1. Introduction

FINTRA Securities Limited (“FINTRA,” “we,” “us,” or “our”) is a Bangladesh-based fintech and brokerage firm licensed by the Bangladesh Securities and Exchange Commission (BSEC). We offer digital trading platforms, investment research services, and margin loan products to our clients. We are committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, store, and disclose your personal data when you use FINTRA’s websites, mobile applications, and services.
Please read this Privacy Policy carefully. By creating an account with FINTRA or otherwise using our services, you acknowledge that you have read and understood this Policy and agree to the collection and use of your information as described herein. If you do not agree with any part of this Policy, you should refrain from using our services.

2. Scope of Policy

This Policy applies to all individuals who interact with FINTRA’s products and services, including visitors to our website, users of our mobile or web trading platforms, recipients of our research offerings, and clients utilizing our margin loan facilities. It covers all personal data that we process in connection with providing these services.
For the purposes of this Policy, “personal data” or “personal information” means any information that identifies you or can reasonably be linked to your identity. This includes information you provide to us directly, information we collect automatically, and information we may obtain from third parties, as described below. This Policy governs how we handle personal data in all of our operations, and it is designed to meet our obligations under applicable laws and regulations in Bangladesh.

3. Information We Collect

To provide our services and comply with regulatory requirements, FINTRA collects various categories of personal and financial information. The types of information we collect include:

• Personal Identification Information: Your full name, date of birth, national identification number (such as National ID or passport details), photographs (for identity verification), and other KYC details like parents’ names, marital status, and nationality as required by account opening regulations.
• Contact Information: Your mailing address, telephone numbers, and email address for communication and account verification purposes.
• Financial and Account Information: Details related to your brokerage account and financial profile. This includes your Beneficiary Owner (BO) account number, bank account details (bank name, account number, branch) for fund transfers, and any information about your income, source of funds, or net worth that we may need for compliance (for example, to meet anti–money laundering requirements or to assess eligibility for margin loans). We also record your trading transaction history, account balances, portfolio holdings, and margin loan utilization details as part of providing brokerage and financing services.
• Authentication Documents: Copies of identification documents and other supporting materials you submit during account registration (such as scanned NID/Passport, proof of address, signatures, and any biometric verification data) which we use to verify your identity and fulfill our Know-Your-Customer (KYC) obligations.
• Usage and Technical Information: When you use our website, trading portal, or mobile app, we automatically collect certain technical data. This includes device identifiers or IDs, your device type and operating system, browser type, IP address, log-in timestamps, and activity logs showing how you interact with our platform (pages or screens viewed, features used, clicks, errors, and crash reports). If you use our research services, we may collect data on which reports or tools you access. This information helps us secure your account and improve our services.
• Cookies and Tracking Data: We use cookies, web beacons, and similar tracking technologies on our websites and apps to enhance your user experience. Cookies are small files stored on your browser or device that allow us to recognize you and remember your preferences. Through these technologies, we may collect information about your browsing actions and patterns, such as the pages you visited on our site, how long you spent, and the links you clicked. Section 5 below (“Cookies & Tracking Technologies”) provides more detail on our use of cookies and how you can control them.
• Communications: If you contact us with an inquiry, feedback, or complaint (for example, by calling customer service, sending an email, or via in-app chat), we will collect the information you provide in these communications. This may include your contact details and the content of your correspondence. We may also keep records of written communications and call logs for quality assurance and legal compliance purposes.

We collect the information described above either directly from you (for instance, when you fill out forms or communicate with us), automatically through your use of our digital platforms, or from third-party sources. Third-party sources may include verification services (e.g., national identity databases or credit bureaus, where allowed) and public databases used to confirm the accuracy of information you provided. We ensure that any information obtained from third parties is treated in accordance with this Policy.

4. Use of Personal Data

FINTRA uses your personal data for the following purposes, in each case only to the extent permitted by applicable law:

• To Provide and Maintain Services: We process your personal information to open, operate, and maintain your brokerage account and any related accounts (such as margin loan accounts). This includes executing your buy/sell orders on the stock exchanges, facilitating research tools or content you request, providing you with real-time market data, and administering any loan or credit facilities (e.g., evaluating and extending margin loans or bridging loans for trade settlements). We also use your data to process deposits, withdrawals, and other transactions you initiate, and to generally ensure our services function as intended for you on our digital platforms.
• Identity Verification and Security: Your information is used to verify your identity when you open an account and log in, in order to protect against unauthorized access and fraudulent activity. For example, we use your National ID or passport information to perform e-KYC verification (which may involve checking against government or authorized databases) and we may use your photo or biometric data to confirm you are the legitimate account holder. We also use personal and device information to implement security measures (such as two-factor authentication, monitoring login locations, and detecting unusual account activities) to safeguard your account and our systems.
• Regulatory Compliance and Legal Obligations: As a regulated financial institution, FINTRA must comply with various legal requirements under Bangladeshi law. We process and retain personal data to fulfill our obligations under laws such as the Securities and Exchange Ordinance, 1969; the Money Laundering Prevention Act, 2012 (and related anti-financial crime regulations); the Cyber Security Act, 2023; and any rules or guidelines issued by BSEC, the Dhaka Stock Exchange (DSE), or other regulatory authorities. For example, we are required to collect certain KYC information at account opening, report large or suspicious transactions to the Bangladesh Financial Intelligence Unit (BFIU), maintain transaction records for a minimum period, and ensure confidentiality of client data. Your data may also be used to satisfy other legal obligations such as responding to lawful requests from government authorities or court orders.
• Communication with You: We use your contact information to communicate with you about your account and our services. This includes sending trade confirmations, contract notes, account statements, transaction alerts, login notifications, margin call or loan-related notices, and updates on any changes to our terms or policies. We may also send service-related announcements (for instance, if our platform is undergoing maintenance, or in the event of any security incident). These communications are considered part of our service to you and you may not opt out of receiving them, as they are necessary for the management of your account.
• Providing Research and Educational Content: If you subscribe to our research services or market insights, we will use your information to deliver newsletters, analysis reports, stock updates, and other research content to you. We may tailor the research or news we send you based on your investment profile or interests (for example, focusing on sectors you have invested in or topics you have shown interest in on our platform). This is done to enhance the relevance and usefulness of our research offerings for you.
• Marketing and Promotional Purposes: With your consent (where required), we may use your contact details and certain profile information to inform you about new products, services, or promotions offered by FINTRA that might be of interest. For instance, we might send you emails or notifications about a new feature in our app, a new investment product, upcoming seminars or webinars, or special offers on margin loan rates. You have the choice to opt out of marketing communications as described in Section 10 (“User Rights and Choices”) below, and we will not spam you or share your contact information with external parties for their own marketing.
• Service Improvement and Analytics: We analyze usage and technical data (including via cookies and similar tools) to understand how our customers use our digital platforms. This information helps us troubleshoot issues, improve the performance and user experience of our website and app, and develop new features. For example, we might track which features are most used or where users encounter errors, and use that insight to enhance those aspects of the platform. We may also use analytics to measure the effectiveness of our customer support and to ensure our security measures are working properly (such as identifying potential cyber threats). All analysis is done in aggregate or pseudonymized form whenever possible, and we do not use this data to make any automated decisions about you that would have legal or significant effects without human review.
• Risk Management and Credit Assessment: In relation to our margin loan and financing services, we use personal and financial information to manage credit and risk. This includes assessing your eligibility for margin loans or credit limits (based on factors like your account equity, transaction history, and regulatory guidelines), monitoring your account for margin compliance (for example, ensuring sufficient collateral is maintained), and contacting you if action is needed (such as a margin call to deposit additional funds or sell securities). These activities are necessary for the prudent provision of financial accommodations and to protect both you and FINTRA from excessive risk.
• Other Business and Legal Purposes: We may process your information for other legitimate business purposes, such as internal audits, financing and accounting operations, implementing business continuity plans, and maintaining records of business activities. If we need to use your personal data for a purpose materially different from those listed above, we will seek your consent or provide notice as required by law.

We ensure that we have an appropriate legal basis for each use of your personal data. In most cases, the processing is justified by our need to fulfill a contract with you (e.g., providing the services you requested), to comply with a legal obligation, or to pursue our legitimate business interests (such as securing our platform or improving services) in a manner that does not override your privacy rights. Where we rely on your consent (for example, for optional marketing or certain data sharing), you have the right to withdraw that consent at any time as described in Section 10.

5. Cookies & Tracking Technologies

When you use the FINTRA website or mobile applications, we and our third-party service providers may use cookies and similar tracking technologies to collect and store certain information. These technologies serve several purposes:

• Essential Cookies: Some cookies are necessary for our website and trading portal to function properly. For example, they help authenticate your login session and keep you securely logged in as you navigate through secure areas of the site. They also enable core features like transaction processing and user preferences (such as language or interface settings). Without these cookies, services you have requested (like accessing your account or placing orders) cannot be provided.
• Analytics and Performance Tracking: We use cookies and tracking tools to understand how users interact with our website and app. For instance, we may use Google Analytics or similar services that set cookies to collect information about site traffic and usage patterns. This data includes details like which pages of our site are visited, how long users stay, how they arrived at our site, and what features of the app are used most frequently. We use this aggregated information to improve our platform’s functionality, performance, and user experience. These analytics cookies do not directly identify you but simply provide statistics that help us optimize our services.
• Functionality Cookies: These cookies remember your preferences and enhance the personalization of your experience. For example, a functionality cookie might remember your chosen dashboard settings or your preference to see content in a certain layout. This way, you don’t have to reconfigure settings each time you log in.
• Advertising and Marketing: As of now, FINTRA’s platforms are not used to display third-party ads, and we do not use third-party advertising cookies to target you with ads unrelated to FINTRA’s own services. If in the future we partner with advertising or social media networks for marketing campaigns, we will update this Policy accordingly. Any marketing-related tracking currently in use is limited to FINTRA’s own promotions (such as tracking the effectiveness of an email campaign by seeing if you clicked a link). We do not sell or share your browsing behavior with outside advertisers.

Our website may implement a cookie notice or preference center to allow you to manage your cookie settings for our site. Please be aware that if you disable or reject certain cookies, some parts of our website or services may become inaccessible or not function properly (for example, you might not be able to log in or use certain interactive features).
For mobile app usage, you can reset your device’s advertising identifiers or limit ad tracking in your device settings if applicable. Also, note that technologies like web beacons or in-app tracking may be present; these typically work in conjunction with cookies or specific app analytics SDKs. By using our site and app, you consent to our use of cookies and similar technologies as described above. However, if you choose to adjust your settings to limit cookies, we will respect those settings in accordance with applicable law.

6. Data Sharing and Disclosure

FINTRA understands the importance of keeping your personal information confidential. We do not sell your personal data to third parties for their marketing purposes. However, in the course of running our business and as required by law, we may share your information with certain trusted parties, as outlined below:

• Regulatory Authorities and Exchanges: As a licensed broker, we are legally obligated to share client information and transaction details with regulators and market institutions. This includes BSEC (for regulatory oversight), the National Board Of Revenue (NBR) for taxation purposes, the stock exchanges where we operate such as the Dhaka Stock Exchange (and Chittagong Stock Exchange, if applicable), and the Central Depository Bangladesh Limited (CDBL) which manages your BO account and holds securities in electronic form. These entities may require information for purposes like market surveillance, compliance audits, or reporting of trade data. We only provide what is necessary and ensure that such disclosures are done under proper authority. Additionally, if required by the Bangladesh Financial Intelligence Unit or other government agencies for anti-money laundering or anti-terrorism financing monitoring, we will provide relevant data as mandated by law.
• Banks and Financial Partners: When you link a bank account to your FINTRA account or engage in financial transactions, we share necessary information with relevant financial institutions. For example, we will share your account number and name with our partner bank when you initiate a fund withdrawal, or we may confirm your identity and account details with a bank when you deposit funds. In the context of margin or loan products, if we collaborate with a bank or financing partner to extend credit facilities, we might share some of your information (such as identification and credit-related data) with that partner strictly for the purpose of providing the service. In all cases, these institutions are themselves bound by confidentiality and data protection obligations under law and/or contract.
• Service Providers and Vendors: We employ third-party companies and individuals to support our operations and services. This includes, for example: cloud hosting providers and data center services (to store and process data securely), IT support and software developers (who may work on our platform or provide tools we use), payment processors or payment gateway services (to handle online payments), identity verification services (such as platforms that verify NID or biometric data on our behalf), analytics and security service providers (who help us analyze data or monitor for fraud), and professional advisors (like auditors or legal counsel who may need to review certain records). These service providers are given access only to the information necessary to perform their specific tasks on our behalf. We require them to protect your information and not use it for any other purpose. They are contractually obligated to maintain confidentiality and comply with appropriate data protection standards.
• Affiliates and Corporate Group: FINTRA Securities Limited is part of the broader Cotton Group, and there may be times when we share your information within our family of affiliated companies (for instance, a parent or sister company) for internal administrative purposes, centralized compliance management, or to facilitate services you have requested. Any such affiliate receiving your data will treat it with the same level of care and security as we do and will use it only for purposes consistent with this Privacy Policy. If our corporate structure changes in the future (for example, through a merger, acquisition, or formation of new subsidiaries), we may share your data with the new or related entities as needed to continue providing services, subject to the same privacy safeguards.
• Business Transfers: In the event that FINTRA undergoes a business transaction such as a merger, acquisition by another company, or sale of all or a portion of its assets, your personal data may be among the transferred assets. Should such a transfer occur, we will ensure that your information remains protected by requiring the acquiring entity to continue using your personal data in accordance with this Policy and applicable law. We will notify you (for example, via email or a prominent notice on our website) of any change in ownership or use of your personal information as a result of a business transaction, as well as any choices you may have regarding your information in that context.
• Legal and Law Enforcement Purposes: We may disclose your personal information to governmental authorities, law enforcement agencies, courts, or other third parties when we believe in good faith that such disclosure is necessary to comply with a legal obligation. This includes responding to subpoenas, court orders, or other legal process; cooperating with investigations (for example, providing information to law enforcement regarding suspected fraudulent or illegal activities related to our services); enforcing our account agreements or other contracts; or protecting the rights, property, or safety of FINTRA, our customers, or others. If we receive a request for your data that we believe we are not legally required to comply with, we will contest it as appropriate. In situations where the law allows, we will attempt to notify you of such requests before sharing your information, unless we are legally prohibited from doing so (for instance, by a confidentiality order or exigent circumstances).
• With Your Consent or At Your Direction: In all other cases not covered above, we will not share your personal data with third parties unless you have given us explicit consent to do so. For example, at your direction, we might share your account information with a third-party financial app or advisor if you use such services and authorize the data connection. Similarly, if we ever wish to use your information in a way not covered by this Policy, we will seek your consent. You are in control of whether we disclose your information in these circumstances, and you can revoke your consent at any time.

We want to assure you that whenever your information is shared, we take steps to safeguard your data. We strive to anonymize or aggregate data before sharing when possible (for instance, providing market statistics that don’t identify individuals). All sharing is done on a need-to-know basis and in accordance with applicable Bangladeshi laws and regulations governing confidentiality and data protection.

7. International Data Transfers

FINTRA primarily stores and processes personal data within Bangladesh. However, in today’s interconnected digital environment, some of your information may be transferred to, stored in, or accessed from jurisdictions outside of Bangladesh. For example, if we use cloud computing services or email service providers that have servers in other countries, or if our technical support team or vendors operate from overseas locations, your data might be processed in those locations.

When we transfer personal data outside Bangladesh, we take appropriate measures to ensure that your data remains protected. Such measures may include:

• Contractual Safeguards: We require foreign service providers handling personal data to sign data protection agreements or contractual clauses that oblige them to protect your information to standards commensurate with Bangladeshi law and this Privacy Policy. These contracts typically include commitments such as maintaining confidentiality, implementing security measures, and using the data only for the purposes we specify.
• Encryption and Security: We use strong encryption and security protocols when transmitting data internationally, reducing the risk that unauthorized parties could access your information in transit.
• Jurisdictional Protections: In cases where data is transferred to countries that have robust data protection laws (for example, countries recognized for having GDPR-equivalent protections), we rely on those legal frameworks as an added layer of reassurance. If data is transferred to a country without similar privacy laws, we will ensure additional safeguards are in place or obtain your consent as required.

It’s important to note that different countries may have different laws and requirements concerning personal data. Regardless of where we process your information, we will continue to treat it in line with this Privacy Policy. Our data handling practices will not materially change just because your data is moved to another country. We remain accountable for its safety and use.
By using our services or providing us with your information, you consent to the transfer of your personal data to countries outside of Bangladesh in the situations described above. If at any time Bangladesh enacts specific restrictions or conditions on cross border data transfers (for instance, under a data protection law), we will comply with those conditions. This could include obtaining your explicit consent for certain transfers or meeting any regulatory notification requirements.
If you have questions about international data transfers or want more information about where your data may be stored or accessed, you can contact us as described in the “Contact Us” section at the end of this Policy.

8. Data Retention

FINTRA retains personal data for as long as necessary to fulfill the purposes for which it was collected, including for satisfying any legal, regulatory, or reporting requirements. In practice, this means:

• We will keep your personal and transactional information while your account is active and you are a user of our services. An “active” account means you have not requested deletion or closure and we believe you are still interested in our services (for example, you continue to log in or hold funds/securities with us).
• If you close your account or become inactive, we do not immediately delete your data. We will retain relevant information for a period of time thereafter as required by Bangladeshi law and regulatory guidelines. For instance, brokerage firms are subject to various record-keeping rules: the Companies Act 1994 and BSEC regulations mandate retention of certain business records, and anti-money laundering laws require retention of customer identification and transaction records for a minimum period (commonly at least five years after the end of the customer relationship or the date of a transaction). We adhere to these requirements by retaining data for the mandated durations.
• We also consider the statute of limitations for legal claims and the need to preserve evidence. For example, if a law allows customers to bring a claim against us within a certain number of years, we may keep relevant data until that period expires to protect against and address potential disputes.
• Personal data that is no longer needed for any business or legal purpose will be disposed of securely. When deleting data, we follow documented procedures to ensure that the information cannot be reconstructed or read. In some cases, rather than deleting, we may anonymize your data (so it can no longer be associated with you) for analytical or statistical purposes, since anonymized data is not considered personal information and may be retained indefinitely without identifying you.

In summary, we retain your personal information only for as long as necessary. The exact time frames depend on the type of data and the specific laws or regulations that apply. Once the retention period is over, we will ensure that your data is erased, anonymized, or securely destroyed.
If you have specific questions about how long a particular type of data will be retained, feel free to contact us. In certain cases, we might be able to honor requests to delete data sooner (for example, removing you from a marketing list) as long as we are not required to keep it. Refer to Section 10 on “User Rights and Choices” for how you can request deletion.

9. Data Security

We take the security of your personal and financial information very seriously. FINTRA has implemented a range of administrative, technical, and physical safeguards designed to protect your data against loss, misuse, unauthorized access or disclosure, alteration, and destruction. These measures include, but are not limited to, the following:

• Encryption: We use industry-standard encryption protocols (such as TLS/SSL) to protect data transmitted between your device and our servers. Sensitive data (like passwords, transaction details, and personal identification numbers) is encrypted in transit, and in many cases also encrypted at rest in our databases, so that even if data were to be intercepted or improperly accessed, it would be unreadable to unauthorized parties.
• Access Controls: We restrict access to personal data strictly to authorized personnel who need that information to perform their job duties. Employees of FINTRA and our service providers are given access based on the principle of least privilege. We employ authentication measures (strong passwords, multi factor authentication, biometric access controls, etc.) to prevent unauthorized access to our systems. Regular reviews are conducted to revoke access for those who no longer require it.
• Network and System Security: Our IT infrastructure is protected by firewalls, intrusion detection and prevention systems, antivirus and anti-malware solutions, and continuous monitoring of network traffic. We regularly update our software and systems to patch vulnerabilities and use advanced threat detection tools to identify and respond to suspicious activities.
• Physical Security: The data centers and offices where personal data is stored are secured with appropriate physical controls. This may include 24/7 security personnel, CCTV surveillance, access card entry, biometric scanners, and secure server room environments with climate control and backup power. Only authorized individuals are allowed on premises where sensitive data is stored.
• Security Policies and Training: We maintain comprehensive information security policies that align with industry best practices and regulatory requirements. Our staff receives training on confidentiality, data protection, and cybersecurity practices. We also perform background checks on employees where applicable, especially those handling sensitive financial data. Vendors handling data on our behalf are contractually required to uphold stringent security standards.
• Audits and Testing: FINTRA conducts periodic security audits, vulnerability assessments, and penetration testing (sometimes with the help of external experts) to evaluate the strength of our security measures. Any identified weaknesses are promptly addressed. We also maintain incident response plans so that we can react swiftly and effectively in the event of a security incident or data breach.
• Data Backups and Recovery: We routinely back up critical data to prevent loss in case of system failures or disasters. Backup data is stored securely (with encryption and physical safeguards) and tested for integrity. In the event of a technical issue or natural disaster, we have business continuity and disaster recovery plans to restore services and data access with minimal disruption.

While we strive to protect your information with these robust measures, it’s important to note that no security system is infallible. Transmission of data over the internet, in particular, can never be guaranteed to be 100% secure. Therefore, we cannot warrant the absolute security of information during its transmission or storage in our systems. However, we continually update and improve our security practices to meet evolving threats.
Your Responsibilities: You also play a vital role in keeping your data secure. We urge you to maintain the confidentiality of your account login credentials and to use unique, strong passwords for your FINTRA account. Implement any recommended security features we offer, such as two-factor authentication, to add an extra layer of protection. If you become aware of any unauthorized access or suspect that your account or personal data has been compromised, please contact us immediately so we can assist in securing your account.
In the unfortunate event of a data breach that affects your personal information, we will follow applicable laws and regulations regarding notification. This may include informing you and relevant authorities within the required time frames and providing guidance on steps you may need to take to protect yourself.

10. User Rights and Choices

You have certain rights regarding your personal data held by FINTRA, as well as choices about how we communicate with you and use your information. We are committed to honoring these rights and providing you with control over your personal data. Below is a summary of your key rights and choices:

• Right to Access Your Information: You have the right to request access to the personal data we hold about you. Upon verification of your identity, we will provide you with a copy of your personal information in our records, as well as information about how we have used or disclosed it, as required by law. This helps you understand what data we have and confirm that we are processing it in accordance with the law.
• Right to Correction: If any of your personal data with us is inaccurate or incomplete, you have the right to request that we correct or update it. We encourage you to review and update your account information (for example, contact details or identification documents) via our platform or by contacting us whenever changes occur, so we can keep our records current. We will promptly make the requested corrections upon verification.
• Right to Withdraw Consent: In situations where we rely on your consent to process your personal data (such as for sending marketing communications or for any optional data processing that is not strictly necessary for service provision or legal compliance), you have the right to withdraw that consent at any time. For example, you can opt out of receiving promotional emails or SMS by following the unsubscribe instructions provided in those messages or by contacting us directly. Please note that withdrawing consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, and in some cases, withdrawing consent for certain uses of your data may limit our ability to provide you with the full range of services (for instance, if you withdraw consent for essential data use, we may need to close your account as described in Section 11).
• Right to Deletion (Right to be Forgotten): You may request that we delete your personal data under certain circumstances. For example, if you no longer have an account with us and believe there is no legitimate reason for us to retain your data, you can ask that it be erased. We will evaluate such requests in light of our legal obligations and retention policies. If we have no ongoing lawful basis or requirement to keep your information, we will delete or anonymize it. However, please understand that we cannot honor deletion requests for data we are required to maintain by law or for data critical to our legitimate interests (e.g., fraud prevention records) as long as those interests remain lawful and override your deletion request. We will inform you of the outcome of your request and any data we cannot delete and the reasons why.
• Right to Object to Processing: In certain cases, you have the right to object to our processing of your personal data. For instance, if we were processing your data based on a legitimate interest (or for direct marketing purposes), and you feel that our use of your data is impacting your rights or freedoms, you can object to that processing. We will review objections and, if required by law, cease processing the data in question unless we have a compelling legitimate ground to continue or it is needed for legal claims. Currently, because comprehensive data protection laws are in the process of being implemented in Bangladesh, we extend this right in alignment with emerging best practices and will fully honor it as local laws become effective.
• Right to Restrict Processing: You may have the right to request that we limit the processing of your personal data in certain situations. This can apply, for example, if you contest the accuracy of the data (while we are verifying it) or if you have objected to processing (while we determine whether our grounds override yours). During such disputes, you can ask that we halt further processing of your data (aside from simply storing it) until the issue is resolved.
• Right to Data Portability: To the extent applicable under future data protection regulations, you might have the right to receive certain personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another service provider. For instance, if you decide to move to another brokerage and request a transfer of your personal data, we will assist in providing your basic account data in a convenient format, if technically feasible and legally required.
• Marketing Communications Choices: As mentioned, you can always choose not to receive marketing or promotional communications from us. If you prefer not to get such messages, you can click the “unsubscribe” link in the emails we send or reply with an opt-out request to SMS communications. You can also adjust your preferences in your account settings if that functionality is available, or contact us directly to be removed from our marketing lists. Please note, even if you opt out of marketing messages, we will still send you transactional or service-related communications (e.g., notices about your account, security alerts, confirmations of transactions) as these are necessary for our relationship with you.
• Cookies Preferences: As detailed in Section 5, you have control over cookies through your browser settings and any tools we provide. You can adjust your browser or device settings to refuse cookies or delete them. Additionally, if we utilize any optional cookies (like for certain analytics or personalization), we will offer you a way to opt out, either via a cookie consent banner or a settings page on our site. Keep in mind that essential cookies cannot be disabled if you wish to use our secure services (other than by not using the service), because they are fundamental to site operation.
• Not Providing Data: You have the right to choose not to provide certain information. However, please be aware that refusing to provide information that we require to open or service your account (such as identification information or contact details) will likely result in our inability to offer you some or all FINTRA services. We will inform you when personal data is required to fulfill a contract or comply with a legal obligation, and what the consequences are if you do not provide it. For discretionary data fields, you can always choose not to fill them out.

Exercising Your Rights: To make any request related to your personal data or to exercise any of the rights outlined above, please contact us using the information in the “Contact Us” section (Section 15). We may ask you to verify your identity (for example, by providing identification or going through verification steps) before acting on your request, to ensure that we do not disclose data to the wrong person or make incorrect changes. We will respond to your request within a reasonable timeframe and in accordance with applicable law. In general, we will not charge a fee for processing your request, but if your requests are manifestly unfounded or excessive (for example, repetitive requests), we reserve the right to charge a reasonable fee or refuse to act on the request as permitted by law.
FINTRA is committed to upholding your rights and ensuring fair and transparent processing of your data. If you have any questions or need assistance regarding your rights and choices, do not hesitate to reach out to us.

11. Consent and Account Closure

Consent to Processing: By using FINTRA’s services, creating an account, or otherwise submitting your personal information to us, you are consenting to the collection and processing of your data as outlined in this Privacy Policy. In certain cases, we may ask for your consent in a more direct manner (for example, by having you check a box or click “Agree”) especially if the law requires explicit consent for particular data practices. Where we rely on consent as the legal basis for processing your data, you have the right to withdraw that consent at any time (see Section 10 above). Please note, however, that withdrawing consent for essential processing may impact our ability to continue providing services to you.
We also want to clarify that when you consent to this Privacy Policy, you are not only agreeing to current practices but also acknowledging that we may introduce new features or services in the future that align with the purposes described here. We will notify you and seek fresh consent if we ever intend to process your personal data for a purpose that is materially different from what is described in this Policy (unless it is otherwise permitted or required by law).
Account Closure: You have the option to close your FINTRA account at any time, should you wish to discontinue using our services. The process for account closure may require you to submit a request through our platform or to contact our customer service with a written request. For security reasons, and to ensure it’s a genuine request, we will take steps to verify your identity and confirm your intent before closing the account. Before requesting closure, please ensure that any pending transactions are settled. If you have any outstanding obligations, such as negative balances, unsettled trades, or outstanding loans (for instance, an active margin loan), you will need to address those (through repayment or other arrangements) as part of the closure process. Account closure may be delayed or conditioned upon fulfilling these obligations in accordance with our customer agreement and regulatory requirements.
Once your account closure is processed:

• We will mark your account in our systems as “Closed” or inactive and cease any further processing of your personal data for active service provision. You will no longer be able to log into the platform or initiate transactions with that account.
• We will stop sending you any routine service communications related to that account. However, we may still contact you for post-closure matters such as final statements, outstanding fee settlements, or required regulatory communications.
• As described in Section 8 (Data Retention), we will retain your data for a period after closure as required by law and internal policies. Closing your account does not immediately erase all your personal data from our records. Instead, your data will be archived and maintained securely until it is no longer needed. During this retention period, your information remains protected under the terms of this Privacy Policy. We will not use it for any new purposes – only for things like legal compliance, audits, or resolving disputes. Once the retention period expires, we will delete or anonymize the data as appropriate.

Importantly, if you withdraw consent for processing of your data, and that data is essential for us to provide the FINTRA service, we may interpret that withdrawal as a request to close your account (since we cannot provide our services without processing certain core data). We will inform you if this is the case and guide you through the account closure process.
After account closure and once required retention periods lapse, we will permanently delete or anonymize the personal data associated with your account. If you ever decide to return to FINTRA after closing your account, you would generally need to create a new account and provide your details again, as we might not retain your previous details beyond what is legally required.
We hope to have you as a long-term client, but we respect your choice to leave and your privacy rights in that process. If you have any questions about closing your account or need assistance, please contact us.

12. Dispute Resolution

FINTRA is dedicated to addressing any concerns or disputes regarding your privacy and the handling of your personal data in a fair and prompt manner. If you have a complaint or believe that we have not complied with this Privacy Policy or applicable data protection laws, we encourage you to reach out to us so that we can work to resolve the issue. Here’s how disputes or complaints will be handled:
Contact Us First: In the event of any grievance, please first contact our Data Protection Officer or the designated privacy team using the contact details provided in Section 15 (“Contact Us”). Provide as much detail as possible about your concern (e.g., the nature of the issue, relevant time frames, and any supporting information). Our team will acknowledge your complaint and initiate an investigation. We may get in touch with you for further information if necessary. We aim to resolve most concerns through this direct communication, and we will inform you of the outcome or any measures taken to address your issue.
Internal Review: FINTRA has internal procedures for investigating and resolving privacy issues. Complaints are reviewed by our compliance and legal teams, and if needed, escalated to senior management. We endeavor to provide a substantive response within a reasonable timeframe. This typically means within 30 days, though some issues (particularly complex ones involving technical investigations or third parties) might require more time. We will keep you updated on the progress if an answer cannot be given quickly.
Regulatory Assistance: If you are not satisfied with our response or believe that we have not addressed your concerns adequately, you have the right to seek assistance or lodge a complaint with the appropriate regulatory bodies in Bangladesh. As of the date of this Policy, Bangladesh is in the process of enhancing its data protection governance. Depending on the nature of the issue, you might consider contacting:

• The Bangladesh Securities and Exchange Commission (BSEC) – since we are regulated by BSEC, if your concern relates to how we handle client confidentiality or any violation of securities laws, BSEC can be apprised.
• The emerging National Data Governance Authority (once fully established under the Personal Data Protection Ordinance, 2025) or any designated Data Protection Office – if your concern pertains to personal data protection and once such authority is officially functioning and accepting complaints.
• The Bangladesh Telecommunication Regulatory Commission (BTRC) – for issues that might involve electronic communications or telecom aspects of data (though primarily they oversee telecom operators).
• Bangladesh’s law enforcement agencies or courts – for serious matters such as data theft, fraud, or harm caused by misuse of data, you have the right to seek legal recourse. You may consult with a legal advisor on how to proceed in such cases.

We hope it never comes to this, but we want you to be aware of your options. We will cooperate fully with any official investigation or inquiry into our privacy practices, and if needed, abide by the decisions or directives issued by regulatory authorities or courts regarding the dispute.
No Retaliation: Rest assured that raising a privacy concern or dispute will not affect the service we provide to you. We value feedback and view complaints as an opportunity to improve. You will not be discriminated against or refused services just because you have lodged a privacy-related complaint.
Informal Resolution: Often, a quick call or email can clear up misunderstandings. We encourage you to reach out with any questions or issues, no matter how small, so that they can be resolved before escalating into disputes. Our customer support and compliance teams are trained to handle such matters sensitively and in accordance with applicable regulations.
In summary, our goal is to maintain your trust. If we fall short, we are committed to doing our best to rectify the situation. Your privacy is of utmost importance, and we will take every complaint seriously.

13. Compliance and Governing Law

FINTRA operates under the laws of the People’s Republic of Bangladesh. We are fully committed to complying with all applicable laws and regulations concerning privacy, data protection, and financial services in Bangladesh. Below are key compliance points and the legal framework governing this Privacy Policy:

• Financial Regulations and Confidentiality: As a licensed brokerage house under BSEC, we abide by the securities laws and regulations of Bangladesh. This includes strict rules on client confidentiality. For example, Section 19 of the Securities and Exchange Ordinance, 1969 prohibits us from disclosing any information about a client’s account or transactions to unauthorized persons. FINTRA upholds these duties by ensuring that your personal and trading information remains confidential, and we only share it as permitted by law or as detailed in this Policy.
• Data Protection and Privacy Laws: Bangladesh is in the process of strengthening its data protection regime. We proactively align our practices with the principles outlined in the draft Personal Data Protection Ordinance, 2025 (PDPO), which, once fully enacted, will be the primary data protection law in Bangladesh. We treat your personal data in line with international best practices, including lawfulness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality. As sections of the PDPO or related regulations come into effect, FINTRA will ensure full compliance, which may include enabling additional user rights or adjusting data handling procedures as required by law.
• Other Relevant Laws: We also comply with sector-specific and general laws related to information management. This includes the Money Laundering Prevention Act, 2012 and its amendments, the Cyber Security Act, 2023, the Information and Communication Technology (ICT) Act (to the extent applicable), and directives from Bangladesh Bank, BSEC, or other regulators regarding data security and customer confidentiality. If FINTRA handles special categories of data, such as credit bureau or taxpayer information, we strictly adhere to the laws governing those data categories.
• International Standards: In the absence of a fully enacted local data protection law, FINTRA voluntarily refers to international standards such as the EU General Data Protection Regulation (GDPR) as benchmarks for privacy protection. While not legally bound by GDPR for domestic operations, adopting similar principles helps ensure high standards of data security and respect for user rights, including for Bangladeshi expatriates or users subject to foreign data protection regimes.
• Audits and Oversight: Our compliance efforts are subject to oversight by relevant authorities such as BSEC, DSE, and other regulatory bodies. These authorities may audit our operations, including data handling practices, to ensure legal and regulatory compliance. We maintain detailed internal policies, records, and conduct regular internal audits to verify adherence to this Privacy Policy and applicable laws.

Governing Law and Jurisdiction: This Privacy Policy and any disputes or claims arising from it or related to your personal data are governed by the laws of Bangladesh. By using our services, you agree that any legal action or proceeding concerning this Policy or FINTRA’s handling of your information shall be brought in the competent courts or tribunals of Bangladesh. In practice, this means if there is a need for litigation, it would likely be handled by the courts of Dhaka (given that our head office is in Dhaka), unless a regulator’s forum (like a tribunal or arbitrator specified by law) is available and appropriate for the matter.
We note that, as privacy and data protection norms evolve, this Policy may be updated to reflect new compliance requirements. FINTRA will always operate transparently and ethically within the legal frameworks applicable to us. If you are reading this Policy at a time when new laws have come into force, we appreciate your understanding as we adapt to those laws and will update our commitments herein accordingly.

14. Changes to this Policy

We may revise or update this Privacy Policy from time to time to reflect changes in our services, legal obligations, or data processing practices. When we make changes, we will update the “last updated” date at the bottom of the Policy. If changes are significant, we will take additional steps to inform you of these changes:

• Posting on Website/App: We will post the updated Privacy Policy on our website (and make it available through our mobile app, if applicable). The new version will be effective as soon as it is posted, unless otherwise stated. We encourage you to review our Privacy Policy periodically to stay informed about how we are protecting your information.
• Notification of Material Changes: If we make any material changes that significantly affect your rights or the way we handle your personal data, we will provide a prominent notice. This may include notifications via email to the address associated with your account, in-app alerts, or a pop-up notice when you log in. The notification will outline the key changes and direct you to the revised Privacy Policy for details.
• Consent for New Uses: If any change to the Privacy Policy would permit us to handle your personal data in a way that is materially different from that stated at the time of collection, we will seek your consent for those new uses or offer you a choice before the changes take effect, if required by law. For example, if we ever decide to collect new types of data or share data with new categories of third parties not covered by this Policy, we would obtain your consent as necessary.
• Effective Date of Changes: All updates to this Policy are effective when they are posted unless a later date is specified. If you continue to use FINTRA’s services after a Privacy Policy update takes effect, that will indicate your acceptance of the revised Policy. However, if any changes require separate consent, your lack of response or continued use won’t imply consent for those specific changes; we will explicitly seek agreement in those cases.

We maintain archives of previous versions of our Privacy Policy, which can be made available upon request, so you can see how our practices have evolved over time. If you have any questions about the changes or any aspect of the Privacy Policy, you should contact us (see Section 15).
In summary, FINTRA will not reduce your rights under this Privacy Policy without your explicit consent. Our aim is to ensure that our privacy practices stay aligned with our values, our clients’ expectations, and the legal requirements. We appreciate your continued trust in us as we update our policies to serve you better.

Last updated: January 13, 2026.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how FINTRA handles your personal data, please do not hesitate to contact us. We are here to help and address any issues you may have.
Contact Information for Privacy Inquiries:
FINTRA Securities Limited (Attention: Data Protection Officer)
Head Office – Cotton House (Level 01)
House No. 02, Road No. 113/A, Gulshan-2
Dhaka 1212, Bangladesh.
Email: [email protected]
Phone: +880 9606-268866

You may contact us by mail, email, or telephone using the details above. When reaching out, please provide your name and contact information along with a clear description of your question or concern. This will help us route your inquiry to the appropriate team and respond more efficiently.

Our business hours for phone inquiries are Sunday to Thursday, 9:00 AM to 5:00 PM Bangladesh Standard Time (excluding public holidays). Emails can be sent at any time, and we strive to acknowledge receipt within 1-2 business days and provide a full response as soon as possible thereafter.

If you are an existing FINTRA client, you can also contact your relationship manager or our customer service hotline for general queries, but for privacy-specific concerns, the above contact points will ensure your issue is handled by our privacy compliance team.

We value your feedback and are committed to resolving any issues to your satisfaction. Your privacy is important to us, and we appreciate the opportunity to communicate with you about it.