Privacy policy

PRIVACY POLICY
Version 6, November 2022


KEY WAY INVESTMENTS LTD (the ‘Company’) operating trading name “EVP Market”, is a Cypriot Investment
Firm (CIF) authorised by the Cyprus Securities and Exchange Commission (CySEC) with CIF License number
292/16.
KEY WAY INVESTMENTS LTD is committed to protect individuals’ personal data in line with the requirements of
applicable law.
KEY WAY INVESTMENTS LTD commitment applies to all individuals whose personal data the Company may
process. “Personal Data” means any information relating to an identified or identifiable natural person. The
Company acts as a controller in relation to such personal data.
This Privacy Policy or Notice describes what types of personal data we collect about you when you choose to
use our services, how we will use your personal data, when and with whom we share it and how we will keep it
safe. It also details your rights in respect of our processing of your personal information and how you may
exercise them. Please take the time to read and understand this policy.
We may make changes to this Notice from time to time and it is important that you check this Notice for any
updates. Any personal information we hold will be governed by our current privacy notice. If we make changes
we consider to be important, we will communicate them to you.
Please note that this notice is addressed to customers and potential customers.

1. Personal Data that we may collect:
When you create an account with the Company, we require you to provide your first and last name, e-mail
address, details about your financial status, your residential address, phone number, date of birth, a copy of
your national identity card or passport or driving license, a copy of a recent utility bill/bank statement (or
similar) as evidence of your residential address, credit card or bank card details, Tax residence and Tax
Identification Number, profession and employment details, knowledge and experience in trading, risk
tolerance and risk profile and other information we may consider necessary to our functions and activities
and in order to be in a position and be permitted to provide our services to you.
If the Company requests you to provide it with personal data and you fail to do so, the Company may not be
in a position to provide a service and/or enter into an agreement with you, in which case it will inform you
accordingly.
The abovementioned data are collected by the Company when you are going to open a trading account with
the Company. It is required by the AML Law (the Prevention and Suppression of Money laundering and
Terrorist Financing Law of 2007 L. 188(I)/2007 as amended from time to time) and CySEC’s AML Directive, as
well as by any other AML laws governing countries where the Company has branches, that the Company
collects the necessary data for verifying your identity, constructing your economic profile, monitoring your
account and verifying the source of funds (when it is necessary). Additionally, we use this data to set up and
administer your trading account, and to provide technical and customer support.
If you have not created an account with the Company and request for a Chat session, you will be required to
provide your e-mail address, first and last name. Any further personal data (including text, files etc.) that
may be provided during the Chat session will be stored for quality monitoring, training and regulatory
purposes.
If you are a corporate client, we are required to collect information related to the legal entity (e.g. corporate
and constitutional documents), additional personal information on the shareholders, directors and other
officers that we deem as necessary in order to be compliant with our legal and regulatory requirements.
We record any communications, electronic, by telephone, in person or otherwise, that we have with you in
relation to the services we provide to you and our relationship with you. These recordings will be our sole
property and will constitute evidence of the communications between us. Such telephone conversations
may be recorded without the use of a warning tone or any other further notice, taking into consideration
that consent is not required as per the following information.
It should be noted that we are obliged by Law 87(I)/2017 to keep records of all telephone conversations and
electronic communications that are related to transactions concluded or intended to result in transactions
when dealing on own account and the provision of client order services that relate to the reception,
transmission and execution of client orders.

2. Legal Ground for personal Data processing:
We may process your personal data for one or more lawful bases of processing (“Lawful Basis”) depending
on the specific purpose for which we are using your data.
The Lawful Basis are the following:
– to perform our contractual obligations towards you
– to be compliant with applicable legal and regulatory requirements
– to pursue our legitimate interests
Where our use of your personal information does not fall under one of the abovementioned Lawful Basses,
we will require you to provide your consent. Such consent shall be freely given by you and you will have the
right to withdraw your consent at any time by contacting us using the contact details set out in this privacy
notice or by unsubscribing from email lists.

3. How we use your personal data:
Client information which the Company holds is to be treated by the Company as confidential and will not be
used for any purpose other than in connection with the provision, administration and improvement of the
Services, anti-money laundering and due diligence checks, for research and statistical purposes and for
marketing purposes when express consent has been provided. Information already in the public domain, or
already possessed by the Company without a duty of confidentiality will not be regarded as confidential.
The Company has the right to disclose Client information (including recordings and documents of a
confidential nature, card details) in the following circumstances:

(a) where required by law or a court order by a competent Court.
(b) where requested by CySEC or any other regulatory authority having control or jurisdiction over the
Company or the Client or their associates or in whose territory the Company has Clients.
(c) to government bodies and law enforcement agencies where required by law and in response to
other legal and regulatory requests;
(d) to relevant authorities to investigate or prevent fraud, money laundering or other illegal activity;
(e) where necessary in order for the Company to defend or exercise its legal rights to any court or
tribunal or arbitrator or Ombudsman or governmental authority;
(f) to such an extent as reasonably required so as to execute Orders and for purposes ancillary to the
provision of the Services;
(g) to payment service providers and banks processing your transactions;
(h) to auditors or contractors or other advisers auditing, assisting with or advising on any of our
business purposes, provided that in each case the relevant professional shall
be informed about the confidential nature of such information and commit to the confidentiality herein
obligations as well;
(i) only to the extent required and only the contact details to other service providers who create,
maintain or process databases (whether electronic or not), offer record keeping services, email
transmission services, messaging services or similar services which aim to assist the Company
collect, storage, process and use Client information or get in touch with the Client or improve the
provision of the Services under this Agreement;
(j) to a Trade Repository or similar under the Regulation (EU) No 648/2012 of the European Parliament
and of the Council of 4 July 2012 on OTC derivatives, central counterparties (CCPs) and trade
repositories (TRs) (EMIR).
(k) only to the extent required, to other service providers for statistical purposes in order to improve the
Company’s marketing, in such a case the data will be provided in an aggregate form and
anonymized.
(l) only to the extent required, to market research call centres that provide telephone or email surveys
with the purpose to improve the services of the Company, in such a case only the contact details will
be provided, granted that express consent has been provided.
(m) to anyone authorised by you.
(n) to an Affiliate or introducing broker of the Company or any other company in the same group of the
Company.
(o) to any third-party where such disclosure is required in order to enforce or apply our Terms and
Conditions or other relevant agreements.
(p) to successors or assignees or transferees or buyers, with ten Business Days prior Written Notice to
the Client; this will happen in the event that the Company decides to sell, transfer, assign or novate
to a third party any or all of its rights, benefits or obligations under the Agreement with you or the
performance of the entire Agreement subject to providing 15 Business Days Prior Written Notice to
the Client. This may be done without limitation in the event of merger or acquisition of the Company
with a third party, reorganisation of the Company, winding up of the Company or sale or transfer of
all or part of the business or the assets of the Company to a third party.
(q) Client Information is disclosed in relation to US taxpayers to the Inland Revenue in Cyprus, which will
in turn report this information to the IRS of the US according to the Foreign Account Tax Compliance
Act (FATCA) of the USA and the relevant intergovernmental agreement between Cyprus and the US.

4. The safety of your personal data
Key Way Investments Ltd takes the appropriate measures to ensure a level of enhanced security to protect
any personal data provided to us from accidental or unlawful destruction, loss, alteration, unauthorised
disclosure of, or access to personal data transmitted, stored or otherwise processed.
The Company implements appropriate technical and organisational measures such as data encryption,
access management procedure, clean desk policy, business continuity and disaster recovery, IT systems risk
assessment, physical and logical access segregation, process in case of personal data breach policy, etc.
Additionally, the Company limits access to the Client’s personal data to those employees, agents,
contractors and other third parties who have a business need to know. They will only process the Client’s
personal data on the Company’s instructions and they are subject to a duty of confidentiality.
Your personal data may be stored electronically or in paper form.

5. Automated decision – making and Profiling
In order to perform the contact between us and as required by Law 87(I)/2017 and the relevant Circulars
issued by CySEC, it is requested for the provision of the investment services to you, to assess your knowledge
and experience, your financial situation and investment objectives.
We will fulfil the above requirements through the following tools:
Appropriateness Test: it takes place when you require registering as client of the Company. Hence, we need
to check and ensure that you are suitable for the provision of the Company’s services and products by taking
an appropriateness test in regard to your knowledge, financial background and experience in regards to
financial services. Based on the scoring you receive; you will be informed whether you are eligible to receive
our services and become our Client and the maximum level of leverage you are eligible for. The reason for
assessing your appropriateness is to enable the Company to offer you services suitable for you and act in the
client’s best interest.
The scorings above are monitored by the Company’s Compliance department. During these processes, the
Company takes all the technical and operational measures to correct inaccuracies and minimise the risk of
errors, to prevent any discrimination and to secure personal data of the client.

6. How we treat your personal data for marketing activities and whether
profiling is used for such activities – How to opt out?
We may process your personal data to tell you about products, services and offers that may be of interest to
you or your business. The personal data that we process for this purpose consists of information you provide
to us and data we collect and/or infer when you use our services. This information helps the Company to
improve its services, customise browsing experience and enables it to inform its clients of additional
products, services or promotions relevant to clients. In some cases, profiling is used, i.e. we process your
data automatically with the aim of evaluating certain personal aspects in order to provide you with targeted
marketing information on products.
We can only use your personal data to promote our products and services to you if we have your explicit
consent to do so or, in certain cases, if we consider that it is in our legitimate interest to do so.
Opt out from receiving marketing information:
You have the access and right to opt out at any time:
From your settings of your trading platform, you can contact the Company’s Customer Support Team if any
assistance is needed at +357 22 000 358 or by email at [email protected]; or
By contacting at any time, the Company’s Data Protection Officer to the following e- mail address:
[email protected]
How long we store your personal data for:
We will only retain your personal data for as long as we reasonably require it for legal or business purposes
subject to a maximum of five (5) years, and where requested by the CySEC for a period of up to seven (7)
years, after termination of the Agreement. In determining data retention periods, we take into account local
laws (in the case of Spain and, due to Anti-Money Laundering regulation, this period of time is up to ten (10)
years –art. 25 Law 10/2010), contractual obligations, and the expectations and requirements of our
customers. When we no longer need personal data, we securely delete or destroy it.
For example, we are subject to investment services and anti-money laundering laws which require us to
retain copies and evidence of the actions taken by us in regard to your identity verification, sources of
incomes and wealth, monitoring of your transactions, telephone, chat and email communications, orders
and trades history, handling of your complaints and records that can demonstrate that we have acted in line
with regulatory code of conduct throughout the business relationship. These records must be maintained
for a period of five years after our business relationship with you has ended or even longer if we are asked by
our Regulators.
Where you have opted out of receiving marketing communications, we will hold your details on our
suppression list so that we know you do not want to receive these communications.

7. Transfers of personal data to third countries
Copies of your agreement with us may be transferred to and stored at banking institutions in a destination
outside the European Economic Area (“EEA”). It may also be processed by staff operating outside the EEA
who works for one of our suppliers or Affiliate companies. We will take all steps reasonably necessary to
ensure that where we carry out such transfers this will be made subject to applicable, Cyprus laws and where
required subject to the appropriate safeguards. You may contact the Company in order to be informed of the
appropriate or suitable safeguards (as the case may be).
When we transfer your data to other third parties outside the EEA such transfers will comply with the General
Data Protection Regulation (Regulation EU 2016/679, and hence we may in some cases rely on a Commission
Adequacy decision, or appropriate safeguards (e.g. applicable standard contractual clauses, binding
corporate rules, or any other equivalent applicable arrangements) or other grounds provided by the GDPR.
You may contact the Company in order to be informed of the appropriate or suitable safeguards.

8. Your rights as a data subject
Right of access – you have the right to request from us to provide you with a copy of the personal data that
we hold about you.
Right of rectification – you have a right to request from us to correct the personal data we hold about you
that is inaccurate or incomplete.
Right to be forgotten – you have a right to request from us in certain circumstances to erase your personal
data from our records. In case that these circumstances apply to your case and provided that no exception
to this obligation applies (e.g. where we are obliged to store your personal data in compliance with a legal
obligation under Cypriot or EU law), the Company acting as your controller will erase your personal data
from its records.
Right to restriction of processing – you have a right to request from us where certain conditions apply, to
restrict the processing of your personal data.
Right of portability – you have the right to request from us where certain conditions apply, to have the data
we hold about you transferred to another organisation. Where these conditions apply the Company will
transfer your personal data to another organisation.
Right to object – you have the right to object on grounds relating to your particular situation, to certain types
of processing such as direct marketing or where we are relying on a legitimate interest (or those of a third
party) and there is something about your particular situation which makes you want to object to processing
on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may
demonstrate that we have compelling legitimate grounds to process your information which override your
rights and freedoms.
Right to request the transfer of your personal data to you or to a third party. We will provide to you, or a third
party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note
that this right only applies to automated information which you initially provided consent for us to use or
where we used the information to perform a contract with you.
Right to withdraw consent where we are relying on consent to process your personal data. However, this will
not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw
your consent, we may not be able to provide certain products or services to you. We will advise you if this is
the case at the time you withdraw your consent.
In respect to the aforementioned rights, we will respond to requests for personal data and, where
applicable, will correct, amend or delete your personal data. You can send the relevant request to the
following e-mail address: [email protected]

9. Contacting us about this Policy or making a complaint
If you have any queries about the contents of this Policy or wish to inform us of a change or correction to
your personal data, would like a copy of the data we collect on you or would like to raise a complaint or
comment, please contact us using the details set out below.
Data Protection Officer
E-mail: [email protected]
We try to respond to your request without undue delay and in any case within one month of receipt of the
request. In case that your request takes us longer than one month we will notify you accordingly and keep
you updated. In this respect it should be noted that the information to be provided as a result of exercising
your right shall be provided free of charge. Nonetheless and where requests are manifestly unfounded or
excessive, in particular because of their repetitive character, the Company may either:
charge a reasonable fee taking into account the administrative costs of providing the information or
communication or taking the action requested; or refuse to act on the request
If you are not satisfied with our response to your complaint and/or your request was not handled within the
specified timeframes, you have the right to lodge a complaint with our supervisory authority, the Cyprus
Data Protection Commissioner. Alternatively, you also have the right to lodge a complaint with the data
protection authority of your country of residence.
You can find information about how to contact the Cyprus Data Protection Commissioner on the following
website: http://www.dataprotection.gov.cy