Privacy Policy
Last updated: June 2026
1. What We Collect
To operate the service, we collect:
- Account data: username, email, password (hashed), phone number, country.
- KYC data: government-issued ID images, selfie, date of birth, residential address.
- Transaction data: deposits, withdrawals, trades, wallet addresses, on-chain transaction hashes.
- Technical data: IP address, browser type, device identifiers, access timestamps.
- Communications: messages you send us through the contact form, support inbox, or in-app notifications.
2. How We Use It
We use your data to:
- Verify your identity as required by anti-money-laundering (AML) and counter-terrorism-financing (CTF) law.
- Process deposits, withdrawals, and trades, and record the audit trail required by financial regulation.
- Detect and prevent fraud, abuse, and security incidents.
- Send you service notifications (deposits, withdrawals, KYC status, security alerts).
- Comply with subpoenas, court orders, and lawful regulatory requests.
We do not sell your personal data. We do not use your data for advertising.
3. Legal Basis
We process your data on the legal basis of (a) performing the contract you entered into by creating an account, (b) complying with our legal obligations as a regulated Digital Asset Service Provider, and (c) our legitimate interest in operating a secure and compliant service.
4. Data Sharing
We share data only with:
- KYC vendors who perform identity verification on our behalf.
- Cloud hosting and storage providers who operate infrastructure for us (including Cloudinary for image storage).
- Email service providers who deliver transactional emails on our behalf.
- Regulators, tax authorities, and law enforcement when we are legally required to disclose.
Each third party is bound by data-processing terms no less protective than this policy.
5. Data Retention
We retain account and KYC data for at least five (5) years after account closure, in line with Salvadoran AML record-keeping requirements. Transaction records are retained for at least the same period. After expiry, data is securely deleted or anonymized.
6. Your Rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion of data, subject to our legal retention obligations.
- Object to processing based on legitimate interest.
- Withdraw consent, where processing is based on consent.
To exercise these rights, contact us. We respond within 30 days.
7. Security
We apply industry-standard controls: TLS in transit, encryption at rest for sensitive fields, hashed passwords (Argon2/PBKDF2), two-factor authentication where enabled, and segregated access controls. No system is 100% secure; if you discover a vulnerability, please report it to us via the contact page.
8. International Transfers
We are headquartered in El Salvador. Some of our service providers process data in other countries. Where required, we use Standard Contractual Clauses or other lawful transfer mechanisms to protect your data.
9. Cookies and Local Storage
We use a minimal set of cookies and local storage items: a session cookie for authentication, a CSRF cookie for security, and your notification preferences. We do not use third-party tracking cookies or analytics that profile you across sites.
10. Changes
We will notify you of material changes by email and in-app notification. Continued use after the effective date constitutes acceptance.