Privacy Notice

Monex Europa S.L. ('we', 'our' or 'us') may process certain personal data about you, depending on the scope of your specific relationship with us. This processing of personal data is regulated under the General Data Protection Regulation (2016/679) (the 'GDPR') of the European Parliament and of the Council of 27 April 2016, the e-Commerce Directive (2000/31/EC) and the e-Privacy Directive (2002/58/EC), which all apply across the European Union, as well as any national implementations, including the Spanish Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights, the Spanish Law 34/2002 of 11 July on Information Society Services and Electronic Commerce, and the Spanish Royal Decree-Law 13/2012 of 30 March (together, the 'Data Protection Laws'). We are responsible as 'controller' of your personal data for the purposes of those laws.

For more information about privacy guarantees, you may contact the Controller at:

Address: Monex Europa S.L., Torre Picasso, Plaza Pablo Ruiz Picasso, 1, 31 – 28020 Madrid, Spain
E-mail: gdpr@monexeurope.eu
Data Protection Officer: RS SERVICIOS JURÍDICOS S.L., Calle Santiago 3, 2ºDcha, 47001 Valladolid – dpo@rsprivacidad.es

Transparency is one of our core values, and we place great importance on the privacy of your data.

Users, by checking the appropriate boxes and entering data in fields marked with an asterisk (*) on the contact form or submitted via download forms, expressly and freely consent to their data being necessary to handle their request. Monex Europa S.L. informs that all data requested through the website is mandatory, as it is required to provide optimal service to users.

This Privacy Notice applies to the following three circumstances:

1. personal data processed when you visit and use our website;
2. any natural person that has been contacted through our direct marketing strategy, either via phone or email; and
3. personal data processed to service our potential and existing clients.

We will comply with the principles set out in the GDPR, which states that the personal data we hold about you must be:

• used lawfully, fairly, and in a transparent way;
• collected only for valid purposes that we have clearly explained to you;
• relevant to the purposes we have told you about and limited only to what is necessary in relation to those purposes;
• accurate and kept up to date;
• kept only as long as necessary for the purposes we have told you about, subject to any limitation periods imposed by law; and
• kept securely.

4.1 Personal data gathered from you

4.1.1 Website
When you visit our website we collect minimal personal data including: information about your computer or device, including browser type and settings; log data (the webpage you were visiting before you came to our site, pages you visit, time spent, IP address, access times/dates); history of interaction with our webpages; and other data that does not directly identify you.

4.1.2 Marketing
We collect personal data you provide directly only if you respond to our marketing campaigns, such as call logs and email exchanges with our staff.

4.1.3 Client
We collect the following personal data at onboarding: full name; email address; phone number; address; nationality; date of birth; identification documents; and signature. Throughout the business relationship we collect: account activity including payment instructions; communications with our staff; and usage of online portals.

4.2 Personal data from other sources

4.2.2 Marketing
If we have contacted you during a marketing campaign, we may have collected personal data from third parties via publicly accessible sources including LinkedIn, Companies House, and news sources. You can object to our processing at any stage; please see section '13. What rights do you have?'.

4.2.3 Client
We may receive personal data about you from other sources including credit information, business partners, and legal and compliance checks, which we add to the personal data we hold to check creditworthiness, prevent fraud, comply with legal obligations, and improve our service.

4.3 Cookies and similar technologies
Cookies are small text files placed on your computer or device. You can access our Cookie Policy at: https://www.monexeurope.eu/en/mesl/cookie-policy/.

5.1 Website
We primarily use your personal data to interact with you, provide assistance services, facilitate navigation, improve our website and products, and offer content and services that may be of interest to you.

5.2 Marketing
We collect personal data about you to directly market services we legitimately believe will be of interest to you. This data is used exclusively to communicate with you. We may monitor and record communications such as emails and telephone calls for quality assurance, training, fraud prevention, management information, and compliance with relevant laws.

5.3 Client
We collect personal data for onboarding; identifying you and managing accounts; sending contract notes; complying with regulation; processing trades; and statistical and behavioural analysis. We may also monitor and record communications for the same purposes as described above.

Provision and development of our services will necessarily involve the sharing of your data with the parties involved, intermediaries, and, in the case of international money transfers, with payee correspondents in the destination country. We may share your personal information with:

• members of the Monex group;
• contractors, sub-contractors, business partners, introducers, suppliers, and/or service providers;
• credit reference agents;
• law enforcement agencies in connection with any investigation to help prevent unlawful activity;
• legal representatives and consultants; and/or
• IT service providers (ClaireLogic, DataArt Solutions, Microsoft Exchange, Microsoft Azure).

Your personal data is never sold and any personal data that is shared is done so in line with the Data Protection Laws. We collect and use personal data to provide a service or product you have requested, to comply with a legal obligation, or based on the legitimate interests of the Monex Group. The legal bases for processing include:

• Consent (Art. 6.1.a GDPR): for specific cases such as ticking the privacy policy acceptance box on website forms.
• Contractual necessity (Art. 6.1.b GDPR): processing necessary for the performance of services, payment, billing, and delivery.
• Legitimate interest (Art. 6.1.f GDPR): for sending newsletters about services, events, and professional news.
• Providing evidence in litigation, compliance with foreign laws, and conducting business in accordance with reasonable market standards.
• Processing personal data in connection with submitting CVs or job applications is based on user consent, which can be withdrawn at any time.

We retain personal data in accordance with our Data Retention Policy for as long as necessary for the purposes for which it was collected. We may retain data for longer periods when required to comply with legal obligations, respond to claims, or prevent fraud. Specific retention periods include:

• Dissociated data: Retained indefinitely.
• Contact data for marketing purposes: Retained until consent is withdrawn.
• Client data: Depends on the service; minimum necessary period: 4 years plus the current year (Arts. 66 et seq. General Tax Law); 5 years (Art. 1964 Civil Code); 6 years (Art. 30 Commercial Code); 10 years for anti-money laundering (Art. 25 Law 10/2010).
• Contact form data: Retained until your request is satisfactorily completed or until you withdraw consent.

We store your personal data in a secure environment with appropriate security measures in place to prevent personal data from being lost, accessed, or used in an unauthorized way, including encryption and other forms of security. We limit access to your personal data to those who have a genuine business need to know it.

We have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Whilst we will use all reasonable efforts to secure your personal data, in using the website you acknowledge the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of personal data that is transferred from you.

International data transfers involve the flow of personal data from Spain to recipients located in countries outside the European Economic Area. When such transfers occur, we ensure that the receiving entity has an adequate level of protection through safeguards such as standard contractual clauses.

Transfers will be conducted in accordance with one of the following provisions: an adequacy decision by the EU Commission (Art. 45 GDPR); or, in the absence of an adequacy decision, where the transfer is necessary for the performance of a contract in the data subject's interest (Art. 49.1(c) GDPR).

We may wish to send you information about products, services, and our company that may be of interest, by postal mail, email, or telephone.

11.1 Client: We will ask whether you would like to receive marketing messages on the first occasion that you provide any relevant contact information. If you opt in, you can opt out at any time (see '13. What rights do you have?').

11.2 Potential client: You may be sent marketing information where personal data has been collected and processed in line with the processes described in sections 4.1.2, 4.2.2, and 5.2.

We may do a credit check on you so that we can make credit decisions about you and prevent financial crime. Any such search will be recorded on the files of the credit reference agency.

If you provide false or inaccurate information to us and we suspect fraud, we will record this. We will ask for your explicit consent before any credit search is performed.

The USER guarantees being of legal age and providing accurate and truthful information. The USER commits to informing Monex Europa, S.L. of any changes to the provided information by email to gdpr@monexeurope.eu.

The USER commits to keeping passwords and identification codes confidential and to notifying Monex Europa, S.L. immediately in case of loss, theft, or unauthorized access. Until such notification is made, Monex Europa, S.L. is not liable for misuse by unauthorized third parties.

If the USER provides personal data of third parties, they guarantee that consent has been obtained and the third parties have been informed. The USER is responsible for any consequences arising from failure to comply with these obligations.

We would like to make sure you are fully aware of all your data protection rights:

• The right to access – You have the right to request copies of your personal data and how we process it.
• The right to rectification – You have the right to request that we correct inaccurate or incomplete personal data.
• The right to erasure – You have the right to request that we erase your personal data, under certain conditions.
• The right to restrict processing – You have the right to request that we restrict the processing of your personal data, under certain conditions.
• The right to object to processing – You have the right to object to our processing of your personal data, including for marketing purposes.
• The right to data portability – You have the right to request that we transfer your data to another organisation, or directly to you, under certain conditions.

If you make a request, we have one month to respond. You can exercise these rights by email to gdpr@monexeurope.eu or by post to Torre Picasso, Plaza Pablo Ruiz Picasso, 1, 31 – 28020 Madrid, Spain.

You also have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD): Calle de Jorge Juan, 6, 28001 Madrid, Spain.

This Privacy Notice was published on 1 January 2021. Last updated on March 3, 2026. We may update or amend this Privacy Notice from time to time. We will notify users of any substantial changes by email (if you have opted to receive emails) and/or a notice on the website header.

If you have any questions about this Privacy Notice or the personal data we hold about you, please contact us:

Email: gdpr@monexeurope.eu
Post: Monex Europa S.L., Torre Picasso, Plaza Pablo Ruiz Picasso, 1, 28020 Madrid, Spain

If you have any complaints about this Privacy Notice or the personal data we hold about you, please contact us using the information above.

If you are unsatisfied with our response, you can contact the Agencia Española de Protección de Datos (AEPD):

Contact number: +34 901 100 099
Website: https://www.aepd.es/

In accordance with applicable personal data protection regulations, the DATA CONTROLLER complies with GDPR and LOPDGDD provisions. Personal data is processed lawfully, fairly, and transparently, in line with Art. 5 GDPR principles.

The DATA CONTROLLER ensures that appropriate technical and organizational policies are in place to safeguard user rights and freedoms and provides sufficient information to exercise them.

For more information, contact Monex Europa, S.L. at Torre Picasso, Plaza Pablo Ruiz Picasso, 1, 28020 Madrid, Spain, or email gdpr@monexeurope.eu.

Monex Europa, S.L., as an obligated entity, complies with Law 10/2010 of April 28 on the prevention of money laundering and terrorist financing.

Under these regulations, and pursuant to GDPR Art. 14, Monex Europa, S.L. has registered your personal data related to your relationship with the company to comply with Art. 4 of Law 10/2010 (beneficial owner identification). The data is stored in Monex Europa, S.L. files (B56461320) exclusively to fulfil AML obligations and will be retained as required by law.

According to Art. 32 of Law 10/2010, consent from the data subject is not required for this processing.