Legal
Privacy Notice
How personal data is collected, used, shared and protected across the BlackCores Responsible Markets programme. Operated by BlackCores and Partners LLP.
Last updated:
Jump to section
1. Who we are
The data controller for personal data processed through this Site and programme is BlackCores and Partners LLP, trading as BlackCores & Partners, a limited liability partnership registered in England and Wales with company number OC459454.
Registered office: First Floor Office, 3 Hornton Place, London, W8 4LZ, United Kingdom. Public contact: rm@blackcores.org.
2. Scope of this notice
This notice applies to personal data processed through BlackCores.org, register.blackcores.org, programme application submissions, general enquiries, corrections and profile concern submissions, certificate verification requests, programme communications and related services operated by BlackCores and Partners LLP.
3. Personal data we collect
We may collect and process the following categories of personal data depending on how you interact with the programme:
- Contact details: name, email address, telephone number, postal address.
- Business and firm details: legal name, trading name, company number, jurisdiction, website, regulatory reference.
- Application details: the content of expressions of interest, application forms and supporting submissions.
- Corporate profile information: group structure, ownership, beneficial ownership or control information where voluntarily submitted or requested.
- Evidence metadata: documentary references, audit trail identifiers, submission timestamps.
- Correspondence: the content of emails, messages and written communications.
- Website technical data: IP address, browser type, page visit data, session data necessary for secure operation.
- Cookie and analytics preferences.
- Correction and concern submissions: the content of profile concerns or factual correction requests.
- Use-of-mark records: references to programme mark use submitted by or relating to a participant firm.
- Certificate and profile status records: profile ID, certificate ID, status, scope, issue and expiry dates.
4. How we collect data
We collect personal data through the following means:
- Website forms, including application, enquiry and corrections forms.
- Email correspondence directed to programme contact addresses.
- Application and expression-of-interest submissions.
- Evidence uploads, where that functionality is enabled.
- Publicly available sources including corporate registers, regulatory registers and company registries.
- Participant firm submissions and profile update communications.
- Third-party professional communications where lawful and relevant to programme administration.
5. Purposes
We process personal data for the following purposes:
- Responding to enquiries and programme communications.
- Assessing and processing applications and expressions of interest.
- Carrying out eligibility and risk screens relevant to programme scope.
- Requesting, reviewing and handling evidence submissions.
- Maintaining Register profiles, Profile IDs and Certificate IDs.
- Operating certificate verification and profile status records.
- Managing corrections and profile concern submissions.
- Administering programme terms, renewals and annual updates.
- Complying with applicable legal and regulatory obligations.
- Protecting against misuse of the programme, its marks and its records.
- Maintaining website security and integrity.
- Sending programme communications where appropriate.
6. Lawful bases
We process personal data under the following lawful bases under UK GDPR:
- Legitimate interests: operating the programme, maintaining accurate records, protecting register integrity and preventing misuse of marks and certificates.
- Contract / steps before contract: processing applications, managing participation terms and administering renewals.
- Legal obligation: where processing is required to comply with applicable law.
- Consent: where required, for example for non-essential analytics cookies or direct marketing communications.
7. Legitimate interests
Where we rely on legitimate interests, those interests are:
- Operating a responsible-market standards programme in the public interest of the FX/CFD institutional ecosystem.
- Maintaining accurate, verifiable and up-to-date public profiles on the Register.
- Handling applications and evidence in a fair and consistent manner.
- Protecting the integrity of the Register, certificates and Programme ID system.
- Preventing misuse of programme marks, status references and certificates.
- Responding appropriately to profile concerns and factual corrections.
We balance these interests against the rights and expectations of individuals. Where the balance may favour individual rights, we apply appropriate protections.
8. Special category and sensitive data
We do not generally request special category personal data as defined under UK GDPR. If such data is received incidentally in the course of a submission, it will be handled only where we have a lawful basis to do so and only to the extent relevant to programme purposes.
9. Sharing
We may share personal data with the following categories of recipient:
- BlackCores-related operating platforms and internal teams where relevant to programme administration.
- Technology service providers, hosting providers and IT support services acting as data processors.
- Professional advisers including legal counsel, accountants and compliance reviewers.
- Payment processors, if and when fee payment functionality is enabled.
- Competent authorities where required by law or lawful request.
- Third parties where a participant firm has authorised publication or reference.
- Public Register viewers — but only information expressly selected for publication.
We do not sell personal data. We do not share personal data for advertising purposes.
10. Public profile publication
Where a firm is accepted for publication, the following information may appear on the public Register:
- Firm legal name and trading name.
- Principal jurisdiction and website.
- Profile ID and, where issued, Certificate ID.
- Programme status, declared scope and annual update status.
- Public profile details as agreed within the programme terms.
Confidential evidence, beneficial ownership details and internal correspondence are not published unless expressly agreed in writing.
11. International transfers
Personal data is processed primarily within the United Kingdom. Where service providers or communication platforms involve processing outside the UK, we apply appropriate safeguards in accordance with UK GDPR, including standard contractual clauses or reliance on adequacy decisions where applicable.
12. Retention
We retain personal data only for as long as necessary for the purposes described in this notice or as required by law. Our general retention periods are as follows:
- General enquiries: up to 24 months from receipt unless further interaction occurs.
- Application records: duration of the assessment process plus a reasonable post-process business and legal period.
- Participant records: active participation period plus 6 years after programme end, expiry or withdrawal, unless a longer period is required by law.
- Certificate and profile records: may be retained as historical verification records beyond active participation, with status updated accordingly.
- Correction and concern submissions: retained for the duration of the review process and a reasonable period thereafter.
- Cookies and analytics data: in accordance with the Cookie Notice.
13. Your rights
Subject to applicable law and our legitimate interests in maintaining accurate programme records, you may have the following rights:
- Access: to request a copy of personal data we hold about you.
- Rectification: to request correction of inaccurate personal data.
- Erasure: to request deletion of personal data in certain circumstances.
- Restriction: to request restriction of processing in certain circumstances.
- Objection: to object to processing based on legitimate interests.
- Portability: to receive personal data in a structured, commonly used format where applicable.
- Withdraw consent: where processing is based on consent, to withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at rm@blackcores.org. We will respond within the timeframes required by law.
14. ICO complaint right
If you have concerns about how we handle your personal data and we have been unable to resolve them, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO), the supervisory authority for data protection in the United Kingdom.
Information about how to contact or complain to the ICO is available on the ICO website at ico.org.uk.
15. Direct marketing and programme communications
We may send programme communications — such as updates, renewal notices or material changes to the programme — to participant firms or enquirers where there is a legitimate programme basis to do so.
Where direct marketing communications require consent under applicable law, we will obtain that consent separately and clearly. We do not use pre-ticked boxes. You may withdraw consent for marketing communications at any time.
17. Security
We apply reasonable technical and organisational measures to protect personal data against unauthorised access, loss, alteration or disclosure. No method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.
18. Children
This Site is intended for institutional and business users and is not directed at children under the age of 18. We do not knowingly collect personal data from children.
19. Automated decisions
We do not currently make solely automated decisions — without any human review — that produce legal or similarly significant effects on acceptance for publication, profile listing or certificate issuance. If this changes, we will update this notice and provide the disclosures required by applicable law.
20. Contact
Data protection enquiries should be directed to rm@blackcores.org.
Correspondence may also be sent to: BlackCores and Partners LLP, First Floor Office, 3 Hornton Place, London, W8 4LZ, United Kingdom.