Privacy Policy

Last updated: April 10, 2026

Your trust is our priority. We are committed to protecting your personal and financial data while maintaining full compliance with Islamic finance principles.

  • GDPR Compliant: European data protection
  • CCPA Ready: California privacy rights
  • Sharia-Compliant: Islamic finance principles
  • 256-bit SSL: Bank-level encryption

Data Privacy & Protection Policy

Your trust is our most valuable asset. Read how we protect your information in compliance with Islamic finance principles.

1. Introduction

At AutoNom Trading ("we," "our," or "us"), we are committed to protecting your privacy and handling your personal data with transparency. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our EA/AI trading services, website, and related platforms.

As a Sharia-compliant forex trading service operating since 2006, we adhere to Islamic finance principles including the prohibition of riba (interest), gharar (excessive uncertainty), and maisir (gambling). Our data protection practices reflect these ethical commitments.

We comply with international data protection regulations including GDPR (Europe), CCPA/CPRA (California), PIPEDA (Canada), and LGPD (Brazil), as well as financial regulations specific to Islamic forex trading.

2. Regulatory Compliance Framework

As a Sharia-compliant forex trading service provider, we comply with multiple international privacy and financial regulations. Below are the key frameworks we adhere to:

  • GDPR (EU): General Data Protection Regulation - rights to access, rectify, erase, and port data; mandatory breach notification within 72 hours.
  • CCPA/CPRA (California): California Consumer Privacy Act - right to know, delete, opt out of data sales, and limit sensitive data use.
  • PIPEDA (Canada): Personal Information Protection and Electronic Documents Act - consent-based data collection with accountability.
  • LGPD (Brazil): Lei Geral de Proteção de Dados - similar to GDPR, with specific requirements for financial data processing.
  • DIFC Law No. 5 (Dubai): Dubai International Financial Centre Data Protection Law - for our Middle East operations.
  • Data Protection Act (Kenya): Kenyan data protection framework for our African clients.

Islamic Forex-Specific Compliance: As a Sharia-compliant trading service, we also adhere to:

  • AAOIFI (Accounting and Auditing Organization for Islamic Financial Institutions): Sharia standards for Islamic financial transactions
  • IFSB (Islamic Financial Services Board): Prudential standards for Islamic financial institutions
  • MiFID II (Markets in Financial Instruments Directive): Transaction reporting and client asset protection
  • EMIR (European Market Infrastructure Regulation): Trade reporting requirements
  • FATCA (Foreign Account Tax Compliance Act): US account holder reporting
  • CRS (Common Reporting Standard): Automatic exchange of financial account information
  • AML/KYC (Anti-Money Laundering/Know Your Customer): Identity verification requirements

3. Information We Collect

To provide our Sharia-compliant EA/AI trading services, we collect the following categories of information:

3.1 Personal Identification Information

  • Identity Data: Full name, date of birth, nationality, government ID (passport, national ID, driver's license)
  • Contact Data: Email address, phone number, residential address
  • Financial Data: Bank account details, trading account numbers, source of funds documentation
  • Trading Data: MT5 login credentials (AES-256 encrypted), trading history, position sizes, risk parameters
  • Verification Data: Proof of address (utility bills), proof of income, tax identification numbers
  • Islamic Compliance Data: Confirmation of swap-free account status, Sharia compliance acknowledgment

3.2 Technical & Usage Data

  • Device Information: IP address, browser type, operating system, device identifiers
  • Usage Patterns: Pages visited, time spent, features used, trading patterns
  • Performance Data: EA/AI execution logs, strategy performance metrics, system health checks
  • Communication Data: Support tickets, email correspondence, chat transcripts

3.3 Sensitive Data (with explicit consent)

  • Biometric Data: Voice recordings for customer service verification (optional)
  • Political Exposure: PEP (Politically Exposed Person) status for AML compliance
  • Criminal History: For regulatory background checks where required by law

4. How We Use Your Information

We process your personal data for the following legitimate business purposes, all in compliance with Islamic finance principles:

  • Service Delivery: Execute trades, manage accounts, and provide EA/AI automation
  • Fraud Prevention: Monitor suspicious activities and prevent unauthorized access
  • Strategy Optimization: Analyze trading patterns to improve AI performance
  • Regulatory Compliance: Meet AML/KYC, MiFID II, and tax reporting obligations
  • Sharia Compliance: Ensure all trades meet Islamic finance principles

Legal Basis for Processing (GDPR Article 6):

  • Contract Performance: To execute your trades and manage your account
  • Legal Obligation: For AML/KYC, tax reporting, and regulatory compliance
  • Legitimate Interests: To improve our services and prevent fraud
  • Consent: For marketing communications and optional data collection

5. Data Protection & Security Measures

We implement enterprise-grade security measures to protect your data, consistent with our ethical obligations under Islamic finance:

5.1 Encryption Standards

  • In-Transit Encryption: TLS 1.3 with 256-bit SSL certificates for all data transmissions
  • At-Rest Encryption: AES-256 encryption for stored data, including trading credentials
  • End-to-End Encryption: For sensitive communications and API integrations

5.2 Infrastructure Security

  • ISO 27001 Certified: Information security management systems
  • SOC 2 Type II: Regular audits of security controls
  • 24/7 Monitoring: Real-time threat detection and intrusion prevention
  • Multi-Factor Authentication: Required for all staff and optional for clients
  • Regular Penetration Testing: Quarterly security assessments by third-party firms

5.3 Access Controls

  • Role-Based Access: Least-privilege principle for data access
  • Zero-Trust Architecture: Verify every access request
  • Audit Logs: Complete trail of who accessed what data and when
  • Session Management: Automatic timeout after 15 minutes of inactivity

6. Data Sharing & Third Parties

We never sell your personal information. We share data only with necessary service providers under strict confidentiality agreements:

6.1 Islamic Forex Broker Partners

  • AvaTrade Kenya & Other Brokers: Trading execution, account verification, swap-free/Islamic account compliance
  • Liquidity Providers: Price feeds and trade execution (anonymized data only)
  • Introducing Brokers: Commission tracking and referral attribution (with consent)
  • Sharia Supervisory Board: Anonymized compliance data for Islamic finance certification

6.2 Regulatory & Legal Disclosures

  • CySEC, FCA, CMA, CBUAE: Regulatory reporting and audits
  • Tax Authorities: KRA (Kenya), IRS (US), HMRC (UK), other tax bodies
  • Law Enforcement: Valid court orders, subpoenas, or warrants
  • AML Authorities: Suspicious transaction reports (STRs) as required by law

6.3 Service Providers

  • Cloud Infrastructure: AWS (Frankfurt & Dublin regions) - GDPR compliant
  • Payment Processors: Encrypted transaction processing (no data storage)
  • Customer Support: Zendesk (data processing agreement in place)
  • Analytics: Privacy-focused analytics (no cross-site tracking)

Important Note for Islamic Forex Clients: Your trading data may be shared with regulatory bodies for market surveillance and AML compliance. All data sharing is conducted under strict Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) for international transfers. Your swap-free account status is verified with your broker to ensure Sharia compliance.

7. Your Privacy Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

πŸ‘οΈ
Right to Access
Request a copy of all data we hold about you (free within 30 days)
✏️
Right to Rectification
Correct inaccurate or incomplete data
πŸ—‘οΈ
Right to Erasure
Request deletion of your data (subject to legal retention)
β›”
Right to Restrict
Limit how we use your data
πŸ“¦
Data Portability
Receive your data in machine-readable format
🚫
Right to Object
Opt-out of marketing and automated decisions

How to Exercise Your Rights

Submit a request via email to privacy@autonom.com with "Data Subject Request" in the subject line. We will verify your identity and respond within 30 days (GDPR) or 45 days (CCPA). All requests are free of charge.

8. Cookies & Tracking Technologies

We use cookies and similar technologies to enhance your experience. You can control cookies through your browser settings.

Do Not Track (DNT): Our systems respect browser DNT signals. We do not engage in cross-site tracking or behavioral advertising.

9. Data Retention Policy

We retain your personal data only as long as necessary for legitimate business purposes and legal compliance:

  • Active Accounts: Data retained for the duration of your trading relationship + 30 days
  • Inactive Accounts: 5 years from last login (GDPR requirement for financial services)
  • Trading Records: 7 years (MiFID II and tax authority requirements)
  • KYC/AML Documents: 7 years after account closure (regulatory requirement)
  • Islamic Compliance Records: 7 years (Sharia audit requirements)
  • Communication Logs: 2 years (customer support and compliance)
  • System Logs: 90 days (security and debugging)

After retention periods expire, data is securely deleted using DoD 5220.22-M standards (7-pass overwrite for HDDs, cryptographic erasure for SSDs).

10. International Data Transfers

Your data may be transferred to and processed in countries outside your residence. We ensure appropriate safeguards:

  • EU/EEA Clients: Data stored in AWS Frankfurt (Germany) - GDPR compliant
  • UK Clients: Data stored in AWS London - UK GDPR compliant
  • US Clients: Data stored in AWS N. Virginia - EU-US Data Privacy Framework certified
  • MENA Clients: Data stored in AWS Bahrain - Regional compliance
  • African Clients: Data stored in AWS Cape Town - Local data sovereignty
  • International Transfers: Standard Contractual Clauses (SCCs) + UK Addendum
  • Third Countries: Binding Corporate Rules (BCRs) for intra-group transfers

For transfers to countries without adequacy decisions, we implement supplementary measures including encryption, pseudonymization, and contractual protections.

11. Data Breach Notification

In the event of a data breach affecting your personal information:

  • Notification Timeline: Within 72 hours (GDPR) or "without unreasonable delay" (CCPA)
  • Affected Parties: Direct notification via email and platform notification
  • Regulatory Reporting: Supervisory authority notification as required
  • Remediation: Immediate investigation and security improvements
  • Sharia Compliance: Notification to our Sharia Supervisory Board if breach affects Islamic compliance data

We maintain a dedicated Incident Response Team (IRT) and Data Breach Response Plan tested quarterly through tabletop exercises.

12. Changes to This Privacy Policy

We may update this policy periodically to reflect regulatory changes or new practices. Material changes will be notified via:

  • Email notification 30 days before effective date
  • Platform announcement banner
  • Updated "Last updated" date at the top of this policy
  • Sharia compliance update notification (if applicable)

Continued use of our services after changes constitutes acceptance of the updated policy. If you disagree with changes, you may close your account and request data deletion.

13. Contact Information

Data Protection Officer (DPO): privacy@autonom.com
Sharia Compliance Officer: sharia@autonom.com

Supervisory Authority (EU):
Data Protection Commission
info@dataprotection.ie

Response Time: Within 30 days (GDPR) or 45 days (CCPA)
Language: English, Arabic, Swahili support available
Sharia Compliance: Certified by independent Sharia scholars