Privacy Policy

Last updated: April 1, 2026

1. Information We Collect

1.1 Information You Provide

When you create an account, verify your identity, or use our services, we collect information that you voluntarily provide, including:

• Account information: Name, email address, phone number, date of birth, nationality, and residential address.
• Identity verification (KYC): Government-issued photo ID (passport, driver's license, or national ID card), proof of address documents, selfie photographs, and biometric data used for liveness detection and facial matching.
• Financial information: Bank account details, payment card information, transaction history, wallet addresses, and source-of-funds declarations where required by law.
• Communications: Records of customer support interactions, chat messages, survey responses, and feedback you submit to us.

1.2 Information Collected Automatically

When you access or use the Platform, we automatically collect certain information, including:

• Device data: IP address, device type, operating system, browser type and version, screen resolution, and unique device identifiers.
• Usage data: Pages visited, features used, time spent on the Platform, clickstream data, search queries, and referring URLs.
• Location data: Approximate geographic location derived from your IP address or, with your consent, more precise location from your device's GPS or Wi-Fi.
• Log data: Server logs that record API calls, login attempts, trading activity timestamps, and error reports.

1.3 Information from Third Parties

We may receive information about you from third-party sources, including identity verification providers (such as Jumio and Onfido), blockchain analytics firms (such as Chainalysis), credit bureaus, sanctions screening services, and social media platforms when you choose to link your account or sign in via a third-party service.

2. How We Use Information

We use the information we collect for the following purposes:

• Service delivery: To create and manage your account, process transactions, execute trades, and provide customer support.
• Identity verification and compliance: To comply with KYC, AML, CTF (Counter-Terrorism Financing), and sanctions screening obligations under applicable law.
• Security and fraud prevention: To detect, investigate, and prevent unauthorized access, fraud, market manipulation, and other prohibited activities.
• Platform improvement: To analyze usage patterns, diagnose technical issues, conduct A/B testing, and improve the performance, functionality, and user experience of the Platform.
• Communications: To send transactional emails (order confirmations, withdrawal alerts, security notifications), marketing communications (with your consent), and regulatory notices.
• Legal obligations: To comply with court orders, subpoenas, regulatory requests, tax reporting requirements, and other legal obligations.
• Aggregate analytics: To generate anonymized, aggregated statistics for internal research and public reporting (e.g., trading volume data).

3. Cookies & Tracking Technologies

Exbit uses cookies and similar tracking technologies to enhance your experience on the Platform. The types of cookies we use include:

• Essential cookies: Required for the Platform to function correctly, including session cookies, authentication cookies, and security cookies. These cannot be disabled.
• Performance cookies: Help us understand how you interact with the Platform by collecting anonymous usage data. We use services such as Google Analytics and Mixpanel for this purpose.
• Functional cookies: Remember your preferences, such as language, theme (light/dark mode), and display settings.
• Marketing cookies: Used to deliver relevant advertisements and measure the effectiveness of our marketing campaigns. These are only set with your explicit consent.

You can manage your cookie preferences through your browser settings or through our cookie consent banner. Disabling certain cookies may affect the functionality of the Platform.

4. Third-Party Data Sharing

We do not sell your personal data. We may share your information with the following categories of third parties:

• Service providers: Cloud infrastructure (AWS, Google Cloud), identity verification (Jumio, Onfido), payment processors (Visa, Mastercard gateways), blockchain analytics (Chainalysis), email delivery (SendGrid), and customer support tools (Zendesk).
• Regulatory and law enforcement: Government agencies, financial regulators, tax authorities, and law enforcement bodies when required by applicable law or in response to valid legal process.
• Affiliated entities: Exbit subsidiaries and affiliates that operate in other jurisdictions, subject to equivalent data protection standards.
• Professional advisors: Auditors, legal counsel, and consultants who are bound by professional confidentiality obligations.
• Business transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred to the acquiring entity.

All third-party service providers are contractually obligated to protect your data and to use it only for the purposes specified by Exbit.

5. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law. Specific retention periods include:

• Account data: Retained for the duration of your account and for 5 years after account closure, as required by AML regulations in most jurisdictions.
• Transaction records: Retained for at least 7 years to comply with financial record-keeping and tax reporting obligations.
• KYC documents: Retained for 5 years after account closure or the end of the business relationship, in accordance with the FATF Recommendations and local law.
• Server logs and usage data: Retained for up to 24 months for security and performance monitoring purposes.
• Marketing consent records: Retained for as long as the consent remains valid and for 3 years thereafter as evidence of compliance.

When personal data is no longer required, it is securely deleted or anonymized so that it can no longer be associated with you.

6. Security

Exbit implements industry-leading technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS 1.3) and at rest (AES-256).
• Multi-factor authentication (2FA) for account access and critical operations.
• Role-based access controls and the principle of least privilege for internal systems.
• Regular penetration testing, vulnerability scanning, and independent security audits (SOC 2 Type II, ISO 27001).
• A 24/7 Security Operations Center (SOC) with real-time threat monitoring and incident response.
• Segregated cold storage for the majority of Digital Assets, with multi-signature authorization and geographic distribution.

While we strive to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

7. Your Rights (GDPR & Global Privacy)

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Right of access: You may request a copy of the personal data we hold about you.
• Right to rectification: You may request correction of inaccurate or incomplete data.
• Right to erasure ("right to be forgotten"): You may request deletion of your personal data, subject to legal retention requirements.
• Right to restriction: You may request that we restrict the processing of your data in certain circumstances.
• Right to data portability: You may request your data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV).
• Right to object: You may object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint: You may file a complaint with your local data protection authority (e.g., CNIL in France, ICO in the UK, BfDI in Germany).

To exercise any of these rights, contact our Data Protection Officer at [email protected]. We will respond within 30 days (or the timeframe required by applicable law). We may require identity verification before processing your request.

For California residents (CCPA/CPRA): You have the right to know what personal information is collected, to request deletion, to opt out of the sale of personal information, and to not be discriminated against for exercising your rights. Exbit does not sell personal information as defined by the CCPA.

8. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy, please contact us:

• Data Protection Officer: [email protected]
• General inquiries: [email protected]
• Support: Help Center
• Address: Exbit Exchange Ltd., PO Box 309, Ugland House, George Town, Grand Cayman, KY1-1104, Cayman Islands

For EEA users, our EU representative is Exbit Europe GmbH, Friedrichstrasse 68, 10117 Berlin, Germany.