PRIVACY POLICY
Last updated on 24th June 2024
A – ABOUT THIS POLICY
Purpose and scope
- This section outlines our policy relating to any personal information you might wish to provide us when you visit our site. Your use of our website indicates your acceptance of our website Terms of Use and this Privacy Policy (“Policy”).
- The purpose of this Policy is to provide information about:
- the Personal Data that Ypsilon Capital (DIFC) Ltd (“Ypsilon DIFC“, “we”, “our” or “us“) collects;
- how we process that Personal Data, including how we use and disclose it; and
- your rights as an individual in respect of Personal Data we hold about you.
- Our business is built on trust between our clients and ourselves. Unless legally compelled to disclose, we have a commitment to safeguard and keep confidential any information relating to our clients or their financial affairs. Whether it is provided to us in person, over the phone, or online, including while visiting this site, we will always strive to ensure that the information is kept confidential and secure.
- We may pass information about you and your dealings with us to other entities within the Ypsilon Group or our agents to the extent allowed by law.
- Ypsilon DIFC, our staff, and all third parties with permission to access your information are specifically required to observe our confidentiality obligations.
- We will not collect any personal information that identifies a visitor to this website individually unless otherwise specified. Your visit to this website will record only the Domain Name Server part of your email address and of the pages visited. Such information will be used to prepare aggregate information about the number of visitors to the site and general statistics on usage patterns.
- Some of this information will be gathered using ‘cookies’. Cookies are small pieces of information that are automatically stored on a person’s web browser in their computer that can be retrieved by this website. We use cookies exclusively for remembering basic user information, such as IP address and other personal preference settings. This type of cookie is categorised as a “functional cookie.” We do not build a profile of users but rather, they enable our website to remember a visitor’s user preferences solely for website functionality purposes.
- For visitors to the website, the data provided and collected is subject to the Dubai International Financial Centre (“DIFC”) Data Protection Law, DIFC Law No. 5 of 2020 and the DIFC Data Protection Regulations (the “DP Law & Regulations”).
- For visitors that sign up as client or user of a platform operated by Ypsilon DIFC, any Personal Data provided to us will be subject to the data protection laws and regulations applicable to us in the jurisdiction(s) in which we operate (“DP Law & Regulations”). This Policy applies to all Personal Data and Special Categories of Personal Data collected by us.
- “Personal Data” is any information referring to an identified or identifiable natural, living person.
- “Special Categories of Personal Data” is Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations, or opinions, religious or philosophical beliefs, criminal record, trade-union membership, and health or sex life and including genetic data, and biometric data where it is used for the purpose of uniquely identifying a natural person.
- DP Law & Regulations regulate how data controllers may collect, use, store and disclose Personal Data, and give individuals certain rights in respect of Personal Data held about them. This policy sets out how we comply with our obligations under the DP Law & Regulations, and how individuals may exercise their rights under that legislation, including the right to access Personal Data held about them.
- The DP Law & Regulations are located on the relevant government or regulatory website within the jurisdictions in which we operate. For example, in the Dubai International Financial Centre the DIFC DP Law & Regulations can be found on difc.ae.
Confidentiality
- Personal Data held by us will often be confidential information that we received from a client while providing financial services. Further information on how we protect, uses and discloses such confidential information can be found in the relevant client terms of business and/or client agreement applicable to the services provided.
Outline of this policy
- “Section A” is a brief outline of this Policy, including its purpose and scope.
- “Section B” sets out our Personal Data collection and processing practices and contact details for our Data Protection Officer.
- “Section C” sets out your rights as a data subject, including how to contact us to exercise your rights or make a complaint about how we process your Personal Data. This section also explains certain circumstances where you may not be able to exercise your rights.
B – OUR PERSONAL DATA COLLECTION AND PROCESSING PRACTICES
Lawful basis for data collection and processing
- We collect Personal Data only where it is relevant to and necessary for specified, explicit and legitimate purposes determined at the time of its collection.
- Generally, we process Personal Data for one or more of the following reasons:
- for the provision of financial services that you, or an organisation associated with you (for example, your employer), has requested;
- for the provision of material that you have requested (for example, updates to our website, marketing material, research, newsletters, media alerts, etc.)’
- in fulfilment of our regulatory obligations imposed upon us by laws, regulations, or rules (for example, DP Law & Regulations, anti-money laundering (know your customer) regulations, etc.);
- for the performance of a task carried out by us at the request of a supervisory or regulatory authority;
- for the performance of a contract to which an individual is a party or to take steps at the request of an individual before entering such contract;
- where processing is necessary for us to comply with laws that we are subject to;
- in certain circumstances, we may rely upon your consent for specific purposes in accordance with the relevant DP Law & Regulations; and
- for our legitimate interests, which include: making sure our client accounts are operational; delivering, developing and improving our products and services; business growth and marketing strategies; legal and compliance reasons, such as AML, fraud and criminal activity checks; record keeping and keeping our regulatory records up-to-date; improving our website and applications from a security perspective; enforcing or applying our terms or other agreements with you, including recovering securities, fees or other debts and obligations due to us; and giving you information about our products and services that you may be interested in and, in the case of electronic marketing, where we have your permission to do so.
- If we collect Personal Data while providing financial services to you and that Personal Data is relevant to providing you financial services from another Ypsilon Group entity, we will, in general, use or share that Personal Data for that other purpose and vice versa.
- We may ask for Special Categories of Personal Data from you to satisfy our Know Your Customer obligations pertaining to anti-money laundering regulations or financial services rules concerning suitability.
- DP Law & Regulations identify certain Personal Data processing which leads to a high risk to the rights and freedoms of individuals by virtue of the nature, scope, context, and purposes of the processing of their Personal Data and imposes specific requirements concerning such activities. We do not undertake any of the high-risk processing activities as described in DP Law & Regulations.
- We do not engage in automated decision-making when processing Personal Data.
- We do not collect, use, or process Personal Data for direct unsolicited marketing purposes.
How we collect Personal Data
- We collect Personal Data about individuals either directly or indirectly (for example, from their employer, power-of-attorney, an authorised representative, public sources, etc.). There are several ways in which we may collect this data, including through:
- email and telephone contact with us;
- video calls or other meetings that take place with us in person;
- applications, surveys, online forms, and systems available on our website;
- through your registration on an Ypsilon Group electronic platform;
- correspondence and other documents (whether electronic or physical);
- publicly available information (for example, public directories, media, social media, internet, news articles etc.);
- professional screening programs and facilities such as ComplyAdvantage;
- third party goods or services providers;
- recruitment service providers
- Our front-of-house reception sign-in;
- Our office security cameras;
- Our guest Wi-Fi; and
- Any Ypsilon DIFC subscriptions (for example, updates to our website, marketing material, research, newsletters, media alerts, etc.).
- If you contact us, we will keep at least an electronic or digital record of the correspondence, including Personal Data shared at that time.
- In some circumstances we may collect Personal Data about individuals from third parties, for example when:
- onboarding a client for the provision of financial services;
- preparing or receiving reports or documents that relate to the provision of financial services;
- carrying out credit checks, we may obtain Personal Data from credit bureaus or credit reference agencies to assess creditworthiness and make financing decisions;
- processing payments we may receive Personal Data from third-party payment processors, such as banks, PayPal, or Stripe;
- receiving information from or co-operating with other governmental, regulatory or law enforcement agencies or public bodies;
- receiving other documents (such as subscription forms or applications that contain Personal Data); and
- recruiting our employees and contractors or service providers.
- Collecting Personal Data from third parties: Where we collect your Personal Data from third parties, we do so on the legal bases set out in paragraphs 12 and 13 of this policy.
Where we store your Data
- We are headquartered in the Dubai International Financial Services (DIFC) in the United Arab Emirates (UAE). We may transfer your Personal Data within the UAE and to other countries where we (or other Ypsilon Group entities) or our service providers maintain operations.
- When we do this, we will ensure the data is subject to an appropriate level of protection and that the transfer is lawful. This includes relying on adequacy decisions issued by the relevant data protection authority and using standard contractual clauses for transfers of Personal Data. You can obtain more details of the protection given to your information when it is transferred by contacting us using the details below.
Sharing Personal Data with third parties
- We may share your Personal Data across the Ypsilon Group of entities. We may also disclose your Personal Data to third parties. These third parties may include service providers; agents; subcontractors; regulators; official bodies; cloud service providers; hosting, email, and content providers; regulated financial institutions, such as banks and brokers; professional services firms such a lawyers, auditors, consultants and accountants; and other service providers who we engage from time to time.
- When we pass Personal Data to third parties, we only disclose to them those aspects of Personal Data that we are legally bound, or that is necessary for them to provide their service and we have contracts in place that require them to keep your Personal Data confidential and secure, only use it for the stated purpose and subject to compliance with applicable laws. The obligations of confidentiality imposed on Ypsilon DIFC also apply to such persons who come into possession of any confidential information.
- In most cases, the DP Laws & Regulations and our policies allow us to share information without the consent of the individual to whom the Personal Data relates. Where we are required to obtain such consent, we ensure that we obtain adequate consent from the relevant individual in accordance with the relevant DP Laws & Regulations. In other cases, we may be compelled to disclose Personal Data due to a mandatory legal obligation or by order of a court or other adjudicatory body or tribunal of competent jurisdiction.
Data access, rectification, and erasure
- You and your representatives (for example, your employer, power-of-attorney, etc.) are responsible for the accuracy, completeness, correctness, and relevance of Personal Data provided to us.
- The relevant DP Laws & Regulations allows you to seek access to the Personal Data we hold about you, and, in certain circumstances, to seek to rectify inaccurate or incomplete data, or, to require the erasure of your Personal Data.
- Unless certain conditions or exemptions apply, and we will inform when they do, we will respond to your request to access, rectify or erase your Personal Data within one month of receiving your request provided we have received sufficient evidence from you that reasonably establishes your identity as the individual making the request.
- Please keep in mind that:
- if your request is complex or you make numerous requests, we may need to increase the period for complying with your request;
- in certain circumstances, it may not be feasible for us to rectify or erase Personal Data for technical reasons; and
- we may refuse to comply with a request we consider manifestly unfounded or excessive, in which event (as applicable) we will respond in accordance with the relevant DP Laws & Regulations and notify you of our reasons.
- Otherwise, we may be entitled to refuse your request to access, rectify or erase your Personal Data in circumstances where we have relied upon the general exemption set out in the relevant DP Laws & Regulations. For further information, please refer to Section C – Rights of Data Subjects.
Storage and security of Personal Data
- We store Personal Data in electronic, digital and paper format.
- We take all reasonable steps to secure the Personal Data we hold against unauthorised access, use, modification or disclosure, accidental loss and against other inappropriate alteration or misuse. These steps include:
- controlled, secure and restricted access to our physical premises and IT systems;
- implementing technical and operational measures to secure Personal Data;
- establishing and implementing policies for securing Personal Data;
- applying password protection, data authentication, encryption, and access privileges to our IT systems;
- implementing specific IT software and systems to detect and protect against viruses or other harmful programs or computer code;
- securing paper format information in locked cabinets;
- limiting employee access to Personal Data to the extent that it is necessary to carry out their responsibilities;
- conducting integrity checks on employees;
- including confidentiality and data protection obligations in our contracts with contractors, services providers, consultants, experts, agents, and employees;
- implementing measures for the proper and secure disposal of Personal Data; and
- imposing clear desk and clear screen procedures.
- We seek to adopt commercially reasonable security measures to assist in protecting against the loss, misuse, and alteration of personally identifiable information which is under our control. Unfortunately, no security system, or system of transmitting data over the internet, can ever be guaranteed to be 100% secure. As a result of the foregoing, while we undertake commercially reasonable efforts to protect your personally identifiable information, we cannot guarantee the security of our servers, how information is transmitted between your computer and our servers, or any information provided to us or to any third party through or in connection with our website. You provide all such information entirely at your own risk.
- When your Personal Data is no longer required, it will be securely and permanently deleted, anonymised, pseudonymised, securely encrypted or otherwise put beyond further use in accordance with our data retention policy, unless it is needed to establish or defend legal claims, or we are required by law to retain it.
How long do we keep your Data
- We do not keep your Personal Data for any period longer than is necessary for the purpose for which your Personal Data was collected, processed, required by law or where we may need it for our legitimate purposes such as maintaining records for analysis or audit purposes, regulatory purposes, responding to queries or complaints, monitoring fraud, defending or taking legal action and responding to requests from regulators.
- If you opt out from receiving marketing or other communications or object to any other processing of your Personal Data, we may keep a record of your objection to ensure that we continue to respect your wishes and do not contact you further.
Notification of Personal Data breaches
- If a Personal Data breach occurs and the Personal Data that we hold about you is subject to unauthorised access, loss, use or destruction, we will respond in accordance with the relevant DP Laws & Regulations.
- We will notify you of any Personal Data breach in respect of your Personal Data which is likely to result in a high risk to your security or rights as soon as is practicable in the circumstances, or, where there is an immediate risk of damage to you, promptly. Where a direct communication to you will involve disproportionate effort, we may instead inform you via a public communication or other similar measures that are equally effective.
Media and publications
- Where our website or publications include photographs of identifiable individuals, we ensure that we obtain an express and specific permission from those individuals.
- If our website features any film taken in a public place, we ensure that the footage only captures individuals in the background. For all other forms of video recording, we obtain express and specific permission from everyone who appears in our films, which includes individuals participating in conferences and webinars.
Use of our website, cookies, subscriptions and technology
- When someone visits our website, we may use a third-party service, for example, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns for statistical purposes. This information is processed in a way that does not identify any individual.
- We use functional cookies exclusively for remembering a visitor or registered user’s preferred language setting when visiting our website. We do not use cookies to identify or build a profile of any individual.
- When you subscribe for information (for example, updates to our website, marketing material, research, newsletters, media alerts, etc.), by providing your email address and subscription preferences, you consent to us processing that information to provide you with the updates you have requested. You can unsubscribe or modify your subscription for updates to our website here: notices@ydifc.ae.
Employees, contractors, and service providers
- We collect and process Personal Data, including Special Categories of Personal Data, for the purposes of assessing an individual’s suitability for employment within Ypsilon DIFC, and engaging, managing and supporting our employees.
- We will also collect and process Personal Data when engaging contractors, service providers, consultants and experts. This will be limited to the specific purposes for engaging such persons, including to undertake appropriate due diligence before any appointment, for administration purposes and during the performance of the specific contract.
- There may also be circumstances where we collect and process Personal Data concerning employees, contractors and service providers to obtain security clearances, manage conflicts of interest or to fulfil our regulatory obligations.
Our Data Protection Officer
- As a responsible financial institution, we have elected to appoint a Data Protection Officer who monitors our compliance with the relevant DP Laws & Regulations and our internal policies relating to Personal Data, advises us on our data assessment and other data protection obligations, and acts as our contact point for regulators and official bodies and agents such as a Data Protection Commissioner.
- If you have any questions or requests, please email our Data Protection Officer at: dpo@ydifc.ae or by writing to:
Ypsilon Capital (DIFC) Ltd
Level 6, Office 3
Gate District Precinct Building 4, DIFC, Dubai, UAE
Changes to this policy
- We review this policy regularly and may update it from time to time without prior notice. The most recent version of this policy is available on our website ypsilondifc.ae and the date of the ‘last update’ is stated at the top of the first page.
C – RIGHTS OF DATA SUBJECTS
Your rights
- Under the relevant DP Laws & Regulation, you have rights as an individual, which you can exercise in respect of the Personal Data we hold about you. For example, you can exercise the following rights:
- The right to be provided with specified information about the processing of your Personal Data (‘The Right to be Informed’).
- The right to access your Personal Data and certain supplementary information (‘The Right of Access’).
- The right to have your Personal Data rectified if it is inaccurate or incomplete (‘The Right of Rectification’).
- The right to have, in certain circumstances, your Personal Data deleted or removed (‘The Right of Erasure’).
- The right, in certain circumstances, to restrict the processing of your Personal Data (‘The Right to Restrict Processing’).
- The right, in certain circumstances, to move Personal Data you have provided to us to another organisation (‘The Right of Data Portability’).
- The right, in certain circumstances, to object to the processing of your Personal Data and, potentially, require us to stop processing that data (‘The Right to Object’).
- In the event processing of your Personal Data is based on your consent, the right to withdraw your consent at any time, without affecting the lawfulness of the processing based on consent before its withdrawal (‘The Right to Withdraw Consent’).
How to exercise your rights
- If you wish to find out what Personal Data, if any, we hold about you, or if you wish to exercise other rights in respect of your Personal Data, you can contact our Data Protection Officer by email: dpo@ydifc.ae or at the address mentioned above at paragraph 56.
- To enable us to process your request promptly, we will need you to provide us with certain information about yourself including:
- first name;
- last name;
- any other names that you may have been known by (including nicknames and previous surnames);
- home address;
- date of birth;
- telephone number; and
- email address
Data rectification and erasure
- In certain circumstances, there may be technical reasons why it is not feasible for us to rectify or erase Personal Data when you ask us to do so. For example, it may not be possible to erase data from our information technology systems, or certain records may be incapable of amendment once entered in the system, or it is not possible to remove a single record from our backups, or deleting a backup or manipulating the files therein will create problems for the integrity of our backup system as a whole, or deleting an individual’s data without deleting the whole file or record where the information is contained is not possible.
- If for any reason, we are unable to act in response to a request for erasure or rectification, we will provide a written explanation to you and inform you of your rights and details of how to complain to the relevant Data Protection Commissioner and to seek a judicial remedy. Circumstances where we may be unable to rectify or erase Personal Data include:
- for technical reasons;
- for the establishment, exercise, or defence of legal claims;
- to comply with applicable laws or legal obligations to which the DFSA is subject; or
- an official or legal inquiry, investigation or procedure or prosecution;
Making a complaint
- If you believe we have breached any DP Laws & Regulations, you can make a complaint to our Data Protection Officer here: dpo@ydifc.ae or make a complaint directly to the relevant Data Protection Commissioner whose contact can be found on the relevant government or regulatory website, or we can provide them to you.