This Privacy Policy applies to Bequant Pro Limited (Malta), acting as data controller under the General Data Protection Regulation (EU) 2016/679 (“GDPR”), and to Bequant Prime Limited (Seychelles). It sets out how we collect, use, store, and protect personal data in connection with the services we provide. For all data protection enquiries, please contact: compliance@bequant.io.
1. Who We Are
1.1 Bequant Pro Limited. A private limited liability company incorporated under the laws of Malta, with Company Registration Number C 88065. Registered and principal place of business: The Core, Valley Road, Msida, MSD 9021, Malta. Bequant Pro Limited is the data controller for personal data processed in connection with services provided under its VFA Licence (Licence No. VFA/06) and, upon authorisation, under MiCA.
1.2 Bequant Prime Limited. A company incorporated under the laws of the Republic of Seychelles, with Company Registration Number 218593. Registered address: Suite 3, Global Village, Mahé, Republic of Seychelles. Bequant Prime Limited processes personal data in connection with services provided under the Seychelles VASP Act 2024. Where GDPR applies to such processing (for example, in respect of EU data subjects), Bequant Pro Limited acts as the responsible data controller.
1.3 References in this Policy to “Bequant”, “we”, “us”, or “our” refer to Bequant Pro Limited and, where relevant to the specific processing activity, Bequant Prime Limited.
2. Data We Collect
| Category | Examples | Why we collect it |
|---|---|---|
| Identity Data | Name, date of birth, nationality, passport number, national ID number | KYC onboarding; AML/CFT compliance; regulatory identity verification |
| Contact Data | Email address, telephone number, postal address | Communications; service delivery; compliance notifications |
| Financial Data | Bank account details, transaction history, source of funds, source of wealth declarations | AML/KYC compliance; transaction processing; regulatory reporting |
| KYC / AML Data | Verification documents, UBO declarations, PEP screening results, sanctions screening results, enhanced due diligence records | Regulatory compliance under PMLA, VFAA, MiCA, VASP Act |
| Technical Data | IP address, device identifier, browser type, operating system, login timestamps, API access logs | Security; fraud detection and prevention; service integrity |
| Usage Data | Website browsing behaviour, session data, service usage patterns, feature interaction data | Service improvement; performance analytics; user experience optimisation |
3. How We Use Your Data
3.1 To provide the services set out in the applicable Terms of Business and any associated Schedule, including OTC execution, custody, prime brokerage, and ClearLoop settlement.
3.2 To comply with applicable AML/CFT legislation, including the Prevention of Money Laundering Act (PMLA), the Virtual Financial Assets Act (VFAA), Regulation (EU) 2023/1114 (MiCA), and the Virtual Asset Service Providers Act 2024 (Seychelles), including verification of client identity, monitoring of transactions, and reporting of suspicious activity.
3.3 To screen clients and transactions against applicable international and domestic sanctions lists, including OFAC, EU, UN, and HM Treasury consolidated lists, and to take required action in the event of a match or potential match.
3.4 To detect, prevent, and investigate fraud, unauthorised access, and other security incidents affecting our systems or the assets or data of our clients.
3.5 To carry out internal analytics, service performance monitoring, and product improvement activities, using technical and usage data in aggregated or pseudonymised form where possible.
3.6 To send marketing communications, service updates, and regulatory notices where the Client has provided consent or where we have a legitimate interest in doing so, subject to the Client's right to object or withdraw consent at any time.
4. Legal Bases for Processing
| Legal Basis | Categories of Data Processed |
|---|---|
| Performance of contract (Article 6(1)(b) GDPR) | Identity Data; Contact Data; Financial Data — processing necessary to provide the services under the Terms of Business |
| Legal obligation (Article 6(1)(c) GDPR) | KYC / AML Data; Financial Data — processing required by PMLA, VFAA, MiCA, VASP Act, and applicable AML/CFT legislation |
| Legitimate interests (Article 6(1)(f) GDPR) | Technical Data; Usage Data — fraud prevention, security monitoring, service improvement |
| Consent (Article 6(1)(a) GDPR) | Contact Data; Usage Data — marketing communications and non-essential analytics cookies, where applicable |
5. Who We Share Your Data With
5.1 Competent Authorities. We are required by law to share personal data with relevant competent authorities, including the Malta Financial Services Authority (“MFSA”), the Financial Intelligence Analysis Unit (“FIAU”), the Financial Services Authority of the Seychelles (“FSA”), and law enforcement agencies, when legally required to do so. Such disclosures are made without prior notice to the data subject where required by law.
5.2 Sub-Custodians and Banking Partners. Where necessary for service delivery, personal data may be shared with regulated sub-custodians and banking partners engaged by Bequant. All such third parties are subject to contractual confidentiality obligations and, where applicable, data processing agreements.
5.3 Professional Advisers. Personal data may be shared with external lawyers, auditors, compliance consultants, and other professional advisers where required for the provision of services to Bequant. All professional advisers are bound by applicable duties of confidentiality.
5.4 IT Service Providers. We use a limited number of IT service providers — including cloud infrastructure, data storage, and security monitoring providers — who may process personal data on our behalf. All such providers are engaged under data processing agreements that comply with GDPR requirements.
5.5 We do not sell personal data to third parties and do not share personal data with third parties for their own marketing purposes.
6. International Transfers
6.1 Personal data may be transferred to and processed in countries outside the European Economic Area (“EEA”), including the Republic of Seychelles, in connection with the provision of services by Bequant Prime Limited or the use of third-party IT service providers.
6.2 Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR. Such safeguards include Standard Contractual Clauses (“SCCs”) approved by the European Commission, or equivalent protection mechanisms. Details of the relevant safeguards are available on request from compliance@bequant.io.
7. Data Retention
| Category | Retention Period | Basis |
|---|---|---|
| KYC / AML Records | 5 years from the end of the business relationship | Required by PMLA (Malta), MiCA Article 83, and VASP Act 2024 (Seychelles) |
| Transaction Records | 5 years from the date of the transaction | MiCA Article 83; MFSA record-keeping rules |
| Complaints Records | 5 years from the date of resolution | CDR (EU) 2025/294; MFSA complaints rules |
| Marketing Data | Until consent is withdrawn or objection is received | Consent basis (Article 6(1)(a) GDPR) |
7.1 Where data is retained beyond the minimum period required by law, it is retained only to the extent necessary for the purposes for which it was collected and in accordance with applicable data minimisation principles. Data held beyond the required period is securely deleted or anonymised.
8. Your GDPR Rights
Where GDPR applies, data subjects have the following rights in relation to their personal data. Requests should be submitted to compliance@bequant.io. We will respond within one month of receipt of a valid request, subject to any applicable exemptions.
8.1 Right of Access (Article 15). You have the right to request a copy of the personal data we hold about you and information about how it is processed.
8.2 Right to Rectification (Article 16). You have the right to request correction of inaccurate or incomplete personal data we hold about you.
8.3 Right to Erasure (Article 17). You have the right to request deletion of your personal data in certain circumstances. This right is subject to our legal obligations to retain data under applicable AML/CFT and financial services legislation, which may override an erasure request.
8.4 Right to Restriction of Processing (Article 18). You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while the accuracy of the data is contested or where you have objected to processing.
8.5 Right to Data Portability (Article 20). Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to request its transfer to another controller.
8.6 Right to Object (Article 21). You have the right to object to the processing of your personal data on grounds of legitimate interests, including profiling. You also have the right to object to processing for direct marketing purposes at any time.
8.7 Right to Lodge a Complaint. You have the right to lodge a complaint with the Information and Data Protection Commissioner (“IDPC”) of Malta (website: www.idpc.org.mt) or with any other competent supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.
9. Cookies
9.1 This Privacy Policy should be read together with our Cookie Policy, which sets out details of the cookies used on Bequant websites, the purposes for which they are used, and how you can manage your cookie preferences. The Cookie Policy is available at bequant.pro/legal/cookie-policy.
10. Changes to This Policy
10.1 We may update this Privacy Policy from time to time to reflect changes in applicable law, regulatory requirements, or our data processing practices. Where changes are material, we will notify affected clients in advance of the changes taking effect. The current version of this Policy is always published on our website.
11. Contact
| Purpose | Contact |
|---|---|
| Data protection enquiries | compliance@bequant.io |
| Registered office (Malta) | The Core, Valley Road, Msida, MSD 9021, Malta |
| Registered office (Seychelles) | Suite 3, Global Village, Mahé, Republic of Seychelles |
© 2026 Bequant Pro Limited & Bequant Prime Limited. This Privacy Policy is prepared in accordance with GDPR (EU) 2016/679. GDPR compliant. Version BQ-PP-2026-01.