Your data.
What personal information we hold, why we hold it, how long we keep it, and the rights you have over it under UK data-protection law.
DRAFT — not legal advice; must be reviewed and approved by a qualified solicitor before publication. Bracketed fields are placeholders for details to be confirmed before going live.
Who controls your data
The data controller is [Company legal name], registered in England & Wales (company number [Companies House no.]), registered office [registered address], trading as BullionExchange. We are registered with the Information Commissioner's Office under registration number [ICO registration no.].
For any question about your personal data, contact our data protection contact at [DPO contact] or write to us at the registered address above marked "Data Protection".
What we collect
We collect and use the following kinds of personal data:
- Identity & contact data — your name, date of birth, address, email and phone number.
- Identity-verification data — copies of identity documents (for example passport or driving licence) and the results of electronic identity checks, collected to meet our legal anti-money-laundering duties.
- Transaction data — details of the gold you sell, buy or exchange, valuations, offers, dates and amounts.
- Payment data — the bank-account details we pay into or take payment from. We do not store full card numbers; card payments are handled by our payment provider.
- Correspondence — messages, call notes and emails between you and our desk.
- Technical data — limited information your browser sends when you use the site, such as your IP address and the pages you request, used to keep the site secure and working.
Why we use it & our lawful bases
Under UK GDPR we must have a lawful basis for each use:
- To perform our contract with you — assaying, valuing, paying, dispatching and keeping you informed about your transaction.
- To meet a legal obligation — running identity and source-of-funds checks, keeping records, and reporting where the law requires it under the Money Laundering Regulations 2017 and tax law.
- For our legitimate interests — preventing fraud, securing the site, keeping business records and improving our service, balanced against your interests.
- With your consent — only where we ask for it, such as sending you the morning-rate email. You may withdraw consent at any time.
AML & the legal-obligation basis
As a gold dealer we are legally required to identify and verify our customers, to understand the source of the goods and funds involved, and to keep records of that work. We process the identity-verification data described above to meet this legal obligation. You cannot opt out of these checks while still transacting with us, because the law does not allow us to proceed without them.
Where the law requires it, we may make a report to the relevant authority. In limited circumstances the law prevents us from telling you that such a report has been made.
How long we keep it
We keep transaction and identity records for at least five years after our business relationship with you ends, as required by the Money Laundering Regulations 2017, and longer where tax law or a legal claim requires it. Marketing-consent records are kept until you withdraw consent. When data is no longer needed we delete or securely anonymise it.
Your rights
Under UK GDPR you have the right to:
- ask for a copy of the personal data we hold about you;
- ask us to correct data that is wrong or incomplete;
- ask us to erase data, where we are not required to keep it;
- ask us to restrict or object to certain processing;
- ask for your data in a portable format, where that applies;
- withdraw consent at any time, where we rely on consent.
Some rights are limited where we must keep data to meet our legal duties — for example, we cannot erase records we are required to retain for anti-money-laundering purposes. To exercise a right, contact [DPO contact]. We respond within one month; where a request is complex, the law allows us to extend this, and we will tell you within the first month if we need to.
Security
We use appropriate technical and organisational measures to keep your data secure, including encryption in transit, access controls, and staff handling rules. No system is perfectly secure, but we take the protection of identity and payment data seriously and review our measures regularly.
International transfers
We aim to keep personal data in the UK. Where a provider we use processes data outside the UK, we make sure an appropriate safeguard recognised under UK data-protection law is in place, such as UK adequacy regulations for the destination country or the ICO's International Data Transfer Agreement (or its Addendum to the EU standard contractual clauses).
Complaints & the ICO
If you are unhappy with how we handle your data, please tell us first so we can try to put it right — see our complaints procedure. You also have the right to complain to the Information Commissioner's Office, the UK regulator for data protection, at ico.org.uk or by calling its helpline.