Shares • Privacy Policy

Summary

Introduction

Hello! 👋We’re Shares.

We really value our users and by extension, we value your trust and privacy. That’s why we’ve developed this privacy policy; to be transparent about the personal data we collect, how it’s used, who it’s shared with and what choices our users have over their data.

This privacy policy applies to the personal data that Shares processes in connection with the platform and applications, webServices, products and services that are referenced in this policy (collectively, the "Services").

If you live in the European Economic Area (“EEA”)and avail of our digital assets (cryptocurrency) and social interactive Services, Shares Digital Assets Poland controls your personal data.

If you live in the United Kingdom (“UK”) and avail of our trading and social interactive Services, Shares App Limited controls your personal data. We process personal data in accordance with this Privacy Policy. You can find the contact details for both of these data controllers at the bottom of this policy.

Before we dive in, we want to clarify a few points:

Sorry kids! Our services aren’t intended for children and we don’t knowingly collect data relating to children.
Stay informed! If we provide you with another privacy policy relating to specific processing, you should read it alongside this one.
Legalese alert! This policy isn’t much use if you can’t understand it. That’s why we’ve put together a glossary to explain some of the legal terms used in it. You can find it at the end of this policy.

What personal data do we process and how do we collect it?

We may collect, use, store and transfer different kinds of personal data for a variety of purposes.

In this section, we provide information about what personal data we process, categorised by where we got it from.

Data collected from direct interactions with us. We collect data you provide us with when you use our Services or engage or communicate with us, for example when you create an account or participate in research.

Identity Data. This includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
Contact Data. This includes billing address, delivery address, email address and telephone numbers.
Due Diligence Data. This may include copies of identification document(s), nationality, national insurance number, social security number (or other government issued identification number), citizenship and residency status, tax information, source of income / funds (including assets), occupation and employment information, your image and other data we may need to successfully verify users.
Financial Data. This may include open banking data, bank account and payment card details.
Customer Interactions. This includes responses to surveys, research, promotions, customer support conversations and history (including interactions made on the Shares app, via social media and email).

Data collected from automated technologies or interactions. As you interact with our Services, we may automatically collect certain Usage Data and Technical Data about your equipment, browsing actions and patterns. We collect this personal data using cookies, web beacons, pixel tags, server logs and other similar technologies, which are sometimes provided by a third party.

We may also receive Technical Data about you if you visit other web services employing our cookies.

Transaction Data. This includes details about payments to and from you and other details of products and services you have purchased from us, including the value and currency of your activity.
Social Activity. This includes your news feed activity, interests, community membership(s), platform interactions, messages, comments and friends.
Device Data. This includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access the Services.
Location Data. We may collect geolocation data from your device, where you have set permissions that allow this.
Profile Data. This includes your username and password, pin, profile photo, bio, settings and preferences.
Usage Data. This includes information about how you use our Services,, including your browsing habits, profit and usage statistics.

Data collected from third parties. We collect personal data from third parties, who you may or may not have a direct relationship with. Some of the data we collect from you may be shared with vendors and other service providers who help us improve the Services we provide.

Third Party Technical Data. We may collect personal data such as inferred data, website usage data and demographic data from relevant third parties, including analytics providers and advertising networks.
Marketing and Communications Data. This includes your preferences in receiving promotional and marketing material from us and our third parties, or any other communication preferences you’ve expressed.
Partners and Vendors Data. We may collect personal data from third parties if we enter into a partnership or when we’re seeking to verify your identity as part of our regulatory requirements. We rely on third parties such as identity verification agencies, credit referencing agencies, anti-money laundering solution providers and others. This data may include:
. Contact data
. Publicly available information from searches
. Data from providers of technical, payment and delivery services
. Data from data brokers or aggregators
. Data available from public sources such as Companies House and the Electoral Register based inside the EU

Additional points to note…

Aggregated Data

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be based on personal data, but it’s not considered personal data by law as the data does not directly or indirectly reveal your identity. For example, we may tot up your Usage Data to calculate the percentage of users accessing a specific feature.

If we combine or connect Aggregated Data with your personal data in a way that can directly or indirectly identify you, we process it as Personal Data and in accordance with this privacy policy.

Special Categories of Personal Data

We don’t intentionally collect Special Categories of Personal Data (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data).

We may, however, process data relating to: criminal convictions and offences; political affiliation(s) from searches performed for source of funds, source of wealth and enhanced due diligence checks; and as per regulatory guidelines.

In the event we start processing special category personal data (for example, should you voluntarily provide us with information regarding your health), we‘ll handle it in accordance with the Data Protection Act 2018 (“DPA”) and the General Data Protection Regulation (“GDPR”).

If you fail to provide personal data

Sometimes, we need to collect personal data by law. Sometimes, we need to collect personal data under the terms of a contract we have with you. Should you fail to provide this data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with our Services).

In this case, we may have to cancel a product or service you have with us, but we will notify you in advance

Why do we process this personal data?

We want to be clear about what we do with personal data and how we make sure our data processing is lawful. This section describes our reasons for processing personal data and the lawful basis we rely on for such processing.

Before we dive into that, we want to provide a brief explanation of what the phrase ‘lawful basis’ means. The law requires us to have an appropriate basis to process personal data. There are a number of bases available and we must choose the most appropriate one before processing data. If we can’t find an appropriate lawful basis, we won’t process the data. Simple. Most commonly, we’ll use your personal data in the following circumstances:

Where we need to perform the contract we are about to enter into or have entered into with you
Where it’s necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests
Where we need to meet a legal or regulatory obligation

Generally, we don’t rely on consent as a lawful basis for processing personal data; if we do, we’ll explicitly ask for your consent. You have the right to withdraw your consent at any time, if this is the lawful basis we use to process personal data.

Data Processing Activity & Purpose

Lawful Basis

To open a Shares account

In order to open a Shares account with limited functionality / access to features, we must process your personal data, including Identity and Contact Data.

Necessary for the performance of a contract

To access Shares’ additional features

Check your suitability for using our Services (which involves assessing your credit risk)
Verify your identity and enable the performance of required checks (in accordance with applicable legislation and regulation), including but not limited to: “know your customer”, anti-money laundering, fraud, sanctions and politically exposed person checks
Provide our Services

Necessary for the performance of a contract
Necessary to fulfil our legitimate interests (for effectively running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
Necessary to comply with a legal obligation(s)

To communicate with you about your account, contract or relationship with us

We must communicate with you for a number of reasons, including updates about our Services, our Terms and privacy policy, or when we need to request further documentation / information from you.

Additionally, we may contact you with marketing materials or ask you to take part in research, surveys or competitions.

If you don’t have a Shares account but signed up to receive our marketing, we’ll process your personal data for the sole purpose of sending you marketing communications, which you can opt out of at any time

Necessary for the performance of a contract with you
Necessary to comply with a legal obligation(s)
Necessary to fulfil our legitimate interests (to keep our records updated and to study how customers use our products/services, to create and develop them and grow our business, to market Services we believe will be of interest)

To protect your account

We process your data to establish data security measures and safeguards. We do this by administering and protecting our business and the Services (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).

Necessary to fulfil our legitimate interests (for effectively running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
Necessary to comply with a legal obligation

To continuously and appropriately service your account

We process personal data to continuously and appropriately service your account; this includes the processing of Transaction Data, Usage Data, Profile Data, Social Activity. We must maintain accurate records, fairly monitor account activity and analyse engagement to deliver the best Service we can to our users.

Where we have reason to believe that you may need additional support or level(s) of care, we’ll reach out to you and provide you with resources. We’ll also seek your consent to mark you as a ‘vulnerable customer’ on our system, which will enable Customer Support to handle your contacts / requests appropriately.

Necessary for the performance of a contract
Consent (we’ll ask your consent before marking you as a ‘vulnerable customer’ on our system)
Necessary to comply with a legal obligation(s)
Necessary to fulfil our legitimate interests (to fairly monitor customers’ use of the Services to deliver an optimally performing Service(s), improve functionality and offer additional support, where appropriate)

To provide interactive and social features on the app

To provide social engagement and interactive features on the app (such as Communities and Watchlists).

Necessary for the performance of a contract
Necessary for our legitimate interests (including to keep our records updated and to study how customers use our products/services, to create and develop them and grow our business, to market Services we believe will be of interest)

To provide trading features on the app

You can make Market Orders on the Shares app. We’ll coordinate the fulfilment of these by processing data including: Contact, Identity, Financial, Usage Data.

To facilitate Market Orders, we set up an Electronic Money Account for you and engage an Execution Broker to transmit orders on your behalf.

Necessary for the performance of a contract

To provide digital asset (cryptocurrency) features on the app.

For users in applicable regions with our cryptocurrency features on the app. This includes the purchase, sale and visibility of cryptocurrency assets. We process your information including Location, Transaction, Identity, Device and Contact Data.

Necessary for the performance of a contract
Necessary to comply with a legal obligation(s)

To provide payment and repayment features on the app

To manage payments, fees and charges, and collect and recover money owed to us, we must process personal data including Transaction Data and Financial Data.

Necessary for the performance of a contract
Necessary for our legitimate interests (to recover debts due)

To develop and use automated ways to identify suspicious, inappropriate, unlawful or prohibited behaviours on our Services.

To develop technology that can immediately identify and flag behaviour that is suspicious, inappropriate, unlawful or prohibited on our Services, we may process personal data including Profile Data, Social Activity and Identity Data.

Necessary for our legitimate interests (to develop advanced and effective automated ways to maintain the legitimacy and security of the app)
Necessary for our legitimate interests (to develop our products / services and grow our business)

To provide Customer Support

To deliver efficient Customer Support and improve related processes

Necessary for our legitimate interests (to provide effective customer support services)

To deliver tailored Services

To provide you with suggestions about features we think you’ll like or personalised news stories, we use personal data including Usage Data.

Necessary for our legitimate interests (to develop our products / services and grow our business)

To collect information and create insights about your browsing habits on our Services

To obtain insights into the use of, effectiveness and engagement with our Services, we process and use personal data.

If we use tags to obtain your personal data, or use your location data for insight and analysis purposes, we’ll get your consent.

Necessary for our legitimate interests (for us to measure the effectiveness of our content and how visitors use our Services. This allows us to learn what pages of our Services are most attractive to our visitors, which parts of our Services are the most interesting and what kind of features and functionalities our visitors like to see. We also use this information to help us select future product and service lines, website designs and to remember your preferences. We may also use this information for marketing purposes)
Consent

To deliver relevant website content and advertisements to you, and measure or understand the effectiveness of the advertising we serve to you

Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)

To investigate and report, where appropriate, data breaches, incidents, requests and complaints

Necessary to comply with a legal obligation(s)
Necessary for our legitimate interests (to maintain the legitimacy and security of the app)

To moderate our Services.

We must effectively moderate the content, interactions and engagement on our platform to monitor for violations of our Terms and Conditions, Community Guidelines and / or applicable legislation.

Necessary for our legitimate interests (to maintain the legitimacy and security of the app)

To investigate and report, where appropriate, incidents of suspected financial crime.

We must review and process data to investigate and report cases of suspected financial crime. This may be shared with relevant third parties, such as law enforcement.

Necessary to comply with a legal obligation(s)
Necessary for our legitimate interests (to maintain the legitimacy and security of the app)

To improve our Services, marketing, customer relationships, experiences and grow through our use of data analytics.

We work independently – and with third party affiliates — to promote Shares and encourage prospective customers to join our Services. We also evaluate the service the affiliates provide by measuring metrics.

We may share both pseudonymised (UserID) and aggregated data about you (including the fact that you have signed up to our Services and information relating to your financial performance) with our third party affiliates. We and our affiliates will only use this data to evaluate the services our affiliates provide.

Necessary for our legitimate interests (to define types of customers for our products and services, to keep our Services updated and relevant, to develop our business and to inform our marketing strategy)
Necessary for our legitimate interest (to expand our customer base and grow the business).

We may process your personal data on more than one lawful ground, depending on why we’re using your data. Please contact us if you need details about the specific legal ground we’re relying on to process your personal data, where more than one ground is set out in the table below.

Change of purpose

We’ll only use your personal data for the purposes we collected it, unless we reasonably consider that we need to use it for another purpose which is compatible with the original purpose.

If we need to use your personal data for an unrelated purpose, we’ll notify you and explain the legal basis that allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Who do we share personal data with?

Internal Recipients

We may share personal data with entities within the Shares Group.

We do this as our entities rely on each other to provide a variety of Services which are necessary for us to provide the Shares app and all of its services.

External Recipients

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. Third-party data processors can’t use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our written instructions.

Third Party Service Providers. These include IT and cloud service providers, third party software and platform providers, vendors, compliance partners (including identity verifiers and performers of relevant checks), analytics services providers, advertising affiliates, card payment service providers, open banking providers (Plaid), execution brokers (Alpaca Securities LLC), digital assets partners and Shares’ electronic money account provider (Modulr FS Limited).
Regulators and Authorities. These include regulatory bodies, such as the UK’s Financial Conduct Authority and Information Commissioner’s Office, authorities including tax authorities and the National Crime Agency (NCA), as well as other formal bodies who we must engage / report to.
Professional advisers. These including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.

If we choose to sell, transfer or merge parts of our business or our assets, we’ll share your personal data with the new owners of our business, who may use your personal data in the same way set out in this privacy policy.

Do we transfer your data internationally?

We may transfer your data outside the UK or the European Economic Area (EEA).

Whenever we transfer your personal data out of the UK or the EEA, we make sure it’s given a similar degree of protection by guaranteeing at least one of the following safeguards is implemented:

We’ll only transfer your personal data to countries that provide an adequate level of protection for personal data by the European Commission and Information Commissioner’s Office (“ICO”).
We’ll make sure that appropriate contractual protections are in place with third parties that we share personal data with outside of the EEA & UK (as approved by the European Commission or the ICO, where relevant).

How long do we retain personal data for?

We’ll only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including satisfying any legal, accounting or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances, we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes. In this case, we may use this information indefinitely without giving you further notice.

What rights do you have over your personal data?

In certain circumstances, you have the right under data protection law to:

Request access to your personal data. This is the right to access and receive a copy of your personal data and other supplementary information. This right is not absolute and may be subject to certain limitations and exemptions.
Request correction of your personal data. This is where we’ll rectify inaccurate or incorrect data we process about you.
Request erasure of your personal data. This is the right to request the erasure of your personal data. This right is not absolute and may be subject to certain limitations, depending on our lawful basis for processing your personal data.
Object to our processing of your personal data. This is only an absolute right when related to direct marketing. For all other data processing, you can object. We‘ll then review and process your request subject to relevant limitations, such as the lawful basis for processing your personal data in the first instance.
Request restriction of processing your personal data. This is not an absolute right. Where you have a particular reason for requesting that we restrict our processing of your data, you can request to do so. This may limit the way we use your personal data.
Request transfer of your personal data. This is the right to data portability; it allows individuals to obtain and reuse their personal data for their own purposes across different services.
Right to withdraw consent. Where you have provided your consent for us to process your personal data, you have the right to withdraw such consent.
Right to object to solely automated decision-making and profiling that produces legal or similar effects. This right is not relevant to Shares users as we do not presently participate in data processing that is solely automated and makes decisions which have a legal (or similar) effect.

Should you wish to make such a request, you can do so by messaging us in the ‘Support’ section of the Shares app or emailing us at privacyrequests@shares.io . You can also opt out of direct marketing by clicking unsubscribe at the bottom of any marketing email.

Generally, you don’t have to pay a fee to exercise any of these rights, and we'll confirm completion of your request within one calendar month.

However, we may charge a reasonable fee or extend our timeline for responding in cases where a request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. We’ll always notify you in the event this occurs.

You have the right to make a complaint at any time to the relevant data protection authority;

UK: Information Commissioner's Office (ICO), https://ico.org.uk/
EEA: Personal Data Protection Office (UODO), https://uodo.gov.pl/en

We would, however, appreciate the chance to deal with your concerns before you approach the data protection authority, so please contact us or our DPO in the first instance and we will do our best to help.

Contact Us & Our Data Protection Officer

Should you wish to contact us, you can do so by writing to the appropriate address, depending on your location.

For UK data subjects: Shares App Limited, 6 Ramillies Street, London, England, W1F 7TY, United Kingdom.

For EEA data subjects: Shares Digital Assets Spółka Z Ograniczoną Odpowiedzialnością, Mogilska 43 Cowork ul. Mogilska 43 31-545 Kraków Polska.

We always want to protect your data and as such, we’ve appointed a Data Protection Officer (“DPO”) who acts as a contact and voice within the organisation for data subjects.

Contact Our DPO

We value your data and we want to protect it, so we’ve appointed a dedicated DPO. The DPO is the point of contact for data subjects within our organisation; they’re there to assist data subjects generally. The most efficient way to exercise your rights under data protection legislation is by emailing privacyrequests@shares.io.

You can contact our DPO by writing or email;

For EEA data subjects:

Address: FAO: Shares Europe DPO, 6 Ramillies Street, London, England, W1F 7TY, United Kingdom.
Email: eu-dpo@shares.io

For users in the UK

Address: FAO: Shares UK DPO, 6 Ramillies Street, London, England, W1F 7TY, United Kingdom.
Email: uk-dpo@shares.io

Glossary

Personal Data

Personal data, or personal information, means any information about an individual which could identify that person. It does not include data where the identity has been removed (anonymous data).

Data Subject

An identified or identifiable living individual to whom personal data relates.

Data Controller

Controllers are the main decision-makers of personal data processing. They have overall control for the purposes and means of processing personal data.

Lawful Basis

For every processing activity we take part in, we must have a valid lawful basis to do so. The following are considered lawful bases under applicable data protection legislation:

Consent
Legitimate Interest
Contract
Legal Obligation
Vital Interests
Public Interest
Consent. An unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed.
Legitimate Interest. If the processing is in the legitimate interests of Shares and the data subject’s interests / expectations do not override our legitimate interests, this lawful basis can be relied on. An assessment must be performed to identify whether this is an appropriate lawful basis.
Contract. Data can be processed if the data is necessary to perform a contract with the data subject.
Legal Obligation. If processing personal data is required to comply with a common law or statutory obligation under UK or EU law, then this is considered a lawful basis.
Vital Interests. If the data processing is in the Vital Interests of the data subject, then this is a lawful basis. If it’s possible to protect the person’s vital interests in an alternative and less intrusive way, then this basis doesn’t apply.
Public Interest. If processing personal data is required ‘in the exercise of official duty’ or to perform a specific task in the public interest that is set out in law, then this is a lawful basis.

As detailed in Section 7 of the Privacy Policy, data subjects have rights over their personal data. These rights aren’t always absolute, meaning they sometimes depend on which lawful basis a data controller relies on to process the data. The ICO has included a table of how some lawful bases and rights interact here.

Pseudonymisation

Pseudonymisation is the processing of personal data in a way that it can no longer be attributed to a specific data subject without the use of additional information. This is provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person

Anonymisation

Data can be considered 'anonymised' when individuals are no longer identifiable. If data is ‘fully 'anonymised', it doesn’t qualify as personal data.