Skip to main content
Privacy Policy
Updated over 7 months ago

Introduction

Investium Limited (referred to in this policy as “we”, “us”, or “the Company”), is committed to the protection of your personal data and we do not access or use it for any purpose other than in providing, maintaining and improving our services and as otherwise required by law. In order to open and maintain client accounts, we obtain and hold personal information.

This policy outlines how we manage such information to ensure we meet our obligations to respect our clients’ privacy and that all such information remains confidential. These binding obligations derive from the legal and regulatory framework governing the processing and protection of personal data in Cyprus and in particular the General Data Protection Regulation (GDPR) (EU) 2016/679 and the Protection of Natural Persons with Regard to the Processing of Personal Data and for the Free Movement of Such Data Law of 2018 (the “Law”) which was adopted for the effective implementation of certain provisions of the GDPR.

The Company is operating under Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on Markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (the “Markets in Financial Instruments Directive 2014/65/EU” or “MiFID II”) and amending Directive 2002/92/EC and Directive 2011/61/EU, as last amended by Directive (EU) 2016/1034 of the European Parliament and of the Council, of 23 June 2016 and under Regulation (EU) No 600/2014 of the European Parliament and the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (the “MiFIR”) which was implemented in Cyprus by the Investment Services and Activities and Regulated Markets Law of 2017 (Law 87(Ι)/2017), which provide for the provision of Investment Services, the exercise of Investment Activities, the operation of Regulated Markets and other related matters (the “Investment Services and Activities and Regulated Markets Law”), as the same may be modified and amended from time to time.

Who are we?

Investium Limited is the data controller (who is responsible for determining the purpose and manner in which your personal data is used).

We are committed to doing the right thing when it comes to how we collect, use and protect your personal data and is why we’ve developed this privacy and cookies policy (“Policy”), which:

  • Sets out the different ways you interact with us and the types of personal data that we collect;

  • Explains the reasons why we use the data we collect;

  • Explains when and why we will share personal data within the Company and with other organisations; and

  • Explains the rights and choices you have when it comes to your personal data.

Information for Investium Limited

Investium Limited is a Cyprus Investment Firm incorporated under the laws of Cyprus. The Company is regulated as a Cyprus Investment Firm (‘CIF’) by the Cyprus Securities and Exchange Commission (‘CySEC’) under licence number 421/22. The Company is registered in Cyprus (company number HE 412142). Investium Limited operates under the trading name “FlexInvest,” the website www.flexinvest.com, (the “Website”), and the FlexInvest mobile Application.

Investium Limited

Phone: +357 22730078

Address:

6 Nikou Georgiou Street, Office 302,

1095, Nicosia, Cyprus

What do we mean by personal data?

Personal data is any information relating to you or data that may be used to identify you.

As a client of ours, you provide us with some of your personal data, which will include your name, telephone number, e-mail address, ID and other documentation as may be requested by us. It may also include IP addresses, device, browser information and other account usage information which in some circumstances may be used to identify you.

What sort of information do we need and why?

When you access our FlexInvest mobile Application, in the Apple App Store/ Google Play Store (together with the ‘‘Application’’), we may collect personal data about you through you connecting to the Application, signing up to receive information from us, participating in trading, creating an account, contacting us, or other use of our services.

We process the personal data that we received from you as part of the contractual relationship that we have with you or for the purposes of legitimate interests pursued by the Company. We may also process data that we have legitimately received from publicly available sources. and identification databases. In principle, we are obligated or would need your personal data:

  • In the course of establishing and maintaining a contractual relationship we are obligated to collect personal information from you to enable us to establish and verify your identity. To do this, we will request personal data which includes, but may not be limited to your full name, country of residence, your address, date of birth, nationality, national insurance number/tax ID, email address or other contact information;

  • In order to prevent fraud, we may collect information about your financial status (i.e. income and savings) or other financial information about your professional and employment details, trading history and other personal information;

  • To facilitate your funding and withdrawal requests, we may process your IBAN details and other payment processing information as requested by the respective payment services providers;

  • Your ID card or passport and other public or private issued documents that can be used as a proof of address (e.g. utility bill, bank statement) or any further documents, photo or video evidence that may be required;

  • To assess the appropriateness of our Services to your circumstances and experience, we may ask for additional information such as, but not limited to, trading experience, employment details, knowledge and experience in financial services and products;

  • We may also collect, and be required to collect and process information about you through your use of our Application. Such information may include, among others, site areas visited, pages viewed, frequency and duration of your visit, the Internet Protocol (IP) address used to connect your computer to the internet, your login information, your geographic location, your browser and browser plug-in type and version, your operating system and platform, and other indirect personal data. Whenever we process such information, we will aim at always using it in an aggregated and anonymised bases;

  • Any other personal information which may be needed to comply with applicable rules; and

  • Any other personal information which may be needed to settle any disputes or prepare a legal defense.

How is your personal data collected?

We collect most of this personal data directly from you, by email, chat and/or via our Application. However, in some instances:

We will request this information from you through our application form, and also use our own records and information from other sources for compliance with legal and regulatory obligations.

The processing and the storage of your personal data is necessary to provide you with the services described in our Terms and Conditions and to comply with our regulatory obligations. If you choose not to provide some of the requested information to us, we may not be able to onboard you as a new client or to cease services provided under an existing agreement and consequently terminate that agreement as we will not be able to fulfil our contractual and regulatory obligations.

We keep the information as up to date as possible, and will change any details, such as your address, promptly when you inform us that they have changed.

Personal data that may be processed by the Company includes any type of electronic communications such as letters, emails, chat messages, telephone conversations, tax identification number and any related tax information, any personal information resulting from the 'Know Your-Customer’ and ‘Anti Money Laundering' checks carried out by the Company pursuant to the applicable legislation relating to the fight against money laundering and terrorist financing.

Your use of the Application and connected online services involves the automated collection of certain types of information, some of which may be considered personal information. This information includes: IP address, browser type and operating system.

Why do we need this information and on what legal basis is the data processed?

Lawfulness of processing

We will process your personal data (including collect, use, store and transfer, if applicable):

  • for the performance of the Client Agreement and/or Terms and Conditions (together referred to as the ‘‘Agreement’’) concluded between you as a client and the Company and for the provision of the services described in the Agreement or accessed through the FlexInvest Application (the ‘‘Services’’);

  • to take steps at your request prior to entering into an Agreement with you;

  • for compliance with legal and regulatory obligations to which the Company is subject (including but not limited to the obligations arising under the MIFID II regulation, anti-money laundering and countering terrorist financing regulatory obligations, any applicable tax legislation etc.) Examples of such regulatory obligations include, among others: reporting obligations to CySEC; providing information to financial crime authorities of suspicious money-laundering transactions or in the context of financial criminal proceedings; providing information to tax authorities. Please note that in order to meet some of the above requirements we may use automated decision making and profiling, whereas you may request human intervention, however, you will not be able to object to such processing.

In case the processing of personal data is necessary for the purposes of the legitimate interests pursued by the Company - for example, in case we are obliged to provide a reference about you to a public authority or agency to comply with a legal obligation, as well as to ensure that we provide you with the best trading services and information we can and to continue improving our products in your best interest.

Within the scope of your consent – for example, for marketing and promotional purposes. If you have granted us consent to process your personal data for marketing purposes, processing will only take place in accordance with the purposes set out in the declaration of consent and to the extent agreed therein. Any consent given may be revoked at any time by you with future effect.

Purposes

The Company will process and analyze your direct personal data (such as your name, date of birth, ID etc.) and indirect personal data (such as analytics and tracking data) in combination with your use of your account for the purposes of:

  • providing the Services requested by you and carried out in relation to the Agreement, including, among others, verify;

  • verifying your identity, opening and managing your account;

  • meeting our regulatory obligations;

  • processing your requests related to the Services (deposit and withdrawals, transactions, tax and other information demands);

  • managing client relationships by means of electronic, telephone or chat communication, entering into and executing transactions with financial instruments;

  • having chat or email communication;

  • conducting a risk assessment as prescribed by applicable legal provisions by collecting and archiving required documentary evidence regarding your identity; Such assessments may include automated decisions when we, or a reputable third party, is carrying out financial crimes checks;

  • conducting a risk management control, data analysis and global supervision of your ongoing needs and enhancing the services offered to you;

  • improving and personalising our Services to enhance your trading experience;

  • providing you with market information which we believe may be relevant to you and send you important account and Services related data by different communication channels, including surveys, in-app notifications, platform messages and emails we think would be of interest to you;

  • preventing misuse and fraud, demonstrating business transactions and communications; managing transactions surveillance and monitoring and complying with reporting obligations; managing risks, disputes, complaints, litigation or in the context of prosecution;

  • marketing communications with you about updates to our products and services and informing you about any promotions offered by us, as long as it is in our legitimate interest or you have consented to receive such communications and unless you choose to opt-out of them; and

  • providing the services requested by you and carried out in relation to any other agreement between us.

Who are the recipients of your personal data?

Your personal data is received and processed by those employees of the Company that need it for the execution of contractual, legal and regulatory obligations. Further, we may disclose, to the extent we deem such disclosure or transmission is necessary for satisfying the purposes set out above, to the following recipients:

  • Any lawyers, external auditors or advisors, professional consultants, credit reference agencies, notaries, bailiffs, as well as any courts, regulatory, governmental, administrative or other official bodies as agreed or may be required by law, where such disclosure is necessary (i) to comply with any applicable law or regulation; (ii) to enforce applicable terms and conditions or policies; (iii) to protect the security or integrity of our services; and (iv) to protect our rights and interests;

  • third-party service providers that provide IT services, advisory and consultancy services, research, marketing services, identity verification checks, banking and payment processing services, insurance or other services to the Company, which are only authorised to process your personal data strictly for the purposes of providing these services and in accordance with our instructions. If applicable, we will enter with such third-party service providers into the relevant contractual agreements or the standard data protection clauses that would be required under the relevant data protection laws to ensure compliance with our instructions; and

  • third parties as part of mergers and acquisitions, provided that the prospective buyer or seller agrees to respect your personal data in a manner consistent with our Privacy Policy.

We will require any entity to whom we disclose your information or who may obtain it on our behalf to ensure its confidentiality, and to handle it in line with the legitimate purpose for which they are allowed to access it and in accordance with the applicable data protection laws.

We will not share or sell your information with third parties for their own independent marketing or business purposes without your consent.

Transferring Information Internationally

Personal data may be held at our offices, third party agencies, service providers, representatives, auditors, lawyers and agents as described above. Some of these third parties may be based outside the EU and the European Economic Area (EEA).

Under data protection law, we may only transfer your personal data to a country or international organization outside the EU/EEA where:

  • the European Commission has decided the particular country or international organization ensures an adequate level of protection of personal data. (known as an ‘adequacy decision’);

  • there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for data subjects; or

  • a specific exception applies under data protection law.

Adequacy decision

We may transfer your personal data to certain countries, on the basis of an adequacy decision. The list of countries that benefit from adequacy decisions will change from time to time. We will always seek to rely on an adequacy decision, where one exists.

Other countries we are likely to transfer personal data to do not have the benefit of an adequacy decision. This does not necessarily mean they provide poor protection for personal data, but we must look at alternative grounds for transferring the personal data, such as ensuring appropriate safeguards are in place or relying on an exception, as explained below.

It may be processed by staff working for us or for one of our suppliers, located outside the EU and / or the EEA. Such personnel may, for example, be involved in the execution of our support services. We will take all necessary steps to ensure that your personal data is treated securely and in accordance with this Privacy Policy and have adopted appropriate safeguards to protect it.

Transfers with appropriate safeguards

Where there is no adequacy decision, we may transfer your personal data to another country if we are satisfied the transfer complies with data protection law, appropriate safeguards are in place, and enforceable rights and effective legal remedies are available for you, as data subjects.

The safeguards will usually include using legally-approved standard data protection contract clauses. In this way, we make binding arrangements with such third parties so that your information is protected to the same standards as it is in the EU and EEA.

How long will your data be stored?

We will process your personal data for the entire duration of the Agreement you have concluded with us and for a period of five (5) years after the termination of the Agreement to comply with the applicable anti-money laundering legislation and legal safe-keeping obligations. Further, any personal data will not be retained for longer than the time necessary for satisfying the purposes of its processing, subject to the general statutory limitation periods and the mentioned retention period where the applicable laws require that the personal data is retained for a certain period after the termination of our business relationship with you.

What are your rights regarding your personal data processing?

You have the right to:

  • access and obtain information about your personal data – you have the right to request what information (if any) we process for you and if so, provide you with information containing your personal data and a copy of that personal data undergoing processing by directly contacting the DPO officer at [email protected]. Please note, to request information, we will need to verify your identity. If you require additional copies, we may need to charge a reasonable administration fee for requests that we deem are manifestly unfounded. Upon receiving a request from you and/or upon the receipt of the applicable fee, we will acknowledge your request and respond to you within one month from filing your request;

  • rectify any factual inaccuracies or incompleteness with respect to your personal data - If the personal data we hold about you is inaccurate or incomplete, you may ask us to correct it. Upon receiving such a request from you, we will acknowledge it and respond to you within one month from filing your request. If we have shared your personal information with others, we will let them know about the rectification where possible.

  • request deletion of your personal data - you can ask us to delete or remove your personal data in cases where we no longer need it. However, please note that such requests will be satisfied provided that we have no legal obligation to retain such data and will be subject to any retention periods we are required to comply with in accordance with applicable laws and regulations as specified in section ‘’How long will your data be stored’’ above.

  • request restriction of processing - you can ask us to restrict the processing of your personal data in certain circumstances such as where you contest the accuracy of that personal information, for a period enabling the Company to verify the accuracy of your personal data or in case you deem the processing is unlawful. Such objection may not impede us from storing your personal information though.

  • object to the processing of personal data by the Company – you can require from us to terminate the processing of your personal data, and we will comply with such request in cases where your personal data is processed for the purposes of direct marketing or research (if applicable) or if we are relying on our own legitimate interests to process your data except if we can demonstrate compelling legal grounds for the processing.

  • request portability of your personal data - you have the right, when applicable, to receive the personal data you have provided to us in a structured, commonly used and machine-readable format and to transmit those data to another entity (data controller) of your choice when this is technically possible.

  • lodge a complaint with a supervisory authority - you have the right to lodge a complaint regarding our processing of your personal data with your supervisory authority.

Please contact us using the contact details provided below to make a request in respect of your rights. We will use commercially reasonable efforts to respond to your request within 30 days of receiving such a request. If we cannot honor your request within the 30-day period, we will let you know the reasons why and when we expect to be able to fulfil your request.

How do we manage and protect your personal data?

We put a lot of effort and apply the highest technical and organizational standards ensuring that your personal data is secured and kept confidential. Any personal data that you provide to us is stored on secure servers, and we use rigorous procedures to protect against loss, misuse, unauthorised access, alteration, disclosure, or destruction of your personal data. We protect your personal information by maintaining physical, electronic, and procedural safeguards in compliance with the applicable laws and regulations. Part of the measures that we apply to provide a high level of security in terms of personal data management include, among others:

  • Pseudonymisation – we process your personal data in such a manner that it can no longer be attributed to a specific person without the use of additional information which additional information is kept separately and is subject to specific technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person;

  • Encryption – we apply cryptographic methods which convert certain information or data into a code to make it unreadable for unauthorized users;

  • Minimisation – the personal data we demand from you is adequate, relevant and only limited to what is necessary in relation to the purposes for which such data is processed;

  • Strict internal control on access to your personal data – access to your personal data is allowed only to those of our employees who need such verification to properly exercise their professional duties;

  • Penetration testing – we perform regular scanning and penetration testing and services to identify potential security vulnerabilities and apply the relevant remedies to rectify them;

  • Ensuring ongoing application of integrity, confidentiality and education of all our employees.

We maintain security and incident response plans in the event of a physical or technical incident to handle this in a timely manner and limit any negative effect of such incident. Although we work hard to protect your personal data, we cannot guarantee that our safeguards will prevent every unauthorised attempt to access, use or disclose personal data.

Please recognise that you play a vital role in protecting your own personal data. When registering with our services, it is important to choose a password of sufficient length and complexity, to not reveal this password to any third parties, and immediately notify us if you become aware of any unauthorised access to/use of your account. If you believe that any of your account login details have been or might have been exposed, you can change your password or other credentials at any time through our Application, as well as immediately contact us at [email protected]. Given the nature of communications and information processing technology, we cannot guarantee that information, transmitted through the Internet, will be completely safe from intrusion by others.

How will we store your personal data?

Your information will be held on our secure computer systems. We have in place systems and procedures to prevent unauthorized access, improper modification or disclosure, misuse or loss of information.

We need to hold your information for five (5) years after the termination of the business relationship between us, subject to any applicable legal and regulatory provisions justifying the retention of your information for a longer period of time than stipulated herein. Once we consider that such information is no longer needed, we will destroy it.

How to contact us and how to complain?

If you have any questions with regard to your rights or the present policy or if you consider that we have failed to respect your confidentiality, you may contact us by:

Phone: +357 22730078

Address: 6 Nikou Georgiou Street, Office 302, 1095 Nicosia, Cyprus

You may also contact our Data Protection Officer about any request you have related to your personal data at: [email protected]

If you are not satisfied with our responses to your complaint in respect of your personal data, you have the right to lodge a complaint with the Commissioner for Personal Data Protection at http://www.dataprotection.gov.cy

Address: 1 Issonos Street, 1082 Nicosia

Linking to Other Websites

If you access links on the Website to third party websites which are not owned by the Company, or if you access the Website through links from other websites, please be aware that these websites have their own privacy policies. We do not accept any responsibility or liability for these privacy policies. You should check and review these privacy policies before you submit any personal data to these websites.

Are children allowed to use our services?

The services offered by the Company are not allowed to be used by any person under the age of 18. We do not knowingly collect personal information from children under the age of 18 without the consent of the child's parent or guardian. If you learn that anyone younger than 18 has unlawfully provided us with personal data, please contact us, and we will take steps to delete such information.

Changes to This Privacy Policy

We may change this Privacy Policy from time to time by posting the updated version on our Website and Application. Laws, regulations and industry standards evolve, which may make those changes necessary, or we may make changes to our business. We advise you to review this page regularly to stay informed and to make sure that you are happy with any changes. If the changes are significant, we will provide you with a more prominent notice such as an email notification or through the Services. If you disagree with the changes to this Privacy Policy, you should discontinue your use of the Website or related Services. If we change this Privacy Policy in a way that will affect how we use your personal data, we will advise you of the choices you may have as a result of those changes.

Personal Data Breaches

The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. The Company is obliged to do this within 72 hours of becoming aware of the breach, where feasible following its framework for reporting and managing data security breaches affecting personal or sensitive data held by the Company.

If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, the Company is required to also inform those individuals/data subjects without undue delay.

The below procedures are there to provide a framework for reporting and managing data security breaches affecting personal or sensitive data held by the Company.

A personal data breach is defined as having the potential to affect the confidentiality, integrity or availability of personal data held by the Company in any format. Such breaches may happen for any number of reasons including:

  • The disclosure of confidential data to unauthorised persons;

  • Loss or theft of data and/or equipment on which data is stored;

  • Inappropriate controls allowing for unauthorized use of information;

  • Breaches in the Company’s IT systems and security;

  • Unauthorized access to computer systems e.g. hacking;

  • Viruses or other security attacks;

  • Breaches of physical security where data is kept;

  • Leaving IT equipment unattended allowing unauthorised access;

  • Emails containing personal data sent in error to the wrong recipient.

Legal Disclaimer

The Company may disclose your personally identifiable information as required by rules and regulations and when the Company believes that disclosure is necessary to protect our rights and/or to comply with any proceedings, court order, legal process served or pursuant to governmental, intergovernmental or other regulatory bodies.

The Company shall not be liable for misuse or loss of personal information or otherwise on the Company’s website(s) that the Company does not have access to or control over. The Company will not be liable for unlawful or unauthorized use of your personal information due to misuse or misplacement of your passwords, negligent or malicious intervention and/or otherwise by you or due to your acts or omissions or a person authorized by you (whether that authorization is permitted by the terms of our legal relationship with you or not).

Leading version

This Policy can be translated into different languages. If there are any inconsistencies between different language versions, the English language version shall prevail.

Last updated: 21 May 2024

Did this answer your question?