Privacy Policy

TFI Markets Ltd (the ‘Company’) is a licensed Electronic Money Institution regulated by the Central Bank of Cyprus (License No. and licensed Investment Firm, regulated by the Cyprus Securities and Exchange Commission (License No. 117/10).

TFI Markets Ltd (the ‘Company’) is a licensed Electronic Money Institution, regulated by the Central Bank of Cyprus (License No. and licensed Investment Firm, regulated by the Cyprus Securities and Exchange Commission (License No. 117/10).

TFI Markets pays particular attention to handling personal data, thus creating this Privacy Policy (the ‘Policy’). TFI Markets is subject to the provisions of the General Data Protection Regulation (EU) 2016/679 (‘GDPR’) and any other relevant law or regulation. The Company acts as a controller of personal data under GDPR, which means that it determines alone or jointly with others, the purposes and means of processing of personal data.

This Privacy Policy concerns natural persons who are currently or potentially customers of the Company, or who are natural persons who act on behalf of legal entities or are directors or shareholders or beneficial owners of legal entities who are currently or potentially Clients of the Company. The Policy also concerns natural persons who had such business relationship with the Company in the past.

Collection of personal data

In order to apply for an account with TFI Markets, the following personal data might be required from natural persons:

    1. Personal information: Full Name, date and place of birth, nationality, residence address, passport/ID number, FATCA/CRS information (tax residency, tax identification number), contact details (email, telephone, mobile phone, fax), bank account details, employment details (Name of employer and position), information on politically exposed persons (whether the persons holds or held a prominent public function)
    2. Financial Information: Income, Size of Wealth, Source of Funds
    3. Documents: ID/Passport and utility bills or bank statements, CV or other relevant experience information

Data may also be collected from other public and non-public sources such as the Registrar of Companies or third party databases used for mitigation of risk, such as World-Check.

The Company does not process personal data in relation to persons who are under the age of eighteen (18), unless there is a legal requirement, only after approval from the legal guardian.

The Company takes a number of measures to keep personal data safe and secure. Some of these include:

    1. data encryption and digital signatures to ensure the protection and integrity of data; firewalls, intrusion detection systems, 24/7 physical protection of facilities where the data is stored; background checks for personnel that access physical facilities; and strong security procedures across all service operations.
    2. The Company encrypts the transmission and storage of personal data using the highest standards of security technologies and procedures.

Legal basis for the collection and processing of personal data

Personal data is processed based on the following:

    1. For the fulfilment of contractual obligations: For the execution of transactions either under a E-Money Services contract or Investment Services contract. In order to be able to provide services to clients, the Company is required to collect information about the client’s identity and financial information.
    2. For compliance with legal obligations: Processing of personal data is necessary for compliance of legal obligations arising from various laws such as the European Markets in Financial Instruments Directive (‘MiFID II’) and the relevant Investment Services and Activities and Regulated Markets Law of the Republic of Cyprus, European and Cyprus Laws, Directives and Regulations for the Prevention of Money Laundering and Terrorist Financing, the Common Reporting Standard (‘CRS’), the European Market Infrastructure Regulation (‘EMIR’), the Foreign Account Tax Compliance (‘FATCA’), the E-Money Services law and Directive. In order to comply with these laws, the Company is required to follow identity verification procedures and anti-money laundering controls, retain data for certain periods of time and disclose data to supervisory, regulatory and other public authorities.
    3. For other legitimate reasons, such as for developing and improving the Company’s products and services and for defending the Company in litigation procedures.
    4. Personal data might also be processed in order to send informational or marketing material to natural persons who are currently or potentially Clients, after giving their explicit consent.

Clients are obliged to provide us with their personal data and update them where required, in order for the Company to be able to begin or maintain a business relationship. Failure to provide such information will prevent the Company to comply with its legal obligations and thus may result to the rejection of an application for an account or the closure of an existing account.

Recipients or categories of recipients of personal data

During the course of business and in order to fulfil the Company’s contractual and legal obligations, personal data may be disclosed to:

    1. The Company’s Auditors, Lawyers, Bankers, Consultants, subject to confidentiality agreements
    2. Supervisory, regulatory and other public authorities, upon request or where required.
    3. Third party processors such as companies offering technological solutions and support, file storage and records management companies.

All data processors appointed by us to process personal data on our behalf are bound by contract or other Confidentiality or Non-Disclosure Agreement to comply with the GDPR provisions.

International transfer of personal data

Personal data may be transferred to third countries (countries outside the European Economic Area) to recipients mentioned in the above paragraph, for the purposes described in this Privacy Policy. Although Personal data may be transferred to countries that may have different laws and data protection requirements, processors in those countries are obliged to comply with the European data protection standards when processing personal data of European citizens.

Period for which personal data are stored

Personal data are kept for the duration of the business relationship and for further five (5) years after the termination of the business relationship, unless otherwise instructed by a competent authority. Data may be kept longer where legal proceedings or investigations by public authorities are pending.

Client rights

Clients have the following rights with respect to their personal data the Company controls and processes:

    1. The right to request and get copies of, their personal data
    2. The right to request the correction of inaccurate personal data
    3. The right to request erasure of their personal data, where the Company’s other legal and/or regulatory obligations allow it
    4. The right of their data portability to another data controller
    5. The right to object to the processing of their personal data. In such case, the Company shall no longer process the specific personal data, unless it demonstrates on compelling legitimate grounds for the processing. Clients can also object at any time to processing of their personal data for direct marketing purposes.
    6. The right to request restriction of processing of their personal data where one of the following applies
        1. the accuracy of their personal data is contested, for a period of time, until the Company verifies their accuracy
        2. the processing is unlawful and the client opposes the erasure of their personal data and requests restriction of their use instead
        3. the Company no longer needs their personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims
        4. the data subject has objected to processing and is expecting verification from the Company whether legitimate grounds of the controller override those of the data subject

Automated decision making and profiling

The Company is not using automated decision making and profiling to take the decision to establish a business relationship with a potential client. The Company may process some of the current Clients’ personal data automatically during data analysis for the purpose of fraud and money laundering detection which is part of the Company’s legal obligations. This automated processing protects the interests of the Company’s Clients as well.

Changes to the privacy policy

The Company may amend the Privacy Policy at any time. Clients will be notified of material changes however they are advised to check the Privacy Policy regularly so as to stay informed about the processing and protecting of personal data. The Privacy Policy is available on the Company’s Website for the review of clients or prospective clients.


A cookie is a small piece of information stored on computers or mobile devices by websites visited. To find out how the Company uses cookies, please check our Cookie Policy.

Contact Details

Our Data Protection Officer can answer questions and provide information on how the Company uses personal information. The contact details of the DPO are: 178 Athalassas Avenue, ‘Irene Tower’ 2nd Floor, 2025 Nicosia, Cyprus, email: