Effective Date: September, 2023
Your privacy is important to us. This privacy notice (“Privacy Notice”) applies to every person from the EEA, Switzerland and the UK:
This Privacy Notice explains to data subjects in the EEA, Switzerland and the UK the type of personal data that Citadel Enterprise Americas LLC, Citadel Securities Americas LLC, Citadel Americas LLC and their affiliates (“Citadel”, “we”, or “us”) might collect from you, or which we have obtained about you from a third party, the purposes for which we process your personal data and your rights in respect of our processing of your personal data.
Please also note that this Privacy Notice only applies to the use of your personal data obtained by us, it does not apply to your personal data collected during your communications with third parties.
We are the data controllers responsible for your personal data processed via the Site.
Please note that depending on which Citadel entity you contract with in relation to the Services, or to which Citadel entity you apply for a job, other Citadel group companies or companies managed by Citadel (the “Citadel Group”) may also be data controllers responsible for your personal data processed in relation to the Services.
Our primary goal in collecting personal data from you may be: (i) to verify your identity; (ii) to help us deliver the Services; (iii) to develop new products or Services and conduct analysis to enhance current products and Services; (iv) to review the usage and operations of the Site (and related Citadel digital channels, including Citadel social media channels) and to improve its content; (v) to provide you with customised Site content and Site experience (including on related Citadel digital channels, including Citadel social media channels); (vi) to carry out requests made by you on the Site or in relation to Services; (vii) to investigate or settle inquiries or disputes; (vi) to comply with any applicable law, court order, other judicial process, or the requirements of any relevant regulator; (vii) to enforce our agreements with you; (viii) to protect our rights, property or safety or third parties, including our other clients and users of the Site or Services; (ix) to provide support for the provision of Services; (x) for recruitment, talent management, brand building, company communications, employment and academic trading program administration purposes; and (xi) to use as otherwise required or permitted by law.
To undertake these goals we may process the following personal data:
Primarily Citadel is engaged by corporate clients, investors or intermediaries (i.e. other corporate entities) and as such those clients, investors or intermediaries are not data subjects (except with respect to Switzerland as under Swiss data protection law, not only individuals but also legal entities may be data subjects). However as part of such instructions personal data about other persons may be provided to us, e.g. personal data relating, without limitation, to any workers, employees, partners, members, directors, representatives or similar of our corporate clients, investors or intermediaries or prospective clients, investors or intermediaries).
The following is a non-exhaustive list which is reflective of the varied nature of the personal data processed as part of our business.
For instance, if we are providing Services to a corporate client, investor or intermediary we may be provided with, and then process, personal data about their representatives including but not limited to the representative’s name and contact details and any other information necessary to fulfil the Services (e.g. including, without limitation, any regulatory Know Your Client and/or Anti Money Laundering regulations (or similar) information).
In using the Alpha League platform, we may process personal data provided by such representatives in relation to the User Investment Profile section of the platform.
We might also need to process personal data in relation to a corporate client’s, investor’s or shareholder’s workers who use a Service in the course of their work for such corporate entity.
We may also need to process voice recordings where we are required to record telephone calls for financial regulatory purposes or other proportionate purposes (e.g. to establish the existence of facts relevant to Citadel’s business; to ascertain compliance with regulatory or self-regulatory practices or procedures relevant to Citadel’s business; to ascertain or demonstrate standards that are or ought to be achieved by persons using the system; to prevent or detect crime or to investigate or detect the unauthorised use of the communications system or ensure the effective operation of the system.)
Please note that in this Privacy Notice, when we reference the processing of personal data related to any corporate clients, investors, or intermediaries, we also mean any of their personnel whose personal data may be processed by us in connection with our engagement and provision of the Services.
We collect and process personal data about our suppliers (including trading counterparties) and their representatives in order to manage the relationship, contract, to receive services from our suppliers and, where relevant, to provide the Services to our clients.
We may also need to process voice recordings where we are required to record telephone calls for financial regulatory purposes or other proportionate purposes (e.g. to establish the existence of facts relevant to the business; to ascertain compliance with regulatory or self-regulatory practices or procedures relevant to the business; to ascertain or demonstrate standards that are or ought to be achieved by persons using the system; to prevent or detect crime or to investigate or detect the unauthorised use of the communications system or ensure the effective operation of the system).
If you attend one of our physical offices or other locations, we may process personal data that you volunteer in connection with your visit and any enquiries you make. For example, you may provide personal data when signing in as a guest. CCTV footage may also be collected for security purposes.
For the purposes of using entrance kiosks that rely on facial recognition technology to permit you access to our premises, we may process your government issued ID card, a RFID card that sets out your access rights (for regular visitors), and biometric data in the form of facial scans to ensure that your face matches that on the government issued ID / RFID card and that access is being granted to the correct individual.
We may use your personal data for the following purposes:
What is our legal basis?
Where we use your personal data in connection with a business transition, to enforce our legal rights, or to protect the rights of third parties it is in our or a third party’s legitimate interest to do so. For all other purposes described in this section, it is our legal obligation to use your personal data to comply with any legal obligations imposed upon us.
Where we use your personal data in connection with recruitment, talent management and brand awareness, it will be in connection with us taking steps at your request to enter a contract we may have with you or it is in our legitimate interest to use personal data in such a way to ensure that we can make the best recruitment, brand awareness and talent management decisions for Citadel or it is our legal obligation to use your personal data to comply with any legal obligations imposed upon us. We will not process any special data except where we are able to do so under applicable legislation or with your explicit consent, or if relating to diversity and inclusion personal data, if such processing is in the substantial public interest (and permissible under local laws). Any personal data we process relating to criminal convictions and offences will be to comply with our legal obligation as a part of financial regulatory compliance and for the prevention of crime (financial or otherwise).
If we have engaged you or the organisation you represent to provide us with products or services (for example, if you or the organisation you represent provide us with services such as IT support or financial advice), we will collect and process your personal data in order to manage our relationship with you or the organisation you represent, to receive products and services from you or the organisation you represent and, where relevant, to provide our Services to others.
It is necessary for us to use your personal data to perform our obligations in accordance with any contract that we may have with you or the organisation you represent, or it is in our legitimate interest to use personal data in such a way to ensure that we have an effective working relationship with you or the organisation you represent and are able to receive the products and services that you or your organisation provides, and, where relevant, to provide our Services to others, in an effective way.
We have security measures in place at our offices, including CCTV and building access controls. There are signs in our office showing that CCTV is in operation. The images captured are securely stored and only accessed on a need to know basis (e.g. to look into an incident). CCTV recordings are typically automatically overwritten after a short period of time unless an issue is identified that requires investigation (such as a theft). We require visitors to our offices to sign in at reception and keep a record of visitors for a short period of time. Our visitor records are securely stored and only accessible on a need to know basis (e.g. to look into an incident).
Facial recognition technology may also be used to ensure that only those with the right to access our premises do so.
In relation to pandemic prevention measures, limited health data (e.g. temperature testing or questions about travel) may be processed.
It is in our legitimate interests to process your personal data so that we can keep our premises secure and provide a safe environment for our personnel and visitors to our premises.
Facial recognition technology is used in conjunction with Citadel’s entrance kiosks. Should you not wish to enter through a kiosk, you can let a member of staff know and they will provide an alternative that does not rely on such processing. When using a kiosk, you provide your explicit consent for such processing.
Any processing in relation to pandemic prevention measures will only be undertaken in line with relevant government guidance and where there is a clear lawful basis to process such data (e.g. legitimate interests, legal obligations and public interest).
We analyse your contact details with other personal data that we observe about you from your interactions with our Site and/or with our Services.
By using this information, we are able to measure the effectiveness of our content, digital channels, and branding efforts, count users who have visited our Site or opened an email and collect other types of information, including insights about how visitors use our Site.
This allows us to learn what pages of our Site are most attractive to our visitors, the effectiveness of our emails, which parts of our Site are the most interesting and what kind of information our registered users like to see. The information is also used to create profiles and insights about your demographic. We also use this information to improve the content on our Site and in our marketing efforts- both online and offline. This information also helps us with the selection of future service lines, web design and to remember your preferences.
We also use this information for marketing purposes (see the “Marketing communications” section below for further details), and for recruitment and talent management purposes (see the “Recruitment, Talent Management and Brand Awareness” section above for further details). We may share this information with third parties for these purposes (see the “Personal Information Sharing” section below for further details).
In some of our email messages, we use a “click-through URL” linked to certain websites administered by us or on our behalf. We may track click-through data to assist in determining interest in particular topics and measure the effectiveness of these communications.
Where your data is collected through the use of non-essential cookies, we rely on consent to collect your data. Please see Manage My Preferences for further details about the cookies that we use, and to update your preferences.
Where we use this personal data for the purposes described in the “Marketing communications” section of this Privacy Notice, please see this section for details of the legal basis that we rely on.
We collect and maintain such databases to be primarily used for research and statistical analysis for business investment purposes, and to gain further global insights.
It is in our legitimate interest or a third party’s legitimate interest to use personal data in such a way to ensure that we provide the Services in the best way that we can. Further, as part of our legitimate interests assessment, we rely on the fact that the personal data has been manifestly made public by individuals to process their personal data.
We use information that we observe about you from your interactions with our Site, our email communications to you, our interactions with you on our other digital channels such as social media and/or with Services (see the “Insight and Analysis” section above for more details of the information collected and how it is collected) and/or your address details, to provide information that we think will be of interest about us, our Services and where relevant our recruitment practice. For example, industry updates and insights, newsletters, invites to events and, where permitted by applicable law, promotional materials from Citadel (including in relation to recruitment).
We will only send you marketing communications via email where you have consented to receive such marketing communications, or where it is otherwise within our legitimate interests to do so. You have the right to opt-out of email marketing communications at any time.
We share your email address (usually in an encrypted or ‘hashed’ form) with third-party providers of social media platforms and other services, such as LinkedIn and other similar platforms (“Social Platforms”), so that the third party providers can try to “match” your data with the data of their registered users of their Social Platforms.
Where there is a successful match, we will display our advertising to you when you use the relevant Social Platform (e.g. on your LinkedIn newsfeed). We may do this through LinkedIn Custom Audiences. This is known as “custom audience” advertising, because we “customise” the audience that we want to reach on the relevant service.
Please note that such activity is also subject to the privacy choices you have elected to make on such Social Platforms.
Where we use your personal data to provide you with personalised advertising on Social Platforms, we rely on the consent that you have provided in respect of the collection of such data, or it is otherwise in our legitimate interests to promote our Site and our Services to you when you use those Social Platforms (including in relation to recruitment).
From time to time we will contact you to invite you to provide feedback about our Services. We use this information to help us improve the quality of service provided by our staff. We also use your feedback to monitor the quality of our Services.
It is in our legitimate business interests to use the information you provide to us in your feedback for the purposes described above.
From time to time, we may organise and host events for the purpose of promoting our business or for charitable causes or other reasons. We may process your personal data to communicate with you about such events where you have specifically requested information about such events or where we have another lawful basis for sending that information to you.
If you attend one of our events, we may process your personal data to record your attendance at the event and for related record-keeping purposes and, if relevant, we may collect and process any dietary requirements you may have. You may also feature in photographs taken at our events and such photographs may appear in publications that we make available.
It is necessary for us to use your personal data in this way to perform our obligations in accordance with any contract that we may have with you where you have signed up to attend an event, or it is in our legitimate interest or a third party’s legitimate interest to use personal data in such a way to ensure that the event is operated in an effective way.
We may specifically ask your permission to use your photographs, quotes, testimonials, or other content that you make available or publish at the event. Where this is the case, our processing of your such personal data will be based on consent.
Where we are required by law to collect your personal data, or we need to collect your personal data under the terms of a contract we have with you, and you fail to provide that personal data when we request it, we may not be able to perform the contract we have or are trying to enter into with you. This may apply where you do not provide the personal data we need in order to provide the Services you have requested from us or to process an application to register an account. In these circumstances, we may have to cancel your application or the provision of the relevant Services to you, in which case we will notify you.
Where our use of your personal data requires your consent, you can provide such consent:
The Site uses certain essential, functional, marketing and analytics cookies, pixels, beacons, log files and other technologies to allow the Site to function (all referred to as “cookies”).
There are various ways that you can manage your cookie preferences, but please be aware that in order to use some parts of our Site you will need to allow certain essential or functional cookies. If you block or subsequently delete those cookies, some aspects of our Site may not work properly, and you may not be able to access all or part of our Site.
For further information about types of cookies used and to customise your cookie preferences please visit Manage My Preferences.
For more information on cookie management and blocking or deleting cookies for a wide variety of browsers, visit www.allaboutcookies.org.
We will only share personal data with others when we are legally permitted to do so. When we share personal data with others, we use reasonable efforts to put contractual arrangements and security mechanisms in place to protect the personal data and to comply with our data protection, confidentiality and security standards.
Please note that when processing your personal data we may need to share it with other third parties as follows:
Occasionally, we may receive requests from third parties with authority to obtain disclosure of personal data, such as to check that we are complying with applicable law and regulation, to investigate an alleged crime, to establish, exercise or defend legal rights. We will only fulfil requests for personal data where we are permitted to do so in accordance with applicable law or regulation.
Please note that, due to the international operations of Citadel, where necessary to deliver the Services (as set out in this Privacy Notice) we will transfer personal data to countries outside the EEA, Switzerland and the UK (including to Citadel’s US affiliates) and such personal data may be stored on servers located outside the EEA, Switzerland and the UK; in principle, in any country in the world. Citadel – and many third-party service providers that Citadel works with – are based in the US, but Citadel also has material operations in the UK and the EEA. As such, your personal data will be transferred (both to other companies within the Citadel Group as well as to third party service providers) to the US, the UK, and the EEA as required to deliver the Services. However, your personal data may also be shared with other companies within the Citadel Group or third-party service providers outside of the EEA, Switzerland, and/or the UK, on a less frequent basis, where necessary to deliver the Services.
When transferring your personal data outside of the UK, the EEA, and/or Switzerland, we will use reasonable efforts to comply with applicable legal and regulatory obligations in relation to the personal data, including but without limitation having a lawful basis for transferring personal data where required and putting appropriate safeguards in place to ensure an adequate level of protection for the personal data. Unless we can rely on a derogation under Art. 49 GDPR or equivalent provision under applicable law (e.g., if the transfer is necessary for the performance of a contract, in the case of legal proceedings abroad, or if you have consented to the transfer in question), we will, where required by applicable law, implement at least one of the safeguards set out below. Please contact us if you would like further information on the specific mechanisms used by us when transferring your personal data outside the UK, the EEA, and/or Switzerland.
Regarding visitors to the Site, we will retain relevant personal data for at least six years from the date of our last interaction with you and in compliance with our obligations under the EU General Data Protection Regulation, the Swiss Federal Data Protection Act, the UK GDPR and the UK Data Protection Act 2018, the Irish Data Protection Act 2018 or similar legislation around the world (or for longer as we are required to do so according to our regulatory obligations or professional indemnity obligations).
Regarding personal data we have processed as part of providing you with the Services, we will retain relevant personal data for at least six years from the date of our last interaction with you and in compliance with our obligations under the EU General Data Protection Regulation, the Swiss Federal Data Protection Act, the UK GDPR and the UK Data Protection Act 2018, the Irish Data Protection Act 2018 or similar legislation around the world (or for longer as we are required to do so according to our regulatory obligations or professional indemnity obligations). We may then destroy such files without further notice or liability. If you request your files and documents we may charge you for the costs of copying a duplicate.
Regarding personal data we have processed in relation to any recruitment activity, if you are unsuccessful in your application your personal data will be kept for a period after informing you that you were unsuccessful. If you are successful any retention protocols that apply to staff members at Citadel will apply. In considering how long to keep your personal data, its relevance to Citadel’s business and your potential employment either as a record or in the event of a legal claim will be taken into account.
If personal data is only useful for a short period, e.g. for specific marketing campaigns or CCTV footage, we may delete it after such retention period.
We take the security of all the personal data we hold very seriously. We use reasonable efforts to adhere to internationally recognised security standards. We have a framework of policies, procedures and training in place covering data protection, confidentiality and security and regularly review the appropriateness of the measures we have in place to keep the personal data we hold secure.
You have the following rights in relation to the personal data we hold about you:
If you ask us, we will confirm whether we are processing your personal data and, if necessary, provide you with a copy of that personal data (along with certain other details). If you require additional copies, we may need to charge a reasonable fee.
If the personal data we hold about you is inaccurate or incomplete, you are entitled to have it rectified. If you are entitled to rectification and if we have shared your personal data with others, we will let them know about the rectification where possible. If you ask us, where possible and lawful to do so, we will also tell you who we have shared your personal data with so that you can contact them directly.
You can ask us to delete or remove your personal data in some circumstances such as where we no longer need it or if you withdraw your consent (where applicable). If you are entitled to erasure and if we have shared your personal data with others, we will let them know about the erasure where possible. If you ask us, where it is possible and lawful for us to do so, we will also tell you who we have shared your personal data with so that you can contact them directly.
You can ask us to ‘block’ or suppress the processing of your personal data in certain circumstances such as where you contest the accuracy of that personal data or you object to us. If you are entitled to restriction and if we have shared your personal data with others, we will let them know about the restriction where it is possible for us to do so. If you ask us, where it is possible and lawful for us to do so, we will also tell you who we have shared your personal data with so that you can contact them directly.
You have the right, in certain circumstances, to obtain personal data you have provided us with (in a structured, commonly used and machine readable format) and to reuse it elsewhere or to ask us to transfer this to a third party of your choice.
You can ask us to stop processing your personal data, and we will do so, if we are:
You have the right not to be subject to a decision when it is based on automatic processing, including profiling, if it produces a legal effect or similarly significantly affects you, unless such profiling is necessary for entering into, or the performance of, a contract between you and us.
If we rely on your consent (or explicit consent) as our legal basis for processing your personal data, you have the right to withdraw that consent at any time.
You have the right to define guidelines as regards the retention, erasure and communication of your personal data after your death. Such guidelines may be general or specific, as set out in the French Data Protection Act.
If you have a concern about any aspect of our privacy practices, including the way we have handled your personal data, you can report it to your local data protection regulators – for instance but without limitation those regulators in the EU, Switzerland and the UK in which Citadel has offices are as follows:
In the UK the data protection regulator is the Information Commissioner’s Office (ICO). You can contact the ICO using the following website https://www.ico.org.uk.
In Ireland the data protection regulator is the Data Protection Commissioner- Ireland (DPC). You can contact the DPC using the following website https://www.dataprotection.ie/docs/Making-a-Complaint-to-the-Data-Protection-Commissioner/r/18.htm.
In France the data protection regulator is the Commission nationale de l’informatique et des libertés (CNIL). You can contact the CNIL using the following website https://www.cnil.fr/.
In Sweden the data protection regulator is the Swedish Data Protection Authority (Datainspektionen). You can contact the Datainspektionen using the following website https://www.datainspektionen.se/other-lang/in-english/.
In Switzerland the data protection regulator is the Federal Data Protection and Information Commissioner (FDPIC). You can contact the FDPIC using the following website https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html.
The Site contains links to other sites whose information practices may be different than ours. Visitors should consult the other sites’ privacy notices as Citadel is not responsible for, and has no control over, information that is submitted to, or collected by, these third parties. You may also be giving information to Social Platforms such as LinkedIn who provide us with data which we in turn use to improve our marketing performance. Citadel has no control over the information collected by social media networks. You should review the relevant social media network privacy notice for further information about what information is being collected, the legal basis for such collection and your rights in relation to your personal data.
We may make changes to this Privacy Notice from time to time.
To ensure that you are always aware of how we use your personal data we will update this Privacy Notice from time to time to reflect any changes to our use of your personal information. We may also make changes as required to comply with changes in applicable law or regulatory requirements. We encourage you to review this Privacy Notice periodically to be informed of how we use your personal data.
If you have any questions about this Privacy Notice or want to exercise your rights set out in this Privacy Notice, please contact us by:
Citadel Enterprise Americas LLC
ATTN: Corporate Communications
Southeast Financial Center
200 S. Biscayne Blvd.
Miami, FL 33131