Last updated: April 2026
This Privacy Policy describes how Bullion Link Trading – FZCO ("Eona", "we", "us", or "our") collects, uses, shares, and protects personal data when you interact with our services via the Eona platform.
This policy is designed to comply with:
- UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL)
- UAE Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Counter-Terrorism Financing
- EU General Data Protection Regulation (GDPR) — applied to any EU residents who voluntarily use the service. Eona does not actively target or market to the EU.
- UK General Data Protection Regulation and the Data Protection Act 2018
- Swiss Federal Act on Data Protection (revised FADP, effective September 2023)
- Brazil Lei Geral de Proteção de Dados (LGPD)
- Canada Personal Information Protection and Electronic Documents Act (PIPEDA)
- California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA)
Geographic restrictions. Eona does not accept users resident in the United States or the Russian Federation. The platform is geo-blocked for these jurisdictions.
1. Data Controller
Bullion Link Trading – FZCO
Dubai Digital Park – Dubai Silicon Oasis, United Arab Emirates
Licence Number: 53684
Email: compliance@eona.ae
We act as the data controller for all personal data processed in connection with your use of the Eona platform.
2. Categories of Data We Collect
2.1 Identification data
Name, date of birth, nationality, government-issued identification numbers and documents, tax identification numbers.
2.2 Contact data
Email address, phone number, physical address, country of residence.
2.3 Biometric data (special category)
Facial images and liveness-check data captured during identity verification. This data is processed by our KYC partner Sumsub under their biometric-data handling policies. We rely on your explicit consent (GDPR Art. 9(2)(a) and equivalent provisions under UAE PDPL) for this processing, as it is required to onboard you. Withdrawing consent means we cannot provide the service.
2.4 Financial data
Bank account details, wire instructions, transaction records, holdings, and platform balances.
2.5 Source-of-funds data
Documentation evidencing the legitimate origin of funds used to purchase gold or silver, including bank statements, payslips, sale-of-asset documentation, inheritance or gift documentation, and corporate distributions. Collected where required by UAE AML law and our internal risk-based onboarding procedures.
2.6 Compliance and inferred data
Outputs of automated KYC, AML, and sanctions screening processes, including politically-exposed-person (PEP) status, adverse-media matches, sanctions-list matches, and risk scores assigned by our screening systems.
2.7 Technical data
IP address, browser type, device identifiers, session logs, and usage analytics.
2.8 Communications data
Messages exchanged with our support and compliance teams, including chat transcripts and email correspondence.
3. Automated Decision-Making
Our onboarding and ongoing monitoring systems use automated processing to screen for AML, sanctions, and fraud risk. Outputs of these systems may result in:
- Onboarding delay pending manual review
- Requests for additional documentation
- Account restriction or termination
- Mandatory reporting to relevant authorities
Where automated decisions produce legal or similarly significant effects on you, you have the right to request human review of the decision, to express your point of view, and to contest the outcome. Contact compliance@eona.ae.
4. Lawful Bases for Processing
We process your data under the following lawful bases:
- Performance of a contract — to provide the Eona platform and services.
- Legal obligation — to comply with AML, CTF, tax, financial regulation, and sanctions laws.
- Legitimate interest — for security monitoring, fraud prevention, dispute resolution, and service improvement.
- Explicit consent — for biometric processing during identity verification, and for any marketing communications.
5. How We Use Your Data
- To verify your identity and onboard you as a client.
- To process deposits, gold and silver purchases, sales, withdrawals, and account actions.
- To comply with AML/CTF obligations and conduct sanctions and PEP screening.
- To record and reconcile physical metal allocations with our custodian.
- To communicate service updates, transaction confirmations, and security alerts.
- To detect and prevent fraud, abuse, and unauthorized access.
- To meet tax, reporting, and regulatory obligations.
6. Sub-Processors and Recipients
We do not sell your personal data. We share it only with the following categories of recipients.
6.1 Sub-processors
- Sumsub — KYC, AML, biometric verification, and sanctions screening
- AKW Consultants — AML compliance advisory and review
- Loomis International — physical custody of gold and silver; allocation record-keeping
- Our hosting and infrastructure provider — platform hosting
- Our transactional email provider — service communications and notifications
An up-to-date list of active sub-processors is available on request from compliance@eona.ae.
6.2 Regulatory authorities
UAE Financial Intelligence Unit, tax authorities, and other regulators where legally required.
6.3 Professional advisors
Auditors, legal counsel, and compliance consultants under confidentiality obligations.
7. International Transfers
Your personal data is primarily processed in the United Arab Emirates. Where data is transferred to sub-processors or recipients in other jurisdictions, we rely on:
- Adequacy decisions where available
- Standard Contractual Clauses approved by the European Commission, and the UK International Data Transfer Addendum where applicable
- Swiss FADP-compliant transfer mechanisms where Swiss data subjects are involved
- Data Processing Agreements with all sub-processors covering confidentiality, security, and onward-transfer restrictions
8. Data Retention
We retain personal data only as long as necessary for the purpose for which it was collected, subject to legal retention obligations.
- KYC and AML records — 5 years after termination of the client relationship (UAE AML Law)
- Transaction records — 5 years after the transaction (UAE AML Law)
- Account data — duration of the relationship plus 5 years
- Biometric verification data — retained by Sumsub per their policy; not stored long-term by Eona
- Source-of-funds documentation — 5 years after termination of the client relationship
- Support communications — 2 years
- Website analytics — 14 months
- Marketing consent records — until consent is withdrawn, plus 3 years for proof of consent
After the retention period, data is deleted or anonymised.
9. Your Rights
Depending on your jurisdiction, you may have the following rights.
9.1 UAE PDPL
Rights of access, rectification, erasure, restriction, objection, and data portability, subject to applicable exemptions under UAE law. Complaints may be lodged with the UAE Data Office.
9.2 GDPR (EU) and UK GDPR
- Right of access
- Right to rectification
- Right to erasure, subject to AML retention obligations
- Right to restriction of processing
- Right to data portability
- Right to object
- Right to withdraw consent
- Right to lodge a complaint with your national supervisory authority or the UK Information Commissioner's Office
9.3 Swiss FADP
Rights equivalent to GDPR, including access, rectification, erasure, restriction, and portability. Complaints may be lodged with the Swiss Federal Data Protection and Information Commissioner (FDPIC).
9.4 Brazil LGPD
Rights of confirmation, access, correction, anonymisation, portability, deletion, information on sharing, and revocation of consent. Complaints may be lodged with the Autoridade Nacional de Proteção de Dados (ANPD).
9.5 Canada PIPEDA
Rights of access, correction, and withdrawal of consent. Complaints may be lodged with the Office of the Privacy Commissioner of Canada.
9.6 CCPA / CPRA (California)
- Right to know what personal information is collected and why
- Right to delete, subject to legal retention obligations
- Right to correct inaccurate information
- Right to opt out of the sale or sharing of personal information (we do not sell or share as defined under CCPA/CPRA)
- Right to limit the use of sensitive personal information
- Right to non-discrimination
To exercise any of these rights, contact compliance@eona.ae. We will respond within the timeframes required by applicable law, typically 30 days.
10. Security Measures
We implement technical and organisational measures appropriate to the risk of processing, including:
- Encryption of data in transit (TLS 1.2+) and at rest
- Role-based access control (RBAC)
- Two-factor authentication on user accounts
- Segregated environments for production and development
- Regular penetration testing and vulnerability scanning
- Anomaly detection and fraud monitoring
- Staff access logging and periodic access reviews
11. Data Breach Notification
In the event of a personal-data breach, we will:
- Notify the UAE Data Office without undue delay, consistent with UAE PDPL requirements.
- Notify the UK Information Commissioner's Office within 72 hours where UK data subjects are affected.
- Notify the relevant EU supervisory authority within 72 hours where EU data subjects are affected.
- Notify affected data subjects directly where the breach is likely to result in a high risk to their rights and freedoms.
12. Children's Data
Eona services are not intended for, directed at, or offered to individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will delete it without delay.
13. Cookies and Analytics
Our platform uses cookies and similar technologies in the following categories:
- Strictly necessary — required for platform functionality (authentication, session management).
- Functional — remember user preferences.
- Analytics — understand usage patterns. Deployed only with your consent where required by law.
- Marketing — not currently used.
You can manage your cookie preferences via the cookie banner on first visit or through your browser settings.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified to you via email or in-platform notification at least 30 days before taking effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.
15. Contact Us
For privacy-related questions, requests, or complaints:
Email: compliance@eona.ae
Address: Bullion Link Trading – FZCO, Dubai Digital Park – Dubai Silicon Oasis, United Arab Emirates