8 Total
1 High severity
5 Medium severity
2 Low severity
Summary

This document establishes Webull's data collection, use, and sharing practices for users of its trading platform. Webull collects personal information including name, government-issued identification, bank details, trading history, device identifiers, and in-app browsing behavior. The policy authorizes Webull to share collected data with affiliates, business partners, and third-party service providers for purposes including marketing, analytics, and account operations, and establishes procedures for users in California and other jurisdictions with privacy laws to request access to, deletion of, or limitation on use of their personal data.

Technical / Legal Breakdown

This document is Webull Technologies Limited's privacy policy, governing the collection, use, storage, and sharing of personal data for users of the Webull trading platform, with its stated legal basis appearing to rest on user consent and legitimate business operations across multiple jurisdictions. The policy states that Webull collects a broad range of personal information including identity data, financial data, device identifiers, location information, trading activity, and behavioral data derived from platform use, and the terms authorize sharing this information with affiliates, service providers, financial institutions, regulators, and third-party business partners. Notably, the policy asserts the right to share personal data with a wide range of third parties for purposes including marketing and analytics, and the document's scope of data collection across device-level identifiers, behavioral tracking, and financial activity is extensive for a retail investment platform, though applicable law in relevant jurisdictions may constrain certain asserted sharing practices. The policy engages CCPA and other U.S. state privacy frameworks given its explicit California resident rights section, and as a financial services platform it operates within a regulatory environment that includes FINRA, SEC, and CFPB oversight; the policy's treatment of data sharing with affiliates and third parties may require evaluation under Regulation S-P and applicable state financial privacy statutes. Compliance teams should note that the document's cross-border data transfer provisions and the broad affiliate-sharing structure create material obligations under any jurisdiction requiring data transfer safeguards or financial data confidentiality protections.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

3 important changes detected

4 versions captured · Last updated: June 2026

June 19, 2026

unknown
What changed Webull updated their Webull Privacy Policy on June 19, 2026. Change detected: 1 sentence(s) modified. Document contained 197 sentences after update.
View full change record →
What changed Webull updated its privacy policy to clarify that it now offers futures and cleared swaps trading through its Webull Futures LLC subsidiary, and updated risk disclosures to reflect this expanded product offering. The changes rename the specific entity offering these products and extend existing risk warnings to cover cleared swaps in addition to futures contracts.
Why this matters These changes clarify which Webull subsidiary handles futures and cleared swaps trading and ensure risk disclosures explicitly mention cleared swaps alongside futures contracts. The practical impact is minimal for most users, as the risk profile and disclosure requirements remain substantively the same; the change appears primarily organizational and clarificatory.
View full change record →

April 18, 2026 low

Webull updated a navigation element in their privacy policy header on April 18, 2026, adding the word 'WEBTRADE' to the trading platform menu. This is a product branding or menu …

View change record →

Recent Provision Changes Jun 19, 2026

Added (3)
Collection of Sensitive Financial and Identity Data Medium

This new provision explicitly enumerates sensitive identifiers including SSN and government-issued IDs, making clear the scope of financial and identity data collection to users.

Behavioral and Device-Level Data Collection Medium

This new provision separately details automatic tracking and behavioral collection practices, replacing the previous 'Targeted Advertising and Behavioral Tracking' provision with more specific technical details.

Security Measures Disclosure Low

This simplified security provision replaces the previous high-severity 'Security Measures and Breach Notification' with only general protective measures and removes any mention of breach notification obligations.

Removed (5)
Extensive Personal & Financial Data Collection

This high-severity provision was replaced with a medium-severity 'Collection of Sensitive Financial and Identity Data' provision, effectively downgrading the severity classification of data collection practices.

Targeted Advertising and Behavioral Tracking

This provision was replaced with the more neutral 'Behavioral and Device-Level Data Collection' provision that describes practices more technically but without explicitly calling out targeted advertising.

Biometric Data Collection

Complete removal of this high-severity biometric data collection provision suggests either that the practice was discontinued or that disclosure of biometric data collection is no longer included in the policy.

Right to Access and Data Portability

Removal of this low-severity provision eliminates explicit mention of data portability rights, which may have been implied under CCPA but is no longer separately stated.

Security Measures and Breach Notification

Replacement of this high-severity provision with a generic 'Security Measures Disclosure' removes any commitment to breach notification, significantly reducing security transparency obligations.

Modified (5)
Third-Party and Affiliate Data Sharing

Previous version had no excerpt provided; current version now includes detailed disclosure of specific types of third parties and purposes of data sharing.

Cross-Border Data Transfers

Previous version had no excerpt; current version now explicitly details that data transfers occur to the United States where privacy protections may be weaker.

Data Retention

Previous version had no excerpt provided; current version now includes specific criteria for retention duration.

California Resident Privacy Rights

Previous version (CCPA Rights) had no excerpt; current version now provides detailed explanation of specific CCPA rights including deletion, disclosure, and opt-out rights, and severity decreased from medium to low.

Policy Update Provision

Previous version (Policy Changes Without Prior Notice) had no excerpt; current version now includes specific notification methods (date revision, website statements, email notifications) suggesting improved transparency.

1 provision unchanged.

View full change record →
High — 1 provision
Medium — 5 provisions
Low — 2 provisions

Monitoring

Webull has updated this document before.

Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

Compliance Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Compliance free trial

Cross-platform context

See how other platforms handle Affiliate and Third-Party Data Sharing and similar clauses.

Compare across platforms →

Mapped Governance Frameworks

CCPA/CPRA
California, USA
View official text ↗
Connecticut Data Privacy Act Amendments
US-CT
View official text ↗
CAN-SPAM
United States Federal
View official text ↗
FCRA
United States Federal
View official text ↗
FTC Act Section 5
United States Federal
View official text ↗
GLBA
United States Federal
View official text ↗
Indiana Consumer Data Protection Act
US-IN
View official text ↗
Kentucky Consumer Data Protection Act
US-KY
View official text ↗
Universal Opt-Out Mechanism Expansion 2026
US
View official text ↗
Archival ProvenanceSource & Archival Record
Last Captured June 19, 2026 00:07 UTC
Capture Method Automated scheduled archival capture
Document ID CA-D-000057
Version ID CA-V-004006
SHA-256 10f912a3d61c7caccfdda25bb9fe2f8f34e00f955fb65e4bd125a5e742c940c1
✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Hash verified

Governance Monitoring

Monitor governance changes across the platforms you rely on.

Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.

Create free account Compare plans