Privacy Policy

Version 1.0 — Last updated: February 2026

1. Data Controller

TheBrickExchange Ltd ("TBEX", "we", "our") is the data controller for personal data processed through this platform. We are registered with the Information Commissioner's Office (ICO). Registration number: [To be added upon registration].

Contact: privacy@thebrickexchange.com

2. What Data We Collect

2.1 Account Data

Email address
Username
Password (stored as a hash, never in plain text)
Two-factor authentication secret (encrypted)

2.2 Identity Data (KYC)

Full legal name
Date of birth
Residential address
Identity verification results (via third-party provider)

2.3 Financial Data

UK bank account details (account name, sort code, account number)
Deposit and withdrawal history
Investment records and returns
Source of funds declarations

2.4 Technical Data

IP address (logged for security and audit purposes)
Browser user agent
Login timestamps
Platform activity (audit log)

3. How We Use Your Data

Purpose	Lawful Basis
Account creation and management	Contract
Identity verification (KYC/AML)	Legal obligation
Processing deposits and withdrawals	Contract
Investment allocation and returns	Contract
Fraud prevention and security	Legitimate interest
Regulatory compliance and audit	Legal obligation
Marketing communications	Consent

4. Data Sharing

We share your data only where necessary:

Identity verification providers — to verify your identity as required by law
Banking partners — to process deposits and withdrawals
Supabase (database hosting) — our infrastructure provider, hosted on AWS EU (eu-west-1)
Regulatory bodies — the FCA, HMRC, or law enforcement where required by law
Our AR principal firm — for regulatory oversight purposes

We never sell your personal data to third parties.

5. International Transfers

Our database is hosted on Supabase (AWS) in the EU (eu-west-1, Ireland). Where data is processed outside the UK, we ensure appropriate safeguards are in place including Standard Contractual Clauses or UK adequacy decisions.

6. Data Retention

Financial records — 7 years from the date of the transaction (regulatory requirement)
KYC/identity records — 5 years after the end of the business relationship (Money Laundering Regulations 2017)
Audit logs — 7 years (regulatory requirement)
Account data — retained while account is active, then as above
Marketing consent records — retained for the duration of consent plus 1 year

7. Your Rights

Under UK GDPR, you have the right to:

Access — request a copy of your personal data
Rectification — correct inaccurate data
Erasure — request deletion (subject to regulatory retention requirements)
Restriction — limit how we process your data
Portability — receive your data in a machine-readable format
Object — object to processing based on legitimate interest
Withdraw consent — where processing is based on consent

To exercise any of these rights, contact privacy@thebrickexchange.com. We will respond within 30 days.

8. Cookies

We use only essential cookies required for the platform to function (authentication session). We do not use tracking cookies or third-party analytics. You can manage your cookie preferences via the cookie consent banner.

9. Security

We protect your data using:

Row-level security policies on all database tables
Encrypted storage for sensitive data (2FA secrets, backup codes)
Two-factor authentication available for all accounts
Immutable audit logging of all platform actions
HTTPS encryption for all data in transit

10. Changes to This Policy

We will notify you of material changes via email. The version and date at the top of this page indicate the current version.

11. Complaints

If you are unhappy with how we handle your data, you can contact us at privacy@thebrickexchange.com. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

12. Contact

Data Protection queries:
TheBrickExchange Ltd
Email: privacy@thebrickexchange.com
[Registered address to be added]