Bequant — Institutional Trading Infrastructure & Prime Services

1. Introduction

Your privacy is important to us.

This Privacy Policy (the “Policy”) explains how Bequant Pro Limited (“BEQUANT”, “we”, “us” or “our”) collects, uses, shares and protects your personal data when you access or use our website, platforms and crypto-asset services, as described in our Terms of Business (together, the “Services”).

We are committed to processing personal data lawfully, fairly and transparently, and in accordance with:

the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”);
the UK GDPR and Data Protection Act 2018, where applicable; and
applicable financial-services regulatory frameworks, including Regulation (EU) 2023/1114 on markets in crypto-assets (“MiCA”) and Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (“DORA”), to the extent relevant to our operations.

This Privacy Policy also applies to Bequant Prime Limited (“BQ Prime”), under the existing intercompany resource-sharing arrangements between Bequant Pro Limited and Bequant Prime Limited. The Services and related systems described in this Policy are used in common by both entities, and the same data-protection and technical-implementation standards apply. References to MiCA- and DORA-aligned obligations in this Policy are understood to relate to Bequant Pro Limited only, as Bequant Prime Limited does not itself hold MiCA/DORA-level direct obligations.

This Policy sets out:

what personal data we collect;
how and why we use it;
the legal bases we rely on;
how long we retain it;
how we protect it; and
your rights in relation to your personal data.

Please read this Privacy Policy carefully. By accessing or using our Services, you acknowledge that your personal data will be processed in accordance with this Policy.

2. Who we are

BEQUANT is a private limited company incorporated in Malta (company registration number C 88065), with its registered office at The Core, Valley Road, Msida, MSD9021, Malta.

We act as the data controller in respect of personal data processed in connection with our Services, except where stated otherwise.

As a regulated crypto-asset service provider, we process personal data not only to provide our Services, but also to comply with applicable legal and regulatory obligations, including requirements relating to anti-money laundering, financial crime prevention and operational resilience.

3. Our approach to data protection

We apply a privacy-by-design and by-default approach across our systems and operations. This means that:

we collect only data that is necessary;
we implement appropriate technical and organizational safeguards;
access to personal data is restricted on a need-to-know basis; and
we continuously monitor and enhance our controls in line with industry standards and regulatory expectations.

Our data-protection practices are integrated with our broader governance, risk and compliance framework, including controls aligned with MiCA and DORA, particularly in relation to ICT security, incident management, and operational resilience.

This website is not intended for individuals under the age of 18 years old and we do not knowingly collect data relating to such individuals. Our Services are also not intended for individuals under the age of 18. We do not knowingly collect or process personal data from children and will delete any such data if we become aware of it. If you believe a child has provided us with personal information, please contact us immediately.

4. Data privacy contact

We have appointed a data privacy manager who is responsible for overseeing questions in relation to this Policy. If you have any questions about this Privacy Policy or how we process your personal data, you may contact us at:

Detail	Information
Full name of legal entity	Bequant Pro Limited
Email	legal@bequant.io
Postal address	The Core, Valley Road, Msida, MSD9021, Malta

5. Your duty to inform us of changes

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

6. Third-party links

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

7. The data we collect about you, and why

7.1. Categories of data

We collect and process the following categories of personal data, only where strictly necessary for our business and regulatory purposes:

Identity and formal identification data: Name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
Formal Identification Information: Government issued identity document such as Passport, Driver's License, National Identity Card, State ID Card, Tax ID number, passport number, driver's license details, national identity card details, visa information, and/or any other information deemed necessary to comply with our legal obligations under financial or anti-money laundering laws.
Institutional and beneficial-ownership information: Entity name, legal-form documentation (certificate of incorporation, articles of association), and information on material beneficial owners and senior management, where applicable.
Contact information: Billing address, delivery address, email address and telephone numbers.
Financial and transaction data: Bank account details, virtual-asset wallet addresses, payment card primary account number, trading and order-book data, transaction history, fees, charges, and information required for execution, clearing, and settlement of trades.
KYC/AML and sanctions-related data: Source-of-funds and source-of-wealth information, employment or business-activity details, and data required to conduct AML/KYC and sanctions-screening checks.
Technical and device data: IP address, device identifiers, browser and operating-system information, login credentials, cookies, and other technical data when you use our Services.
Usage and profiling data: Details of your interactions with our website and platforms (pages viewed, features used, session duration, click-stream data), and any inferred preferences for risk-profile, product suitability, and service-level monitoring.
Marketing and communications preferences: Whether you have consented to receive marketing communications, and your preferred channels (email, in-app messages, etc.).

7.2. Legal basis and purposes

We rely on one or more of the following lawful bases under the GDPR:

Performance of a contract (Art. 6(1)(b) GDPR)
Legal or regulatory obligation (Art. 6(1)(c) GDPR), including MiCA, AMLD/AMLR, and sanctions-related obligations
Legitimate interests (Art. 6(1)(f) GDPR), where your rights do not override those interests
Explicit consent (Art. 6(1)(a) GDPR), where required

Purpose	Categories of data used	Lawful basis	Notes
On-boarding and identity verification (KYC/AML)	Identity, formal ID, institutional, beneficial-ownership, financial, KYC/AML	(a) Performance of a contract (b) Legal obligation	Required to comply with MiCA-aligned AML/KYC obligations and to prevent fraud, money laundering and sanctions-evasion.
Provision of trading and custody services	Identity, contact, financial, transactional, technical, usage	(a) Performance of a contract (b) Legitimate interests (to recover debts due to us)	To enable you to trade, deposit, withdraw and hold crypto-assets via our platform.
Execution and settlement of orders and transactions	Identity, contact, financial, transactional, KYC, technical	Art. 6(1)(b) and (c)	(a) Performance of a contract (b) Legal and regulatory obligations (c) Legitimate interests (to keep our records updated)
AML, sanctions and transaction monitoring	Identity, financial, transactional, KYC/AML, technical, usage	Legal obligation	Ongoing monitoring for suspicious activity, sanctions-list matching, Travel-Rule-type obligations, and reporting to competent authorities.
IT security, incident detection and response	Technical, identity, contact, some transactional data	Legal obligation	Network-security monitoring, authentication, intrusion detection and response to suspected breaches.
Compliance and record-keeping (incl. MiCA, AMLR, tax)	Identity, contact, financial, transactional, KYC/AML	Legal obligation	To meet MiCA-related record-keeping and reporting obligations, AML-record-retention (5-year baseline under AMLR), and tax/accounting requirements.
Customer-relationship and service-management	Identity, contact, financial, transactional, profile, usage	Legal obligation	To manage your account, resolve disputes, and handle support requests.
Research, development and product personalisation	Technical, usage, profile, some identity/contact	Legitimate interests	To improve our platform and user experience, measure product usage and detect anomalies.
Marketing and promotional communications	Identity, contact, technical, profile, marketing preferences	Consent	Where you have consented to receive marketing, e.g., newsletters, product updates.
To comply with court orders and defend legal rights	Identity, contact, technical, profile	Legal obligation	Required to comply with applicable legal obligations and to prevent fraud, money laundering and sanctions-evasion.

7.3. Marketing and Opting out

We may use your Identity, Contact, Technical, Usage and Profile Data to assess and determine which products, services and offers may be relevant or of interest to you. This activity constitutes direct marketing.

You will receive marketing communications from us where:

you have requested information from us or purchased products or services from us; and
you have not opted out of receiving such communications,

in each case, in accordance with applicable data protection and electronic communications laws.

You may opt out of receiving marketing communications at any time by:

using the “unsubscribe” link included in any marketing communication; or
contacting us using the contact details set out in this Privacy Policy.

Please note that opting out of marketing communications will not affect the processing of your personal data where such processing is necessary for the performance of a contract, compliance with legal obligations, or in connection with your use of our Services (including transactional or Service-related communications).

7.4. Change of Purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

7.5. Sensitive Data

We do not knowingly seek to collect sensitive personal data (e.g., racial or ethnic origin, political opinions, religious beliefs, health data, biometric data for identification purposes, sexual orientation) unless absolutely required by law.

If identification documents contain biometric data (e-passports, etc.), that is processed solely for KYC/AML compliance, subject to strict technical and organizational safeguards and in line with MiCA-aligned GDPR standards.

8. If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel a Service you have with us but we will notify you if this is the case at the time.

9. How we collect your data

We collect information from and about you in the following ways:

Directly from you: When you register an account; when you submit KYC/AML documentation; when you open or close a wallet, place trades or initiate transfers; and when you contact us via email, in-platform support, or phone.
Automatically from your devices and activity: When you visit our website or use our platforms (through cookies, log files and other tracking technologies); through application logs and session data, including IP addresses and device identifiers.
From third parties: Identity-verification and AML-screening providers; regulators and supervisory authorities, courts and law-enforcement bodies; and credit and fraud-risk agencies and payment or settlement-service providers.

We will, at all times, limit data collection to what is necessary for the purposes above and in line with MiCA-principles of data minimization and privacy-by-design. To serve you better, we may combine information you give us through various channels.

10. How long we keep your data

We only retain your data for as long as necessary for the purposes above and in line with MiCA, AMLR, tax and accounting requirements. Typical retention periods include:

AML/KYC and transaction records: 5 years after the business relationship ends or the last relevant transaction, in line with the AML-regulation-based 5-year retention rule, unless national law or another Union act requires a longer period. After this, we will delete or anonymise data;
Account and trading activity (operational): Until the account is closed and, thereafter, for the AMLR-aligned period and any separate tax/legal obligations;
Consent and marketing-related logs: At least 5 years after the last consent-related action, unless required to be retained for longer by law or contractual obligations;
Anonymised or aggregated data (e.g., statistical usage): We may retain data in anonymized form indefinitely for research, analytics and product-improvement purposes, provided it is not reversible to your identity.

Data is reviewed regularly and deleted where no longer needed. If you request deletion, we will comply unless retention is required by MiCA, AMLR, tax or other legal obligations.

11. How we protect your data

We implement technical and organizational measures designed to protect your personal data against unauthorized access, loss, destruction, alteration, disclosure or misuse. These include, without limitation:

Secure authentication and access-control mechanisms;
Encryption of data at rest and in transit;
Regular security testing and patching;
Segregation of duties and strict access-logging for personnel and third-party processors (if applicable); and
Monitoring and incident-response procedures aligned with MiCA-related ICT-resilience and DORA-style expectations.

Access to personal data is restricted to those employees, agents, contractors and other third parties who have a legitimate business need to know. Such persons will process personal data only on our documented instructions and are subject to appropriate confidentiality obligations.

We maintain and regularly review procedures for the identification, assessment and management of personal data breaches. In the event of a personal data breach, we will notify the relevant supervisory authority and, where required by applicable law, affected individuals, without undue delay and in accordance with our legal and regulatory obligations.

12. Disclosure of your personal data

We may disclose your personal data to third parties in the following circumstances:

to law enforcement agencies or other competent authorities, where we reasonably consider such disclosure necessary for the prevention, detection or investigation of crime;
where we are subject to a legal, regulatory or professional obligation to disclose such data, including for the purposes of complying with applicable anti-money laundering, counter-terrorist financing and sanctions requirements;
to our affiliated and group entities, for the purposes of administering your account, processing transactions, and providing trading, brokerage or related services;
to third-party service providers, contractors and professional advisers, to the extent reasonably necessary for the provision of our Services;
to our auditors for the purposes of financial, regulatory and compliance audits;
to our agents and third-party verification providers (including credit reference agencies), acting on our behalf to carry out identity verification, credit checks, fraud prevention, anti-money laundering screening and regulatory reporting;
to courts, tribunals, regulatory authorities, law enforcement bodies or other relevant parties, where disclosure is reasonably necessary for the establishment, exercise or defense of legal claims;
where you have provided your consent to such disclosure, or where consent has been obtained by an entity acting on your behalf, where required;
in connection with any actual or proposed sale, transfer, merger or restructuring of all or part of our business or assets;
with group entities for shared compliance, security and operational support functions; and
for the purposes of complying with applicable sanctions regimes and related obligations.

We require all third parties to respect the security and confidentiality of your personal data and to process such data in accordance with applicable data protection laws and this Policy. Where third parties act as data processors on our behalf, they are subject to contractual obligations to process personal data only in accordance with our documented instructions and to implement appropriate technical and organizational safeguards.

We retain control over, and remain responsible for, your personal data and will implement appropriate safeguards, as required by applicable law, to ensure its integrity and security when engaging third-party service providers.

Save as set out above, we will only disclose your personal data where you have directed or authorized us to do so, where required by applicable law or regulation, or where necessary for the purposes of investigating actual or suspected fraudulent or criminal activities.

13. International transfers and data-protection safeguards

We may transfer your personal data between Bequant entities and to third-party service providers located outside the European Economic Area (EEA) and the UK. Where we do so, we ensure an adequate level of protection by one or more of the following mechanisms:

Transfers to countries deemed “adequate” by the European Commission or the UK government;
EU Standard Contractual Clauses (SCCs);
UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs; or
other appropriate safeguards recognized under GDPR and UK-data-protection law.

We will retain responsibility for your personal data and impose contractual obligations on third-party processors to uphold data-protection and information-security standards at least equivalent to those under MiCA, DORA and GDPR.

14. Cookies and similar technologies

Our website and Services use cookies and similar technologies to:

Enable core functionality (login, session management);
Analyze how you use our website and improve our Services; and
Personalize your experience and, where applicable, deliver marketing content.

We distinguish between:

Strictly necessary cookies: Required for the website and Services to operate; set without consent.
Performance and analytics cookies: Used to monitor usage and performance; based on consent where required by ePrivacy/UK-PECR.
Targeting and advertising cookies: Used to build audience profiles or deliver personalized advertising; set only where you have provided explicit consent.

You may manage your cookie preferences through our cookie banner or via your browser settings. For more details, please refer to the Cookies Policy.

15. Your individual rights under data-protection law

You have the following rights in relation to your personal data, subject to certain conditions and lawful derogations under GDPR:

Right to be informed: To receive clear and transparent information about how we process your data;
Right of access: To request a copy of your personal data that we hold;
Right to rectification: To request correction of inaccurate or incomplete data;
Right to erasure (“right to be forgotten”): To request deletion where there is no compelling reason for us to retain your data, subject to MiCA, AMLR, tax and other legal obligations;
Right to restriction of processing: To request that we restrict processing, for example where the accuracy of the data is contested;
Right to object: To object to processing based on legitimate interests, including profiling, and to object to direct marketing at any time;
Right to data portability: To obtain your data in a structured, commonly used and machine-readable format where the processing is based on your consent or on a contract;
Right to withdraw consent: To withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal.

If you wish to exercise any of these rights, please contact us using the details in Section 4. We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

You will not, in general, have to pay a fee to exercise any of your individual rights set out in this Policy. However, should you wish to exercise any of your individual rights, we may not be able to provide services to you and may charge a fee for access to your personal data if the relevant data protection legislation allows us to do so, in which case we will provide reasons for our decision as required by the law.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

If any of the personal data you have provided to us changes, for example if you changed your email address, or if you become aware that we have any inaccurate personal data about you, please let us know by sending an email to legal@bequant.io. We will not be responsible for any losses arising from incomplete, inaccurate, inauthentic or deficient personal data that you have provided to us.

16. Changes to the Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal and regulatory obligations (including MiCA-related developments).

Any material changes will be published on our website and will take effect as soon as they are posted. We strongly encourage you to review this Policy periodically.

17. Supervisory authorities

If you have a concern about how we process your personal data, we will seek to resolve it informally. If you remain dissatisfied, you may lodge a complaint with the relevant supervisory authority.

From the EU: The competent data-protection authority in your jurisdiction.
From the UK: The Information Commissioner's Office (ICO) at https://ico.org.uk.