This Privacy Policy explains how RefundFX, operated by 2M Consulting d.o.o., collects, uses, stores, and protects your personal data when you access our website or engage our services. We are committed to full compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable national data protection laws.
1 Data Controller
The entity responsible for processing your personal data is:
| Company | 2M Consulting d.o.o. |
|---|---|
| Brand | RefundFX |
| Registered address | Ljubljana, Slovenia |
| Email | office@2m-consulting.si |
| Website | www.refundfx.eu |
If you have any questions about how your personal data is processed, you may contact us at any time at the email address above.
2 Categories of Personal Data We Collect
We collect personal data that you provide to us directly, as well as data generated through your use of our website and services. The categories of data we process include the following:
2.1 Identification and Contact Data
- Full name
- Email address
- Telephone number
- Country of residence
2.2 Case-Related and Financial Data
- Name and details of the broker or trading platform involved in your case
- Approximate amount of funds at issue
- Trading account statements and deposit/withdrawal records
- Correspondence with the broker (emails, chat logs, written communications)
- Recordings or transcripts of telephone conversations with the broker (where lawfully obtained)
- Timeline of trading activity and any relevant supporting documentation
- Details of any advice received, instructions given, or promises made by the broker
2.3 Technical and Usage Data
- IP address and device identifiers
- Browser type and version
- Pages visited and time spent on the website
- Referring URL and click-path data
- Cookie and tracking data (see our Cookie Policy for details)
2.4 Communication Records
- Records of correspondence between you and RefundFX (emails, written communications, call notes)
- Information provided during intake questionnaires or consultations
3 Purposes of Processing and Legal Basis
We process your personal data only for specified, explicit, and legitimate purposes. The following table sets out the purposes for which we process your data and the corresponding legal basis under the GDPR.
| Purpose of Processing | Legal Basis |
|---|---|
| Responding to enquiries submitted via the contact form | Pre-contractual measures / Legitimate interests (Art. 6(1)(b)(f) GDPR) |
| Preliminary assessment of your case to determine eligibility for our services | Pre-contractual measures (Art. 6(1)(b) GDPR) |
| Performance of the service agreement, including preparation and submission of complaints on your behalf | Performance of a contract (Art. 6(1)(b) GDPR) |
| Communication with regulatory bodies, financial ombudsmen, and financial institutions in connection with your case | Performance of a contract / Legitimate interests (Art. 6(1)(b)(f) GDPR) |
| Compliance with legal obligations (e.g., record-keeping, anti-money laundering obligations) | Legal obligation (Art. 6(1)(c) GDPR) |
| Improving our website and services through analytics | Legitimate interests (Art. 6(1)(f) GDPR) |
| Sending service-related communications and updates on your case | Performance of a contract (Art. 6(1)(b) GDPR) |
| Marketing communications (only with your prior consent) | Consent (Art. 6(1)(a) GDPR) |
4 Data Retention
We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. The following retention periods apply:
- Active case data (case files, correspondence, documentation): retained for the duration of the engagement and for a period of 5 years following the conclusion of the matter, to comply with applicable civil limitation periods.
- Data from unsuccessful case assessments (leads not taken on): deleted within 6 months of the final determination, unless the individual has consented to retention for marketing purposes.
- Website usage and cookie data: retained in accordance with our Cookie Policy; generally not exceeding 13 months.
- Accounting and invoicing records: retained for 10 years in accordance with Slovenian accounting legislation.
Upon expiry of the applicable retention period, personal data is securely deleted or anonymised. Where complete deletion is not technically possible (e.g., in backup systems), data will be isolated and protected until deletion becomes possible.
5 Disclosure of Personal Data to Third Parties
We do not sell, rent, or trade your personal data. We may share your data with third parties only in the following circumstances and to the extent strictly necessary:
5.1 Regulatory and Supervisory Authorities
As part of the complaint and dispute resolution process, we may submit your personal data (including case documentation) to national and European financial regulators, supervisory authorities, and financial ombudsman services. Examples include CySEC, FCA, BaFin, CONSOB, IVASS, and comparable bodies, as applicable to your case.
5.2 Financial Institutions
Where relevant to processing your complaint, we may communicate with banks, payment processors, and credit card companies on your behalf, sharing only the data necessary to pursue your claim.
5.3 Legal and Professional Advisors
We may share data with external legal counsel or other professional advisors engaged in connection with your case, subject to strict confidentiality obligations.
5.4 Service Providers (Data Processors)
We engage certain third-party service providers to support our operations (e.g., cloud storage, email delivery, website hosting, analytics). These providers act as data processors and are contractually bound by Data Processing Agreements (DPAs) compliant with Article 28 GDPR. They may not process your data for any purpose other than that specified by RefundFX.
5.5 Legal Requirements
We may disclose personal data where required to do so by law, court order, or in response to requests from competent public authorities.
6 International Transfers of Personal Data
RefundFX primarily operates within the European Economic Area (EEA). However, in the context of case handling, it may be necessary to transfer personal data to recipients located outside the EEA, including in countries such as the United Kingdom, Canada, or Australia.
Any such transfers will only take place where an adequate level of protection is ensured, by means of one or more of the following safeguards:
- An adequacy decision by the European Commission (e.g., the UK GDPR framework);
- Standard Contractual Clauses (SCCs) as approved by the European Commission;
- Other legally recognised transfer mechanisms under Chapter V of the GDPR.
You may request further information about the safeguards applicable to any specific international transfer by contacting us at office@2m-consulting.si.
7 Your Rights Under the GDPR
As a data subject, you have the following rights under the GDPR, which you may exercise at any time by contacting us:
- Access
- Rectification
- Erasure
- Restriction
- Portability
- Objection
- Withdrawal
- Automated
To exercise any of the above rights, please contact us in writing at office@2m-consulting.si. We will respond to your request within one (1) calendar month of receipt. This period may be extended by a further two months where the request is complex or where a large number of requests are received, in which case we will notify you accordingly.
8 Right to Lodge a Complaint with a Supervisory Authority
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a data protection supervisory authority. You may do so in the EU Member State of your habitual residence, your place of work, or the place of the alleged infringement.
The supervisory authority competent for RefundFX as data controller is:
| Authority | Information Commissioner (Informacijski pooblaščenec) |
|---|---|
| Country | Republic of Slovenia |
| Website | www.ip-rs.si |
| Email | gp.ip@ip-rs.si |
You may also contact the supervisory authority in your country of residence. A full list of EU/EEA supervisory authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en
9 Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These measures include, but are not limited to:
- Encryption of data in transit using TLS/SSL protocols;
- Access controls limiting data access to authorised personnel only;
- Secure document storage and handling procedures for case files;
- Regular review of our data security policies and procedures;
- Staff training on data protection obligations.
While we take all reasonable steps to protect your personal data, no method of transmission over the internet or electronic storage is completely secure. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Article 34 GDPR.
10 Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies to enhance your browsing experience, analyse website usage, and support our marketing activities. The use of cookies is governed by our separate Cookie Policy, which is available on our website.
You may manage your cookie preferences at any time via the cookie settings panel on our website, or by adjusting the settings in your browser. Please note that disabling certain cookies may affect the functionality of our website.
11 Links to Third-Party Websites
Our website may contain links to third-party websites. This Privacy Policy applies solely to our website and our services. We are not responsible for the privacy practices of any third-party websites and encourage you to review their respective privacy policies before submitting any personal data.
12 Persons Under 18 Years of Age
Our services are not directed at, and are not intended to be used by, individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that personal data has been submitted by a person under the age of 18, we will take steps to delete such data promptly. If you believe we may have inadvertently collected data from a minor, please contact us at office@2m-consulting.si.
13 Updates to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. The current version will always be available on our website, together with the effective date of the most recent update.
Where changes are material, we will provide you with prominent notice, which may include notification by email or a notice on the website prior to the change taking effect. Your continued use of our website or services following any update constitutes acceptance of the revised Privacy Policy.
14 Contact and Data Protection Enquiries
For any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, please contact us:
| Email | office@2m-consulting.si |
|---|---|
| Address | 2M Consulting d.o.o., Ljubljana, Slovenia |
| Response time | Within 30 calendar days of receipt |
We are committed to resolving any concerns you may have regarding the processing of your personal data. If you are not satisfied with our response, you retain the right to lodge a complaint with the competent supervisory authority as described in Section 8 of this Policy.
This document was prepared in accordance with Regulation (EU) 2016/679 (GDPR) and applicable national legislation.