Polityka prywatności

This Privacy Policy (“Policy”), together with our Terms of Use and any related documents, explains how EXMO (“we”) collects, processes, and uses your Personal Data, as well as the rights you have regarding that data and how you can exercise them. This Policy is intended to complement EXMO’s Terms of Use.

Please note that this Policy does not extend to any websites, apps, or services that are not linked to it, nor to those operated by third parties. EXMO is not responsible for how third parties handle your information. We recommend reviewing the privacy policies of any external sites, apps, or services you interact with.

1. DEFINITIONS

“Account” means the personal environment created for the User on the Platform through which the User can access and use the Services, manage Funds, submit Orders, and conduct Transactions. An Account includes all information, settings, credentials, and data associated with the User’s profile on the Platform.

“Services” or any variation means the services and products as set out in our Terms of Use.

“Personal Data” means information that identifies an individual or from which an individual may be identified, or other information defined as “personal information”, “personal data”, or “personally identifiable information” under Personal Data Laws. Personal Data does not include anonymized, de-identified and/or aggregated data that does not identify a specific user.

“Personal Data Laws” means any applicable data protection laws, including but not limited to EU General Data Protection Regulation 2016/679, Panama’s Personal Data Protection Law (Law 81 of 2019) and its successors and subsidiary legislation, and other applicable data protection laws.

“Processing” means the carrying out of any operation or set of operations in relation to Personal Data, including collecting, using, disclosing, recording, holding, organizing, adapting, altering, retrieving, combining, transmitting, transferring, erasing or destroying personal data, and “process” and “processed” and “process” and “processed” will be construed accordingly.

Capitalized terms that are used but not defined in this Policy shall have the meanings ascribed to them in the EXMO’s Terms of Use.

2. BASIS FOR PERSONAL DATA PROCESSING

We collect and process your Personal Data only when we have a legitimate reason for such processing. Legal grounds may include:

• Your consent
• An agreement, where processing is necessary to fulfill the terms and conditions of the agreement between you and EXMO
• Compliance with legal obligations, where EXMO is required to request/receive and process, as well as store your Personal Data in order to comply with the requirements of applicable laws, for example, the laws related to anti-money laundering and counter-terrorist financing
• Legitimate interest

3. HOW WE COLLECT AND PROCESS YOUR PERSONAL DATA

EXMO collects Personal Data in several ways:

• Directly from you, such as during registration and onboarding, when you carry out transactions or use our services, or when you contact us.
• Automatically, as you use our services, through information related to your device, browser, or connection (for example, your IP address or device details).
• From third-party sources, such as reputational or financial information, as well as data related to the business activities of our Users, etc.

In this section, you can find more information about the types of Personal Data we process, the purposes for which we use it, and the legal grounds that allow us to process it. The scope and type of Personal Data described in the tables below may vary depending on the specific circumstances involved, the AML obligations that apply to the relevant entity, and the specific risk considerations. We reserve the right to request additional information when necessary to meet legal, regulatory, or operational requirements.

We may update this section as needed to maintain transparency or to comply with legal, regulatory, or technical requirements.

Account Registration

To use EXMO’s Services, you must first create an Account, which may involve:

• Providing the necessary Personal Data
• Setting a login and a password, and verifying your email address and phone number;
• Communicating with us through email or other electronic means of communication during the registration process.

Registration is not permitted for individuals under 18 years of age or for residents of sanctioned jurisdictions, as well as any other jurisdictions specified in our Terms of Use and AML Program. This eligibility check is automated, and objections cannot be accepted, as it is a mandatory requirement for accessing our Services.

User Identification and Verification

Laws related to anti-money laundering and counter-terrorist financing (“AML/CFT”) require us to carry out User Identification and Verification procedures before we can enter into a business relationship with you. This means:

• You must provide specific Personal Data and documents to verify your identity;
• Screening checks will be undertaken using online tools and compare the information you provide with data already held for AML compliance purposes;
• Additional information may be collected about you or required from you.

These AML obligations also apply to individuals acting on behalf of Users who are acting on behalf of the legal entity, including directors, ultimate beneficial owners, authorized representatives, and others in similar roles.

Management of Account

We use certain Personal Data to enable key features of your Account and ensure you can use our services properly. This may include activities such as:

• Accessing your Account
• Setting up, resetting, or disabling two-factor authentication (2FA)
• Recovering a forgotten password
• Updating or removing your information at your request
• Temporarily freeze your Account
• Closing your Account
• Handling procedures related to a deceased user.

Transaction performance

Your Account allows you, subject to applicable limits, eligibility requirements, and the availability of specific Services, to access and use the Platform, including the ability to:

• Deposit and withdraw Funds, where such functionality is made available under the applicable Services
• Enter into Transactions for the purchase or sale of Digital Assets
• Place, manage, and execute Orders relating to the trading of Digital Assets through the Platform.

To process these operations, we need to handle certain Personal Data; without it, the operation cannot be completed.

Account and Transaction Oversight

AML regulations require us to carry out continuous due diligence, which includes monitoring and reviewing your transactions to ensure they align with the information provided during your onboarding or verification. To meet these obligations, we may:

• Use internal monitoring and risk-assessment tools that can trigger an enhanced or manual review when needed
• Whitelist certain withdrawal addresses
• Comply with “Travel Rule” obligations, which involve exchanging specific information about you with the receiving or sending exchange. Before transferring crypto to another platform, we recommend checking that platform’s Privacy Policy to understand how they handle your Personal Data
• Monitor activity on the blockchain
• Share relevant transactions or user information with payment service providers or banks involved in processing of fiat currency transactions.

Additionally, we may request further information or clarification from you if required to meet AML standards.

Alerts and Notifications

If you opt to enable alerts or notifications, including:

• Alerts relating to Digital Asset or fiat deposits and withdrawals
• Confirmations or updates regarding completed transactions
• Price alerts configured by you.

You consent to send this information to you by electronic means, including by SMS and/or email, depending on your chosen preferences. You can manage, modify, or withdraw your notification preferences, including price alerts, at any time through your Account or other available settings.

Help & Complaints

You can contact us at any time through any of our available communication channels — such as email, support tickets, or social media. When you do, we process the Personal Data necessary to respond to your inquiry, which may vary depending on the nature of your request and any documents you may need from us.

For certain matters, we may ask you to verify your identity to ensure your information is protected and to prevent unauthorized access.

Marketing Communication

We have a legitimate interest in informing you about our company, our products and services, and other relevant updates. To do this, we may send you emails or display pop-up messages (visible only when you are logged into your Account) that include news, service updates, promotions, market insights, or information about new features. This process may involve segmenting users and analyzing whether you viewed, opened, or interacted with these messages.

• You may opt out of receiving this type of communication at any time by clicking the “unsubscribe” link included in the email. Otherwise, we may send direct marketing messages only if you have given us your explicit consent;
• Push notifications are sent only if you enabled them during registration or through your Account settings, and you can change this preference at any time;
• Third-party offers and some additional promotional messages will only be sent if you have expressly agreed to receive them. These settings can also be updated in your Account at any time.

Please note that not all messages we send qualify as direct marketing. Some communications may relate to service updates, security notices, legal obligations, or other operational purposes. Such messages may be sent based on a different legal basis and will continue to be delivered even if you have opted out of marketing communications or have not provided marketing consent.

Internal Analytics

We continually work to enhance our products and services, and this requires us to analyze certain Personal Data. Whenever feasible, we conduct this analysis using pseudonymized information to better protect your privacy.

Safeguarding and Upholding System Security

We continually work to implement advanced security measures to safeguard our systems, protect your Personal Data, and secure any assets you hold with us. To do this, we process only the Personal Data necessary to maintain an appropriate level of security.

Communication with Authorities

We are required by law to provide certain information to relevant authorities, whether through regular reporting obligations or in response to specific requests. The type and amount of Personal Data we disclose depends on what the authority has asked for.

The Prosecution, Defense, or Facilitation of Claims or Legal Actions

In some situations, EXMO may need to process your Personal Data in order to pursue, defend, or support any claims, litigation, or other legal proceedings involving you. For these purposes, your data may be shared with external legal counsel, courts, or other competent authorities.

Internal & External Audit

EXMO may be legally required to engage internal and/or external auditors to review various aspects of our compliance with applicable laws. As part of an audit, auditors may request certain information that could identify you, but only insofar as it is necessary for the specific audit scope.

Changes in Corporate Governance

Over time, EXMO may undergo changes in its corporate governance, organizational structure, or overall business strategy. As part of these developments, the processing of your Personal Data may be required in the following situations:

• Changes to our onboarding approach:
  We may revise our onboarding model, which could involve assigning onboarding responsibilities to a different EXMO entity and transferring your Personal Data accordingly. If such a change occurs, we will notify you in advance. This Policy will continue to apply.
• Corporate restructuring, mergers, or acquisitions:
  If EXMO is involved in a merger, sale, or other corporate transaction, customer data may be treated as an important business asset. As a result, your Personal Data may be transferred to, or made accessible by, prospective buyers, investors, or business partners, subject to appropriate safeguards. We will inform you of any material corporate changes affecting the Processing of your Personal Data, as required by applicable law.

4. THIRD PARTY INDEPENDENT CONTROLLERS

Within the framework of Services rendered by us, some of the third-party service providers may process your personal data as independent data controllers (business partners, sub-contractors, payment and delivery services, advertising networks, analytics providers, due diligence providers, credit reference agencies etc.) for their own purposes, which may include, but are not limited to:

• Enhancing the effectiveness and quality of their fraud prevention services
• User onboarding as the third party’s own client or customer
• Compliance with legal or regulatory obligations under applicable laws.

We may also receive information about you from third parties. Such information may include:

• Information about financial institutions you use to perform Deposits and/or Withdrawal of Funds
• Information about your financial standing, name and/or address that may be provided to us by third parties we collaborate with
• Personal Data collected during user onboarding where you become the third party’s own client or customer.

Each third-party service provider has legal grounds for data processing, as detailed in their privacy policies on their websites. Your Personal Data will be processed only for the period necessary for the relevant purposes and retained according to each provider’s data retention policies.

Where Personal Data is processed by third-party service providers acting as independent data controllers, we do not control their processing activities. Any security incidents or data protection issues occurring on the side of such third parties are governed by their own policies and legal responsibilities. You acknowledge and accept that engaging with third-party services may involve certain risks outside of our control and you shall bear liabilities for any potential consequences.

5. USE OF COOKIE FILES

We use cookies and similar tracking technologies to ensure the proper functioning of our website and Services and to provide you with the features essential to their operation. In addition, we use other types of cookies — such as analytical, social media, and marketing cookies — which are not strictly required but help us improve performance, enhance your experience, and deliver relevant content. You can read more about cookies, consents and how to control your cookie settings in our Cookie Policy.

6. DISCLOSURE OF YOUR PERSONAL DATA

We may share your Personal Data with selected third parties (including intragroup entities), including:

• Business partners, suppliers, subcontractors, service providers performing relevant due diligence checks to fulfill contractual obligations we enter into with them or you
• Banks and financial institutions, where you make transactions such as bank deposits or withdrawals, credit card payments, or other types of transfers. In such cases, the involved financial institutions may require us to provide certain Personal Data relating to the individual carrying out the transaction. Such institutions may also process Personal Data in accordance with their legal obligations
• Analytics and search engine providers that assist us in the improvement and optimization of our website
• Governmental, judicial or law enforcement authorities, where we are required to disclose or transfer Personal Data in accordance with applicable laws, court decisions, or lawful requests from competent authorities.

7. SECURITY AND STORAGE OF PERSONAL DATA

Making sure your Personal Data is safe and secured is a high priority for us. We use secure storage facilities and technical safeguards to protect the Personal Data you share with us at all stages of interaction with our Platform, products, and Services. Appropriate technical and organizational measures are implemented to protect your Personal Data against unauthorized access, loss or misuse.

We have implemented security measures designed to ensure the confidentiality of your Personal Data and to protect it from loss, misuse, alteration or destruction. Access to Personal Data is limited to only authorized personnel of EXMO who are required to treat such information as confidential. Our security measures in place are reviewed periodically and updated where necessary in line with legal, regulatory and technological developments.

Whilst the transmission of information via the internet is not completely secure, we endeavor to protect your Personal Data during transmission. However, we cannot guarantee the security of data transmitted via external communication networks, including the internet, and any transmission is made at your own risk, and you are solely responsible for possible failures in the transfer of your Personal Data. Once we have received your Personal Data, we will apply appropriate technical and organizational measures to prevent unauthorized access or disclosure.

8. TRANSFER TO THIRD COUNTRIES

We primarily keep your Personal Data within the European Union. Nonetheless, certain processing activities or storage solutions may be located in jurisdictions outside the European Union that are not subject to an adequacy decision by the European Commission.

In such circumstances, we ensure that appropriate safeguards are implemented to maintain a high level of protection for your Personal Data. These safeguards may include the use of Standard Contractual Clauses adopted by the European Commission, the application of binding corporate rules, or adherence to an approved code of conduct or certification mechanism.

In limited cases, we may rely on specific derogations permitted under applicable data protection laws, for example, where you have expressly consented to the transfer, or where the transfer is necessary for the performance of an agreement (such as when information must be shared with another crypto-asset service provider in order to execute a transfer to or from another platform).

9. YOUR RIGHTS

You have certain rights with respect to your Personal Data, including those set forth below:

• Right to access: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you are being processed, and, where that is the case, access to the Personal Data which you have provided to EXMO in a machine-readable format;
• Right to rectification: you have the right to obtain from us the rectification of inaccurate Personal Data concerning you, as well as the right to have incomplete Personal Data completed;
• Right to erasure: you have the right to ask for the deletion of your Personal Data if the Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise processed or if there is no other legal ground for the processing (all or part thereof, considering, however, our regulatory requirements to retain your Personal Data as set forth in Clause 9 of this Privacy Policy);
• Right to restriction of processing: You can ask us to suspend the processing in certain circumstances (e.g. if you want to establish the accuracy of your Personal Data). Personal Data will solely be used for the purpose of potential establishment, exercise or defense of legal claims or based on your consent.;
• Right to data portability: you have the right to receive your Personal Data in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller where technically feasible;
• Right to object: you have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data if there are no legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims;
• Right not to be subject to automated decision-making, including profiling: you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you, but only where such decision is not necessary for entering into, or performance of, the agreement between you and EXMO; or where such decision is not authorized by law to which the EXMO is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or where such decision is not based on your explicit consent.
• The right to lodge a complaint to the applicable supervisory authority: you have the right to lodge a complaint with the supervisory authority responsible for the protection of personal data in your place of residence:
  • If you reside in the European Union, you may lodge a complaint with the data protection authority of your EU Member State (for example, in Poland, the Polish Data Protection Authority (UODO));
  • If you are a User onboarded by Blue Isthmus Technologies CORP, you may lodge a complaint with the Autoridad Nacional de Transparencia y Acceso a la Información (ANTAI), which oversees compliance with Panama’s Personal Data Protection Law (Law 81 of 2019).

You have the right to withdraw your consent at any time where the processing of your Personal Data is based on consent. This withdrawal does not affect the lawfulness of processing carried out prior to its withdrawal.

You acknowledge that the implementation of some of your rights, depending on the circumstances, may limit or prevent our ability to continue providing the Services to you.

10. RETENTION OF PERSONAL DATA

We will store your Personal Data for no longer than is necessary in relation to your use of our products and Services through your Account, having regard to the purposes described in this Privacy Policy and the legal and regulatory obligations to which we are subject. In accordance with our record-keeping obligations, we will retain your Account information and your Personal Data for a minimum period of five (5) years after your Account has been closed or terminated. Depending on the category of Personal Data, certain information may be retained for a longer period where required by applicable law.

We may access, process, or retain your Personal Data for a longer period if it is subject to a lawful request, legal obligation, or an investigation by competent governmental, judicial, or law enforcement authorities.

11. CHANGES TO THIS PRIVACY POLICY

Any changes we may make to our Privacy Policy in the future will be posted on this page and, where required by applicable law, we will notify you by email or through the Platform. We encourage you to review this Privacy Policy periodically to stay informed about any updates or modifications.

12. DATA CONTROLLER AND CONTACT INFORMATION

Depending on your country of residence, one of the EXMO entities specified below acts as the data controller of your Personal Data and is responsible for ensuring that your Personal Data is processed in accordance with applicable data protection laws:

• Exmo Poland Sp. z o.o., a company duly incorporated and existing under the laws of the Republic of Poland, with its registered office at ul. Puszkarska 7i, Bonarka B4B, Building D, 30-644 Kraków, Poland, entered in the register of entrepreneurs of the National Court Register (Krajowy Rejestr Sądowy) under number KRS 0000963082.
• Blue Isthmus Technologies CORP, a company duly incorporated and validly existing under the laws of the Republic of Panama, registered under number 155777354, having its registered office at Calle 55 Este, SL55 Building, 21st Floor, Office 3, Panama City, Republic of Panama.

If you have any questions about this Policy or about how your Personal Data is processed, you may contact us at [email protected] or submit an inquiry through a support ticket via your Account.