Privacy Policy
Last updated: March 2026
1. Introduction
Bootcore LLC ("Company", "we", "us") operates the FX3Fair platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. We are committed to protecting the privacy and security of your data.
2. Information We Collect
2.1 Account Information
When your organization creates your account, we collect:
- Name (first, middle, last), employee ID, and date of birth
- Email address and mobile phone number
- Secondary phone number (if provided)
- Residential address (street, city, region, postal code, country)
- User role, permissions, and branch assignment
2.2 Usage and Security Information
We automatically collect:
- Login timestamps and failed login attempts
- IP address and user agent (browser/device) on each login
- Actions performed within the system (audit trail)
- Multi-factor authentication (MFA) events
2.3 Transaction Data
Customer and transaction records processed through the system are owned by your employer (the licensed forex bureau). We process this data on your behalf to provide the Service.
2.4 Identity Documents
- Government-issued identification documents (front and back images)
- ID type, ID number, issue date, and expiry date
- Documents are automatically processed upon upload: images are compressed and standardized to JPEG format, single-page PDFs are converted to JPEG, and multi-page PDFs are optimized for reduced file size. Original uploaded files are not retained after processing.
- Processed documents are encrypted at rest using AES-256-CBC encryption
- Employee identity documents are stored locally and accessible only to your employer
- Full Access User (account owner) documents may be shared with the System for onboarding verification, compliance, and account recovery
2.5 Security Data
- MFA authenticator secret (encrypted at rest)
- Password hash (bcrypt — the plaintext password is never stored)
- Session data and authentication tokens
3. How We Use Your Information
We use your information to:
- Provide, maintain, and improve the Service
- Authenticate your identity (MFA/login codes via SMS and email)
- Send system notifications and account alerts
- Maintain audit trails for regulatory compliance
- Verify identity documents as required by your employer
- Facilitate account recovery when you are locked out
- Improve and secure the Service
- Comply with legal obligations
4. SMS and Email Communications
4.1 Purpose
We collect your mobile phone number and email address to send:
- Multi-factor authentication (MFA) codes for login (via SMS or email)
- Email verification codes for address changes
- Account activation and recovery communications
- Important system notifications
4.2 No Third-Party Sharing
SMS opt-in data and consent will not be shared with any third parties.
4.3 We Do Not Sell Your Data
We do not sell, rent, or share your phone number or email address with third parties for marketing purposes.
4.4 Opt-Out
Reply STOP to any SMS message to opt out of SMS communications. Reply HELP for assistance or submit a support ticket through the app. Email communications required for authentication and security cannot be opted out of.
5. Information Sharing
We do not sell your personal information. We may share your information only:
- With your employer/organization: As the data owner, your forex bureau has access to all data entered on their behalf
- With service providers: Third-party providers (e.g., AWS for hosting, SMS, and email delivery) who process data on our behalf
- With the System: For user account management, license compliance, support tickets, document review, and account recovery facilitation
- Legal requirements: When required by law, court order, or regulatory authority
- Safety: To protect our rights or safety
We may integrate with third-party exchange rate providers to fetch market rates. No user data is shared with these providers.
We do not share SMS opt-in data or consent with third parties.
For full details refer to the Data Sharing Policy available within the application.
6. Data Security
We implement industry-standard security measures including:
- Encryption at rest: Multi-layered AES-256 encryption for sensitive data, with independent encryption keys for each data category (personal identification data, document files, authentication secrets, and API credentials)
- Encryption in transit: HTTPS/TLS for all communications
- API authentication: HMAC-SHA256 authenticated requests
- Password security: bcrypt hashing (plaintext never stored) with password history enforcement
- PII protection: Personally identifiable information redacted in audit logs where possible
- Access controls: Role-based permissions with granular controls
- Mandatory MFA: Multi-factor authentication for all users
- Regular security assessments
7. Data Retention
We retain data in accordance with financial services regulatory requirements:
- Account data: Retained while your account is active and after deactivation for regulatory compliance
- Transaction data: Retained per regulatory requirements (minimum 7 years)
- Audit logs: Retained for a minimum of 7 years; may be retained indefinitely for compliance
- Sessions: Automatically expire after 2 hours of inactivity
- Deactivated accounts: Account data retained indefinitely to satisfy financial record-keeping requirements
Accounts are deactivated rather than deleted to maintain regulatory compliance and audit trail integrity.
8. Cookies and Sessions
The Service uses a session cookie to maintain your authenticated session. This cookie is:
- HTTP-only (not accessible via JavaScript)
- Secure in production (transmitted only over HTTPS)
- Limited to a 2-hour lifetime matching the session timeout
- Essential for the Service to function — it cannot be disabled
No third-party tracking cookies or analytics cookies are used.
9. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access your personal data by contacting your administrator
- Request correction of inaccurate data through your administrator
- Opt out of SMS communications
- Request information about what data is held about you
Due to financial regulatory requirements, accounts are deactivated rather than deleted. Complete deletion of account data is not available, as transaction records, audit logs, and account data must be retained for compliance. Self-service data export is not currently available; contact your administrator for data access requests.
10. International Data
The Service is hosted on cloud infrastructure. The hosting region is determined by your service agreement. By using the Service, you consent to the transfer and processing of your data in accordance with this Privacy Policy.
11. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes through the Service or by email. Continued use after changes constitutes acceptance.
13. Contact
For privacy-related questions or requests, contact us or submit a support ticket through the app.