Privacy Policy

This is the privacy policy of Excellium Securities S.A., a Luxembourg public limited liability company (société anonyme) and a securitisation company (société de titrisation) under the Luxembourg law on securitisation dated 22 March 2004 (the “Luxembourg Securitisation Law”), as amended, with registered office at 412 Rte d’Esch, 1471 Cessange Luxembourg, and registered with the Luxembourg Register of Commerce and Companies (R.C.S. Luxembourg) under number B290294 (“we,” “us,” or “our”) (the “Privacy Policy”).

This Policy explains how we collect, share, use, and protect your personal information when you access or use our website www.excellium-securities.com (the “Site”) and/or related services. The term “user”, or “you” shall refer to any person or entity who views, uses, accesses, browses, or submits any content or material to, the Site. This Privacy Policy does not apply to the practices of third parties not owned or controlled by us.

We are committed to protecting our user’s personal information and being compliant with all data protection laws, including the Regulation EU 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”). One of the requirements under data protection legislation is to make information accessible to users under this Privacy Policy. This Privacy Policy additionally sets out which measures are taken to protect your privacy when accessing or using our Site, or any related services or products, and which rights you have in return.

As part of our day-to-day business, we need to collect personal information from users and potential users to ensure that we can meet your needs for a range of transactional services and provide you with any relevant information about our services or products.

Your privacy is important to us, and it is our policy to respect the confidentiality of information and the privacy of individuals. This notice outlines how we manage your personal information supplied to us by you or a third party, or which we collect from your access to, or use of, our Site or any related services. It also details your rights in respect of our processing of your personal information.

Our Privacy Policy will be reviewed from time to time to take account of any regulatory changes and any changes to our operations and practices. Your personal information will be governed by our most current Privacy Policy.

Please note that if you are our contractor or third-party service provider, your personal information will be used in connection with your contractual relationship with us.

WHO WE ARE
This Privacy Policy applies to the controlling and processing activities of Excellium Securities S.A., the data controller of your personal information in relation to those services (the “Data Controller”). As a Data Controller, we determine why and how we process your personal information. Personal information can be defined as any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as, but not limited to, a name, an identification number or location data.

WHY WE COLLECT PERSONAL DATA
We take reasonable steps to ensure that the personal information we process is limited to what we require in connection with the purposes set out in this Privacy Policy. We will retain copies in a form that permits identification for as long as we deem necessary in connection with the purposes set out in this Privacy Policy unless applicable law requires a longer retention period. In particular, we will retain personal information for as long as it is needed to establish, exercise or defend any legal rights.

We use and disclose personal information only for the purposes that we disclose to you. We will request your consent before we use or disclose your personal information for any materially different purpose.

We collect, use and disclose personal information to meet the needs of our users and our business relationship, including:

for the daily management, operation and maintenance of our Site and any related services;
to inform you about any related products or services offered by us or third parties;
to understand your needs, and provide any relevant products or services that you request;
to collect any outstanding payments from you;
to manage, design and improve our Site and any related services;
to administer and process any request for information or job application;
to comply with our regulatory and legal obligations, and to meet any tax or reporting requirements;
to contact you (including by way of e-mail), including, but not limited to:
- in response to your inquiries and comments, and to safeguard your interests;
- to provide you with information about our Site and any related services, or those of others, that you may be interested in;
- to investigate suspicious activities; and
- to protect our rights and property.

We may transfer your personal information to public authorities where this is required by applicable law. A transfer of your personal information is also permitted if there is a suspicion of a criminal offence or the abuse of our Site or any related services. In this event, we shall be entitled to transfer your personal information to the criminal prosecution authority.

PURPOSE FOR WHICH WE PROCESS PERSONAL INFORMATION AND USAGE DATA AND ITS LEGAL BASIS
We collect and process your personal information for the following purposes, and rely on the following legal bases:

Purpose	Description	Legal basis
Providing our Site	We process your personal information to operate and administer our Site to provide you with the content you access and/or use	Our legitimate interest in providing online content to our users and prospective users regarding our Site and related information
Improving our Site	We process your personal information to analyze trends and help us improve the user experience on our Site	Our legitimate interest in providing a relevant and well-functioning Site for the benefit of our users
Promoting the security of our Site	We process your personal information by tracking use of our Site and verifying and investigating activity	Our legitimate interest in promoting the safety and security of our Site and in protecting our rights and the rights of others
Sending communications	We process your personal information to send you information, recommendations, and other communications about us or third parties	Our legitimate interest in communicating with you with your prior consent
Handling contact and user support requests	We process your personal information if you contact us by any means	Necessary for the performance of a contract or our legitimate interest in fulfilling your requests and communicating with you
Providing services	We process your personal information to perform our contract with you for the provision of services and to satisfy our obligations under any applicable terms	Necessary for the performance of a contract or our legitimate interest to provide and administer services
Developing the services	We process your personal information to develop and improve the services or their performance	Legitimate interest to develop and improve services
Providing personalized interactions	We process your personal information to customize our interactions with you	Legitimate interest to offer dedicated support to our users
Managing user accounts	We process your personal information (including usage data) to manage user accounts	Necessary for the performance of a contract or our legitimate interest in the management of user accounts
Managing usage and licensing compliance	We process your personal information (including usage data) to assess and manage usage and licensing compliance with the applicable terms of any services	Necessary for the performance of a contract or our legitimate interest in managing the provision of services to users
Preparing internal reports and business modeling	We process your personal information (including usage data) for internal reporting and business modeling purposes	Our legitimate interest in the management of our business operations
Maintaining our security	We process your personal information (including your usage data) for the purposes of maintaining our own security, including investigating, detecting and preventing suspicious activity, fraud and cybercrime	Our legitimate interest in promoting our own safety and security and to protect our rights and the rights of others
Managing compensation	We process your personal information (including your usage data) for the purposes of determining compensation for our own employees, contractors or service providers	Necessary for the performance of a contract or our legitimate interest in providing compensation
Undertaking financial reporting	We process your personal information (including your personal information) for the purposes of financial reporting	Our legitimate interest in meeting our obligations associated with the reporting of our finances
Aggregating data	We process your personal information (including your usage data) for the purposes of aggregating this information to ensure that it is no longer identifiable	Our legitimate interest in minimizing the amount of personal information processed as part of the noted processing activity
Managing payments	If you have provided financial information to us, we process your personal information to verify that information and to collect payments to the extent that doing so is necessary to complete a transaction and perform our contract with you	Necessary for the performance of a contract
Complying with legal obligations	We process your personal information (including usage data) when cooperating with any authorities, courts or regulators in accordance with our legal obligations under applicable laws, to the extent this requires the processing or disclosure of personal information to protect our rights	Legal obligation or our legitimate interest in protecting against misuse or abuse of our Site or related services, protecting personal property or safety, pursuing remedies available to us and limiting our damages, complying with judicial proceedings, court orders or legal processes, responding to lawful requests, or for auditing purposes

THE KIND OF PERSONAL INFORMATION THAT WE COLLECT

If you are an actual or potential user, we may collect the following types of information about you:

name, address and contact details;
date of birth and gender;
profession and employment details;
location data;
digital wallet;
information about your income and wealth, including details about your assets and liabilities;
information about balances, trading statements, tax and financial statements, trading performance;
information about trades and investments you have made, including amounts traded or invested;
any information required for Know Your Customer or Anti-Money Laundering purposes.

We obtain this information in a number of ways through your access to, or use of, our Site or related services or other dealings with us. We may also collect this information about you from third parties, including but not limited to any party conducting Know Your Customer or Anti-Money Laundering checks, any regulated partners and any service provider providing or intending to provide technology services to us or to you (including any digital wallet service provider).

We may also obtain personal information about you through the use of cookies on our Site, in particular by recording which pages you look at on our Site.

WHO WE MAY DISCLOSE YOUR PERSONAL INFORMATION TO

As part of using your personal information for the purposes set out above, we may disclose your information to:

other companies within our group or regulated partners that provide trading, transactional, financial and other back office services;
service providers and advisers that provide administrative, IT, digital wallets, financial, regulatory, compliance, insurance, research or other services (including Know Your Customer or Anti-Money Laundering checks);
brokers with whom we have a relationship;
credit providers, courts, tribunals and applicable regulatory authorities; and
anyone authorised by you.

Generally, we require that organisations that handle or obtain personal information acknowledge the confidentiality of this information, undertake to respect any individual’s right to privacy and comply with all relevant data protection laws.

Please note that the use of your personal information by third parties is not covered by this Privacy Policy and is not subject to our privacy standards and procedures.

HOW WE OBTAIN YOUR CONSENT

Where our use of your personal information requires your consent, such consent will be provided using a consent form (including any tick-the-box consent) or any other contract we may have entered into with you or as set out in our communication with you from time to time.

If we rely on your consent as our legal basis for processing your personal information, you have the right to withdraw that consent at any time by contacting us using the contact details set out in this Privacy Policy.

MANAGEMENT OF PERSONAL INFORMATION

We always take appropriate technical and organisational measures to ensure that your information is secure. In particular, we train our officers and employees that handle personal information to respect the confidentiality of user information and the privacy of individuals. We regard breaches of your privacy very seriously and will impose appropriate penalties, including dismissal where appropriate and necessary.

We have assigned the duties of data privacy and security to our board of directors because we are committed to compliance with this Privacy Policy and the applicable legislation.

HOW WE STORE PERSONAL INFORMATION

Safeguarding the privacy of your personal information is important to us, whether you interact with us personally, by phone, by mail, over the internet or any other electronic medium. We hold personal information in secure computer storage facilities, cloud servers, paper-based files and/or other records, and take steps to protect the personal information we hold from misuse, loss, unauthorised access, modification or disclosure.

When we consider that personal information is no longer needed, we will remove any details that will identify you or we will securely destroy the records. However, we may need to maintain records for a significant period of time. For example, subject to Anti-Money Laundering laws and regulations, we may require to retain:

a copy of the documents we used to comply with our user due diligence obligations; and
supporting evidence and records of transactions with you and your relationship with us, for a period of at least five years after our business relationship with you has ended.

If we hold any personal information in the form of a contract, we may retain this contract in its complete form for a period of 10 years after our business relationship with you has ended.

If we hold any personal information in the form of a recorded communication, by telephone, electronic, in person or otherwise, this information will be compliant with local regulatory requirements, which may be either 5 years or 10 years, subject always to statutory requirements, after our business relationship with you has ended.

Where you have opted out of receiving any communications, we will hold your details on a separate designated list of persons so that we know you do not want to receive such communications.

TRANSFERS OUTSIDE OF THE EUROPEAN ECONOMIC AREA

We may transfer your personal information outside the European Economic Area to processors who are engaged on our behalf. To the extent we transfer your information outside the European Economic Area, we will ensure that the transfer is lawful and that there are appropriate security arrangements.

In order to transfer personal information to third parties in territories that do not have a finding of adequacy by the applicable authority and regulations, we enter into agreements ensuring appropriate and suitable safeguards based on standard contractual terms adopted by the European Commission. Where we make transfers to third parties in the US, we may in some cases rely on applicable standard contractual clauses, binding corporate rules, the EU-US Privacy Shield or any other equivalent applicable arrangements. If you would like to receive more information about such arrangements, please contact us using the contact details in this Privacy Policy.

HOW YOU CAN MODIFY AND/OR DELETE YOUR PERSONAL DATA

To modify and/or delete the information that we hold about you, you can contact us at support@excellium-securities.com. You can also modify certain types of information from your user account page on our Site.

In accordance with the GDPR, you have the right to:

request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you;
request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;
request the erasure of your personal information. This enables you to ask us to remove/delete personal information where there is no legitimate reason for us continuing to process it;
object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground;
request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it;
withdraw your prior consent to processing of your personal information;
the right to object to a decision based solely on automated processing, including profiling.

To exercise your rights, you can contact us at support@excellium-securities.com or write us at the following registered address:412 Rte d’Esch, 1471 Cessange Luxembourg.We will respond to your request without undue delay and at the latest within 1 calendar month upon receiving your email or letter sent to our registered address.

COOKIES

We use cookies on our Site to provide you with a more relevant and effective experience, including presenting web pages according to your needs or preferences. Cookies are text files that an Internet browser saves on a computer. Cookies are used by numerous web servers and websites. A so-called cookie ID can be found in many cookies, which can be used to identify and recognize a particular Internet browser.

A cookie is made up of a string of characters that allows servers and webpages to be identified with the particular web browser that the cookie was saved in. This enables websites and services that are visited to distinguish the user’s specific browser from other browsers that may contain different cookies.

TECHNOLOGY IMPROVEMENTS

We strive to improve functionality on the Site through technology changes. This may mean a change to the way in which personal information is collected or used. The impact of any technology changes which may affect your privacy will be notified in this Privacy Policy at the time of the change.

LINKS TO THIRD PARTY WEBSITES

Our Site may have links to external third-party websites. Please note, however, that third party websites are not covered by this Privacy Policy and those sites are not subject to our privacy standards and procedures. Please check with each third party as to their privacy practices and procedures.

HANDLING OF COMPLAINTS

If you have a concern about any aspect of our privacy practices, you can make a complaint. This will be acted upon promptly. To make a complaint, please contact us via one of the methods set below.

If you are not satisfied with our response to your complaint, you have the right to lodge a complaint with our supervisory authority, the National Commission for Data Protection (Commission Nationale pour la Protection des Données (CNPD)). You can find details about how to do this on the CNPD website at https://cnpd.public.lu/en.html or by calling their main line on (+352) 26 10 60-1.

HOW TO CONTACT US

If you have any questions about this Privacy Policy or want to exercise your rights, please contact us by:
• email at support@excellium-securities.com; or
• writing at our registered address: 412 Rte d’Esch, 1471 Cessange Luxembourg.

PRIVACY POLICY CHANGES

We reserve the right to update this Privacy Policy at any time. The changes will become effective on the day the revised Privacy Policy is published on our Site. Please do not access or use our Site or related services if you do not want to abide by the revisions to this Privacy Policy.

Last update of this Privacy Policy: 09 January 2025.