Privacy Policy

Last updated: 10 April 2026

APEX Capitals Ltd (“APEX”, “we”, “us”, or “our”) takes the privacy of your data seriously. This policy explains what personal data we collect when you use the APEX Capitals platform and associated services, why we collect it, how we process it, and what rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Please read this policy carefully. By using our services, you acknowledge that you have read and understood it. If you do not agree with any part of this policy, please discontinue use of the platform and contact us at privacy@apexcapitals.co.uk.


1. Who we are

APEX Capitals Ltd is the data controller for personal data processed through the APEX Capitals platform. We are a company incorporated in England and Wales.

  • Registered address: 71–75 Shelton Street, London, WC2H 9JQ
  • Company registration number: 15842937
  • ICO registration number: ZB741205
  • Data Protection Officer: privacy@apexcapitals.co.uk

If your organisation has entered into a Data Processing Agreement (DPA) with us — as is standard for all paid subscriptions — that DPA governs our processing of personal data on your behalf as a processor. This Privacy Policy applies to APEX's role as a data controller in respect of account and contact data.


2. What data we collect

We collect the following categories of personal data:

Account data

When you register for an account, we collect your full name, email address, phone number, company name, and your chosen password (stored as a bcrypt hash — never in plain text). If you invite team members, we collect their names and email addresses in order to provision their access.

Portfolio and financial data

The platform is designed to store asset data, financial records, valuations, documents, and related information that you choose to upload. This data belongs entirely to you. We process it solely to provide the service and do not access it except where required to deliver a support request, resolve a technical incident, or comply with a legal obligation.

Usage and analytics data

We collect information about how you interact with the platform — including pages visited, features used, session duration, and error events. This data is pseudonymised and is used only to improve the platform. We do not use it to profile individuals for marketing purposes.

Cookies and similar technologies

We use strictly necessary cookies to maintain your authenticated session and remember your preferences. With your consent, we set analytics cookies (via a first-party analytics service) to understand aggregate usage patterns. See Section 7 for full cookie details.


3. How we use your data

We process personal data for the following purposes, each with its corresponding legal basis:

  • Service delivery — providing, maintaining, and improving the platform. Legal basis: performance of a contract (Article 6(1)(b) UK GDPR).
  • Account security — detecting and preventing fraud, unauthorised access, and abuse. Legal basis: legitimate interests (Article 6(1)(f)) — specifically protecting our platform and your data.
  • Analytics and product improvement — understanding how the platform is used so we can improve it. Legal basis: legitimate interests, balanced against your right to privacy. Analytics data is pseudonymised and not used for individual profiling.
  • Transactional communications — sending you invoices, account notices, and service-critical updates. Legal basis: performance of a contract.
  • Marketing communications — only where you have opted in, we may send you product updates, insights, and news about APEX. Legal basis: consent (Article 6(1)(a)). You can withdraw consent at any time by clicking the unsubscribe link in any email.
  • Legal compliance — meeting our obligations under UK law, including financial record-keeping and responding to lawful requests from regulators or law enforcement. Legal basis: legal obligation (Article 6(1)(c)).

4. Data sharing

We do not sell, rent, or trade your personal data to any third party — ever. We share data only in the following limited circumstances:

  • Sub-processors: We use a small number of carefully selected sub-processors to operate the platform. These include Amazon Web Services (UK region, for hosting and storage), Prisma Data (database infrastructure), and Stripe (payment processing). Each sub-processor is bound by a Data Processing Agreement and may only process data under our documented instructions.
  • Professional advisers: Our legal, accounting, and insurance advisers may have access to personal data where strictly necessary and are bound by confidentiality obligations.
  • Law enforcement and regulators: We will disclose personal data where required to do so by law, or where necessary to protect the rights, property, or safety of APEX, our users, or others. Where legally permitted, we will notify you before disclosing.
  • Business transfers: If APEX is acquired, merged, or its assets are transferred, personal data may be transferred to the acquirer, subject to the same privacy protections. We will provide notice of any such transfer.

All data processing takes place within the United Kingdom or the European Economic Area. We do not transfer personal data to countries outside the UK/EEA unless an appropriate safeguard (such as an adequacy decision or standard contractual clauses) is in place.


5. Data retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law.

  • Account data: Retained for the duration of your subscription and for 7 years after account closure, in line with HMRC record-keeping requirements and the Limitation Act 1980 (which sets a 6-year limitation period for contract claims).
  • Financial records: Retained for 7 years from the end of the relevant accounting period, as required by HMRC Making Tax Digital obligations.
  • Usage and analytics data: Aggregated analytics are retained indefinitely in anonymised form. Individual session logs are retained for 90 days then deleted.
  • Support correspondence: Retained for 3 years following resolution of the support request.
  • Deleted content: When you delete data within the platform (assets, documents, records), we permanently delete it from our primary database within 30 days and from backups within 90 days.

6. Your rights under UK GDPR

As a data subject, you have the following rights under UK GDPR. We will respond to any request within 30 days (or within 3 months for complex requests, with notice to you).

  • Right of access: You may request a copy of all personal data we hold about you, along with information about how and why we process it.
  • Right to rectification: You may request that we correct any inaccurate or incomplete personal data without undue delay.
  • Right to erasure (“right to be forgotten”): You may request deletion of your personal data where there is no overriding legitimate reason for us to continue processing it. Note that we may be required to retain certain financial records by law.
  • Right to data portability: You may request a machine-readable copy of the personal data you have provided to us, and request that we transmit it directly to another controller where technically feasible.
  • Right to restriction of processing: You may request that we restrict how we use your data in certain circumstances — for example, while you contest its accuracy.
  • Right to object: You may object to processing based on legitimate interests (including profiling) and to direct marketing at any time.
  • Rights related to automated decision-making: We do not make solely automated decisions that produce significant legal or similarly significant effects on individuals.

To exercise any of these rights, email privacy@apexcapitals.co.uk. We may ask you to verify your identity before proceeding.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.


7. Cookies

We use cookies and similar browser storage technologies on the APEX platform.

Strictly necessary cookies

These are essential to the operation of the platform. They maintain your authenticated session, store your CSRF protection token, and remember your cookie consent preferences. You cannot opt out of these cookies without ceasing to use the platform. No consent is required for these cookies under the Privacy and Electronic Communications Regulations (PECR).

Analytics cookies

With your consent, we set analytics cookies to measure aggregate usage — such as which features are most used and where users encounter errors. We use a self-hosted, privacy-preserving analytics tool. IP addresses are anonymised, and data is not shared with third parties. You can withdraw your consent at any time via the cookie settings panel, accessible from the footer of any marketing page.


8. Security

We implement technical and organisational measures appropriate to the sensitivity of the data we hold. These include:

  • AES-256 encryption for all data at rest, including database contents, uploaded documents, and backups.
  • TLS for all data in transit, using TLS 1.3 wherever the client supports it. We enforce HSTS and do not support TLS versions below 1.2.
  • Multi-factor authentication available on all account types and enforced for administrator accounts.
  • Role-based access controls ensuring that users can only access data within their organisation's tenancy.
  • Full audit logging of all data access and modification events, retained for 12 months.
  • Annual penetration testing by an independent CREST-certified security firm. Results are reviewed by our engineering leadership and critical findings remediated within 30 days.
  • Security operations aligned with ISO 27001 principles and SOC 2 Type II practices.
  • Regular staff training on data handling, phishing awareness, and incident response.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, as required by UK GDPR.


9. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will:

  • Update the “Last updated” date at the top of this page.
  • Send an in-platform notification and email to all account holders at least 14 days before the new policy takes effect.
  • For significant changes that affect how we use your data, we will seek fresh consent where required.

Your continued use of the platform after the effective date of a revised policy constitutes acceptance of the updated policy, provided you have been given adequate notice as described above.


10. Contact us

For any questions, requests, or concerns relating to this Privacy Policy or our data practices, please contact our Data Protection Officer:

Data Protection Officer
APEX Capitals Ltd
71–75 Shelton Street, London, WC2H 9JQ
privacy@apexcapitals.co.uk