Privacy Policy

Privacy Policy
Version 1.0
Effective Date: 19 June 2025
Entity: JMS Trading Limited (C 108433), trading as BCXPro
Website: https://bcxpro.io/

Introduction

Welcome to the Privacy Policy of JMS Trading Limited (C 108433), trading under the name BCXPro.

This Policy applies to your use of the services offered via https://bcxpro.io, including any of its subdomains, country-specific extensions, associated software applications, APIs, mobile applications, forums, social media pages, or related platforms operated or maintained by BCXPro (collectively referred to as the “Website”, “Site”, or “Platform”). BCXPro (“we”, “us” or “our”) respects your privacy and is committed to protecting your personal data.

We do so in accordance with applicable data protection laws, including but not limited to:

  • The General Data Protection Regulation (EU) 2016/679 (GDPR)
  • The Maltese Data Protection Act (Chapter 586 of the Laws of Malta)
  • The Markets in Crypto-Assets Regulation (MiCA)
  • Any other relevant national or EU regulations, and
  • Guidelines issued by supervisory authorities such as the Information and Data Protection Commissioner (IDPC).

This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you visit our Website or use our services. It also outlines your rights in relation to your personal data and how you can exercise them. “Personal data” means any information that can directly or indirectly identify you as an individual.

Controller: JMS Trading Limited acts as the data controller, determining the purposes and means of processing your personal data.

Applicability

This Policy applies only where BCXPro acts as a data controller, meaning we determine the purposes and means of processing your personal data.

It does not apply to:

  • Third-party websites or services you may access through links or referrals
  • Online stores where you install our mobile applications or purchase related tools

We are not responsible for the privacy practices of any third parties. By accessing our Site or using our services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.

In summary of this Privacy Policy, we consider the following key points most relevant for you:

Purpose of Processing: We process your personal data to provide our services, facilitate your access to our Website, comply with legal obligations (such as anti-money laundering and counter-financing of terrorism obligations), comply with our contractual obligations, detect and prevent fraud or abuse, and grow our business responsibly, including through limited direct marketing.

Controller: JMS Trading Limited acts as the data controller in relation to your personal data collected through our Website and in the course of delivering our services.

Your Rights: You have several rights under data protection law, including the right to object to processing based on our legitimate interests—such as direct marketing or certain profiling activities. Where we rely on your consent, you can withdraw it at any time. You also have the right to access your data, request correction, or request its deletion when no longer necessary.

Implications of Processing: The processing of your data enables us to provide you with access to our services. Refusal to provide certain data may prevent us from onboarding you or fulfilling our obligations. You may also receive marketing or service-related communication, and your data may be used in risk categorisation or eligibility assessments for certain features or promotions. Whilst some of the processing is automated for all decision making there is human intervention.

Our Details

Controller: JMS Trading Limited registration number (C108433) With respect to this domain, the primary responsible entity is JMS Trading Limited.

registered office is at:
Level G (Office 1/0967)
Quantum House 75
Triq L-Abate Rigord
Ta Xbiex
XBX 1120
Malta

VFASP Licence: we are licenced by the Malta Financial Services Authority (MFSA) under the Virtual Financial Assets Act as a class 3 Virtual Financial Assets Service Provider (VFASP). The Company’s Data Protection Officer can be contacted by email at dpo@bcxpro.io.

Scope

This policy applies to personal data collected through our website http://bcxpro.io. any related mobile applications APIs, forms and communication channels and the services we offer.

Information We Collect About You and Source

While using our Site or App, we may collect, store and process different kinds of personal data about you which we have categorised below.

Our Services are not directed to anyone under the age of 18. Our Site or App do not knowingly collect or solicit information from anyone under the age of 18 or allow anyone under the age of 18 to sign up for the Service. If we learn that we have gathered personal information from anyone under the age of 18, we will delete the information as soon as possible. If you believe we have collected such information, please contact us at dpo@bcxpro.io.

How information is collected

We collect your personal data in the following manner:

  • Information you provide to us directly when contacting us;
  • Information you provide to any of our affiliates including parent companies, subsidiaries, and companies under common control and ownership;
  • Information we receive from third parties, such as third-party service providers;
  • Information acquired by us during the course of our relationship and dealings with you;
  • Information collected through the use by you of our website, platforms and applications; and
  • Information gathered from publicly available sources.

Forms you submit
Account registration and communication with us
Automated tracking technologies (cookies, beacons, pixels)

We may collect any information about the communication and any additional information that you choose to give us. We will use this information to review, investigate and respond to any comment or question that you may raise. Please note that we record your communication with us and may use it in our dealings with you, including any dispute resolution.

CATEGORIES OF PERSONAL DATA

We may collect and process the following categories of data about you:

  • identity data (e.g., name, ID number, date of birth)
  • contact data (email, phone number, address, verification data (KYC, AML info, UBO status)
  • due diligence data based on type and volume of activity such as source of funds, proof of address, source of wealth, bank statements, tax returns
  • financial data (transaction records, wallet addresses)
  • technical data (IP addresses, browser device type, OS)
  • Usage Data (page visits, session activity)
  • marketing and communications data

How we use information

We have set out below the purposes for which we may process your personal data and the legal basis of the processing. We have also identified what our legitimate interests are where appropriate.

The following table:

Purpose Categories of Personal Data Legal Basis Relevant Law or Interest
To register you as a new customer and provide platform access Contact data, Account data, Identification/verification data Performance of a contract; Legal obligation VFA Act, AML Regulations
To fulfil AML/CFT and due diligence requirements Identity data, KYC data, UBO data, Account data Legal obligation S.L. 373.01 (AML/CFT), VFA Act
To fulfil legal, tax, and accounting obligations Account management Financial data, Transaction data, Identity data Legal obligation Income Tax Act, Companies Act, VFA Act
To deliver services and process transactions/orders Contact data, Account data, Transaction data, Financial data Performance of a contract Customer onboarding & service delivery
To send direct marketing (existing customers) Contact data, Usage data Legitimate interest or consent Soft opt-in under S.L. 586.01, GDPR Recital 47
To send marketing (new customers/prospects) Contact data Consent GDPR Art. 6(1)(a), ePrivacy
To detect, investigate and prevent fraud or misuse Identity data, Account data, Transaction data, Technical data, source of wealth, source of funds, proof of address and any due diligence documentation required. Legal obligation and/or Legitimate interest AML/CFT Laws, Platform Integrity
To manage our relationship with you (support, notifications) Contact data, Communication data, Usage data Performance of a contract Contractual necessity
To use data analytics to improve services Usage data, Technical data Legitimate interest Website optimisation, service improvement
To exercise or defend legal claims Contact data, Transaction data, KYC data Legitimate interest GDPR Art. 6(1)(f), Civil Code obligations

We will use your personal data for purposes for which it was collected, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. We have a legitimate interest in understanding how customers and potential customers use this website. This would assist us with providing more tailored products and services to meet customer needs.

We rarely rely on your consent to process your personal data, as usually another lawful basis will be more suitable. Where we do seek to rely on your consent, we will always ensure that this consent is fairly obtained by clearly informing you about why your consent is needed. We will usually require that you provide your consent through a clear, affirmative action such as ticking a box, toggling/swiping a button or switch on our website or on a mobile application, signing your name or other suitable method that can clearly evidence your consent.

Non-exhaustive examples of when we may need your consent are:
to enable a feature on a mobile device application;
or
to enable us to place cookies and similar technologies in accordance with our Cookie Policy.
For direct marketing purposes.

Please note that depending on the circumstances you might be asked to provide further information. For instance, when you approach us or have been approached by us either as our partner or client with regards to the provision of our Services as well as services provided to us by you, you shall be asked to provide us KYC data. Such data might include:

  • Personal details of directors.
  • Personal details of UBOs.
  • Account signatory personal details (if applicable).
  • Additional information such as personal information on PEPs.
  • Due Diligence documentation such as source of funds, source of wealth, proof of address, etc.

Data Sharing

We may share your personal data with trusted third parties in accordance with this Privacy Policy and applicable data protection laws. We ensure that such sharing is limited, secure, and necessary for the purposes outlined in this Policy.

Group Companies

JMS Trading Limited may share personal data with other companies within its group for internal administrative purposes and to provide consistent, secure services across entities.

This may include:

  • Customer account management
  • AML/CFT compliance reviews
  • IT systems and infrastructure management
  • Centralised data analytics or risk scoring
  • Regulatory reporting across jurisdictions (where required)

Group companies are subject to internal data protection agreements that ensure equivalent standards of confidentiality and compliance.

Regulatory Authorities and Compliance with the Law

We may disclose your information, including personal information, to courts, law enforcement or governmental authorities, or authorized third parties, if and to the extent we are required or permitted to do so by law or if such disclosure is reasonably necessary:

  • to comply with our legal obligations and binding requests,
  • to comply with legal process and to respond to claims asserted against us,
  • to respond to requests relating to a criminal investigation or alleged or suspected illegal activity or any other activity that may expose us, you, or any other of our users to legal liability.
  • Necessary for compliance with our VFASP license or anti-money laundering obligations

We may disclose your personal data to regulators, competent authorities, and enforcement bodies, including the:

  • Malta Financial Services Authority (MFSA)
  • Financial Intelligence Analysis Unit (FIAU)
  • Information and Data Protection Commissioner (IDPC)
  • European Securities and Markets Authority (ESMA)
  • Law enforcement agencies or courts

International Data Transfers and SCCs

We do not generally transfer your personal data to entities outside the European Economic Area (“EEA”) of our service providers or group entities).

However, in such cases, we ensure that your personal data continues to benefit from a level of protection essentially equivalent to that guaranteed within the EEA.

Where required, we rely on one or more of the following safeguards:

  • Adequacy decisions issued by the European Commission
  • The European Commission’s Standard Contractual Clauses (SCCs)
  • Additional supplementary technical and organisational safeguards (e.g., encryption in transit and at rest)

except as may be necessary to:

  • enable your use of the web site,
  • fulfil our contractual obligations to you or exercise our contractual obligations against you,
  • assert, file, or exercise a legal claim.

Where we do need to transfer your personal data outside the EEA (whether for these stated purposes or any other purpose listed above), we will ensure a similar degree of protection is afforded to that personal data by ensuring at least one of the following safeguards applies or is otherwise implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
  • In the absence of an adequacy decision, we will use standard contractual clauses that have been approved by the European Commission.
  • Where we use providers based in the U.S., we may transfer data to them if they are part of the EU – U.S. Data Privacy Framework which requires them to provide similar protection to personal data shared between Europe and the US.
  • Our third-party service providers that may receive such data include cloud service providers, analytics providers (such as Google Analytics), and email marketing platforms.

Third-party service providers

We may disclose your personal data to external service providers (data processors) who assist us in delivering our services, such as:

  • Identity verification and AML/CFT screening tools
  • IT service and infrastructure providers
  • Cloud hosting and data storage services
  • Analytics and performance monitoring providers
  • Communication and customer support tools
  • Marketing and CRM systems (where applicable)

All such providers are contractually bound by data processing agreements to:

  • Only process your personal data on our documented instructions
  • Ensure confidentiality, integrity, and availability of the data
  • Implement appropriate technical and organisational security measures
  • Assist us with data subject rights requests and data breach management

We do not permit any third-party provider to use your personal data for their own purposes. You can always contact us to receive the full list of our service providers which process your data.

Retention Periods

Our Company securely stores your data in UK and EU, in line with the below security measures. Our Company will keep your personal data only for the time period allowed by law. Once this time period has expired, we will delete your data.

We keep personal information only for as long as is reasonably necessary for the purpose for which it was collected or to comply with any applicable legal or ethical reporting or document retention requirements. We will not retain your personal data in a form which permits the identification of the data subject for longer than needed for the legitimate purpose or purposes for which we originally collected it, including for the purpose of satisfying any legal, accounting or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. In some circumstances we will anonymize your personal information so that it can no longer be associated with you, in which case we will use such information without further notice to you.

We are obligated to retain personal data about you and your transactions for such time until the retention of your personal data is no longer necessary for any business or legal purpose, i.e., in order to comply with anti-money laundering and countering the financing of terrorism and other obligations applicable to us. Once collected, we may retain your data related to financial transactions for up to 5 years following the date of your last transaction or the date you close your account (whichever is the later). This time limit may be additionally extended if a reasonable ground exists.

The personal data storage period is set based on the below principles:

  • Usually, we keep data during the course of the provision of services, during the validity of the contract and 10 years after the expiration of the contract or legal relationships, while executing the requirements set forth in legal acts related to document archiving and in order to declare, execute or defend the legal claims;
  • If the transaction has not been concluded, we will store personal data for up to 5 years from the date of its receipt.
  • If a transaction is refused due to the implementation of money laundering and terrorist financing prevention measures, personal data shall be stored for 5 years from the moment of refusal;
  • According to the requirements of legal acts regulating the prevention of money laundering and terrorist financing, we will process personal data for as long as the business relationship subsists and for 5 years after termination of the relationship. This time limit may be additionally extended if a reasonable ground exists;
  • If you revoke your consent for data processing or the data processing term expires (when the data is processed on the basis of your consent), only the data confirming the fact of your consent is retained for 5 years from the end of the consent period or the cancellation of consent in order to declare, execute or defend the legal claims.

At the end of the retention period, we will securely delete or destroy data retained and require our sub-processors or third-party suppliers to do likewise.

Data security measures

We will always process, store and transmit your information securely.

Safeguarding

We are committed to safeguarding your personal data and have implemented a range of organisational, technical, and physical security measures designed to protect it from unauthorised access, disclosure, alteration, or destruction.

b. Secure Hosting Environment Our platform and associated data are hosted on Amazon Web Services (AWS) in the United Kingdom region. AWS maintains robust security protocols and is certified under internationally recognised standards, including: ISO/IEC 27001:2013, 27017:2015, 27018:2019, 27701:2019, 22301:2019, 9001:2015, and CSA STAR CCM v3.0.1. and others. For a full list of certifications, please refer to: https://aws.amazon.com/compliance/iso-certified/.

c. Encryption All sensitive data transmitted between your device and our servers is encrypted using industry-standard encryption technologies, supported by certificates issued by trusted certificate authorities.

d. Access Controls Personal data is protected by advanced access control and network security measures including firewalls, anti-virus, access lists, intrusion detection and prevention systems. Multi-factor authentication (MFA) is enforced for access to critical systems, and activity logging is implemented to monitor and audit access events. The need to know and least privilege concepts are also applied to ensure only authorised persons access the data they need to perform their roles.

f. Security Disclaimer While we have taken reasonable steps to secure the personal information you provide to us, please be aware that despite our efforts, no method can ensure complete security, and there is no guarantee that your information will not be accessed, disclosed, altered, or destroyed. By using our Service, you acknowledge that you understand and agree to assume these risks.

Marketing

We process your personal data for direct marketing purposes based on your consent. In cases where you are an existing customer, we may rely on our legitimate interest to inform you about similar products or services in accordance with applicable laws.

If you have agreed to receive marketing, by clicking on the consent button you should be aware that you may, at any moment opt out, or unsubscribe at a later date. Direct marketing to existing clients is based on legitimate interest, while all others require opt-in consent, in line with S.L. 586.01 Regulation 9 and ePrivacy rules. You have the right at any time to stop Our Company from contacting you for marketing purposes. If you no longer wish to be contacted for marketing purposes, please unsubscribe or contact info@bcxpro.io.

Your Rights

We would like to make sure you are fully aware of all your data protection rights. Every person is entitled to the following:

  • The right to be informed – you have the right to be informed about the collection and use of your personal data. This Privacy Policy aims to satisfy this right.
  • The right to access – You have the right to request copies of your personal data we hold about you. Normally this right is free, however, we may charge you a small fee for this service. You will always be informed should a decision be made to charge a fee.
  • The right to rectification – You have the right to request that we correct any information you believe is inaccurate or incomplete.
  • The right to erasure – You have the right to request that we erase your personal data, under certain limitations and exceptions.
  • The right to restrict processing – You have the right to request that we restrict the processing of your personal data, under certain limitations and exceptions.
  • The right to object to process – You have the right to object to the processing of your personal data, under certain limitations and exceptions.
  • The right to data portability – You have the right to request that we transfer the data that we have collected to another organisation, or directly to you, under certain limitations and exceptions.
  • The right to complain to a supervisory authority – You have the right to complain about our processing of your personal data; and You may exercise any of your rights in relation to your personal data by writing to us at the postal address above or by email. or file a complaint with the IDPC www.idpc.org.mt a response will be given within 30 days.
  • And;
  • The right to withdraw consent – to the extent that the legal basis of our processing of your personal data is consent, you can withdraw that consent.

You have a right not to be subject to a decision based solely on automated processing (i.e., by computers and without human intervention), including profiling, which produces legal effects concerning you or similarly significantly affects you.

However, this right does not apply when the decision:

  • is necessary for entering into, or performance of, a contract between you and us;
  • is required or authorised by law; or
  • is based on your explicit consent.

Automated Decision Making

Although certain third parties may use automated decision-making tools or software, we do not use automatic decision-making or profiling when processing personal data. If this changes, we will confirm this with you and provide meaningful information about the logic involved, as well as the significance and the envisaged consequences for you.

Incomplete and Inaccurate Information

If you do not provide us with some or all of the information that we ask for, we may not be able to verify your identity and as such you may not be able to open a trading account with the Company. You can provide and update your information at any time by visiting our website. We recommend that you update your profile in your account regularly, to ensure that the functions offered to you are appropriate for your current circumstances. You may have to update such information upon our request, if we consider the information provided as untrue, incorrect, incomplete and/or inconsistent with other information provided by you at any time. You acknowledge that we may rely upon such information and that you are responsible for any damages or losses which may result from any inaccuracies, including without limitation, the inappropriateness of our services to you.

Data Breaches

In the event of a personal data breach, we will notify you and /or the supervisory authority of a personal data breach In accordance to legal requirements. Art 33

Advertising and Analytics Services Provided by Others

We may allow others to provide analytics services and serve advertisements about our products and services on our behalf across the web and in mobile applications. This may involve cookies and other technologies to collect information about your use of the Services. This information may be used by BCXPro to, among other things, analyse and track data, determine the popularity of certain content, and better understand your online activity in connection with the Services. Please refer to the About Cookies section and our Cookie Policy for more information about the cookies involved and the process of consenting or refusing cookies.

About Cookies [link to cookie policy]

Like many sites, we use “cookies” to collect information. Cookies are files with small amount of data, which may include an anounymous unique identifier. Cookies are sent to your browser from our Site and stored on your computer’s hard drive. Cookies allow us to store your preferences to present content, options or functions that are specific to you. They also enable us to see information like how many people use the Site and what pages they tend to visit.

We may use cookies to:

  • Analyse our web traffic using Google Analytics. Aggregated usage data helps us improve the Site structure, design, content and functions.
  • Identify whether you are signed into our Site.
  • Store information about your preferences. The Site can then present you with information you will find more relevant and interesting.
  • To recognise when you return to our Site. We may show your relevant content or provide functionality you used previously.

Cookies do not provide us with access to your computer or any information about you, other than that which you choose to share with us. Where required by law, we will ask for your consent before placing non-essential cookies on your device. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some features of our Site.

Changes to our Privacy Policy

We may revise this Privacy Policy from time to time to reflect changes in legal or regulatory requirements (including under the GDPR, the Maltese Data Protection Act, MiCA, or other applicable laws), operational changes, or updates in how we process personal data. Where the changes are material and significantly affect your rights or how we process your personal data, we will provide a clear notification—such as by email or through a prominent notice on our website—before those changes take effect.

We encourage you to review this Privacy Notice regularly to stay informed of how we collect, use, and protect your personal data. The date of the latest update will always be clearly indicated at the top of this notice. Your continued use of our services following the update constitutes your acknowledgment and understanding of the revised terms.

How to Contact the Appropriate Authority

If you are dissatisfied with how we have handled your personal data that has been processed in connection with the use of our Services, you are in the first instance encouraged to contact our Data Protection Officer

Email: dpo@bcxpro.io

Alternatively, you may contact us generally at: info@bcxpro.io so that we can address your concerns. If you remain unsatisfied with our response or believe that we are not processing your personal data in accordance with applicable data protection laws, you have the right to lodge a complaint with the supervisory authority in Malta:

The Office of the Information and Data Protection Commissioner can be contacted at:
Information and Data Protection Commissioner
Level 2, Airways House
High Street, Sliema SLM 1549 Malta
www.idpc.org.mt

Warning: crypto products and markets are unregulated, and you may not be protected by government compensation and/or regulatory protection schemes. The unpredictable nature of the cryptoasset markets can lead to loss of funds. Don’t invest unless you’re prepared to lose all the money you invest. This is a high-risk investment and you should not expect to be protected if something goes wrong.