Legend Financial Ireland Limited Privacy Notice


Last Updated: 27/01/2026

Introduction


This Privacy Policy explains how Legend Financial Ireland Limited (“Legend Trading”, “we”, “us”, or “our”) collects, uses, discloses, and protects your personal data when you use our cryptocurrency on-ramp and off-ramp services across Europe. We are committed to safeguarding your privacy and ensuring that we handle personal data in compliance with the EU General Data Protection Regulation (“GDPR”) and applicable data protection laws. Our services enable crypto-to-fiat and fiat-to-crypto transactions, and in providing these services we must collect certain information to meet legal and regulatory obligations (such as Know-Your-Customer and Anti-Money Laundering requirements). This Policy applies to clients and prospective clients of Legend, as well as visitors to our websites or users of our applications. By using our services, you acknowledge that you have read and understood this Privacy Policy. Please read it carefully to understand how we process your data and to learn about your rights.

Not for Children: Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal information, we will take steps to delete such information. If you are a parent or guardian and believe your child has provided personal data to us, please contact us so we can remove the data.

Who We Are and Data Controller


Legend Trading (registered in Ireland) is the data controller responsible for your personal data. As the data controller, we determine the purposes and means of processing your personal data. Legend Trading is a company authorised as a Virtual Asset Service Provider (VASP) in Ireland. Our registered address is Blanchardstown Corporate Park, Block 1, Ballycoolin Road, Dublin 15, D15 AKK1, Ireland. If you have any questions about this Policy or our data practices, please see the Contact Information section at the end of this document.

Personal Data We Collect


We collect personal data (information relating to an identified or identifiable natural person) from you and about you from various sources. This includes:

Information You Provide Directly

When you create an account or use our services, we will ask for details needed to establish your identity, comply with legal obligations, and facilitate transactions. This includes:

Identity and Contact Data

Your full name, date of birth, place of birth, nationality, residential address, email address, phone number, and other contact details. We also collect identification details such as your government-issued ID numbers (e.g. passport number or national ID number) and copies of identification documents (e.g. passport, driver’s license) for verification.

Biometric Data (when required)

As part of identity verification, you may be asked to provide a selfie photograph or live video. We use this to compare against your ID document and ensure it is truly you. The technologies we use may extract biometric identifiers (e.g. facial recognition data) to verify that your selfie matches your ID photo. We will only process biometric data where necessary for fraud prevention and identity verification, and in compliance with GDPR. If required by law or for certain jurisdictions, we will obtain your explicit consent before processing biometric data.

Financial and Transaction Data

Information about the bank account or payment method you use to send or receive fiat funds (such as your bank account number or IBAN, and bank name), crypto wallet addresses you provide for crypto transfers, your transaction history on our platform, and details about the trades or conversions you perform. We also collect information on your source of funds and the expected trading volume or transaction amount you anticipate using with our services. This expected volume and purpose-of-transaction information helps us understand the intended nature of your relationship with us and comply with customer due diligence obligations.

Compliance Data

As a regulated financial service, we gather data for Anti-Money Laundering (“AML”) and Countering the Financing of Terrorism (“CFT”) checks. This includes responses to compliance questionnaires (e.g. whether you are a Politically Exposed Person (“PEP”), the nature of your business or occupation, and the intended use of our platform), as well as any supporting documents you provide (such as proof of address, source of wealth documentation, or declarations regarding your financial status). We may also require you to complete know-your-customer (“KYC”) verification through our designated verification process.

Communications

Any correspondence you send to us or communications with our support team. For example, if you contact customer support via email, chat, or phone, we may keep records of those communications and any information you choose to provide during the interaction.

Information Collected Automatically

When you interact with our websites or online services, we automatically collect certain technical and usage information:

Device and Browser Data

This includes your IP address, device identifiers, browser type and version, operating system, language preferences, time zone, and other technical data about the device or software you use to access our services. Our systems may also log information like the pages you visit, the features you use, clickstream data (how you navigated to and through our site), and the dates/times of your visits.

Log and Usage Data

We maintain logs of certain activities on our platform for security, analytics, and compliance. This may include login timestamps, account settings changes, transaction requests, error logs, and other user activity information. We may collect geolocation information (such as general city or country location) based on your IP address to detect possible fraud or unauthorized access.

Cookies and Tracking Technologies

We use cookies, web beacons, and similar technologies to collect information about your interactions with our site (see Cookies and Tracking Technologies section below for details). For example, cookies help us recognize you when you return and can track your preferences and activities on our site.

Information from Third Parties

We may receive personal data about you from third-party sources, which we use to supplement or verify the information you provide:

Identity Verification Providers

We partner with third-party verification services such as Sumsub and Veriff to conduct identity and document verification. These service providers act on our behalf to verify the authenticity of your ID documents and, in some cases, perform biometric checks (e.g. facial comparison and liveness detection). In the course of verification, they may collect and process your identification documents and biometric data (like facial images) to confirm your identity. The results of these verifications (e.g. confirmation that your ID is valid or that your selfie matches your ID photo) are shared back with us. We only use reputable verification providers that are GDPR-compliant, and they are contractually bound to protect your data and use it solely for verification purposes.

Payments and Banking Partners

If you transfer fiat currency to or from us, we may receive information from banks or payment processors involved in the transaction. For example, if you send a wire transfer, we might receive your name and account details from the remitting bank. Similarly, if we send money to your bank, that bank may confirm certain details. We use this information to ensure the funds reach the right person and to comply with financial regulations (for instance, verifying that the bank account is in your name).

Sanctions and Risk Databases

We may receive reports or flags from third-party compliance tools that screen users against sanction lists, watchlists, or adverse media. These tools can provide us with information if your name appears on a list (for example, EU/UN/OFAC sanctions lists or PEP lists) so that we can take appropriate compliance measures.

Analytics and Advertising Partners

We may utilize analytics services (for example, tools that help us understand how users engage with our website) which might collect aggregated information about you (such as device identifiers or browsing events). This data typically does not identify you personally and is used to improve our online services. (Note: See the Cookies section for more detail on analytics cookies.)

Public Sources

Where legally permitted, we might use publicly available information to help verify your identity or perform due diligence. For instance, we might find public corporate records to confirm the existence of a business you mention, or look at social media or public database information to corroborate personal details in certain cases. We may also read blockchain ledgers or public crypto transaction records related to addresses you provide, since cryptocurrency transactions are often publicly visible on blockchains. Keep in mind that transactions to and from blockchain addresses can be linked to personal data when you provide us those addresses.

We limit our collection to what is necessary in relation to the purposes described in this Policy. If you choose not to provide certain information required for us to fulfill these purposes (for example, if you refused to provide identity details required by law), we may not be able to offer or continue services to you.

How We Use Your Personal Data


We use the personal data we collect for the following purposes, and we ensure we have a valid legal basis for each use (see Legal Bases section below):

To Provide and Operate Our Services

We process your data to create and administer your account, enable your crypto-fiat and fiat-crypto transactions, and generally provide the on-ramp/off-ramp services you request. For example, we use your personal and financial information to execute currency exchanges or transfers on your behalf, to credit or debit your account, and to facilitate withdrawals or deposits. This includes using your login credentials and identification data to authenticate you when you access your account, and using transaction data to carry out the conversions or trades you initiate.

Identity Verification and KYC/AML Compliance

A core use of your data is to verify your identity and meet our legal obligations under AML, CFT, and KYC regulations. We use your submitted identity documents, personal information, and biometric data (if collected) to confirm who you are and to screen for any flags (such as sanctions or politically exposed status). We may run checks against government sanction lists, criminal databases, or other risk indicators as required by law. We also use the information about your intended trading volume, source of funds, and purpose of using our service to assess your risk profile and to detect unusual or potentially suspicious activities. For instance, knowing your expected transaction patterns helps us identify transactions that fall outside of that scope and investigate them if needed. All such processing for compliance is done to prevent fraud, money laundering, and other illicit activities and to fulfill our legal obligations in various jurisdictions.

Transaction Processing

We use relevant personal data to process your fiat and crypto transactions. This includes sharing necessary details with payment intermediaries. For example, if you are buying cryptocurrency with a bank transfer, we will use your provided bank details and share them (along with your name or reference number) with our bank to match your deposit. If you are selling cryptocurrency for fiat, we will use your bank account details to send you money and may share your name and account number with our bank or payment partner to complete the transfer. When you transfer crypto assets, we use your provided wallet addresses to send or receive funds on the blockchain. Note that crypto transactions themselves are recorded on public blockchains and could be visible to third parties; however, we associate your identity with those addresses internally for compliance and service purposes.

Communications and Customer Support

We will use your contact information (such as email or phone number) to send you service-related communications. This includes sending account confirmations, transaction receipts, alerts about account activity, and notices about updates or security. For example, we may email you to confirm a successful deposit, or to notify you of a password change. We also may send you information about new features or updates to our terms or this Privacy Policy. If you contact us for support, we will use the details you provided and information about your issue to assist you. We may also contact you to notify you of any important security issues (like if we detect suspicious login attempts) or to provide verification codes when you log in.

Improving and Developing our Services

We may analyse usage data, feedback, and other information (mostly in aggregated or pseudonymized form) to understand how our services are used and how we can improve them. For instance, we might look at patterns in transaction volume or website navigation to enhance user experience, or review support inquiries to identify common issues that could be addressed in our platform. We use cookies and analytics tools to help with this analysis. Where possible, we use de-identified data for analytics to avoid unnecessary identification.

Security and Fraud Prevention

We process personal data to maintain the security of our platform, accounts, and users. This includes using device and account usage information to detect and prevent fraudulent or unauthorised activities. For example, we might use IP address and device data to recognise if an unknown device is attempting to access your account, so we can prompt for additional verification. We also use data such as your identification info and transaction patterns to help us monitor for fraud or money laundering attempts. If we detect potential fraud, we may use personal data to investigate and mitigate it (such as pausing transactions or reaching out to you for confirmation).

Legal Compliance and Enforcement

Aside from AML/KYC laws, there are other legal obligations we must comply with. We will use and retain personal data as necessary to comply with laws such as financial reporting requirements, tax regulations (if applicable), and lawful requests from authorities. For example, under certain laws we might need to report transactions above a certain threshold or any suspicious activity to the relevant financial intelligence unit. If we receive a lawful subpoena or information request from law enforcement or a regulatory body, we may process and disclose personal data in response (after verifying the request’s validity). Additionally, we may process your data to exercise or defend our legal rights, for instance, to enforce our Terms of Service, to handle any disputes with users, or to address any allegations of wrongdoing.

Marketing and Optional Communications

We do not sell your data to third parties for marketing. We may, however, use your contact information to send you marketing communications about our own products or new services if you have given us consent or if otherwise permitted by law. For example, if you opt in to a newsletter, we will send updates such as company news or promotions. You have the choice to opt out of marketing emails at any time. (Transactional or service emails, as noted above, will still be sent as needed for your account.)

Cookies and Analytics

As described, we use cookies and similar tools to personalise your experience and analyse site performance. For instance, cookies help keep you logged in, and analytics help us understand user engagement. Some of these tools might involve processing of personal data (like your online identifiers). We use this information to enhance functionality and optimise our services.

We will not use your personal data for purposes that are incompatible with the above, nor do we engage in any form of automated decision-making that produces legal or similarly significant effects without human involvement, unless such processing is necessary and permitted by law. If in the future we intend to process your data for a new purpose not listed above, we will update this Privacy Policy or provide you with a separate notice, and if required, seek your consent.

Legal Bases for Processing (GDPR)


Under the GDPR, we must have a valid legal basis to process your personal data. Depending on the specific processing activity, we rely on one or more of the following legal justifications:

Performance of a Contract (GDPR Article 6(1)(b))

We process personal data that is necessary to provide our services and fulfill our contract with you. When you sign up for an account or use Legend’s on-ramp/off-ramp services, a contractual relationship is formed. For us to deliver the services, such as creating your account, verifying your identity to allow trading, processing your buy/sell orders, and transferring funds, we must process your personal data. This includes basics like your name and contact info, as well as transaction details. Without this data, we cannot perform the services you expect from us. In short, processing for account setup, transactions, and routine service operations is carried out on the basis that it is necessary for the performance of our contract with you.

Compliance with a Legal Obligation (GDPR Article 6(1)(c))

Certain processing is required for us to meet our legal obligations under EU or member state laws. The foremost example is processing for AML and KYC regulations: we are legally obliged to verify customer identities and monitor transactions for illicit activity. This means we process your identification documents, collect required KYC information, and keep records of your transactions and personal data as mandated by law. We also may process and retain data to comply with other laws (tax, accounting, corporate reporting, etc.) and to respond to lawful requests by public authorities. In these cases, the law is the basis for processing. For instance, EU anti-money laundering laws require financial institutions to retain customer due diligence data for at least five years after the end of the customer relationship. We process and store data to satisfy such requirements.

Legitimate Interests (GDPR Article 6(1)(f))

We process certain data as necessary for our legitimate interests (or those of third parties) in running an effective, secure, and lawful business – provided those interests are not overridden by your fundamental rights and freedoms. Our legitimate interests include:

Preventing fraud and securing our platform

We have a legitimate interest in ensuring our services are not misused for fraud, theft, or other abuses. To this end, we may, for example, monitor account behaviors, verify identity beyond strict legal requirements, and use anti-fraud tools.

Improving our service

It’s in our interest to analyze how users use our platform so we can improve functionality and user experience. For instance, analyzing aggregate usage data to debug performance issues or optimize user interface is done under legitimate interests.

Direct marketing to customers

If you are an existing customer, we may send you information about similar products or services as allowed by law, based on our interest in developing our business. (You will always have the opportunity to opt out of such communications.)

Enforcing legal claims and compliance

We might retain and use data to defend against legal claims, audit our compliance, or pursue our rights (for example, if we need to investigate a breach of our terms). This is considered within our legitimate interests as well.

Whenever we rely on legitimate interests, we balance our interests against your privacy rights. We do not use this basis for processing that is particularly intrusive or unexpected. You have the right to object to processing based on legitimate interests (see Your Rights below).

Consent (GDPR Article 6(1)(a) and Article 9(2)(a) for special data)

In some cases, we rely on your consent. For example, where we process biometric data (such as facial recognition scans) purely to verify your identity, we may do so on the basis of your explicit consent, unless another legal basis (such as substantial public interest under AML laws) applies. We will present you with clear information and obtain your agreement before capturing or using biometric identifiers when required. Another example is cookies used for analytics or marketing – we seek your consent via the cookie banner for non-essential cookies. Additionally, if we ever process your data for optional purposes (like publishing a testimonial with your name, or sending third-party marketing), we would ask for your consent. Where consent is our legal basis, you have the right to withdraw it at any time (with effect going forward), which we will make easy for you (for instance, an “unsubscribe” link in marketing emails or a setting in your account).

(Note: There are other legal bases in GDPR, such as “vital interests” or “public task”, which typically apply to emergency or governmental situations. These are generally not applicable to our ordinary processing. If they ever become relevant – for example, if we had to process data to protect someone’s life in an emergency – we would only do so in compliance with the law.)

In summary, the majority of our processing is justified by contractual necessity and legal obligations, with some supporting activities under legitimate interests, and certain data (especially sensitive biometric data or cookies) under consent. We are happy to explain the specific legal basis for particular processing upon request. We also document our legal bases internally as required. There are six lawful bases under GDPR: consent, contract, legal obligation, vital interests, public task, and legitimate interests, and we have aligned our practices with these grounds as outlined above.

Sharing of Personal Data with Third Parties


We treat your personal data with care and confidentiality. However, in order to run our business and comply with laws, we sometimes need to share your information with third parties. We only share the data that is necessary for the specific purpose and, when applicable, we ensure that the third parties are bound to protect your privacy (through contractual agreements or as required by law). The key categories of third parties with whom we share data are:

Identity Verification and KYC Service Providers

As noted, we use external providers to perform identity verification checks. We currently utilise services like Sumsub (Sum and Substance) and Veriff for this purpose. When you go through our verification process, these providers will receive some of your personal information (such as your name, date of birth, and copies of your ID documents, and in some cases a selfie video) in order to carry out the verification on our behalf. They process your data only for verification and fraud prevention purposes and are not permitted to use it for anything else. These providers may extract biometric data from your photos to confirm identity, but again, strictly for the verification. We have contracts in place with each such provider under which they act as our data processors, meaning they must follow our instructions and protect your data in line with GDPR. We also take steps to ensure these vendors have robust security measures. For example, Sumsub and Veriff are well-known regulated providers that comply with data protection standards. By using our service, you understand that your data will be shared with these verification partners for the purpose of fulfilling legal KYC/AML requirements.

Financial Institutions and Payment Processors

When you engage in fiat transactions (for example, sending a bank transfer to buy crypto, or receiving funds from a crypto sale), we will share certain information with banks or payment processing partners to execute the transaction. This typically includes your name, bank account number or IBAN, transaction amount, and any necessary reference or identification number to link the payment to your account. For incoming payments, the sending bank will also see our account details and your reference code, etc. For outgoing payments, our banking partner will see your beneficiary details. Additionally, if we use third-party e-money or payment services to disburse or collect funds (such as a card payment processor or a payment gateway), those entities will process your data as needed for the payment. All such third parties are themselves regulated financial services that must keep your information secure and use it only for executing the transaction or meeting their legal obligations.

Group Companies and Affiliates

Legend Trading is part of the broader Legend Trading group of companies. We may need to share data with our parent company or affiliates for business administration, technical support, and compliance consolidation. For instance, our parent company (Legend Trading, Inc.) or other affiliates might provide certain IT infrastructure, development, or compliance oversight. If they require access to personal data for these internal purposes, we ensure any intra-group data sharing is done in compliance with GDPR and with appropriate safeguards (such as intra-group data protection agreements). Any group company accessing EU personal data will adhere to the same level of protection as described in this Policy. If any affiliate is outside the European Economic Area (EEA), we will handle that transfer as described in the “International Transfers” section below.

Regulators and Law Enforcement

We may disclose personal data to regulatory authorities, government agencies, law enforcement, or other public bodies when required by law or legal process. For example, under anti-money laundering laws, we are obligated to report certain suspicious transactions or provide data during inspections or audits by our regulator (such as the Central Bank of Ireland (“CBI”)). Law enforcement may lawfully request information from us (e.g. via a subpoena or court order) as part of investigations. We will carefully review each request to ensure it has a proper legal basis before disclosing any data. Where allowed, we might narrow the scope and only provide what is necessary. We may also share information with authorities to protect our rights, property, or the safety of our customers or others (for instance, to report fraud or respond to a cyber incident).

Other Service Providers

We employ certain third-party companies and contractors to support our operations and deliver our services. These can include:

  • Cloud Computing and Data Storage Providers: We may host data on cloud servers or data centers operated by reputable providers (for example, Amazon Web Services or other EU-based cloud services). They store personal data on our behalf but do not access it except as needed to maintain the cloud service. We ensure such providers implement strong security controls and, if they are outside the EU, we use legal transfer mechanisms (see International Transfers below).
  • IT and Security Providers: This includes companies that help with platform development, maintenance, backup, security monitoring, and fraud detection. For example, we might share limited data with a cybersecurity firm investigating an incident, or allow an analytics service to process pseudonymized user data to help us troubleshoot performance.
  • Communications Platforms: If we send emails, texts, or do support chats, we might use third-party platforms (like an email sending service or a customer support ticketing system) to do so. These platforms will process your contact info and communication content on our instructions.
  • Analytics and Advertising Partners: As mentioned, we may use third-party analytics tools (such as Google Analytics or similar) that involve the collection of usage data via cookies or scripts on our site. These partners might receive information like your IP address or device identifiers when you browse our site. However, this data is usually collected in pseudonymous or aggregated form, and we do not allow analytics partners to use it to identify you or combine it with other data they may have. For any marketing or web analytics providers that may process personal data, we will obtain your consent where required and ensure contractual safeguards (like EU standard clauses if they are abroad).

We contractually bind our service providers to confidentiality and data protection obligations. They are not allowed to use your data for any purposes other than providing services to us.

Business Transfers

If we undergo a business transaction such as a merger, acquisition by another company, reorganisation, or sale of all or part of our assets, personal data may be transferred as part of that deal. We would ensure that any such transfer is done in compliance with data protection laws. The new owner or merged entity would be required to honor the same commitments we have made in this Privacy Policy (or to provide you with notice and obtain your consent, where the law requires it, for any material changes). If such a change in ownership occurs, we will notify users if their personal data becomes subject to a new privacy policy or a different controller.

Other Users or Third Parties at Your Direction

Generally, we do not share your information with other users. However, if a particular service feature involves sharing data (for example, if you participate in a referral program or a joint account where information is visible to another designated user), we will disclose data according to your instructions or the feature’s requirements. Additionally, per regulatory requirements often termed the “Travel Rule,” when we facilitate a transfer of crypto assets to another financial institution or VASP on your behalf, we may be required to transmit sender and recipient information along with that transfer. This means if you send crypto from your Legend account to another exchange or platform, we might have to send your name, account number, and similar identifying details to the receiving institution (and they would send similar data to us for incoming transfers). This is to increase transparency and combat financial crime. We only share the legally required information in such cases.

We do not sell or rent your personal data to third parties for their own marketing. All third-party sharing is limited to the purposes described above. Whenever your data is shared, we take steps to ensure it’s handled securely and lawfully. If you want more details about which third parties might have your data (for example, which verification service checked your ID, or which bank handled your payment), you can contact us and we will provide you with relevant information, to the extent permissible.

International Data Transfers


Legend primarily stores and processes personal data within the European Economic Area (“EEA”). However, some of the third parties and group companies with whom we share data may be located outside of the EEA. For example, our parent company Legend Trading, Inc. is based in the United States, and some of our service providers (cloud hosts, analytics tools, etc.) might be in the United States or other countries. In addition, using Sumsub for verification may involve data processing in the UK (which, while having its own UK GDPR, is outside the EU) and possibly other locations. Whenever we transfer your personal data to a country that is not deemed to have “adequate” data protection laws equivalent to those in the EU, we will ensure that appropriate safeguards are in place as required by GDPR Chapter V.

Our measures for international transfers include:

EU Commission Adequacy Decisions

If the country has been officially recognized by the European Commission as providing an adequate level of data protection (for example, transfers to companies in countries like Japan, Canada, or to the UK under the current adequacy decision), your data may flow on that basis. We will still ensure the recipient only uses the data for the intended purpose.

Standard Contractual Clauses (SCCs)

For transfers to our U.S. parent company or to service providers in countries without an adequacy decision (such as the United States, if not covered by another framework), we implement the European Commission’s Standard Contractual Clauses in our contracts with those entities. These are legal contracts that oblige the recipient to protect your data to EU standards, and grant you enforceable rights. Where needed, we also assess if additional technical or organisational measures are required (like encryption in transit and at rest, or commitments from the recipient on handling government data requests) to ensure your data is secure.

Binding Corporate Rules

Although we do not currently rely on Binding Corporate Rules, if our group puts such rules in place in the future, they could facilitate safe intra-group data transfers globally.

Derogations in Specific Situations

In very limited cases, we might transfer data based on an exception under GDPR Article 49, for example, if a transfer is necessary to perform a contract with you (like sending money via an international intermediary bank you chose), or with your explicit consent, or to establish or defend legal claims. However, our policy is to generally rely on structured safeguards like SCCs, not these exceptions.

By using our services or submitting your information to us, you understand that your personal data may be transferred internationally, including to countries outside your own. We will always take steps to ensure such transfers comply with applicable privacy laws and that your data remains protected by contractual and technical measures. If you would like to know more about international data transfers or obtain a copy of the SCCs or other safeguards we use, you can contact us (see Contact Information section below).

Please note that regardless of where your data is processed, we will ensure it is handled in accordance with this Privacy Policy. Our stringent security measures and privacy standards apply globally to all of our operations.

Data Security


We take data security very seriously at Legend Trading. We have implemented a variety of technical and organisational measures to protect your personal data from unauthorised access, disclosure, alteration, or destruction. These measures include:

Encryption

We use industry-standard encryption protocols to protect data in transit and at rest. For example, our websites and apps are secured via HTTPS/TLS encryption (you’ll see the padlock in your browser for our web app), which protects data as it travels between your device and our servers. Sensitive data (such as passwords, identification documents, and biometric identifiers) is encrypted when stored in our systems to prevent unauthorised access even if our databases were compromised.

Access Controls

We restrict access to personal data strictly to personnel and service providers who need it to perform their job duties or services. Legend Trading employees and contractors are bound by confidentiality and are only permitted to access user data on a need-to-know basis (for instance, a compliance officer reviewing your KYC documents or a support agent assisting you). Our systems implement role-based access control, two-factor authentication for administrators, and regular access reviews to ensure appropriate access.

Secure Infrastructure

We maintain the security of our IT infrastructure through a cloud-first security model underpinned by multiple layers of defence. Access to our systems is controlled by cloud-native firewalls, intrusion detection and prevention services, and advanced anti-malware/endpoint protection solutions, all integrated into a central monitoring framework. We leverage the physical and logical protections of reputable public cloud providers, including certified data centres with strict access controls, redundancy, and continuous environmental monitoring.

Our infrastructure benefits from cloud security services such as Security Information and Event Management (SIEM), threat intelligence feeds, and automated anomaly detection, ensuring round-the-clock oversight of network traffic and user activity. Security patches and updates are applied on a rolling basis through automated patch management pipelines and hardened baseline images, ensuring that known vulnerabilities are addressed in a timely and consistent manner.

Testing and Audits

We conduct periodic security assessments, including vulnerability scans and penetration testing by independent experts, to evaluate and improve our defenses. We also comply with any security audits required by our regulators. Internally, we have policies and procedures (like incident response plans and data breach handling protocols) that align with best practices. Our staff receive training on cybersecurity and data protection practices so they are aware of how to protect your data and respond to potential threats.

Anonymisation and Pseudonymization

Where possible, especially for analytics or long-term storage, we may anonymise or pseudonymize personal data so that it can no longer be linked to you. For example, after a certain period we might retain transaction data in aggregate form for statistical purposes but remove direct personal identifiers.

Vendor Due Diligence

We carefully vet our third-party service providers for their security measures as well. We choose partners who have strong security credentials and require them to protect data with high standards. Many of our critical providers (like verification services and cloud hosts) have industry certifications (such as ISO 27001 or SOC 2) demonstrating their security posture.

While we strive to protect your information, it’s important to note that no system is 100% secure. The transmission of information via the internet, in particular, carries inherent risks. However, we work hard to mitigate these risks. You also play a role in security: please use a strong, unique password for your account, enable two-factor authentication if we offer it, and guard your account details. If you suspect any unauthorised access or security issue concerning your data or our services, notify us immediately so we can investigate.

In the event of a data breach that poses a high risk to your rights and freedoms, we will inform you and the relevant authorities as required by law. We follow the GDPR’s breach notification rules and have procedures in place to handle such incidents responsibly.

Data Retention


We will retain your personal data only for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Because we operate in a regulated industry, there are specific retention periods mandated by law that we must adhere to, particularly for KYC/AML data.

Account and KYC Information

Under EU AML regulations and Irish law, we are generally required to keep copies of customer identification and due diligence documents for at least five years after the end of the customer relationship or the date of an occasional transaction. This means that even if you close your account with us, we will retain your ID documents, verification information, and certain personal details for five years (and possibly longer if required by law). In some cases, this retention period can be extended for an additional period (up to a total of 10 years) if required by local law or if authorities request us to retain data longer (for example, in the case of an ongoing investigation). We retain this data to comply with AML law and to be able to respond to inquiries from regulators or law enforcement even after our relationship with you ends.

Transaction Records

We retain records of your transactions, including crypto trades, fiat deposits/withdrawals, and related communications, for a period required under financial regulations and our internal record-keeping policies. Like KYC data, transaction data is typically kept for a minimum of five years after the transaction or account closure. This helps us detect and report any illicit activity and is often mandated by law. Additionally, keeping these records allows us to address any disputes or audits regarding your transactions.

Communications and Support Records

If you contacted customer support or otherwise communicated with us, we may retain those communications for a certain period. This could be useful if you have future issues or questions, and for our training/quality assurance. Typically, routine support emails or chats might be kept for a few years. Phone call recordings (if applicable) are usually kept for a shorter period unless needed for a specific reason. We ensure any sensitive information in support logs is protected during storage.

Website and Analytics Data

Data collected via cookies and similar tracking might be retained according to the lifespan of the cookie or the needs of our analytics. For example, certain analytics data might be kept for up to 14 months, or as configured in our analytics tool, after which it’s automatically deleted or anonymised. You have control over cookie retention (see Cookies section). If you disable certain cookies, associated data collection will stop for those.

Legal Holds and Disputes

If we are involved in a legal dispute with you or if we have a reasonable belief that we need to retain data to establish, exercise, or defend against legal claims, we will keep the relevant data as long as that dispute might reasonably continue. Similarly, if instructed by law enforcement or regulators to retain data (e.g., through a preservation order or similar), we will do so for as long as instructed. Data that is part of our business records (invoices, ledgers) may be kept for the duration required by financial laws (often seven years for company financial records in Ireland, for example).

Backup and Archival

Even after active data is deleted from our main systems, it might persist for a short time in our automated backups or archives. We have retention schedules for backups as well, and when those backup retention periods expire, data is deleted or overwritten. We strive to ensure that deleted data is removed from all systems, or anonymised, so that you are not identifiable, once we no longer need it.

After the applicable retention period has elapsed, we will either securely delete or anonymise your personal data. Secure deletion means we remove it from our live databases and ensure that it cannot be reconstructed. Anonymisation means we strip away personal identifiers so the data can no longer be linked to any individual (for instance, converting transaction logs into statistical summaries). We may use anonymised data for analytics or business development (because it’s no longer personal data).

Please note, if you exercise your right to erasure, we will remove the data we are not obliged to keep. However, any data we must retain by law will be retained despite your erasure request, and we will inform you of this if applicable. Legal retention requirements always take precedence over a deletion request. We store your data securely during the retention period and ensure it’s only used for appropriate purposes.

Your Rights Under GDPR


As a user of our services and a data subject under the GDPR (if you are in the EU/EEA or the law otherwise applies to your data), you have certain rights regarding your personal data. We respect these rights and have processes to help you exercise them. These rights include the following:

Right to Be Informed

You have the right to clear and transparent information about how we process your personal data. This Privacy Policy is intended to provide that information. If anything is unclear, you can always contact us for more details.

Right of Access

You can request a copy of the personal data we hold about you, as well as information on how we use it. This is commonly known as a Subject Access Request. Upon verification of your identity, we will provide you with a summary or a copy of your data, typically within one month as required by GDPR. You will receive the data in a concise and intelligible form, normally electronically. This access is free of charge, though we can charge a reasonable fee or refuse if requests are manifestly unfounded or excessive (but we will explain if that is the case).

Right to Rectification

If you believe that any personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct or update it. We encourage you to keep your account information up-to-date and will provide mechanisms (like profile editing tools) for many changes. For changes that require support (like correcting an official date of birth or name after a legal change), you can contact us with proof of the correct information. We will make the corrections promptly and, if applicable, notify any third parties (to whom the data was disclosed) of the change.

Right to Erasure (Right to be Forgotten)

You may request that we delete your personal data in certain circumstances. The GDPR gives you this right if, for example, the data is no longer necessary for the purposes it was collected, or if you withdraw consent (where consent was the basis) and we have no other legal ground to continue processing, or if you object to processing and we have no overriding legitimate grounds. Please note that this right is not absolute – we may not delete data that we are required to keep by law or that is necessary to establish or defend legal claims. For instance, as explained in our retention section, we cannot delete your KYC records immediately upon request if we are obliged to keep them for AML compliance for a certain time. Also, if you have an ongoing transaction or dispute, we would retain data until that is resolved. If you request erasure, we will inform you which data we can erase and will do so promptly, and which we must retain (and for how long). Where possible, we will also inform any third-party processors holding the data to delete it as well.

Right to Restrict Processing

In certain situations, you have the right to ask us to suspend or limit the processing of your data. This can apply while a concern is being resolved. For example, if you contest the accuracy of your data, you can request we restrict processing it (just store it) until we verify accuracy. Or if you have objected to processing (see next point) and we’re considering our legitimate grounds, you can request restriction in the interim. When processing is restricted, we will still store your data but not use it (except to the extent allowed, such as to secure the data or with your consent or for legal claims). If the restriction is lifted (e.g., accuracy is resolved), we will inform you before resuming processing.

Right to Data Portability

You have the right to obtain certain data from us in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible. This right applies to personal data you provided to us, when processing is based on consent or contract and carried out by automated means. For example, you could request a CSV or JSON file of the personal account data you gave us and your transaction history, to port to another provider. We will provide the data in a reasonable format (likely CSV or Excel for most records, or JSON/XML for structured data) that should be usable by other services. If you request, and it’s technically feasible, we can also transmit it directly to another financial services provider you plan to use (but often it’s simpler for you to handle the data transfer).

Right to Object

You have the right to object to certain types of processing of your personal data:

  • Direct Marketing: You can always object to (or opt out of) our processing of your data for direct marketing purposes. If we send marketing emails or messages, you can unsubscribe at any time and we will stop. We do not do intrusive telemarketing or share your data with third parties for their marketing, but if in future we did, you would have the opportunity to opt out. Once you object to marketing use, we will cease processing your data for that purpose immediately.
  • Legitimate Interests Processing: If we are processing your data based on our legitimate interests (see section 5), you have the right to object if you feel it impacts your rights. If you raise an objection, we will evaluate it and in many cases will agree to stop or limit processing. We will continue to process your data only if we can demonstrate compelling legitimate grounds that override your interests or if it’s needed for legal claims. For example, you could object to us using certain analytics data or profiling for fraud checks if you feel it’s intrusive; we would then either stop that processing or explain why our need (e.g., security) is compelling.
  • Research or Statistical Processing: We are not currently processing data for scientific/historical research or statistical purposes in any way that affects individuals, but if we were and you wanted to object, you have that right too, unless the processing is in the public interest.

We will inform you of any action taken on an objection, and if we decline your objection, we’ll provide you with the rationale.

Rights Related to Automated Decision-Making

You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects on you, unless it is necessary for entering or performing a contract, authorized by law, or based on your explicit consent. In plain terms, this means if we ever were to use algorithms to, say, automatically reject a signup or freeze an account without human involvement, we would need to either have your consent or a lawful basis and give you the opportunity to request human review. At present, Legend Trading does not make any final decisions about customers solely by automated means that have a significant effect. While we use automated tools (such as for fraud detection or identity verification), a human staff member typically reviews and makes the final determination, especially if it would result in denying you a service. If you believe you have been subject to an automated decision unfairly, please let us know and we will ensure a human reviews the situation.

Right to Withdraw Consent

Where we rely on your consent for processing, you have the right to withdraw that consent at any time. For example, you can withdraw consent for marketing emails or for biometric processing (if you initially consented) and we will stop the processing that was based on consent. Withdrawing consent does not affect the lawfulness of processing we conducted prior to withdrawal. If you withdraw consent for something like biometric verification, note that we might not be able to continue providing certain services that require identity verification by law – we’ll discuss alternatives with you if possible.

Right to Lodge a Complaint

If you have concerns about our data practices, you always have the right to file a complaint with a Data Protection Authority (DPA) - in particular, the supervisory authority in the EU country where you live or work, or where we are based. Our lead supervisory authority is the Irish Data Protection Commission (DPC), since we are established in Ireland. Their contact details: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland. However, we would appreciate the chance to address your concerns directly before you approach a regulator, so please consider reaching out to us first, and we will do our best to resolve any issue to your satisfaction.

To exercise any of your rights, please contact us (see Contact Information section below). We may need to verify your identity before acting on a request (to ensure we don’t give your data to someone else). We will respond to your request as soon as possible, generally within one month as required by GDPR. If your request is complex or if we have many requests, we may extend this by an additional two months, but we will let you know and explain why. Exercising your rights is free of charge. Only in rare cases (excessive or unfounded requests) might we charge a reasonable fee or refuse, per the law – and we would explain the reasons to you.

We will strive to fulfill your request or inform you of any action taken. For partial or full denials (for example, if you requested deletion but we must retain some data), we will clearly inform you of the reasons (e.g., legal obligations) and advise you on further options. Your rights are very important, and we have dedicated resources to ensure compliance with these rights.

Cookies and Tracking Technologies


Cookies are small text files placed on your device that help websites function or provide information to the site owners. Like most online services, we use cookies and similar tracking technologies (such as web beacons, pixels, and device fingerprinting scripts) to ensure our platform works smoothly and to enhance your user experience. This section explains how we use these technologies and your options to control them.

Types of Cookies We Use

We use cookies that fall into a few broad categories:

Essential Cookies

These are necessary for our website and services to operate. They include, for example, cookies that enable you to log into secure areas of our site, keep you logged in as you navigate, or remember your input in forms. Without these cookies, certain features (like account login or transaction processing) would not be possible. Because they are essential, these cookies are generally used without requiring consent. They do not gather information for marketing but just for service functionality.

Preference Cookies

These cookies allow our site to remember your choices and preferences (such as your preferred language or region). They provide a more personalised experience and make your use of the site more convenient. For instance, a cookie might remember that you prefer to see prices in a certain currency. While not strictly necessary, they enhance functionality.

Analytics Cookies

We use analytics or performance cookies to collect information about how visitors use our website, which pages are popular, or if any errors occur. This helps us improve the way our services work. We might use third-party analytics tools (like Google Analytics or similar). The information collected by these cookies is typically aggregated and anonymous, meaning it doesn’t directly identify you. For example, we might see that X number of users visited a page or that a certain feature is rarely used, guiding us to improve it. We will ask for your consent before setting non-essential analytics cookies.

Advertising and Tracking Cookies

As of the latest update, Legend does not host third-party advertisements on its site, but we may use tracking cookies or pixels in the context of any marketing campaigns we run. For instance, if we advertise on another platform, a cookie might help us know if you came to our site via that ad (conversion tracking). These cookies and pixels (like those from Google Ads or social media platforms) would only be used with your consent. They record your visit to our site, the pages you visited, and the links you followed, and we might use this to measure the effectiveness of campaigns. If in future we do partner with advertising or retargeting services, those cookies would help show you Legend Trading ads on other websites based on your browsing of our site, again, only if you consent.

Security Cookies

We also may use certain cookies or similar technologies for security purposes, such as to help detect malicious activity or remember choices you’ve made regarding our security features. For example, a cookie might help us identify if your browser has successfully passed a CAPTCHA challenge, so we don’t prompt you again.

Cookie Consent and Management


When you first visit our site (and periodically thereafter), you will see a cookie notice or banner that allows you to manage your cookie preferences. Except for strictly necessary cookies, we will not set cookies on your device without your consent. You have the right to accept or reject non-essential cookies. Our banner or settings will typically allow you to “accept all,” “reject all non-essential,” or customise your choices by category. If you choose to reject or disable certain cookies, you can still use our website, but some features or functionality might be limited or not work as intended (for example, if you disable functional cookies, you might have to re-enter preferences each time, or disabling analytics might limit our ability to troubleshoot issues).

In addition to our own tool, you can manage cookies through your browser settings. Most web browsers allow you to control cookies, including blocking or deleting them. You can usually find these options under the browser’s “Settings” or “Preferences” menu (look for privacy or cookie settings). Keep in mind that if you delete cookies, any preference cookies we set will be cleared, and you may need to set them again. Blocking cookies might also block the essential ones unless you specifically allow them.

For more detailed information about the cookies and tracking technologies we use, you can refer to our separate Cookie Notice (if available on our website) or the Cookie Settings panel on the site, which should list cookie names and their purposes. We will notify you of any significant changes to our cookie usage through that notice or via the banner.

Do-Not-Track Signals

Currently, our website does not respond to “Do Not Track” browser signals, because there is no consensus on how to interpret them. We instead provide the cookie controls as described above. We continuously monitor industry developments in this area and may adjust our practice if a standard emerges.

By using our site with cookies enabled, you are agreeing to our use of cookies in line with this section. If you have any questions about our use of cookies or how to manage them, please contact us.

Changes to this Privacy Policy


We may update or modify this Privacy Policy from time to time to reflect changes in our business, legal or regulatory obligations, or data processing practices. If we make changes, we will post the revised policy on our website and update the “Last Updated” date at the top. Any changes will become effective when posted unless otherwise indicated.

If we make any material changes, for example, if we start processing data for new purposes that would significantly affect you, or if we change how we share data in a way that you might not expect, we will take additional steps to inform you. This might include sending a notice to the email address associated with your account, or providing a prominent notice on our site or app dashboard. We may also prompt you to review and accept the new policy if required by law.

We encourage you to periodically review this Privacy Policy to stay informed about how we are protecting your information. If you continue to use our services after changes to this Privacy Policy take effect, such continued use will be deemed your acknowledgement of the updated Policy, except where applicable law requires us to obtain your explicit consent.

If you do not agree with the changes or any aspect of the revised policy, you should discontinue use of our services and can request us to deactivate your account and/or delete your data (as per your rights described above, keeping in mind our retention obligations). We will honor such requests in line with our legal obligations.

Contact Information


If you have any questions, concerns, or requests regarding this Privacy Policy or our personal data practices, please do not hesitate to contact us. We are here to help and committed to addressing any privacy-related issues.

Data Protection Officer (DPO)

We have appointed a Data Protection Officer to oversee compliance with GDPR and this Privacy Policy. You may contact our DPO for any privacy or data protection queries.

Postal Address:
Legend Financial Ireland Limited
Data Protection Officer
Blanchardstown Corporate Park, Block 1
Ballycoolin Road
Dublin 15, D15 AKK1
Ireland

Email: compliance.eu@legendtrading.com

We will respond to inquiries as soon as possible, generally within 30 days. If you are making a request to exercise your data rights, please provide sufficient information for us to verify your identity (for example, you might need to write from your registered email or provide information that only you would know) so we can safeguard against unauthorised requests.

If you have a complaint about how we handled your personal data, we would appreciate the chance to resolve it directly. However, as noted above, you also have the right to lodge a complaint with the Irish Data Protection Commission or your local supervisory authority.

Thank you for taking the time to read our Privacy Policy. We value your trust and are dedicated to protecting your personal data while providing secure and compliant financial services.

Risk Warning: Cryptocurrency trading is high-risk and may result in the loss of some or all funds. Trade responsibly.
Legend Holdings US Inc. Registered No. 7477583. Registered Office: 251 Little Falls Drive, Wilmington, DE 19808.

© 2026 Legend Trading. All rights reserved.
