Privacy Policy
Last updated: May 15, 2026
1. Information We Collect
Account information
- Email address, password (hashed), first and last name.
- Two-factor authentication secret (encrypted at rest).
Identity verification (KYC)
- Government-issued ID document (passport, national ID, or driver's license).
- Document type and submission timestamp.
Activity data
- Orders placed, trade history, deposit and withdrawal events.
- Login IP addresses and user-agent strings.
- Session activity for active-device review and revocation.
Traffic and security monitoring
To keep the Service available and secure, we record technical data about requests made to it:
- IP address and the country reported by our network provider (Cloudflare).
- The path visited and the referring website's hostname (never the full referring URL or query string).
- Browser and device type, and an automated classification of whether the request came from a bot.
- The account ID a request is linked to, when you are signed in.
- Security events such as blocked sign-in attempts, geo-blocked requests, rate-limit hits, and scanner/probe activity.
We use this data for traffic analytics, fraud prevention, abuse detection, and account security only. Raw records are visible to administrators only and are automatically deleted after 30 days. Non-personal daily totals (for example, total views per country) may be retained longer for trend analysis.
2. How We Use Information
- To operate the Service: process orders, match trades, settle balances.
- To comply with applicable law (AML/KYC obligations).
- To detect and prevent fraud, account takeover, and abuse.
- To send transactional emails (verification, password reset, KYC status, security alerts).
3. How We Protect Information
- Passwords stored using bcrypt at cost factor 12.
- Access tokens stored in HTTP-only cookies; never accessible to client-side JavaScript.
- CSRF protection via double-submit token on state-changing requests.
- KYC documents served only to authenticated administrators via short-lived authed endpoints.
- All transport encrypted via TLS 1.2+.
4. Information Sharing
We do not sell your personal information. We share data only with:
- Service providers (email delivery, hosting, payment processing) bound by data-processing agreements.
- Regulators and law enforcement when legally compelled.
- Third parties in the event of a merger or acquisition, subject to this Policy.
5. Retention
Account data is retained while your account is active. After account closure we retain records as required by financial-services regulations (typically 5–7 years), then delete them. You may request early deletion subject to legal-hold requirements. Raw traffic and security monitoring records (Section 1) are deleted automatically after 30 days; only non-personal daily aggregates may be kept longer.
6. Your Rights
Depending on your jurisdiction you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion (subject to regulatory retention).
- Object to certain processing or withdraw consent.
- Lodge a complaint with a data protection authority.
To exercise these rights, email [email protected].
7. Cookies
We use cookies for authentication (HTTP-only access and refresh tokens, plus a non-HTTP-only CSRF token) and basic preference storage (theme). We also set a first-party tp_vidcookie to count unique visitors for the traffic monitoring described in Section 1; it contains a random identifier only. We do not use third-party advertising cookies.
8. International Transfers
Your data may be processed in countries other than your own. We use appropriate safeguards (standard contractual clauses or equivalent).
9. Changes
We will post any changes to this Policy on this page and, for material changes, send an email notification.
10. Contact
Privacy questions: [email protected].