Privacy Notice
How we handle your data
TEMPLATE — bracketed items must be completed and this notice reviewed before real members are admitted.
1. Who we are
[BROKER LEGAL NAME] [(company number [______])] of [registered address] (“we”, “us”) operates the Blind Exchange platform, a private, invitation-only marketplace. We are the data controller for the personal data described in this notice. Contact: [privacy contact email].
2. What we collect
Account and identity data: your name, company, email address, and the identity and verification (KYC) information you provide or we obtain during checks.
Transaction data: offers, counter-offers, deals, messages sent through the platform, and documents you upload to a deal room.
Technical and security data: sign-in events, IP addresses, device information, page and image access logs, watermark attribution data, and the record of your acceptance of the Member Terms (version, time, IP address).
3. Why we process it and our lawful bases
To operate your membership and the platform (performance of a contract): account management, showing you listings, handling offers, deals, messaging and documents.
To meet our legal obligations (legal obligation): identity verification, anti-money laundering and sanctions checks, record-keeping, and any reports we are required to make to authorities.
To protect the platform and its participants (legitimate interests): security monitoring, access logging, watermarking and leak attribution, fraud prevention, and enforcing the Member Terms including the confidentiality and non-circumvention provisions.
4. Who we share it with
Service providers who host and support the platform ([hosting, database, email providers]), acting under contract on our instructions.
Identity-verification providers, where used for KYC checks.
Professional advisers, and courts, regulators or law-enforcement authorities where the law requires or permits it — including reports under anti-money laundering laws.
We do not sell personal data, and we never disclose a member’s identity to other members. Seller identities are likewise never disclosed to members.
5. How long we keep it
Account and transaction records: for the life of your membership and for [6] years afterwards, to cover limitation periods and the defence of disputes.
KYC and anti-money laundering records: at least [5] years after the end of the business relationship, as required by law.
Security and access logs: [12–24] months, unless needed longer for an investigation.
6. Your rights
Under the UK GDPR you have rights of access, rectification, erasure, restriction, portability and objection, subject to the exemptions that apply to legal-compliance records. To exercise them, contact [privacy contact email]. You can complain to the Information Commissioner’s Office (ico.org.uk) if you are unhappy with our response.
7. International transfers and security
Data is hosted with [hosting provider(s) and region(s)]. Where data leaves the UK, we rely on adequacy regulations or the appropriate safeguards required by the UK GDPR.
Access to the platform requires two-factor authentication; data is encrypted in transit; media is served through short-lived signed links; and access is restricted by role-based rules enforced in the database.
8. Changes
We will post any changes to this notice here and, where the changes are material, notify members by email. Last updated: [date].