Introduction
North Crest Group ("North Crest", "we", "us", "our") is the trading name used by a group of affiliated companies that operate the website northcrestgroup.com and provide online trading in contracts for difference (CFDs) on forex, indices, commodities, shares and cryptocurrencies. This Privacy Policy explains how we collect, use, disclose and protect personal data when you visit our website, open a demo or live account, or otherwise interact with our services.
The website is owned and operated by North Crest Capital Holdings Ltd, with its registered office at Suite 4, Maeva Plaza, Pope Hennessy Street, Port Louis 11328, Mauritius. Trading services are provided by the operating entity that contracts with you, which depends on your country of residence: North Crest Securities (Pty) Ltd, authorised by the Financial Sector Conduct Authority of South Africa (FSP 53197); North Crest Capital Markets Ltd, authorised by the Cyprus Securities and Exchange Commission (licence 412/22); North Crest International Ltd, authorised by the Financial Services Commission of Mauritius (licence GB22200851); and North Crest Global Ltd, authorised by the Mwali International Services Authority, Comoros (licence T2023123).
For the purposes of data protection law, North Crest Capital Holdings Ltd and the operating entity that contracts with you each act as a controller of your personal data: the holding company in respect of the website and group-wide systems, and your contracting entity in respect of your client relationship. Where your contracting entity is North Crest Capital Markets Ltd, the EU General Data Protection Regulation (GDPR) applies to the processing of your personal data; in other jurisdictions, local data protection legislation applies. We apply GDPR-grade standards across the group as a common baseline.
This policy should be read together with our Cookie Policy and the Terms of Service that govern your account. If you do not agree with the way we handle personal data as described here, you should not use our services.
Information We Collect
We collect information you provide directly to us when you register, verify your identity, fund your account, trade or contact support. This includes identity and contact data (full name, email address, telephone number, postal address, date of birth, nationality, country of residence and tax residency), and the verification documents we are legally required to obtain before you can trade with real funds, such as a government-issued identity document, proof of address and, where used, a verification photograph processed through our identity-verification provider.
Because we are regulated financial services firms, we also collect financial and suitability information: your employment status, the source of the funds and wealth you intend to trade with, indicative income and net-worth ranges, your prior trading experience, and the payment details used to deposit to and withdraw from your account. Once your account is open, we maintain a full record of your trading activity, including orders, executions, open and closed positions, account balances, deposits and withdrawals.
When you use the website or trading platform we collect technical data automatically: IP address, device and browser type, operating system, language settings, pages viewed, timestamps, approximate location derived from your IP address, and cookie or similar identifiers as described in the Cookies and Tracking section below. We also keep records of our communications with you, including support chats, emails and, where applicable regulation requires it, recordings of telephone conversations relating to your account or orders.
Finally, we receive information about you from third parties we are required or entitled to use: identity-verification and fraud-prevention providers, sanctions and politically-exposed-person screening services, payment service providers and, where permitted, publicly available sources. If you open a demo account only, we collect a reduced data set, typically your name, email address and telephone number, together with technical data about your use of the platform.
How We Use Your Information
We process personal data only where we have a legal basis to do so, and for each purpose we rely on one of the following grounds.
To perform our contract with you, we use your data to open and administer your account, verify your identity, execute and settle your orders, process deposits and withdrawals, provide the trading platform and respond to your support requests. Without this processing we cannot provide the service at all.
To comply with our legal obligations, we use your data to carry out know-your-client checks, anti-money-laundering and counter-terrorist-financing screening, sanctions checks, appropriateness assessments, transaction and regulatory reporting to the supervisory authorities of our operating entities, statutory record-keeping, and the recording of communications where the rules of the relevant regulator require it. These obligations apply across the group and cannot be waived at your request.
In our legitimate interests, we use personal data to secure the platform and detect fraud and abuse, to monitor and improve the performance of our services, to produce aggregated and de-identified analytics, and to establish, exercise or defend legal claims. Where we rely on legitimate interests we balance them against your rights, and you may object as described in the Your Rights section.
With your consent, we send you direct marketing about our products and services; you can withdraw that consent at any time without affecting the lawfulness of earlier processing.
North Crest does not provide investment advice, and we do not use your personal data to generate personal investment recommendations. Parts of our identity-verification and fraud-screening processes are automated; where the law gives you the right to human review of a decision based solely on automated processing, you may request it via privacy@northcrestgroup.com.
Information Sharing
We do not sell personal data. We share it only where this policy describes, under contractual or legal safeguards.
Within North Crest Group, personal data is shared between North Crest Capital Holdings Ltd and the regulated operating entities listed in the Introduction, to the extent needed to operate shared systems, route you to the correct contracting entity for your country of residence, meet group-wide compliance obligations and provide consistent support. Intra-group sharing is governed by a group data-transfer arrangement that applies a common standard of protection.
We engage carefully selected service providers who process data on our behalf and only on our documented instructions: identity-verification and screening providers, payment service providers and banking partners, cloud hosting and IT infrastructure suppliers, communications and customer-support tooling, and analytics providers. Each is bound by contract to confidentiality and to security obligations consistent with this policy.
We disclose personal data to the regulators and supervisory authorities of our operating entities, to tax authorities, to our external auditors and professional advisers, and to law enforcement agencies or courts where disclosure is required by applicable law, regulation or legal process, or is necessary to protect the rights, property or safety of North Crest, our clients or others. If we are involved in a merger, acquisition, restructuring or sale of assets, personal data may be transferred to the counterparty under confidentiality obligations, and we will inform you of any resulting change of controller.
Data Security
We implement technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, loss or destruction. These include encryption of data in transit and of sensitive records at rest, role-based access controls so that staff see only the data their role requires, multi-factor authentication on internal systems, network segregation, continuous logging and monitoring, due diligence over service providers, regular staff training and documented incident-response procedures.
If a personal data breach occurs that is likely to result in a risk to your rights, we will notify the competent supervisory authority and, where the risk is high, notify you directly, in each case within the timeframes required by applicable law.
No method of transmission over the internet or of electronic storage is completely secure, and we cannot guarantee absolute security. You play a part too: keep your account credentials confidential, enable the security features we offer, and contact support@northcrestgroup.com immediately if you suspect unauthorised access to your account.
Data Retention
We keep personal data for as long as your relationship with us lasts and afterwards for as long as we are required or permitted to keep it. The governing periods come primarily from anti-money-laundering, financial-services and tax legislation in the jurisdiction of your contracting entity: client identification records, transaction records and account documentation are typically retained for five to seven years after the relationship ends, and longer where a specific law, regulator request, investigation or legal claim requires it.
Recorded communications are retained for the periods prescribed by the rules of the relevant regulator. Data processed on the basis of your consent, such as marketing preferences, is kept only until you withdraw consent. Technical and analytics data is retained for shorter operational periods or held in aggregated form that no longer identifies you.
When a retention period expires, we delete the data or irreversibly anonymise it. Because most of our retention obligations are statutory, we cannot delete regulatory records earlier on request, even if you close your account; this is explained further in the Your Rights section.
Your Rights
Depending on your country of residence and the entity you contract with, you have rights over your personal data. Where the GDPR applies, and as a baseline standard we apply across the group, these include: the right of access to the personal data we hold about you and to information about how we process it; the right to rectification of inaccurate or incomplete data; the right to erasure of data we no longer have a legal basis to keep; the right to restriction of processing in certain circumstances; the right to data portability, meaning a copy of the data you provided to us in a structured, commonly used, machine-readable format; the right to object to processing based on legitimate interests and, at any time, to processing for direct marketing; and the right to withdraw consent where processing is based on consent.
To exercise any of these rights, contact privacy@northcrestgroup.com. We will verify your identity before acting on a request, and we respond within one month, or any different period applicable law allows for complex requests, in which case we will tell you and explain why.
These rights have limits. In particular, we cannot erase or restrict data we are legally required to retain, such as identification and transaction records held under anti-money-laundering law, and objection does not apply to processing we carry out to meet legal obligations. If you are dissatisfied with our response, you have the right to lodge a complaint with the data protection supervisory authority in your country of residence or in the jurisdiction of your contracting entity.
Children's Privacy
Our website and services are intended for adults and are not directed at anyone under the age of 18. We do not knowingly collect personal data from minors, and our account-opening process includes mandatory date-of-birth and identity verification specifically so that a live trading account cannot be opened by anyone under 18.
If you believe that a person under 18 has provided personal data to us, contact privacy@northcrestgroup.com. If we confirm that we hold data collected from a minor, we will close any associated account and delete the data, except where a law requires us to retain a record of the event.
International Data Transfers
North Crest Group operates through entities in South Africa, Cyprus, Mauritius and Mwali (Comoros), and uses service providers that may store or process data in other countries. Your personal data may therefore be transferred to, and maintained in, jurisdictions other than your own, where data protection laws may differ from those of your country of residence.
Wherever your data travels within the group or to our providers, it remains protected by this policy and by the safeguards we put in place. For personal data subject to the GDPR, we transfer data outside the European Economic Area only on the basis of an adequacy decision or appropriate safeguards such as the European Commission's standard contractual clauses, supplemented where necessary by additional technical and organisational measures. Transfers between group entities are governed by an intra-group data-transfer arrangement applying an equivalent standard.
You can request information about the safeguards applied to a specific transfer, including a copy of the relevant contractual clauses where applicable, by contacting privacy@northcrestgroup.com.
Changes to This Privacy Policy
We review this Privacy Policy regularly and update it when our processing, our group structure or the law changes. The version published on this page is the version in force, and each update is identified by its effective date shown alongside the policy.
If we make a material change, such as processing data for a new purpose, sharing it with a new category of recipient or changing your contracting entity, we will give you advance notice by email or through a prominent notice on the website or trading platform before the change takes effect. We encourage you to review this page periodically; your continued use of our services after an updated version takes effect constitutes acknowledgement of the updated policy. Nothing in any update reduces your rights under applicable data protection law.
Contact Us
Questions, requests and complaints about this Privacy Policy or about how we handle your personal data should be addressed to privacy@northcrestgroup.com. This mailbox is monitored by the team responsible for data protection across North Crest Group, and it is the fastest route for exercising the rights described in this policy.
You can also write to us at: North Crest Capital Holdings Ltd, Suite 4, Maeva Plaza, Pope Hennessy Street, Port Louis 11328, Mauritius. For general account or platform questions unrelated to privacy, contact support@northcrestgroup.com.
If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the data protection supervisory authority in your country of residence or in the jurisdiction of the North Crest entity you contract with. We would, however, appreciate the chance to resolve the matter directly first.