Privacy Policy
Effective Date: 01.10.2025 – Last Updated: 01.10.2025
This Policy describes how Capital Pro (“Company”, “we”) collects, uses, discloses, and protects personal data in connection with the provision of investment services and access to the trading platform. This document is prepared in accordance with Regulation (EU) 2016/679 (GDPR) and applicable EU/EEA law.
1. Data Controller and Contact Information
Data Controller: Andata OÜ, Reg. No. 14865034, Address: Mõisa tn 4, Haabersti District, Tallinn, Harju County, 13522.
Data Protection Contact: privacy(at)vigri.eu
2. Categories of Data
- Identification: name, date of birth, nationality, ID/passport, address.
- Contact: email, phone number, postal address.
- KYC/AML: identity verification data, source of funds, sanctions and PEP checks.
- Financial: investment objectives, experience, risk profile, account/payment information.
- Service Usage: logins, IP address, devices, cookie identifiers, events.
- Communications: call/chat/email records, support inquiries.
- Marketing preferences and subscriptions.
3. Sources of Data
- Directly from the client via forms, account portal, or communications.
- From third parties: KYC/AML providers, payment organizations, custodians, IT/analytics outsourcing partners.
- Automatically through website and platform usage (cookies, logs).
4. Purposes and Legal Bases of Processing
- Performance of the investment services agreement and platform access: registration, verification, transactions, reporting (legal basis: Art. 6(1)(b) GDPR).
- Compliance with legal obligations: KYC/AML, tax and regulatory reporting, retention of communication records (legal basis: Art. 6(1)(c) GDPR).
- Legitimate interests: security, fraud prevention, product improvement, internal analytics (legal basis: Art. 6(1)(f) GDPR). A balance of interests is maintained, and data subject rights are respected.
- Marketing and newsletters: based on consent, which can be withdrawn at any time (legal basis: Art. 6(1)(a) GDPR).
- Fulfillment of lawful claims and protection of rights in disputes (legal basis: Art. 6(1)(c)/(f) GDPR).
5. Automated Decisions and Profiling
We may apply automated checks (e.g., anti-fraud, KYC scoring, transaction monitoring) to fulfill security and compliance obligations. Decisions with legal or similarly significant effects on the client are not made solely on the basis of automated processing, except where permitted by law. Data subjects are granted rights to human intervention, to express their position, and to challenge such decisions.
6. Recipients and Data Disclosure
- Service providers: KYC/AML, payment processing, custodian/broker, IT hosting, analytics, communications, newsletters — under Data Processing Agreements (DPA) and the principle of data minimization.
- Competent authorities and regulators — when required by law.
- Partners and affiliates — to provide services when necessary and lawful.
7. Transfers Outside the EEA
If data is transferred to third countries, one of the following mechanisms is applied: EU adequacy decision, Standard Contractual Clauses (SCC), and additional safeguards. A list of recipient categories and countries is available upon request.
8. Data Retention Periods
- Contractual and operational data — for the duration of the contract and for the legally required period after its termination.
- Communication records and registries required by financial regulations — at least 5 years (or longer if required by law).
- KYC/AML data — retention periods as required by applicable law.
- Marketing data — until consent is withdrawn or objection is made.
9. Data Subject Rights
- Access to data and receiving a copy.
- Correction of inaccurate data.
- Deletion (“right to be forgotten”) where applicable.
- Restriction of processing where applicable.
- Data portability.
- Objection to processing based on legitimate interest and objection to marketing.
- Withdrawal of consent at any time without affecting the lawfulness of processing prior to withdrawal.
- Right to lodge a complaint with a supervisory authority (contact details of the regulator in your country or local supervisory authority).
To exercise your rights, please contact us: privacy(AT)vigri.eu. Requests are processed without undue delay, usually within 30 days.
10. Data Security
We implement technical and organizational security measures: encryption during transmission and storage, multi-factor authentication, environment segregation, access control and logging, testing and monitoring, staff training, and incident management. No method of transmission over the Internet can guarantee 100% security; however, we strive to maintain a high level of protection and continuously enhance our security measures.
11. Marketing and Communications
Marketing communications are sent based on your consent or within the limits of legitimate interest. You can opt out of marketing messages at any time via the link in the email or by contacting us. Opting out does not affect service notifications (operational messages, legal notices).
12. Cookies and Similar Technologies
We use essential cookies for the website’s functionality and, with your consent, analytical/marketing cookies. Details are provided in our Cookie Policy. Consent can be managed via the banner or browser settings.
13. Children
Our services are not intended for persons under 18 years of age. We do not knowingly collect data from minors. If you become aware that a minor has provided us with personal data, please contact us for its deletion.
14. Policy Updates
We may update this Privacy Policy. The date of the latest update is indicated at the top of the page. Significant changes will be communicated to users via the website or electronic messages.
15. Contact Information
Privacy inquiries and rights requests: privacy(AT)vigri.eu.
Registered address: Mõisa tn 4, Haabersti linnaosa, Tallinn, Harju maakond, 13522. Phone: [+XXX XXX XXXX].