Privacy & Data Protection Notice

Last updated: June 22, 2025

This Privacy & Data Protection Notice (“Notice”) explains how Abra Securities (“we,” “us,” “our”) collects, uses, discloses, retains, and safeguards personal data in connection with our U.S. equities and options trading services, website, and related platforms (collectively, “Services”). By accessing or using our Services, you consent to the practices described herein.

1. Scope & Applicability

1.1 Who Is Covered: This Notice applies to all individuals whose personal data we process, including prospective, current, and former clients, website visitors, and service partners.
 1.2 Territorial Scope: We process data in compliance with applicable data protection laws, including the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR) for EU/EEA data subjects, and other local privacy requirements.

2. Definitions

• Personal Data: Any information relating to an identified or identifiable natural person (e.g., name, email, IP address).
• Processing: Collection, recording, organization, storage, alteration, retrieval, use, disclosure, or erasure of Personal Data.
• Data Subject Rights: Rights granted to individuals under applicable law (e.g., access, correction, deletion).

3. Categories of Personal Data Collected

3.1 Client Onboarding & KYC

• Identity Data: name, date of birth, government ID numbers, passport, driver’s license.
• Contact Data: residential/mailing address, email, phone number.
• Corporate Data (for entities): registration numbers, beneficial owner information, corporate structure.

3.2 Transactional & Account Data

• Trading Records: orders placed, executed trades, volumes, prices.
• Financial Data: bank account details, brokerage account numbers, margin/credit limits.
• Performance Data: P&L reports, statements, margin calls.

3.3 Usage & Technical Data

• Device Data: IP address, browser type/version, operating system.
• Platform Activity: login/logout timestamps, feature usage logs, API call records.
• Cookie Data: identifiers, session tokens, preference settings.

3.4 Communications Data

• Correspondence: emails, chat transcripts, call recordings (where permitted).
• Support Requests: inquiry details, attachments, resolution logs.
  
  

4. Purposes & Legal Bases for Processing

Purpose	Legal Basis (GDPR)	CCPA Basis
Client onboarding & KYC/AML compliance	Legal obligation; legitimate interest	“Business purpose” necessity
Trade execution & account management	Contract performance; legitimate interest	“Business purpose” necessity
System security & fraud prevention	Legitimate interest; legal obligation	“Business purpose” necessity
Customer support & communications	Contract performance; legitimate interest	“Business purpose” necessity
Marketing & product updates	Consent (where required); legitimate interest	“Opt-in” for marketing
Analytics & platform improvement	Legitimate interest	“Business purpose” necessity
Legal & regulatory reporting	Legal obligation	“Legal compliance”

5. Data Sharing & Disclosure

5.1 Service Providers & Vendors

• We share Personal Data with third-party processors for KYC verification, payment/settlement services, data hosting, and analytics, under strict contractual data-privacy obligations.

5.2 Affiliates & Agents

• Within the Abra group, data may be shared for risk management, compliance oversight, and consolidated reporting.

5.3 Regulators & Authorities

• We disclose required data to FINRA, SEC, CFTC, IRS, or other governmental bodies for lawful reporting and investigations.

5.4 Legal Requests & Protections

• Personal Data may be disclosed in response to a lawful subpoena, court order, or to defend our legal rights, subject to applicable notice requirements.

5.5 Business Transfers

• In the event of a merger, acquisition, or sale of assets, Personal Data may be transferred to a successor entity, subject to this Notice and applicable law.

6. International Data Transfers

6.1 Cross-Border Transfers

• We may transfer Personal Data to jurisdictions outside your country of residence, including the U.S., Turkey, UAE, or other partner regions.

6.2 Safeguards

• Transfers are protected by one of the following mechanisms:
  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Binding Corporate Rules (BCRs) for intra-group transfers.
  • Adequacy decisions where recognized.

7. Data Retention & Deletion

7.1 Retention Periods

• We retain onboarding and KYC records for a minimum of seven years after account closure or relationship termination, in compliance with AML/CFT laws.
• Transactional data and trade records are retained for at least five years or longer if required by applicable law.
• Usage logs and analytics data are retained for up to two years for performance tuning and fraud detection.

7.2 Deletion & Anonymization

• Upon request and where no legal hold applies, we will delete or anonymize Personal Data within 30 days of verified deletion requests.

8. Data Subject Rights

8.1 Access & Portability

• You may request a copy of your Personal Data in a structured, machine-readable format.

8.2 Correction & Rectification

• If your Personal Data is inaccurate or incomplete, you may request correction.

8.3 Deletion (“Right to be Forgotten”)

• Subject to legal exceptions, you may request erasure of your Personal Data.

8.4 Restriction of Processing

• You may request limits on processing where accuracy is contested or processing is unlawful.

8.5 Objection to Processing

• You may object to processing based on legitimate interests or for direct marketing purposes; we will cease processing unless we demonstrate compelling legitimate grounds.

8.6 Withdraw Consent

• Where processing is based on consent, you may withdraw consent at any time without affecting prior lawful processing.

8.7 How to Exercise Rights

• Submit requests via email to privacy@abrasecurities.com. We will respond within 30 days in accordance with applicable law.

9. Data Security Measures

9.1 Technical Controls

• Encryption at rest (AES-256) and in transit (TLS 1.2+).
• Multi-factor authentication for all user and administrative access.
• Network segmentation, firewalls, and intrusion detection/prevention systems.

9.2 Organizational Controls

• Role-based access control (least privilege).
• Annual security awareness training for all staff.
• Regular vulnerability assessments, penetration tests, and third-party audits.

9.3 Incident Response

• Data breaches or security incidents impacting Personal Data are managed under our Incident Response Protocol. Affected individuals and regulators will be notified within applicable timelines (e.g., 72 hours under GDPR).

10. Cookies & Tracking Technologies

10.1 Essential Cookies

• Necessary for platform functionality (session management, security tokens).

10.2 Performance & Analytics Cookies

• Used to analyze site usage and improve user experience. May be disabled via browser settings.

10.3 Marketing & Social Media Cookies

• Employed for personalized marketing; processed only with user consent.

10.4 Cookie Management

• A cookie banner allows you to accept or decline non-essential cookies. Detailed cookie list and management instructions are available in our Cookie Policy.

11. Children’s Privacy

• Our Services are intended for institutional clients and qualified entities. We do not knowingly collect Personal Data from individuals under 18 years of age. If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@abrasecurities.com.

12. Changes to This Notice

• We may update this Notice to reflect changes in law, technology, or business practices. The “Last updated” date at the top indicates the effective version. Material changes will be communicated via email or platform notification prior to implementation.

13. Contact Information

For questions, concerns, or to exercise your data subject rights, please contact:
Email: info@abrasecurities.com

---

By using Abra Securities’ Services, you acknowledge that you have read, understood, and agreed to this Privacy & Data Protection Notice.