This Policy applies to personal data processed by KryptoX in connection with our Services, including website, dashboards, APIs, KYC/KYB onboarding, compliance screening (KYT), settlement, and support. Capitalized terms have the meanings in the Glossary below.

This document is informational and not legal advice.

The data controller is Insert KryptoX legal entity and address. For privacy inquiries, contact: privacy@kryptox.com. If applicable, provide details of EU/UK representatives and a Data Protection Officer (DPO).

• Account & Contact: name, email, phone, company, role, tenant IDs.
• KYC/KYB: IDs, selfies/liveness, proof of address, incorporation docs, directors/UBOs.
• KYT & Transaction: wallet addresses, risk signals, quotes, conversions, settlements.
• Technical: device and session data (IP, user-agent), logs, telemetry, security events.
• Support & Comms: tickets, call/chat transcripts, preferences.
• Cookies/Analytics: as described in Cookies.

We may receive data from partners (e.g., KYC/KYB, KYT providers, banks) to operate the Services.

• Provide Services & settle funds — Contract performance.
• Compliance (KYC/KYB/KYT, sanctions) — Legal obligation; public interest; legitimate interests (risk management).
• Security & fraud prevention — Legitimate interests; legal obligation.
• Support, billing & communications — Contract; legitimate interests.
• Analytics & product improvement — Legitimate interests (aggregate/limited personal data).
• Marketing (B2B) — Consent or legitimate interests, with opt-out options.

• Subprocessors: specialized providers for identity verification (KYC/KYB), KYT/analytics, treasury, liquidity/settlement, hosting, and support. Current list: /subprocessors.html.
• Banks & payment partners: to execute settlement instructions and comply with law.
• Corporate & advisors: affiliates, auditors, lawyers, insurers (as necessary).
• Legal: when required to comply with laws, court orders, or to protect rights and safety.
• Business transfers: in connection with mergers, acquisitions, or asset sales.

We disclose the minimum necessary data and require contractual safeguards.

We may process data in jurisdictions outside your own. Where required, we rely on appropriate safeguards (e.g., EU/UK Standard Contractual Clauses), supplementary measures, and vendor due diligence.

We retain personal data for as long as necessary to provide Services and meet legal, accounting, and audit requirements. Typical horizons:

• KYC/KYB evidence: 5–10 years after the end of the relationship (jurisdiction dependent).
• Transactions/settlements: 7–10 years.
• Logs/support: 1–3 years.

Automated deletion applies where feasible; exceptions are documented and approved.

• Encryption in transit and at rest; secrets management.
• RBAC/least privilege; quarterly access reviews; audit logs.
• Secure development practices; vulnerability and pen-testing.
• Incident response runbooks and notifications as required by law/contract.

Subject to conditions and exemptions, you may have the right to:

• Access, rectification, erasure (“right to be forgotten”).
• Restriction and objection to processing; portability.
• Withdraw consent where processing is based on consent.
• Lodge a complaint with a supervisory authority.

We will verify identity before fulfilling requests. See Submitting Requests.

For California and similar US state laws, you may have rights to:

• Know/access categories and specific pieces of personal information.
• Deletion, correction, and portability.
• Opt-out of sale/sharing of personal information and certain profiling (if applicable).
• Non-discrimination for exercising rights.

KryptoX does not knowingly sell personal information. If you believe otherwise, contact us.

We use automated checks (e.g., sanctions/PEP/KYT screening) to flag potential risks. Final decisions that materially affect you (e.g., account rejection) include human review where required.

We use cookies and similar technologies for:

• Strictly necessary: session, security, load balancing.
• Functional: preferences, improved UX.
• Analytics: aggregate usage (non-essential; consent where required).
• Marketing (B2B): only with appropriate notices/consent.

Manage preferences via our cookie banner or browser settings. “Do Not Track” signals may not be honored due to industry standards variability.

To exercise privacy rights, email privacy@kryptox.com with your name, organization, request type, and region. We will verify your identity (and authority if acting on behalf of an organization) before processing the request.

Authorized agents may submit requests where permitted by law with proof of authorization.

Our Services are not directed to children under 16, and we do not knowingly collect their data. If you believe a child has provided data, contact us to delete it.

We may update this Policy from time to time. Material changes will be communicated via dashboard, email, or website notice. Continued use after changes indicates acceptance.

Questions or concerns? Contact our privacy team at privacy@kryptox.com. Include “Privacy Request” in the subject line for rights requests.

• KYC/KYB: Know Your Customer / Business identity verification processes.
• KYT: Know Your Transaction monitoring for risk signals.
• Controller/Processor: Roles under GDPR-like frameworks determining purposes/means vs. processing on behalf.
• Personal data: Information that identifies or relates to an identifiable person.
• Subprocessor: Third party engaged to process data on our behalf.