This policy applies to the APM Trader web application and the APM Trader Android & iOS mobile applications.
Your privacy is very important to us. APM Capital Ltd ("APM Capital", "we", "us", "our") is committed to protecting and respecting your personal data. This Data Privacy Policy ("Policy") describes the types of personal data we collect when you use our services, how we use it, when and with whom we share it, and how we keep it safe.
It also details your rights in respect of our processing of your personal information and how you may exercise those rights. Please read this Policy carefully before using any of our platforms.
Any reference to "us", "our", "we" or "APM Capital" in this Policy refers to APM Capital Ltd. Any reference to "you", "your" or "yourself" refers to our customers, prospective customers, and visitors to our platforms.
This notice is addressed to customers and potential customers. If you are an employee, contractor, or third-party service provider of APM Capital Ltd, your data is governed by separate internal policies available upon request.
APM Capital Ltd is a company registered in the Abu Dhabi Global Market (ADGM) under registration number 000005466, with its registered office at:
APM Capital Ltd is authorised and regulated by the Financial Services Regulatory Authority (FSRA) under Financial Services Permission No. 200034.
We are registered as a Data Controller with the ADGM Office of Data Protection. The ADGM Commissioner of Data Protection oversees the enforcement of data protection obligations and the rights of individuals within ADGM.
We have appointed a Data Protection Officer (DPO) to ensure our management of personal information complies with this Policy and applicable data protection legislation. You may contact our DPO using the details provided in Section 18.
This Policy applies to all of the following APM Capital digital services:
| Platform | Description | Availability |
|---|---|---|
| APM Trader – Web | Progressive Web Application (Flutter Web) accessible at our web portal. Supports account management, live trading, and funds operations. | Web Browser |
| APM Trader – Android | Native Android mobile application providing the full trading experience including live price feeds, order placement, KYC onboarding, and push notifications. | Google Play |
| APM Trader – iOS | Native iOS mobile application with equivalent features to the Android app, distributed via the Apple App Store. | App Store |
All three platforms connect to the same backend infrastructure and are subject to this unified Policy.
As part of our business, we collect personal data from customers and prospective customers. This includes, but is not limited to, the following categories:
When you use our platforms, we automatically collect certain technical data including IP address, browser type, operating system, referring URLs, and app usage patterns. On our web platform, this data is collected via standard server logs and session management mechanisms.
We do not use third-party user-behaviour analytics SDKs (such as Amplitude, Mixpanel, Segment, Adjust, or AppsFlyer), and Firebase Analytics data collection is explicitly disabled across all platforms.
For corporate clients, we collect additional information including corporate registration documents, registered address, details of shareholders, directors, and officers, including additional personal information on those individuals as required under applicable AML legislation.
Our mobile applications request the following device permissions. All permissions are requested only when relevant functionality is first used, and are limited to the minimum necessary to provide the service.
| Permission | Purpose |
|---|---|
INTERNET |
All communication with APM Capital servers, Firebase services, and live market data feeds. |
VIBRATE |
Haptic feedback when order events occur (order filled, rejected, or confirmed). |
ACCESS_NOTIFICATION_POLICY |
Management of notification channels for order alerts and account updates. |
| Camera & Photo Library | Profile picture capture and document upload during account onboarding and KYC, via the system image picker. Requested only when the user initiates photo selection. |
| Storage (older Android) | Downloading trade history, account statements, and other documents to device storage. Applicable only on Android versions below 10. |
FOREGROUND_SERVICE_MICROPHONE, READ_MEDIA_IMAGES, and Google AD_ID (Advertising ID) permissions from the manifest. We do not use advertising identifiers.
| Permission Key | Purpose |
|---|---|
Camera (NSCameraUsageDescription) |
Capturing a profile photo during account onboarding. |
Microphone (NSMicrophoneUsageDescription) |
Required by the camera framework for noise reduction when capturing photos on certain devices. Audio is not recorded or transmitted. |
Photo Library (NSPhotoLibraryUsageDescription) |
Selecting a profile photo or uploading identity documents from the device photo library. |
Downloads Folder (NSDownloadsUsageDescription) |
Saving downloaded trade reports, account statements, and other PDF documents to the device. |
Caches Directory (NSCachesDirectoryUsageDescription) |
Caching images and PDF documents for improved application performance. |
Location (NSLocationWhenInUseUsageDescription) |
Used internally by the identity verification SDK (Sumsub) as part of the regulatory KYC process. Location data is processed by our KYC provider in accordance with their privacy policy and our AML obligations. |
| Push Notifications | Order execution alerts, account balance updates, and important account communications from APM Capital. |
| Background Fetch & Remote Notifications | Receiving push notifications while the application is in the background. |
| Permission | Purpose |
|---|---|
| Notifications | Web push notifications for order and account updates, requested explicitly from the user at login. |
| Camera / File Access | Profile photo upload and identity document submission during onboarding, via the browser's native file picker. |
We use your personal data for the following purposes:
We may record communications, including electronic, telephone, in-person, or social-media communications, that we have with you in relation to the services we provide. Such recordings are our sole property and constitute evidence of the communications between us. Telephone conversations may be recorded without the use of a warning tone or further notice.
We process your personal data under one or more of the following lawful bases:
| Lawful Basis | Examples |
|---|---|
| Contractual Necessity | Opening your account, processing trades, sending order notifications, managing funds withdrawals and deposits. |
| Legal Obligation | KYC/AML identity verification, regulatory record-keeping, reporting to the FSRA or other authorities, responding to court orders. |
| Legitimate Interests | Fraud detection, security monitoring, session management, crash diagnostics, sending service-related communications, protecting our platforms and clients. |
| Consent | Marketing communications, push notifications (FCM token obtained only after explicit user permission), optional cookies beyond those strictly necessary. |
Where we rely on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing carried out prior to withdrawal. To withdraw consent, contact us using the details in Section 18 or use the unsubscribe mechanism in any marketing email.
We may share your personal data with the following categories of third parties as necessary to deliver our services, comply with legal obligations, or protect our legitimate interests. We limit disclosure to the minimum data required and require all third parties to maintain confidentiality and comply with applicable data protection laws.
| Provider | Data Shared | Purpose |
|---|---|---|
| Google Firebase (Google LLC) | Authentication credentials, Firestore documents, Storage file URLs, FCM tokens, crash reports (mobile) | Core backend platform: authentication, database, file storage, push messaging, crash diagnostics |
| APM Capital Trading Backend (apmcapital.ae, orders.apmcapital.ae) |
Authentication tokens, order data, account summaries, live prices | Proprietary trading engine, live market data via SignalR and WebSocket |
| Provider | Data Shared | Purpose |
|---|---|---|
| Sumsub (Sum and Substance Ltd) | Identity documents, biometric facial data, liveness check data, personal information, Sumsub applicant ID | KYC/AML identity verification required by FSRA regulations (mobile app). Data processed under Sumsub's own Privacy Policy. |
| Provider | Data Shared | Purpose |
|---|---|---|
| Lean Technologies | Bank account details, IBAN, customer ID | Open banking: linking your bank account as a payment source for deposits and withdrawals |
| Payment Service Provider (payments infrastructure) |
Payment-related transaction data | Processing funds deposits and withdrawals via bank wire transfer |
We do not sell your personal data to third parties. We do not share your personal data with advertising networks, data brokers, or social media platforms for commercial purposes.
Our platforms access Morningstar for equity instrument analytics. This connection uses an API token only — no personal user data is transmitted to Morningstar.
The data we collect may be transferred to and stored at destinations outside Abu Dhabi Global Market (ADGM), including in servers operated by Google (Firebase) and Sumsub, which may be located in various countries including the United States and European Union member states.
When we transfer personal data outside ADGM, we ensure that the receiving jurisdiction provides an adequate level of data protection, or we apply appropriate safeguards such as:
By providing your personal data, you acknowledge that it may be transferred to and processed in countries outside ADGM as described above.
We hold your personal data for as long as is necessary for the purposes for which it was collected, or as required by law and regulation.
| Data Category | Retention Period |
|---|---|
| Account records, KYC documents, trade history, communications | 6 years from the end of the business relationship (or longer if required by the FSRA or other regulators) |
| Incomplete registration / rejected account application data | 6 months from submission, unless a regulatory reason requires longer retention |
| Marketing suppression list (opt-out records) | Indefinitely, to ensure we do not contact you with marketing communications after an opt-out |
| Application crash logs and diagnostic data | 90 days (rolling, within Firebase Crashlytics) |
| Active session and authentication logs | Duration of account relationship plus 6 years |
When data is no longer required, we will securely delete it or anonymise it so that it can no longer be attributed to you. We may retain anonymised, aggregated data for statistical or analytical purposes without limitation.
We are committed to safeguarding your personal data. We implement appropriate technical and organisational measures to protect your data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
Transferring information over the Internet is not completely secure. While we apply all reasonable technical and organisational measures to protect your personal data, we cannot guarantee the security of data you transmit to our website or electronic trading services. Any such transmission is at your own risk. Once we receive your data, we apply strict security procedures and access controls.
You are responsible for maintaining the confidentiality of your account password. We strongly advise you not to share your password with anyone. APM Capital will never ask you for your password.
We may use your contact details to provide you with information about APM Capital's services, market analysis, promotional offers, and news that may be of interest to you. Marketing communications may be sent by:
Your right to opt out: You may opt out of marketing communications at any time by:
After opting out, we will retain your details on our suppression list to ensure we do not send you further marketing communications. Opting out of marketing does not affect service-related communications, such as order execution confirmations and account security alerts, which are required for the delivery of our services.
Subject to applicable data protection law, you are entitled to exercise the following rights. To do so, please contact us using the details in Section 18, including your registered email address for identity verification purposes.
| Right | Description |
|---|---|
| Right of Access | Request a copy of the personal data we hold about you (commonly known as a "data subject access request"). |
| Right to Rectification | Request correction of inaccurate or incomplete personal data we hold about you. |
| Right to Erasure | Request deletion of your personal data. Note that we may be unable to comply where retention is required by law or regulation (e.g., AML record-keeping obligations). |
| Right to Object | Object to processing based on legitimate interests, or to direct marketing. We may demonstrate compelling legitimate grounds that override your objection. |
| Right to Restrict Processing | Request that we suspend processing of your data while a dispute about its accuracy or lawfulness is resolved, or if you need us to retain data to establish, exercise, or defend legal claims. |
| Right to Data Portability | Receive your personal data in a structured, commonly used, machine-readable format, or have it transferred to another organisation, where technically feasible. This applies to data processed on the basis of consent or contract. |
| Right to Withdraw Consent | Withdraw consent at any time for processing activities based on consent, without affecting the lawfulness of prior processing. |
We aim to respond to all data subject requests within one (1) week. Where a request is particularly complex or involves multiple requests, we will acknowledge receipt within one week and provide a full response within one month, keeping you updated throughout.
We reserve the right to charge a reasonable fee for requests that are manifestly unfounded, excessive, or repetitive. In such cases, we will notify you of the fee before processing your request, or we may decline to comply.
Our services are intended for adults only. You must be at least 18 years of age to open an account or use APM Trader. We do not knowingly collect or process personal data from individuals under the age of 18.
If you believe that we have inadvertently collected personal data from a minor, please contact us immediately at hello@apmcapital.ae and we will take steps to delete such data promptly.
Our platforms may contain links to external websites or services operated by third parties. This Policy does not apply to those third-party websites or services. APM Capital has no control over and accepts no responsibility for the privacy practices or content of those sites.
We recommend that you read the privacy policy of any third-party website you visit. Your use of third-party websites and services is entirely at your own risk.
Where our app uses an in-app browser to display external content (e.g., regulatory documents or educational resources), the privacy practices of those external pages are governed by the respective third party's policies.
We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make significant changes, we will notify you by:
We encourage you to review this Policy periodically. Continued use of our services after the effective date of a revised Policy constitutes your acceptance of the changes. Any personal data we hold will be governed by the version of this Policy current at the time of processing.
If you wish to exercise any of your data rights, have a query about this Policy, or want to raise a complaint about how we have handled your personal data, please contact us:
We aim to resolve all complaints within one (1) month. If your complaint is complex, we will acknowledge it within one month and keep you informed of progress. If you are not satisfied with our response, you have the right to escalate your complaint to the ADGM Office of Data Protection at data.protection@adgm.com.
APM Capital Ltd does not collect sensitive personal data unless you have explicitly consented, or it is required to meet legal or regulatory obligations. We do not conduct anonymous business with unidentified individuals or entities, as this is impractical and inconsistent with our AML/KYC obligations.