions.	• Performance of a contract • Legitimate interests • Legal obligation	• Being efficient about how we fulfill our legal and contractual duties.
To detect, investigate, report, and seek to prevent financial crime and to manage risk for us and our customers.	• Performance of a contract • Legitimate interests • Legal obligation	• Developing and improving how we deal with and manage financial crime. • Complying with regulations that apply to us. • Being efficient about how we fulfill our legal and contractual duties.
To develop, manage and improve our products, services and the Website (including conducting research and analysis) and to test new products, services, and features of the Website.	• Performance of a contract • Legitimate interests • Legal obligation	• Providing our customers with high quality products, services and Website features. • Keeping our products, services and Website features updated and relevant.
To run our business in an efficient and proper way, including in respect of our financial position, business capability, corporate governance, audit, strategic planning and communications.	• Legitimate interests • Legal obligation	• Complying with regulations that apply to us. • Being efficient about how we fulfill our legal and contractual duties.

Failure to provide personal information

Where we need to collect personal information by law or under the terms of a contract we have with you, and you fail to provide that information when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.

Change of purpose

We will only use your personal information for the uses and purposes set out above, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original uses and purposes. If we need to use your personal information for an unrelated purpose, we will notify you and will explain the legal basis which allows us to do so.

Information shared

Except as described here or in any of our other applicable privacy policies, we will not provide any of your personal information to any third parties without your specific consent. We may share non-personal (anonymized) information, such as aggregate data and Usage Information with third parties. We may share your personal information to the following categories of recipient:

• With group companies and affiliates. We may share the information we collect about you with other member companies of XY for a variety of purposes. For example, we share information to assist us in providing service and account maintenance, to help us design and improve products and to offer products and services that may be of interest to you.
• With our carefully selected business partners. We may share information with third parties that offer products or services that we believe may be of interest to you. Before we do so, we will provide you the opportunity to “opt out” or “opt in,” as required by applicable law so that you can say “no” to such sharing.
• With our service providers. We may disclose information to third party service providers that perform services for us in the processing or servicing of your transaction, or with third parties that perform marketing or other services on our behalf. Third parties with whom we may have joint marketing agreements include financial services companies (such as other insurance companies, banks or mutual fund companies).
• With third parties as permitted or required by law. This includes disclosing your information to regulators, law enforcement authorities and credit bureaus. Personal information about employees or customers is only disclosed as required or permitted by law and in accordance with established company procedures. We may transfer and disclose the information we collect about you to comply with a legal obligation, including responding to a subpoena, to prevent fraud, to comply with an inquiry by a government agency or other regulator, to address security or technical issues, to respond to an emergency, or as necessary for other legal purposes.
• As part of business transitions. In relation to an ongoing or proposed business transaction your information may be transferred to a successor organization. If such a transfer occurs, the successor organization’s use of your information will still be subject to this Policy and the privacy preferences you have expressed to us.
• With third party social media platforms and applications.

We may provide functionality on our Digital Technologies that allows you to automatically post information to a third-party social media platform (such as Facebook, Twitter, or Pinterest). If you choose to take advantage of this functionality, people with access to your profile on the third-party platform will be able to see your post. Thus, you should have no expectation of privacy in those actions. Further, if you choose to link your profile on our Digital Technologies with an account on a third-party social media platform, we may share the information in your profile with that third-party platform. We may also use third-party social media platforms to offer you interest-based ads. To offer such ads, we may convert your email address into a unique value which can be matched by our partner company with a user on their platform. Although we do not provide any personal information to these platform vendors, they may gain insights about individuals who respond to the ads we serve.

Not all member companies of XY collect medical information, but the member companies of XY that collect medical information process such information in accordance with their privacy policy and applicable law. Where such member companies share medical information with affiliates or with third parties, such medical information will not be shared for any purpose other than:

• for providing and servicing your policies, accounts, claims or contracts;
• as allowed by the relevant laws protecting your privacy; or
• in circumstances where you consent.

How we protect your information

We understand the importance of appropriately safeguarding information you provide to us in the course of business operations. It is our practice to protect the confidentiality of this information, limit access to this information to those with a business need, and not disclose this information unless required or permitted by law.

We have comprehensive security practices and procedures in place to protect data entrusted to us. These procedures and related standards include limiting access to data and regularly testing and auditing our security practices and technologies.

All employees are required to complete privacy, security, ethics and compliance training. We also offer a wide variety of other training to all employees and temporary workers to help us achieve our goal of protecting your information.

Ultimately, no website, mobile application, database or system is completely secure or “hacker proof.” While no one can guarantee that your personal information will not be disclosed, misused or lost by accident or by the unauthorized acts of others, we continuously review and make enhancements to how we protect customer information.

Further, we cannot control dissemination of personal information you post on or through our Digital Technologies using any social networking tools we may provide and you should have no expectation of privacy in respect of such information.

Retention of data

It may not always be possible to completely remove or delete all of your information from our databases without some residual data because of backups and other reasons. We will retain your information for as long as your information is necessary for the purposes for which it was collected. For example, we may retain your personal data if it is reasonably necessary to comply with any legal obligations, meet any regulatory requirements, resolve any disputes or litigation, or as otherwise needed to enforce this Policy and prevent fraud and abuse. If requested by a law enforcement authority, we may also retain your personal data for a period of time.

To determine the appropriate retention period for the information we collect from you, we consider the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorised use or disclosure of the data, the purposes for which we process the data and whether we can achieve those purposes through other means, and the applicable legal requirements.

 

Do Not Contact or Call Requests

If you do not wish to be contacted by mail, telephone, email or fax, you can indicate this by contacting us at compliance@xycapitalgroup.com. We retain the right to contact any customer for service-related issues.

Children’s privacy online

Our Digital Technologies are not directed toward children. We do not knowingly collect, use or post personally identifiable information from children under the age of 13. If we determine upon collection that a user is under this age, we will not use or maintain his or her personal information without parent or guardian consent. If we become aware that we have unknowingly collected personally identifiable information from a child under the age of 13, we will make reasonable efforts to delete such information from our records. If you want to learn more about children’s privacy under the GDPR, you can access a number of resources on the UK Information Commissioner’s website.

If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact us at compliance@xycapitalgroup.com.

You have the right to make a complaint at any time to the relevant data protection supervisory authority in the EU member state in which you reside. We would, however, appreciate the chance to deal with your concerns before you approach your supervisory authority so please contact us in the first instance.

Legal Rights

• Right to withdraw consent at any time: This applies where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
• Request access to your personal data: This enables you to receive a copy of the personal data we hold about you and to check that it is accurate and that we are processing it lawfully.
• Object to processing of your personal data: This enables you to object to processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. We will provide you with appropriate choices to opt-in or opt-out as set out above in our Policy.
• Request correction of your personal data: This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
• Request erasure of your personal data: This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
• Request transfer of your personal data: This enables you to request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
• Request restriction of processing: This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
• Right not to be subject to a decision based on automated profiling: This applies where the automated processing produces legal effects on you or similarly significantly affects you. Note, it does not apply if the decision (a) is necessary for the performance of a contract between you and us, (b) is authorized by applicable law, or (c) is based on your explicit consent. However, where (a) or (c) applies, you have the right to obtain human intervention. You also have the right to be informed of the logic involved in such processes.
• Make a complaint: You have the right to make a complaint at any time to the relevant data protection supervisory authority in the EU member state in which you reside.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Data Transfers

The data that we collect from you will be transferred to, and stored at, a destination outside the European Economic Area (“EEA”).

We share your personal data within XY which will involve transferring your data outside the EEA. Furthermore, many of our external third parties are based outside the EEA so their processing of your personal data will involve a transfer of data outside the EEA.

Where we transfer personal data to a destination outside the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission, or if we have used specific contracts approved by the European Commission which give personal data the same protection it has in Europe, or we have received your prior explicit consent.
• Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

Effective date and changes to this Policy

This Policy is effective as of 31 August 2021. We are continually improving and adding to the features and functionality of our website and the services we offer through our Digital Technologies. As a result of these changes (or changes in the law), we may need to update or revise this Policy. Accordingly, we reserve the right to update or modify this Policy at any time, without prior notice, or providing any notice required under applicable law, by posting the revised version of this Policy behind the link marked “Online Privacy Policy” at the bottom of each page of this website and as may otherwise be made available on our Digital Technologies. To the extent permissible under applicable law, your continued use of our Digital Technologies after we have posted the revised Policy constitutes your agreement to be bound by the revised Policy. However, we will honour the terms that were in effect when we gathered data from you.

For your convenience, whenever this Policy is changed, we will update the “effective date” at the top of this page. Be sure you check the effective date to see if this Policy has been revised since your last visit. We recommend that visitors to our site review our online privacy policies from time to time to learn of new privacy practices and changes to our policies.

You may access the current version of this Policy at any time by clicking the link marked “Online Privacy Policy” at the bottom of each page of this website.

Contact us

If you have any questions about this Policy, the practices of or your dealings with our Digital Technologies, or if you would like to exercise any rights you may have in relation to your personal information, please contact us at compliance@xycapitalgroup.com.