We are delighted about your interest in our services and take your privacy very seriously. This data protection policy sets out and explains the nature, scope and purpose of the processing of personal data ("data") through the services and presence of AYA Markets Ltd and the related websites (e.g., www.ayamarkets.com or social/info network websites), features, content, business processes and external offline and online services (all of which are referred to herein as “service(s)”).
Categories of affected persons (data subjects)
Users, visitors, interested parties, clients and business partners of AYA’s services (in this policy all categories are referred to as "users")
Categories of processed data
Inventory data (e.g., name, postal address), contact details (e.g., email address, telephone number), identity details, content data (e.g., submitted or transmitted texts, photographs, videos or other content), usage data (e.g., visited websites, content-related interests, time and duration of access), metadata and communication data (e.g., information about accessing devices, type of browser, IP addresses),
as well as business-related processing
contract data (e.g., commencement of contract, duration, subject matter of the contract, preferred means of communication), payment details (bank details, currency, payment history)
Purposes of data processing
- Provision, maintenance and optimisation of the services including their functions and content
- Answering contact and support requests and communicating with users
- Security and integrity
- Marketing and determination of reach
- Additional business-related contract fulfilment, provision of services, customer care as well as marketing, advertising and market research
Legal bases and terms
In accordance with the requirements of Art. 13 GDPR, we are informing you of the legal bases of our data processing. If the legal basis is not mentioned in this data protection policy, the following applies:
As far as permissible, AYA uses the data processing of cookies and so-called tracking (analysis of visitor behaviour, measurement of reach, among other things) with regard to the users, in return for the services we provide free of charge, including support.
The legal basis for obtaining consent is Art. 6 (1)(a) and Art. 7 GDPR; the legal basis for the processing of data for the performance of our services and the execution of contractual measures as well as the response to inquiries is Art. 6 (1)(b) GDPR. The same applies to processing operations that are necessary to carry out pre-contractual measures, such as in cases of inquiries about our services or the utilisation of the test phases. The legal basis for processing in order to comply with our legal obligations is Art. 6 (1)(c) GDPR; the legal basis for processing in order to protect our legitimate interests is Art. 6 (1)(f) GDPR. Art. 6 (1)(d) GDPR serves as the legal basis where vital interests of the affected person or of another natural person make the processing of personal data necessary.
is the natural or juridical person, authority, agency or other body that, alone or together with others, decides on the purposes and means of processing personal data
is a natural or juridical person, authority, agency or body other than the affected person, the responsible person, the order processor and the persons authorised under the direct responsibility of the responsible person or the order processor, to process the personal data
- Personal data
refers to all information that is about an identified or identifiable natural person (hereinafter "the affected person"); a natural person is considered to be identifiable, directly or indirectly, particularly through association with an identifier such as a name, an identification number, location data, an online identifier (e.g., a cookie) or one or more special features, which can identify the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person
is any process or series of operations related to personal data carried out with or without the assistance of automated processes; this term is extensive and includes practically every manner of handling data
refers to all kinds of automated processing of personal data which consists of using that personal data to evaluate certain personal aspects about a natural person, in particular to analyse or predict aspects relating to work performance, economic situation, health, personal preferences, interests, reliability, behaviour, whereabouts or location of this natural person
refers to the processing of personal data in such a manner that personal data can no longer be ascribed to a specific data subject (affected person) without the need for additional information, provided that such additional information is kept separate and subject to technical and organisational measures, which ensure that the personal data cannot be ascribed to an identified or identifiable natural person
- Order processor
is a natural or juridical person, authority, agency or other body that processes personal data on behalf of the responsible person
refers to a voluntary statement from the affected person, in an informed and unequivocal manner, in the form of a declaration or other unambiguous confirmatory act expressing that this person agrees to the processing of the personal data concerning him/her
Affected persons (data subjects) have the right…
... to revoke their consent according to Art. 7 (3) GDPR with effect in the future (right of revocation).
... to object to future processing of the data concerning them according to Art. 21 GDPR at any time (right of objection). The objection can particularly be made against processing for direct marketing purposes.
... to request a confirmation as to whether relevant data is being processed and to information about this data, as well as to further information and a copy of the data in accordance with Art. 15 GDPR.
... to demand the completion of the data concerning them or the correction of the incorrect data, in accordance with Art. 16 GDPR.
... to demand that relevant data be deleted immediately according to Art. 17 GDPR or, alternatively, according to Art. 18 GDPR, to demand limitation of the data being processed.
... to receive the data concerning them, which they provided to us, in accordance with Art. 20 GDPR and to request its transmission to other responsible persons.
... to make a complaint with the responsible supervisory authority pursuant to Art. 77 GDPR.
Duration of storage, deletion of data
The data processed by us is deleted or limited in accordance with Art. 17 and Art. 18 GDPR. Unless expressly stated in this data protection policy, the data stored by us is deleted as soon as it is no longer necessary for its purpose and the deletion does not conflict with any statutory storage requirements. If the data is not deleted because it is required for other legitimate purposes, the processing thereof is limited. In these cases, the data is blocked and not processed for other purposes. This is the case, for example, with data that must be kept in order to comply with commercial, tax or real estate law.
Cooperation with externals and transfer/transmission to third countries
If we disclose data to external persons or companies (order processors or third parties), transmit data to third parties or otherwise grant others access to the data, this is done only on the basis of legal permission (e.g., transmission of data to a payment service provider in accordance with Art. 6 (1)(b) GDPR for fulfilment of the contract), if the affected person has given his/her consent, if there is a legal obligation to do so or on the basis of our legitimate interests or those of the external party. The processing of data by third parties on our behalf, based on a so-called processing contract, takes place in accordance with Art. 28 GDPR.
If we process data outside of the European Union (EU) or the European Economic Area (EEA), or if we utilise third-party services or disclose or transmit data to third parties, this will only be done if it is necessary to fulfil our (pre)contractual obligations, on the basis of your consent, due to a legal obligation or if it is justified based on our legitimate interests. Subject to legal or contractual permission, we only process or have the data processed in a third country if the special conditions of Art. 44 et seqq. GDPR are complied with. Specifically, processing takes place, for example, based on specific guarantees, such as the officially recognised level of data protection (implemented for the USA by the "Privacy Shield") or the compliance with officially recognised special contractual obligations ("standard contractual clauses").
Data processing regarding contractual relationships
AYA enters into a variety of contractual and pre-contractual relationships. These include contractual relationships with contractual partners such as customers and ordering parties, but also with interested parties and other users (collectively "contractual partners"). We process the data of our contractual partners in accordance with Art. 6 (1)(b) GDPR in order to fulfil our contractual or pre-contractual services. The processed data itself, the nature, the scope, the purpose and the necessity of its processing are determined by the underlying contractual relationship.
The processed data includes the master data of the contractual partner (among others, name, address), contact details (among others, address, email address, telephone number), as well as contract data (among others, services utilised, content of the contract, contractual communication, name of a contact person) and payment data (bank details, payment history, etc.). In principle, we do not process any special categories of personal data, except when these are part of contracted or contractual processing.
We process data required for the establishment and fulfilment of the contractual services. We hereby point out the necessity of the indication, insofar as this is not obvious to the contractual partner. Disclosure to external persons or companies will only take place if this is necessary to fulfil the contract or service. When processing the data provided to us through an order, we act in accordance with the instructions of the client and the legal requirements.
When utilising our services, we can store the IP address and the time of the respective action of the user. The storage takes place based on our legitimate interests as well as the interests of the users with regard to protection against misuse and other unauthorised use. In principle, this data will not be disclosed to third parties unless this is necessary in order to pursue our claims pursuant to Art. 6 (1)(f) GDPR, or there is a legal obligation pursuant to Art. 6 (1)(c) GDPR. The data will be deleted if it is no longer required to fulfil contractual or statutory duties of care and any warranty, consumer protection or similar obligations. For this purpose, the necessity of keeping the data is reviewed every three years. Furthermore, legal storage obligations apply.
Hosting, log files, email dispatch
The hosting services we utilise are necessary to provide the following services: infrastructure and application services, computing and storage capacity, database services, email dispatch, as well as security and technical maintenance services, which we implement to operate our services.
In doing so, we, or if applicable our hosting providers, process inventory data, contact details, content data, contract data, usage data, meta and communication data of clients, interested parties and visitors of our service on the basis of our legitimate interests in the efficient and secure provision of our services in accordance with Art. 6 (1)(f) GDPR in conjunction with Art. 28 GDPR (conclusion of processing contract). Our website is hosted by Amazon Web Services (AWS).
For the possible processing of data in this context, there is a corresponding order processing contract to ensure data protection. We, or our hosting provider, collect data on the basis of legitimate interests in line with Art. 6 (1)(f) GDPR about every access to the server on which this service is located (so-called server log files). Access data includes the name of the visited website, file, date and time of visit, amount of data transferred, information about successful retrieval, browser type and version, user's operating system, referrer URL (previously visited page), IP address and the requested provider. A further basis for data processing in the corresponding case is Art. 6 (1)(b) GDPR, which allows the processing of data to fulfil contractual or pre-contractual measures. Log file information is used for security reasons, for example to investigate misuse or fraud, and is stored for a maximum of 7 days and deleted thereafter. Data whose further retention is required for evidential purposes shall be exempted from deletion until final clarification of the event.
Registration function, verification
Users have the possibility to create an account. Upon registration, the required mandatory information is communicated to users and processed based on Art. 6 (1)(b) GDPR for purposes of providing the account or to provide the service itself. The processed data includes, in particular, the login information (email address, password, country). This data, as well as other data entered during or after registration, will be used for the purpose of providing the account and the use of related services. A legally required verification requires the collection and proof of name, address, date of birth and in the case of legal entities beyond that.
The users can be informed by email about information that is related to their account or the booked service (e.g., technical changes, news). As soon as users have cancelled their account, or the term has expired, their data concerning the account will be deleted, subject to legal storage obligations or our legitimate interests. It is the users’ responsibility to back up their data before the end of the contract. We are entitled to irretrievably delete all user data stored during the contract duration.
When using our registration and login functions, as well as the account usage and verification, we store the IP address and the time of the corresponding action of the user. This storage is based on our legitimate interests and on the interest of the user’s protection against misuse and other unauthorised use. Disclosure of this data to third parties generally does not take place unless it is necessary to pursue our claims or there is a legal obligation in accordance with Art. 6 (1)(c) GDPR. IP addresses are anonymised or deleted after 7 days at the latest.
When contacting us (e.g., by contact form, email, telephone or on social networks), the user’s information is processed for the purpose of processing the request in accordance with Art. 6 (1)(b) GDPR (pre-contractual and contractual relationships) and Art. 6 (1)(f) GDPR (other inquiries). User information can be stored in a Customer Relationship Management (CRM) system or a similar organisational system to optimise contact. We delete the contact inquiries if it is no longer necessary to keep them. We check the necessity every two years. In all other cases, juridical archiving obligations apply.
What follows is the explanation of the content of our regular (approximately weekly) newsletter, as well as the registration, sending and statistical evaluation procedure, as well as the right of objection. By subscribing to our newsletter, you consent to the receipt and the procedures described.
Content of the newsletter:
We only send newsletters, emails and other electronic notifications with advertising information (hereinafter "newsletter") with the consent of the recipient or legal permission. Insofar as the contents of a newsletter are concretely outlined, they are essential for the consent of the users. In addition, our newsletters contain information about our services and our company itself.
Double opt-in and logging:
Registration for our newsletter is made using the double-opt-in method, if legally necessary. After registration, an email is sent asking for confirmation of the registration. This confirmation is necessary so that nobody can register with email addresses that are not their own. The registration for the newsletter will be logged to prove the registration process in line with legal requirements. This includes storing the login and confirmation times and the IP address. Likewise, changes to your data stored with the mailing provider will be logged.
To register for the newsletter, it is sufficient to enter your own correct email address. We sometimes also ask for the name, so that it is possible to personally address the individual or in connection with a further contact request.
The dispatch of the newsletter and the associated performance measurement are based on the consent of the recipients in accordance with Art. 6 (1)(a) and Art. 7 GDPR in conjunction with § 7 (2)(3) UC. Otherwise, if consent is not required, based on our legitimate interests in direct marketing pursuant to Art. 6 (1)(f) GDPR in connection with § 7 (3) UC.
Logging of the application is based on our legitimate interests in line with Art. 6 (1)(f) GDPR. Our interest lies in the application of a user-friendly and secure newsletter process that serves our business interests and meets the expectations of our users. In addition, proof of consent should be possible for us.
Termination or revocation (cancellation, deregistration):
You can cancel the receipt of our newsletter at any time, in other words, revoke your consent. An unsubscribe link to cancel the newsletter can be found at the end of every newsletter. Alternatively, a corresponding message to the contact person specified in our imprint is sufficient. We can save the email addresses for up to three years based on our legitimate interests before we delete them, in order to be able to prove prior consent. The processing of this data is limited to the purpose of a possible defence against claims. An individual request for cancellation is possible at any time, if prior existence of consent is confirmed at the same time.
Performance measurement of newsletters
The newsletters contain a so-called Web-Beacon. This is a pixel-sized file which is retrieved from our server, or from the server of a mail service provider, when you open the newsletter. Upon retrieval, technical information, for example information about the browser and the computer system, as well as your IP address and the time of retrieval are collected. This information is used for the technical improvement of the services based on the technical data, or on the target groups and their reading behaviour as derived from the retrieval locations (which can be determined with the help of the IP address) or the access times. Statistical surveys also include determining if the newsletters were opened, when they were opened, and which links were clicked on. Although this information can be technically ascribed to the individual recipients, there is no intention on our part or the mail service providers to monitor individual recipients. Instead, the evaluations serve to identify the reading habits of the recipients and to adapt our content to suit these habits or to send different content according to the interests of the recipients. A separate revocation of the performance measurement is not possible. In order to do this, the newsletter itself would have to be cancelled.
Cookies, right to object to direct advertising
A cookie is a small file that is stored on a user’s computer. Different information can be stored within the cookie. A cookie is primarily used to store information about a user or the device during and after the user’s visit to an online service. A temporary cookie, session cookie, or transient cookie is a cookie that is deleted after a user leaves an online service and closes the browser. In a cookie of this nature, the login status or subscription status can be stored. A cookie is referred to as permanent or persistent when it remains in storage even after the browser has been closed. This allows, for example, the login status to be saved when users return to the online service after a few days. Likewise, such cookies may store the interests of the users, which are used to establish the reach or for marketing purposes. Third-party cookies are cookies that are offered by providers other than the provider responsible for running the online service. A cookie set by the responsible provider is referred to as a first-party cookie. We can use temporary and permanent cookies and explain this in this data protection policy. If users do not want cookies to be stored on their computers, they can use the appropriate option in the system settings of the browser to disable this process. Saved cookies can be deleted in the system settings of the respective browser. The exclusion of cookies can lead to functional limitations of this service.
Incorporation of third-party services and contents
Within our service, based on our legitimate interests in the analysis, optimisation and economic operation of our services in line with Art. 6 (1)(f) GDPR, we incorporate third-party content or service offers into our content and services (hereinafter "content"). This always presupposes that the third-party providers of this content detect the IP addresses of the users, since they would not be able to send the content to the users' browsers without the IP address. The IP address is therefore required for the presentation of this content. We make a concerted effort to only use content whose respective providers solely use the IP address for the delivery of content. Third parties may also use so-called Pixel-Tags (invisible graphics, also referred to as Web-Beacons) for statistical or marketing purposes. The Pixel-Tags can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may include, among other things, technical information about the browser and operating system, referring web pages, visiting time, and other information regarding the use of our services.
Our presence on social networks and information platforms
We are present on social networks and platforms in order to communicate with (potential) clients, interested parties, business partners and users, and to inform them about our services there.
Hence, data of users outside of the European Union can thereby be processed. This may result in risks for the users. For example, the enforcement of user rights could be made more difficult. Regarding US providers, who are certified under the Privacy Shield, we would like to note that they are committed to upholding the EU's data privacy standards.
Furthermore, user data is regularly processed for market research and advertising purposes. Thus, for example, user profiles can be created from the user behaviour and recognisable interests of the users. These user profiles may be used to place advertisements or the like within and outside the networks, which may be in the interests of the users. For this purpose, cookies are usually stored on the computers of the users, in which the user behaviour and the interests of the users are stored. In addition, the user profiles can also store data independently of the devices used by the users. This happens, in particular, when the users are members of the respective social network and are logged in.
The processing of users' personal data takes place in accordance with our legitimate interests in effectively informing users and communicating with users in accordance with Art. 6 (1)(f) GDPR. If users of a social network provider are asked to consent to data processing, the legal basis for processing is Art. 6 (1)(a) and Art. 7 GDPR.
We would like to take the opportunity to refer to the statements of the providers of the following networks. The links contain a detailed description of the respective processing and the objection options.
In the case of requests for information and the assertion of user rights, these can be most effectively asserted with the relevant providers because only the providers have the required access to the user data and can immediately implement measures or provide information. Furthermore, we are always available as a contact should you require information.
Protection and security measures
In accordance with Art. 32 GDPR, AYA takes into account the state of the art, the costs of implementation, and the type, scope, circumstances and purposes of processing, as well as the different probabilities of occurrence and severity of the risk to the rights and freedoms of natural persons, and implements appropriate technical and organisational measures to ensure a level of protection appropriate to the risk. This includes, above all, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data and controlling access, input, disclosure, security of availability and separation of such data. In addition, there are procedures that ensure the observance of data subject rights, data deletion and responses to data threats. Furthermore, according to Art. 25 GDPR, the protection of personal data is already taken into account in the development and selection of hardware, software and procedures, in accordance with the principle of data protection through the design of technology and privacy-friendly default settings.
AYA Markets Ltd, Bonovo Road, Fomboni, Island of Mohéli, Comoros Union
AYA Markets (Comoros) Ltd, Bonovo Road – Fomboni, Island of Mohéli – Comoros Union, is incorporated under registered number HY00423002 and licensed by the Mwali International Services Authority, Island of Mohéli as an International Brokerage and Clearing House under License number T2023263.