Privacy Policy | Tirnu
Legal

Privacy Policy

Last updated: May 2026  ·  Version 1.0  ·  Applies to EU and Switzerland
This Privacy Policy explains how Tirnu collects, uses, stores, and protects your personal data. We are committed to handling your information with transparency and in full compliance with the General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (nFADP), and other applicable data protection laws.
Contents

1. Who We Are

Tirnu is an investment platform that enables users to trade stocks, cryptocurrencies, and ETFs through a single unified interface. For the purposes of this Privacy Policy, Tirnu acts as the data controller in respect of the personal data it processes.

Our contact details for data protection matters are set out in Section 12 of this policy.

2. Data We Collect

We collect personal data in the following categories depending on how you interact with our platform:

2.1 Account & Identity Data

  • Full name, date of birth, nationality
  • Email address, phone number
  • Government-issued identity documents (passport, national ID) for KYC purposes
  • Proof of address documentation
  • Username and password (stored in encrypted form)

2.2 Financial Data

  • Bank account details for deposits and withdrawals
  • Transaction history, trade records, portfolio holdings
  • Source of funds information (required for AML compliance)
  • Tax identification numbers where required by applicable law

2.3 Technical & Usage Data

  • IP address, device identifiers, browser type and version
  • Operating system and platform
  • Pages visited, features used, time and duration of visits
  • Login history and session data

2.4 Communications Data

  • Messages sent to our support team
  • Responses to surveys or feedback requests
  • Email and in-app communication preferences

2.5 Data From Third Parties

  • Identity verification data from our KYC provider (Sumsub)
  • Fraud and sanctions screening data from compliance providers
  • Market and pricing data from third-party data providers

3. How We Use Your Data

Purpose Data Used Legal Basis
Account creation and onboarding Identity, contact data Contract
KYC and identity verification Identity documents, address Legal obligation
Processing transactions Financial data, account data Contract
AML and fraud prevention Financial data, transaction history Legal obligation
Platform operation and security Technical data, usage data Legitimate interest
Customer support Communications data, account data Contract
Service improvement and analytics Usage data, technical data Legitimate interest
Marketing communications Contact data, preferences Consent
Regulatory reporting Identity, financial data Legal obligation

Under GDPR and applicable Swiss data protection law, we rely on the following legal bases to process your personal data:

  • Contract — processing is necessary to provide the services you have signed up for
  • Legal obligation — processing is required to comply with applicable laws, including AML, KYC, and financial regulatory requirements
  • Legitimate interests — processing is necessary for our legitimate business interests, such as improving our platform and preventing fraud, where these interests are not overridden by your rights
  • Consent — where we rely on your consent, you have the right to withdraw it at any time without affecting the lawfulness of processing before withdrawal

5. Sharing Your Data

We do not sell your personal data. We share your data only in the following circumstances:

5.1 Service Providers

We share data with trusted third-party providers who process data on our behalf under strict data processing agreements. These include:

  • Sumsub — identity verification and KYC compliance
  • Fireblocks — digital asset custody infrastructure
  • Amazon Web Services (AWS) — cloud hosting and infrastructure
  • BCB Group — payment processing and banking infrastructure

5.2 Regulatory & Legal Disclosure

We may disclose your data to regulatory authorities, law enforcement agencies, or courts where required by applicable law, including for AML, tax reporting, and regulatory compliance purposes.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our business, your data may be transferred to the relevant third party. You will be notified of any such transfer in advance.

6. Data Retention

We retain your personal data only for as long as necessary for the purposes set out in this policy, or as required by applicable law. Our standard retention periods are:

  • Account and identity data — for the duration of your account plus 5 years after closure (AML regulatory requirement)
  • Transaction records — 5–10 years depending on applicable financial regulations
  • KYC documents — 5 years after the end of the business relationship
  • Communications data — 3 years from last interaction
  • Technical and usage data — 13 months from collection

Where data is no longer required, it is securely deleted or anonymised.

7. Your Rights

Under GDPR and Swiss data protection law, you have the following rights in relation to your personal data:

Right of Access
You can request a copy of the personal data we hold about you.
Right to Rectification
You can ask us to correct inaccurate or incomplete data.
Right to Erasure
You can request deletion of your data where we no longer have a lawful basis to retain it.
Right to Restriction
You can ask us to limit how we process your data in certain circumstances.
Right to Portability
You can request your data in a structured, machine-readable format.
Right to Object
You can object to processing based on legitimate interests or for direct marketing.
Right to Withdraw Consent
Where processing is based on consent, you can withdraw it at any time.
Right to Complain
You have the right to lodge a complaint with your local supervisory authority.

To exercise any of these rights, please contact us at privacy@tirnu.com. We will respond within 30 days. We may need to verify your identity before processing your request.

EU users — you may lodge a complaint with your national data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu.

Swiss users — you may contact the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.

8. Cookies

We use cookies and similar tracking technologies to operate and improve our platform. Cookies are small text files stored on your device when you visit our website.

Types of cookies we use:

  • Strictly necessary cookies — required for the platform to function. These cannot be disabled.
  • Analytics cookies — help us understand how users interact with our platform so we can improve it. Used only with your consent.
  • Preference cookies — remember your settings and preferences. Used only with your consent.
  • Marketing cookies — used to deliver relevant content and measure the effectiveness of our communications. Used only with your consent.

You can manage your cookie preferences at any time through your browser settings or our cookie consent tool. Withdrawing consent for non-essential cookies will not affect your ability to use the platform.

9. Security

We implement industry-standard technical and organisational measures to protect your personal data against unauthorised access, loss, disclosure, or destruction. These include:

  • 256-bit SSL/TLS encryption for all data in transit
  • Encryption of sensitive data at rest
  • Multi-factor authentication for account access
  • Access controls limiting data access to authorised personnel only
  • Regular security audits and penetration testing
  • Infrastructure hosted on AWS with SOC 2 and ISO 27001 certified data centres

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law — within 72 hours of becoming aware of the breach where required under GDPR.

10. International Data Transfers

Your personal data may be processed in countries outside your country of residence, including outside the European Economic Area (EEA) and Switzerland. When we transfer data internationally, we ensure appropriate safeguards are in place, including:

  • Transfers to countries recognised by the European Commission as providing an adequate level of data protection
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Binding Corporate Rules where applicable
  • The EU-US Data Privacy Framework where applicable

You can request information about the specific safeguards in place for any international transfers by contacting us at privacy@tirnu.com.

11. Children

Our platform is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@tirnu.com and we will delete it promptly.

12. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or how we handle your personal data, please contact us:

Data Protection Contact

Email
Subject
Please include "Privacy Request" in the subject line
Response
We aim to respond to all privacy requests within 30 days

Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable legal requirements. The date of the most recent revision is shown at the top of this page. Where changes are material, we will notify you by email or through the platform before the changes take effect.