Privacy Policy
Trek Labs Europe Ltd. dba Backpack EU
1. Introduction
Backpack EU is a brand name owned and operated by Trek Labs Europe Ltd (formerly FTX EU and FTX EU Ltd, respectively) (hereinafter referred to as the “Company,” “Backpack EU,” “us,” or “we”), a company incorporated in Cyprus with registration number HE 335683 and authorised by the Cyprus Securities and Exchange Commission (“CySEC”) under license no. 273/15, with registered address at Aiolou & Panagioti Diomidous 9, Katholiki, 3020 Limassol, Cyprus.
This policy outlines the approach and commitment of Trek Labs Europe Ltd (the “Company”) in safeguarding the privacy rights of individuals and any personal data, including special categories of personal data which the Company stores and processes, in compliance with data protection law.
The Company will ensure that all the personal data that it stores and processes is done in line with the principles set out by the applicable Data Protection Legal Framework (including the General Data Protection Regulation (EU) 2016/679 – the “GDPR”, the Law on the protection of natural persons against the processing of personal data and the free movement of such data, Law 125 (I) /2018 and/or other applicable regulations).
This Privacy Policy applies to all clients (potential or existing clients), and it also covers any individuals visiting our website as described further below. Further information about whom this Policy is addressed to can be found below in Section 3.
This Privacy Policy should be read in conjunction with our other corporate policies and procedures.
2. Scope of this Policy
This Data Privacy Policy provides an overview of how the Company is processing Personal Data of natural persons. It is the Company’s policy to respect the confidentiality of information and the privacy of the Individuals. This Policy outlines how the Company manages personal data of the Individuals supplied to it by its Clients or by a third party in connection with the Company’s provision of services or which the Company collects from those that use its services and/or the Company’s app(s) or website(s). Furthermore, this Policy outlines the rights of the Individuals with respect to the processing of their personal data.
This Policy applies to the processing of personal data by the Company in connection with the provision of its services through the Website, including any personal data provided through the use of the Website.
This Policy also applies to the processing of personal data by affiliated companies who may provide financial and other back office services, including IT. For the purposes of this Policy “Processing” refers to any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
For the purposes of this Policy, "Personal data" shall mean any information relating to a natural person (‘data subject’) from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
The Company is committed to processing Personal Data in compliance with the provisions of applicable Personal Data protection law (including the GDPR, applicable as of 25 May 2018). The Company has appointed a Data Protection Officer to ensure that the management of personal data is in accordance with this privacy policy and the applicable legislation.
3. How is personal data collected by the Company
As part of the Company’s everyday business, the Company may need to collect personal data from:
the Clients or potential Clients or representatives, executives, shareholders, beneficial owners of Clients;
the customers or potential customers of the Clients,
the individuals that had or have a business relationship with the Company,
the individuals connected with a Client or staff or a business associate of the Company where personal data is provided under a regulatory obligation e.g. to manage possible conflicts of interest and other regulatory obligations; and
visitors to the Company’s website to ensure that the Company can meet the needs for a range of financial services and to provide them with information about the Company’s services.
(collectively referred to as “Individuals”)
We use different methods to collect data from and about the Individuals including through:
Direct interactions. Individuals may give the Company their Identity, Contact and Financial Data by filling in forms or by corresponding with the Company by post, phone, email or otherwise. This includes personal data the Individuals provide when they:
apply to become Clients;
create an account on the Company’s website;
subscribe to the Company’s service or publications;
request marketing to be sent to them;
enter a competition, promotion or survey; or
give the Company feedback or contact the Company and/or for any other similar purpose or reason.
Automated technologies or interactions. As an Individual interacts with the Company’s website, the Company will automatically collect Technical Data about the Individual’s equipment, browsing actions and patterns, all in accordance with the Company’s Cookies Policy. The Company collects this personal data by using cookies, server logs and other similar technologies. The Company may also receive Technical Data about an Individual if the Individual visits other websites employing the Company's cookies. Please see our cookie policy for further details.
Third parties or publicly available sources. The Company will receive personal data about an Individual from various third parties and public sources as set out below:
We collect your personal data from the following sources:
Directly from you (e.g., information provided during the onboarding stage, or through email or telephone correspondence).
Background check agencies (e.g., world compliance checks, etc).
Due diligence investigations.
Internet searches.
Other third-parties when we seek to verify your identity – e.g., identity verification agencies etc.
When you visit our website, e.g., collection of personal data when you complete any forms or provide your details via our Website, collection of basic information about your visit provided by your browser.
4. Collection and Processing of personal data by the Company
The Company may collect and process the following types of personal data in relation to the Individuals:
personal details such as name, surname, date of birth, place of birth, citizenship, nationality, including documentation required for the verification of your identity – e.g., passport, utility bills, bank statements etc;
contact data such as residential address, email address and contact details;
financial data, such as bank account details, investment portfolio, income, source of funds evidence (e.g., financial statements, tax returns etc);
profession and employment details;
transaction data on business initiation and ongoing business relationship (including date, time, communication channel, copy of correspondence, records of communication);
usage data, i.e. information about how the Individual uses the Company’s Website.
technical data such as information collected when the Individual accesses the Company’s Website, its internet protocol (IP) address, its login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices the Individual is using;
Profile data includes the Individual’s username and password, purchases or orders made by the individual and interests and preferences; and
marketing and communication data such as marketing and communication preferences of the Individual.
The Company may collect this information through the use of the provision of its investment services. These include, but are not limited to onboarding, news subscriptions and information provided in the course of ongoing client service correspondence. The Company may also collect personal data from other sources such as credit reference agencies, fraud prevention agencies or from publicly available sources to comply with its legal and regulatory obligations, such as Customer Due Diligence (CDD) and Anti-Money Laundering (AML) laws.
The Company may record the communication that takes place between the Individuals and the Company in relation to the provision of investment services. These recordings will be the Company’s sole property and will constitute evidence of the communication between the parties.
The Company may also obtain personal data through the use of its Website. This is achieved by using cookies on its Website, which in particular record which pages the Individual viewed on the Company’s Website. This information is necessary for maintaining the security of the Company’s services, providing necessary functionality, and improving the overall user experience.
5. Why the Company Processes Personal Data and on what legal basis
The Company shall process Personal Data, only if it has a legal basis to do so. Specifically, the Company must have one or more of the following reasons to process an Individual’s Personal Data:
When it is in the legitimate interests of the Company or another person with whom the data is shared, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection. (Art. 6(1)(f) GDPR)
To investigate or settle enquiries or disputes - The Company may need to use personal data collected from Individuals to investigate issues and/or settle disputes with a Client as it is in the Company’s legitimate interests to ensure that issues and/or disputes get investigated and resolved as quickly and efficiently as possible.
To help the Company improve its products and services, including Client services, and develop new products and services - the Company may use from time to time personal information provided by the Individuals through the use of the services and/or through member surveys to help the Company improve its products and services. It is in the Company’s legitimate interests to use personal information in this way to ensure that the Company provides the Clients with the best products and services the Company can.
Data Analysis - The Company’s emails may contain web beacons or pixel tags or any other similar type of data analysis tools which allow the Company to track receipt of correspondence and to count the number of users that have opened the Company’s correspondence. Where an Individual’s personal data is completely anonymised, the Company does not require a legal basis as the information will no longer constitute personal data. However, where the Individual’s personal data is not in an anonymised form, it is in the Company’s legitimate interest to continually evaluate that personal data to ensure that the products and services the Company provides are relevant to the market.
Corporate restructuring - If the Company undergoes a corporate restructuring or part or all of its business is acquired by a third party, the Company may need to process the personal data of Individuals in connection with that restructuring or acquisition.
Security - If an Individual enters any of the Company's premises the Company may record the Individual’s image on the Company’s CCTV for security reasons. The Company takes pictures to document who entered its premises on a particular day. It is in the Company’s legitimate interest to do this to maintain a safe and secure working environment.
Surveys - from time to time, the Company may send the Individual surveys as part of its Client feedback process. It is in the Company’s legitimate interest to ask for feedback to ensure it provides the best service to its Clients. All responses to any survey the Company sends out will be aggregated and anonymised before survey results are shared with any third parties.
When processing is necessary for compliance with a contractual obligation to which the Company is subject (Art. 6 (1) (b) GDPR)
To manage the business relationship and fulfil any contractual obligations - The Company may need to process personal data in order to effectively manage the business relationship between the Company and the Client (e.g. to communicate with its Clients) to ensure that Clients are getting the best possible service from the Company.
When processing is necessary for compliance with a legal obligation to which the Company is subject (Art 6(1)(c) GDPR)
To comply with applicable law, regulations, directives, court order, other judicial process or the requirements of any applicable regulatory authorities - the Company may need to use the Individual’s personal data to comply with applicable laws, court orders or other judicial process, or the requirements of any applicable regulatory authority. For example, the Company may process personal information to comply with MiFID II requirements in contract reporting and to fulfil its obligations under Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations.
Internal business purposes and record keeping - the Company may need to process personal data in order to comply with its legal and regulatory obligations.
When the Individual has given consent to the processing of his or her personal data for one or more specific purposes (Art 6(1)(a) GDPR)
Marketing Communications - The Company may use the Individual’s personal data to send marketing communications by email or phone or other forms (including social media campaigns) to ensure that the Individual is always kept up to date with the Company’s latest products and services. When the Company sends marketing communications, the Company does so either because it has a legitimate interest in them (Art. 6(1)(f) GDPR) or with the Individual’s consent (Art. 6(1)(a) GDPR).
Surveys - from time to time the Company may ask Individuals to participate in other surveys (not part of the member feedback process). If the Individual agrees to participate in such surveys, the Company relies on the Individual’s consent to use the personal data it collects as part of such surveys. All responses to any survey the Company sends out will be aggregated and anonymised before survey results are shared with any third parties.
6. Who receives the Personal Data
6.1 Within the Company
Within the Company, access to Individuals’ Personal Data is given to those officers who require such access to perform the Company’s contractual and legal obligations and other internal activities required by law.
6.2 Outside the Company
We shall collect, use or otherwise process your personal data when the applicable Data Protection Legal Framework allows us to. More specifically, and depending on the processing activity, we rely on the following lawful basis for collecting, using or otherwise processing your personal data:
You have provided us specifically with your consent to the processing of your personal data – Article 6(1)(a) of the GDPR.
Necessary for the Performance of a Contract – Article 6(1)(b) of the GDPR.
Necessary for Complying with a Legal Obligation as a duly authorized investment firm – Article 6(1)(c) of the GDPR.
To pursue our legitimate interests (except in cases where such interests are overridden by your interests or fundamental rights) – Article 6(1)(f) of the GDPR.
The Company requires organisations that are not affiliated with it and process personal data to respect the confidentiality of that information, to undertake to respect the privacy of individuals, and to comply with all applicable data protection laws and this privacy notice.
With regard to transfers of personal data to companies outside of the EU or the European Economic Area, refer to the section below entitled ‘Transfers outside of the European Economic Area’.
Third party service providers such as credit referencing agencies may keep a record of any searches performed on the Company’s behalf and may use the search details to assist other companies in performing their searches.
6.3 List of Data Recipients
We may disclose personal data to third parties where necessary for regulatory compliance, operational requirements, or service provision. These recipients include:
Regulatory and Supervisory Authorities – We may share data with the Cyprus Securities and Exchange Commission (CySEC), the European Securities and Markets Authority (ESMA), and other competent authorities as required under applicable laws and regulatory obligations.
Financial Institutions and Legal Advisors – This includes banks, payment service providers, auditors, legal advisors, and compliance consultants involved in transaction processing, anti-money laundering (AML) compliance, and legal obligations.
Third-Party Service Providers – We may engage cloud storage providers such as AWS, IT system vendors, KYC/AML screening service providers such as Sumsub, Refinitiv and AristaFlow GMBH, trading platform operators, and other outsourced service providers who process data on our behalf under strict confidentiality and security measures.
Affiliated Entities – Where applicable, data may be shared within our corporate group for internal administration, risk management, or business operations, such as Trek Labs Ltd FZE (United Arab Emirates), Trek Labs Japan KK (Japan) and Trek Labs Ltd (BVI).
Law Enforcement and Judicial Authorities – We may disclose personal data to law enforcement agencies, courts, or other competent authorities in response to legal requests, fraud prevention measures, or regulatory investigations.
Clients and Counterparties – In cases where transactions require the involvement of liquidity providers, executing brokers, or counterparties, data may be shared to facilitate trade execution.
Marketing and Communication Partners (if applicable) – If you have provided consent, we may share limited data with marketing partners for promotional communications, with the option to withdraw consent at any time.
All data disclosures are conducted in compliance with the General Data Protection Regulation (GDPR) and applicable CySEC regulatory requirements, ensuring appropriate safeguards, contractual agreements, and confidentiality measures are in place.
7. Transfers outside of the European Economic Area
The Company may transfer Individuals’ personal data to countries outside of the European Union and/or the European Economic Area, ensuring that the Personal Data are adequately protected and that such transfer will comply with the requirements of the Data Protection Legislation at all times.
If the Company transfers Individual’s Personal Data to a third country outside the European Economic Area, the Company will make sure that Personal Data is protected in the same way as if it was being used in the EEA. The Company will ensure that at least one of the following safeguards is implemented:
Personal Data is transferred to a third country with privacy laws that give the same protection as the EEA, as certified by an adequacy decision of the European Commission.
Personal Data is transferred to organisations that comply with binding corporate rules, or an approved code of conduct or certification mechanism that requires its protection to the same standards as applicable in the EEA.
Put in place a contract with the recipient which includes the standard data protection clauses adopted by the European Commission or adopted by the supervisory authority and approved by the European Commission.
Where the recipient in the third country has signed up to a code of conduct, which has been approved by a competent supervisory authority. The code of conduct must include appropriate safeguards to protect the rights of individuals whose Personal Data is transferred, and which can be directly enforced.
Where the recipient in the third country has a certification, under a scheme approved by a competent supervisory authority. The certification scheme must include appropriate safeguards to protect the rights of individuals whose Personal Data is transferred, and which can be directly enforced.
In the case where none of those bases apply, an Individual’s Personal Data may still be transferred to a third country under the following conditions/ derogations, where:
the Individual explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers due to the absence of an adequacy decision and appropriate safeguards;
the transfer is necessary for the performance of a contract between the Individual and the Company, or the implementation of pre-contractual measures taken at the Individual’s request;
the transfer is necessary for the establishment, exercise or defence of legal claims;
8. Cloud Services and storage of Personal Data
Safeguarding the privacy of information is important to the Company, whether an Individual interacts with the Company personally, by phone, by mail, over the internet or any other electronic medium.
The Company holds personal data in a combination of secure computer storage facilities and paper-based files and other records, and takes steps to protect the personal data it holds from misuse, loss, unauthorised access, modification or disclosure.
The Company uses cloud technology to store Individuals’ Personal Data. The cloud service providers used by the Company, and their data centres, are located in the European Union or outside EEA acting in accordance with the necessary provisions as stated under section 8. and thus, bound by the GDPR requirements.
Despite this, there are cases where Personal Data may be transferred to or accessed from a third country for the purposes of the provision of the services outsourced or, if required by law. In such case the Company shall ensure that the relevant safeguards as mentioned above will apply so that the Company is in compliance with its GDPR obligations.
The Company ensures contractually that the cloud service provider will apply principles of data minimization and will not use or otherwise process Personal Data for: (a) user profiling, (b) advertising or similar commercial purposes, or (c) market research aimed at creating new functionalities, services, or products or (d) any other purpose, unless such use or Processing is in accordance with Company’s documented instructions.
Retention of Personal Data on cloud shall be in line with the general retention policy of the Company as described below.
9. For how long is Personal Data retained
The Company shall retain your data as a duly authorised investment firm for a period of five (5) years, a timeframe that can be extended to seven (7) years under certain circumstances, specifically if this is requested by any competent authority.
Your data will be securely destroyed when it is no longer required for the fulfilment of the purposes for which such data was collected.
10. Rights of Individuals in relation to their Personal Data
The Individuals’ data protection rights, granted by GDPR regarding the processing of your personal data, are described below:
10.1 Right of Access
The Individuals have the right to request access to their personal information; this enables them to receive a copy of the personal information the Company holds about them and check that the Company is lawfully processing it.
10.2 Right to be informed
The Individuals have the right to be provided with clear and concise information about what the Company does with their personal data. Data subjects have the right to know how their personal information is collected and used. Under “the right to be informed”, businesses and websites must provide individuals with details of their personal data collection and processing.
10.3 Right to Rectification
The Individuals have the right to request to correct their personal information the Company holds about them that is inaccurate or incomplete and the Company must inform them and any third parties to whom they disclose Individuals’ information about the rectification.
10.4 Right to Erasure (also known as the “Right to be forgotten”)
The Individuals have the right to have the Company delete or remove their Personal Data in the following circumstances:
The Processing of the Personal Data by the Company is no longer necessary for any of the reasons the Personal Data was collected and used.
The Individual has withdrawn his/her consent and there is no other legal ground for the Personal Data Processing.
The Individual has successfully objected to the Processing of the Personal Data by the Company.
The Personal Data has been unlawfully processed.
Deletion is required by law.
It is clarified that the Company reserves its right to deny the said erasure, if the Processing is necessary for the Company to comply with its legal obligations, for reasons of public interest and/or for the exercise or defence of its legal claims, i.e. the right is not absolute, since it applies only in certain circumstances.
10.5 Right to restriction of Processing of Personal Data
The Individuals also have the right to restrict the Company's use of their Personal Data in the following circumstances:
pending verification by the Company of Personal Data the accuracy of which the Individual has contested
the Processing is unlawful, but the Individual does not want his/her Personal Data to be erased
the Company no longer needs the Personal Data, but the Individual does not want it to be erased because the Individual needs it for the establishment, exercise or defence of legal claims
pending the Company's assessment where the Individual has objected to Processing intended to safeguard the Company's legitimate interests.
10.6 Right to data portability
The Individuals have the right to receive their Personal Data from the Company in a structured, commonly used and machine-readable form. The Individuals can also ask the Company to transfer their Personal Data in this format to other organisations, where this is technically feasible. This right relates to the Personal Data which the Individuals have provided to the Company and which the Company processes electronically in reliance on their consent or for fulfilling the contract between the Individual and the Company.
10.7 Right to object
The Individuals have the right to object to the Company's use of their Personal Data and ask the Company to stop using their Personal Data in any of the following circumstances:
The Individual has the right to object at any time, on grounds relating to the Individual’s particular situation, to Processing of his/her Personal Data which is intended by the Company to safeguard its legitimate interests or to serve the public interest. If the Individual lodges an objection, the Company will no longer process his/her Personal Data unless the Company can demonstrate compelling legitimate grounds for the Processing which override the Individual’s interests, rights and freedoms or unless the Processing is for the establishment, exercise or defence of legal claims.
The Individual has the right to object to the Processing of his/her Personal Data for direct marketing purposes, including profiling. If the Individual lodges such an objection, his/her Personal Data will no longer be processed for such purposes.
The Individual has the right to object to the Processing of his/her Personal Data for scientific or historical research purposes or statistical purposes, on grounds relating to his/her particular situation, unless the Processing is necessary for the performance of a task carried out for reasons of public interest.
10.8 Right to withdraw consent
Where the Company relies on the Individual’s consent for the Processing of his/her Personal Data, the Individual can withdraw his/her consent at any time. If the Individual withdraws his/her consent, the Company may not be able to provide certain products or services to the Individual. If this is so, the Company will inform the Individual before giving effect to his/her withdrawal notification. Please note that the withdrawal of the consent does not affect the legality of the Personal Data processed prior to the withdrawal.
If the Individual wishes to exercise any of the above rights or seek more information about the collection, storage and handling of their personal data by the Company, they must send an email to the designated Data Protection Officer of the Company at “privacy@eu.backpack.exchange” or contact the Company’s Customer Support Department at “support@eu.backpack.exchange”.
Note:
The Company reserves the right to request specific information to confirm the Individual’s identity, speed up its response and ensure the Individual’s right to access their personal data or any other right as data subject.
The Company must always respond to Individuals’ requests within reasonable time and keep them updated.
Responses to ARs shall normally be made within one month of receipt, however this may be extended by up to two months if the AR is complex and/or numerous requests are made. If such additional time is required, the data subject shall be informed accordingly without undue delay.
(*) Kindly be informed that there might be certain exceptions to the applicability of the aforesaid rights. If you have any questions or concerns about the exercise of your personal data rights, please contact us at support@eu.backpack.exchange.
11. Security and Data Breach
The Company always takes appropriate technical and organisational measures to ensure that Personal Data is secure. In particular, the Company trains its employees who handle personal data to respect the confidentiality of Client information and the privacy of individuals.
In order to maintain security and prevent processing in infringement of the GDPR, the Company, in particular the Data Protection Officer, shall constantly monitor and evaluate the risks involved with data processing and implement measures to mitigate those risks.
As soon as the Company becomes aware that a personal data breach has occurred, the responsible person should notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. Additionally, the Company shall communicate with the data subject affected by a personal data breach without undue delay, where that personal data breach is likely to result in high risk to the rights and freedoms of the natural person, in order to allow him or her to take necessary precautions. The communication should describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects.
The Company regards breaches of privacy very seriously and will impose appropriate penalties, including dismissal where necessary.
Our website may contain links to external sites. In such a case, this Privacy Policy will no longer apply, since we are not responsible for the personal data handling practices followed by third-party sites. We, therefore, encourage you to consult the other sites’ privacy policies.
12. Changes / Amendments to the Privacy Policy
This Privacy Policy sets out the information that the Company must provide to the Individuals for the purposes of the GDPR. Any information in relation to the Processing of Personal Data that is included in any of the Company's existing circulars, manuals and associated forms on matters which are covered by this Policy are deemed to be superseded by the information in this Policy. The Company may revise or update this Policy from time to time. The new version of this Policy will be available on the Company’s website. In case of significant changes (such as in relation to the reasons for which the Company uses Personal Data or to the way in which Individuals may exercise the rights described above), the Company will bring these changes to the Individuals’ attention.
13. Complaints
If you have a concern about any aspect of our privacy practices, you can submit a complaint. This will be acted upon promptly. To make a complaint, please contact us via email at support@eu.backpack.exchange.
If you are not satisfied with our response to your complaint, you have the right to submit a complaint with our supervisory authority, the Office of the Commissioner for Personal Data Protection (the “Commissioner”). You can find details about how to do this on the Commissioner’s website at http://www.dataprotection.gov.cy or by calling them on +357 22818456.
14. Contact us
If you have any questions regarding this policy, wish to access or change your information or have a complaint, or if you have any questions about security on our website, you may email us at support@eu.backpack.exchange.
February 2025
Risk warning: Our products are traded on margin and carry a high level of risk and it is possible to lose all of your capital. Please consider our Risk Disclosure.
Legal: This website is operated by Trek Labs Europe Ltd (formerly FTX EU Ltd), registration number HE335683, with registered address at Aiolou & Panagioti Diomidous 9, Katholiki, 3020 Limassol, Cyprus. Trek Labs Europe Ltd (formerly FTX EU Ltd) is authorized and regulated by the Cyprus Securities and Exchange Commission (CySEC) under license number 273/15.
The company operates through https://eu.backpack.exchange (formerly http://www.ftx.com/eu and https://ftxeurope.eu) and uses the trade name Backpack EU (formerly FTX EU).