Privacy Policy
This Policy explains how the Investor Protection Service processes personal data submitted through its complaints portal, in accordance with applicable data protection legislation.
Last updated: 1 January 2026
Version: 3.0
1. Data controller
The Investor Protection Service (the "Controller", "we" or "us") is responsible for the processing of personal data described in this Policy. Inquiries regarding this Policy may be addressed to the Data Protection Officer at dpo@fraudreclaim.example.
2. Scope
This Policy applies to all personal data collected through the portal, by email, by telephone or through any official channel of the Service in connection with the submission, registration and handling of a complaint.
3. Categories of personal data
We collect and process the following categories of personal data:
- Identification data: first and last name, date of birth where required, country of residence, identification document references when supplied.
- Contact data: email address, telephone number, postal address.
- Account data: login credentials in hashed form, security log records, IP address and browser fingerprint metadata.
- Case data: details of the respondent firm, narrative of events, transaction history, claimed amounts and supporting documents (correspondence, account statements, screenshots, contracts).
- Financial data: bank or wallet identifiers strictly to the extent they appear in the evidence you supply.
- Communications: messages exchanged with the Service through the portal and by email.
You should not submit special categories of data (such as data revealing health, religion or political opinions) unless they are strictly necessary to the matter; if you do, we will process them only to the extent required and on the basis set out in section 4.
4. Purposes and legal bases
Personal data are processed for the following purposes and on the following legal bases:
- Registration and handling of complaints — performance of a task carried out in the public interest and steps taken at your request prior to entering into a contract.
- Communication with regulators and accredited partners — performance of a task in the public interest and, where required, your consent.
- Compliance with statutory and regulatory obligations, including anti-money-laundering and counter-terrorist-financing requirements — compliance with a legal obligation.
- Security, fraud prevention and audit logging — legitimate interests in ensuring the integrity of the Service.
- Internal statistics and service improvement, in aggregated and non-identifiable form — legitimate interests.
5. Recipients of personal data
Personal data may be disclosed to the following categories of recipient:
- regulators, supervisory authorities and law-enforcement bodies, where required by law or to advance the matter;
- accredited law firms, analytical partners and independent experts engaged on your case, under written confidentiality undertakings;
- payment institutions, where chargebacks or account-freezing measures are pursued;
- processors providing hosting, email, security and analytics services under written data-processing agreements;
- courts, tribunals and other competent bodies, where disclosure is compelled by law.
We do not sell personal data and do not share it for marketing purposes.
6. International transfers
Where personal data are transferred outside the jurisdiction of the Controller, the transfer is governed by appropriate safeguards, including standard contractual clauses adopted by the competent authority or transfers to jurisdictions recognised as offering an adequate level of protection.
7. Retention
Personal data are retained only for as long as is necessary for the purposes for which they were collected, and in accordance with the following indicative periods:
- active case files: for the duration of the matter plus seven (7) years;
- account credentials: until account closure;
- security and audit logs: 24 months;
- data retained pursuant to a statutory obligation: for the period prescribed by that obligation.
At the end of the applicable retention period, data are securely deleted or irreversibly anonymised.
8. Your rights
Subject to the conditions laid down by applicable law, you have the right to:
- obtain confirmation as to whether personal data concerning you are being processed and to receive a copy;
- rectify inaccurate or incomplete data;
- request the erasure of data where the legal grounds for erasure are met;
- request the restriction of processing in defined circumstances;
- object to processing carried out on the basis of legitimate interests;
- receive your data in a structured, commonly used and machine-readable format (data portability) where applicable;
- withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing;
- lodge a complaint with the competent supervisory authority in your jurisdiction.
Requests should be addressed to dpo@fraudreclaim.example. Identity verification may be required before a request is processed.
9. Security measures
The Service implements appropriate technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure or destruction. These measures include encryption in transit, role-based access controls, audit logging, documented incident response procedures and regular review of supplier security arrangements. No system is infallible, and you are responsible for safeguarding the credentials used to access your account.
10. Cookies and similar technologies
The portal uses strictly necessary cookies required for authentication, session management and security. No advertising or third-party tracking cookies are deployed. Where analytical cookies are used, they are aggregated, do not identify individuals and may be declined without loss of functionality.
11. Children
The portal is not directed at, and the Service does not knowingly collect personal data from, persons under the age of 18. Where the Service becomes aware that data of a minor has been submitted without the consent of a parent or guardian, those data will be deleted.
12. Data breach notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, the Service will notify the competent supervisory authority without undue delay and, where required by law, will inform the affected individuals.
13. Changes to this Policy
The Service may amend this Policy from time to time. The "Last updated" date at the top of this Policy indicates the date of the most recent revision. Material changes will be brought to your attention through the portal or by email.
14. Contact
For any question relating to the processing of your personal data, please contact the Data Protection Officer at dpo@fraudreclaim.example.