XREX Privacy and Cookies Policy
Capitalised terms not defined herein shall have the meanings ascribed to them under the General Terms and Conditions.
We are committed to protecting your privacy and safeguarding your personal data. The purpose of this XREX privacy policy (the “Privacy Policy”) is to inform you about our privacy practices, including how we collect, use, and disclose your personal data. This Privacy Policy applies to personal data in our possession or under our control, including personal data in the possession of organisations which we have engaged to collect, use, disclose, or process personal data for our purposes of operating, and your use of the XREX Service. If any policies or practices of this Privacy Policy are not agreed to, please do not visit, access, or use the XREX Service.
By using the XREX Service, you consent to XREX collecting, using, disclosing and processing your personal data in the manner set forth in this Privacy Policy:
1. General information
In this section, we provide you with general information about the entity that is responsible for your personal data, this Privacy Policy, and the XREX Service.
1.1. Important terms
In this Privacy Policy, you will encounter recurrent terms. For your convenience, we would like to explain what such terms mean, as stated in this Privacy Policy:
“Consent” means a freely given, specific, informed, and unambiguous agreement to the processing of personal data, including deemed consent;
“Data controller” means the entity that determines the purposes and means of the processing of personal data;
“Data processor” means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller;
“Personal Data Protection Act 2012” and “PDPA” means the Personal Data Protection Act of Singapore, and all subsidiary legislation, regulations, and guidelines promulgated thereunder, and as time to time amended;
“Personal Data” means any information relating to a natural person who can be identified, (a) from that information; or (b) from that data and other information to which we have or are likely to have access. Depending on the nature of your interaction with us, some examples of personal data which we may collect from you include your name, residential address, email address, and IP address;
“Processing” means the use of personal data in any manner, including, but not limited to, collection, storage, erasure, transfer, and disclosure of personal data; and
“You” and “your” means a natural person or a business entity that accesses and uses the XREX Service.
1.2. Owner and data controller
The XREX Service is owned and operated by XREX Pte. Ltd. with its operation office at 7 Straits View #05-01 Marina One East Tower Singapore 018936. XREX acts as a data controller with regard to all personal data collected through the XREX Service.
1.3. Children
The XREX Service is not intended for children under the age of 18 or equivalent minimum age in the relevant jurisdiction. Therefore, we do not knowingly collect the personal data of persons under the age of 18.
1.4. Cookies Policy
Definition of a Cookie
A cookie is a small data piece sent by a website to your browser, which may then be stored on your device. Cookies enable websites to recognize your device and collect certain user data. They can be:
Persistent cookies: valid until you delete them.
Expiry cookies: valid until a set expiration date.
Session cookies: valid until you close your browser.
First-party cookies: set by the visiting website.
Third-party cookies: set by external websites.
We employ two cookie types on the XREX Service:
Technical cookies: crucial for the platform's proper functioning.
Unclassified cookies: record your service preferences.
Details of Cookies Employed
ReCAPTCHA v3:
Type: Third-party
Provider: Google
Expiration: End of session
Purpose: To distinguish humans from bots
token:
Type: First-party
Provider: XREX
Expiration: 30 minutes
Purpose: User authentication
lan:
Type: First-party
Provider: XREX
Expiration: Persistent
Purpose: To store language preference
Cookie Consent
Upon your first XREX Service visit, we may seek your consent for cookie usage, especially if accessing from the EU. Without consent, only essential technical cookies will be used. However, this might affect your user experience.
Disabling Cookies
You can decline our cookies anytime via your browser/device settings. However, some platform parts might not work correctly without them. For cookie management, please use the applicable link below:
Do Not Track (DNT)
DNT is a browser feature preventing online monitoring. Although we don't currently support DNT, you can check third-party service provider policies to determine their DNT adherence.
1.5. Applicability of the Privacy Policy
This Privacy Policy applies to the XREX Service only, it does not apply to any third-party applications or software that integrate with the XREX Service or any other third-party products, services, or businesses.
1.6. Changes to the Privacy Policy
Your privacy matters to us so whether you are new to the XREX Service or a long-time user, please take the time to get to know and familiarize yourself with our policies and practices. Feel free to print and keep a copy of this Privacy Policy, but please understand that we reserve the right to change any of our policies and practices at any time, by posting the changes on the Website. You can always find the latest version of this Privacy Policy with the effective date here on this page. Your continued use of the XREX Service constitutes your acknowledgement and acceptance of such changes.
1.7. How we collect your personal data
Before you submit any personal data through XREX Service, you must read and agree to this Privacy Policy.
We generally collect your personal data in the following ways:
(a) Your personal data is provided to us voluntarily by you, directly or via a third party who has been duly authorised by you to disclose your personal data to us (your “authorised representative”) after (i) you (or your authorised representative) have been notified of the purposes for which the data is collected, and (ii) you (or your authorised representative) have provided consent to the collection and usage of your personal data for those purposes; or
(b) Collection and use of personal data without consent is permitted or required by the Personal Data Protection Act 2012 or other laws.
Where is it necessary to collect, use, disclose or process your personal data for purposes to which you have not already consented to and been notified of, we shall seek your prior further consent to the same (except where permitted or authorised by law).
2. Types and purposes of personal data collected
We collect only a minimal amount of personal data that is necessary for ensuring your proper use of the XREX Service. We use your personal data for specified and limited purposes. In this section, we explain what personal data we collect from you, for what purposes we use that data, and on what lawful bases we rely when processing personal data.
2.1. Types of personal data
We comply with data minimization principles. Thus, we collect only a minimal amount of personal data that is necessary for your use of the XREX Service. Your personal data can be collected directly from you when you provide it to us (e.g., when you sign up to use the XREX Service or contact us) or by automated means (e.g., when you browse the Website or make a transaction). The list of the types of personal data that we collect from you is provided below.
2.2. Purposes of personal data processing
We process your personal data only for specified and legitimate purposes explicitly mentioned in this Privacy Policy. In short, we will use personal data only for the purposes of enabling you to use the XREX Service, providing you with the requested services, complying with our legal obligations (e.g., AML laws and regulations), maintaining and improving the XREX Service, conducting research about our business activities, and replying to your inquiries. We will not use your personal data for any purposes that are different from the purposes for which your personal data was provided.
2.3. Overview of types and purposes of collecting and processing your personal data
Below provided is a detailed description of the types of personal data that we collect, use and disclose, the purposes for which we may do so, and the legal bases on which we rely in doing so.
When you sign up to receive notifications about the XREX Service, we may collect your:
Email address; and/or
Phone number.
In order:
To inform you about the XREX Service
Legally based on:
Your consent
When you sign up to use the XREX Service, we may collect your:
Email address;
Phone number; and/or
Password.
In order:
To enable your access to the XREX Service;
To register and maintain your user account;
To deliver the requested services;
To contact you, if necessary;
To deliver promotional information about the XREX Service;
To analyze and improve our business;
To manage your relationship with us;
To comply with any Applicable Law, regulations, codes of practice, guidelines, or rules, in order to assist in law enforcement and investigations conducted by any governmental and/or regulatory authority;
To fulfil any other purposes for which you have provided your personal data; and/or
To fulfil any other incidental business purposes related to or in connection with the above.
Legally based on:
Your consent
When you upgrade your user account for transactions, we may collect your:
Full name;
Date of birth;
Residential address;
Nationality;
Identification number;
A copy of your identity document and any information included therein;
Employment status;
Bank account information (bank name, bank account number, bank address, contact details, name of the beneficiary, wire instructions);
Annual income;
Asset net worth;
Occupation and industry;
Source of funds; and/or
Tax Identification Number.
In order:
To deliver the requested services;
To verify your identity;
To comply with our legal obligations (e.g., AML laws and regulations);
To contact you, if necessary; and/or
To analyze and improve our business.
Legally based on:
Your consent
When you make a transaction, we may collect your:
Trading records;
Trading logs;
Addresses of digital assets; and/or
Wallet address.
In order:
To facilitate and process your transactions;
To comply with our legal obligations (e.g., AML laws and regulations); and/or
To administer, analyze, and improve our business.
Legally based on:
Your consent
When you contact us by email or via live chat, we may collect your:
Full Name;
Email address; and/or
Any personal data that you decide to provide us in your message.
In order:
To respond to and processing your enquiries; and/or
To provide you with the requested information.
Legally based on:
Your consent
When you make a deposit or withdrawal, we may collect your:
Name;
Bank account information (i.e., bank account number, bank name, and billing address);
Purpose of the transaction;
Contact information;
Relationship of the recipient; and/or
Recipient information.
In order:
To process your deposits or withdrawals;
To maintain our accountancy records; and/or
To comply with our legal obligations (e.g., AML laws and regulations).
Legally based on:
Your consent.
When you make a cryptocurrency deposit or withdrawal, we may collect your:
Name;
Deposit wallet address;
Customer ID, including birth information; and/or
Transaction amount.
In order:
To share the data to the originator or beneficiary VASP (Virtual Asset Service Provider); and/or
To comply with FATF (Financial Action Task Force) Travel Rule.
Legally based on:
Your consent
When you use the XREX Service, we may collect your:
IP address;
Device ID, OS, model name;
XREX App version;
Errors encountered;
Cookie-related data (please refer to the Cookie Policy for more information); and/or
Your approximate location.
In order:
To analyze, improve, and evaluate our business activities;
To customize the XREX Service for your location; and/or
To ensure the security of the XREX Service.
Legally based on:
Your consent
Please note that we may transmit your personal data to any third parties including our third party service providers, data processors (including but not limited to those identified in Clause 3.2 below), agents, and relevant governmental and/or regulatory authorities, whether in Singapore or abroad, for any of the abovementioned purposes in this Paragraph 2.3.
2.4. Failure to provide personal data
Unless specified otherwise, all personal data requested by XREX is mandatory and failure to provide this data may make it impossible for us to provide the XREX Service. In cases where we specifically state that your personal data is not mandatory, you are free to not communicate this data without consequence to the availability or the functioning of the XREX Services. Please note that your provision of non-mandatory personal data constitutes your consent to the collection, use, disclosure and processing of such personal data by us for the abovementioned purposes.
2.5. Additional data
From time to time, we may receive certain additional data if you request support, interact with our social media accounts, submit your feedback, or otherwise communicate with us. Please note that the provision of such data is optional and you may choose what personal data you would like to share with us. We kindly request you to exercise your due diligence when making your personal data publicly available. We will use such personal data to reply to you, provide you with the requested services, or for pursuing our legitimate business interests (i.e., to analyze and improve our business) in accordance with our obligations under the PDPA.
2.6. Sensitive data
We do not collect, under any circumstances, special categories of personal data (sensitive data) from you, such as your health information, opinion about your religious and political beliefs, racial origins, membership of a professional or trade association, or information about your sexual orientation, unless you decide to provide such sensitive data, at your own sole discretion.
2.7. Personal data published on the XREX Service
If you decide to publish information about yourself through the XREX Service (e.g., via your public user profile), you may decide to reveal certain information about yourself. Please keep in mind that such data will become available to other users of the XREX Service. Therefore, we request you to exercise your due diligence and not to disclose your personal data that is not necessary, extensive, or sensitive as such data can be used by third parties for unlawful purposes. Also, please note that you are not allowed to publish personal data pertaining to other persons if they have not provided you with their prior consent to disclose such data. We will take immediate steps to remove any information or user accounts from the XREX Service if we become aware that they contain personal data disclosed unlawfully.
2.8. Privacy of transactions
The XREX Service allows you to conduct transactions with other users of the XREX Service. We put reasonable efforts to ensure that any transaction-related data remains confidential and properly protected. Moreover, we do not intentionally and directly access, manage, correct, delete, share, or disclose transaction data, unless it is strictly necessary for the provision of the XREX Service or to fulfill any of the specific purposes mentioned in this Privacy Policy (or any other incidental business purposes related to or in connection with those purposes), enforcement of our legal terms, or we are requested by law to do so.
2.9. Location of processing
The personal data is processed at the operating offices of XREX located in Singapore and in any other places where the data processors appointed by XREX are located (please refer to the section “Disclosure and transfer or personal data” below for more information about the location of our data processors). The processing of personal data is carried out using computers and/or IT-enabled tools, following organizational procedures and modes strictly related to the purposes indicated in this Privacy Policy.
2.10. Our compliance with Anti-Money Laundering (AML) regulations
We have established internal standards in meeting regulatory obligations of relevant AML laws, regulations, and guidelines that are applicable to our business. These standards include various internal policies and procedures we are required to adhere to, e.g., XREX Financial Crime Compliance Policy, AML Policy, Sanctions Policy, ABC (Anti-Bribery & Corruption) Policy, Customer Due Diligence Policy, FATF Travel Rule, and Operation Procedures.
2.11. FATF Travel Rule
To ensure a more secure environment and prevent illicit activities abusing the blockchain and Virtual Asset channels or platforms, FATF has designed and announced the Travel Rule to all Virtual Asset Service Providers (“VASPs”), including XREX. According to the Travel Rule, every VASP shall exchange the sender and recipient data with the other VASPs during the process of conducting a Virtual Asset transaction. Therefore, while you make a cryptocurrency deposit or withdrawal, some of your personal information will be exchanged.
3. Disclosure and transfer of personal data
We may need to cooperate with external service providers and share some personal data with them. Also, to ensure the provision of the XREX Service, your personal data may be transferred outside the country where you reside. In this section, you can find information about the third parties that we may disclose your personal data to, the purposes of disclosure, instances when we make international data transfers, and what safeguards we implement to ensure that your personal data is properly protected.
3.1. Disclosure of personal data
In addition to XREX, in some cases, your personal data may be disclosed to third parties involved in the operation of the XREX Service (e.g. administration, sales, marketing, legal, system administration) or external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies, and communications agencies). Such third parties are appointed by XREX as its data processors. We do not sell your personal data to third parties. The disclosure of your personal data is limited to the situations when such data is required for the following purposes:
Ensuring the proper operation of the XREX Service;
Ensuring the delivery of the services requested by you;
Providing you with requested information;
Pursuing our legitimate business interests;
Enforcing our rights, preventing fraud, and security purposes;
Carrying out our contractual obligations;
Law enforcement purposes; and/or
If you provide your prior consent to such disclosure.
3.2. List of data processors
We will share your personal data only with the data processors with whom we have entered into legally enforceable obligations to ensure that personal data disclosed is provided a level of protection equivalent to that under the PDPA and other applicable data protection laws. The data processors that will have access to your personal data are included, but not limited to, the following:
Name: Amazon Web Services
Service: Hosting service provider
Location: The United States & Japan (location of our servers)
More information: https://aws.amazon.com
Name: Sum and Substance Inc.
Service: Identity verification service provider
Location: The United Kingdom & Germany (location of our servers)
More information: https://sumsub.com
Name: HyperVerge Technologies Pvt Ltd.
Service: Identity verification service provider
Location: India (location of our servers)
More information: https://HyperVerge.co
Name: Intercom
Service: Customer support service provider
Location: The United States
More information: https://intercom.io
Name: Sentry
Service: Error monitoring service provider
Location: The United States
More information: https://sentry.io
3.3. International transfers of personal data
Depending on your location, we may need to transfer your personal data to a country other than your own for ensuring the proper provision of the XREX Service and other purposes of your personal data. For example, if you reside in the European Economic Area (EEA), we may need to transfer your personal data to jurisdictions outside the EEA. In case it is necessary to make such a transfer, we will make sure that each overseas recipient holds a specified certification (e.g., certification issued under the Asia Pacific Economic Cooperation Cross Border Privacy Rules) or such overseas recipient is bound by legally enforceable obligations to ensure that personal data disclosed is provided a level of protection comparable to that under the PDPA (e.g., a data processing agreement based pre-approved standard contractual clauses).
3.4. Disclosure of non-personal data
Your non-personal data may be disclosed to third parties for any purpose. For example, we may share it with prospects or partners for business or research purposes, for improving the XREX Service, responding to lawful requests from public authorities, or developing new products and services.
3.5. Legal requests
If requested by a public authority, we will disclose information about you to the extent necessary for pursuing a public interest objective, such as national security or law enforcement.
3.6. Successors
In case our business is sold partly or fully, we will provide your personal data to a purchaser or successor entity and request the successor to handle your personal data in line with the PDPA and this Privacy Policy.
4. Security of personal data
We make our best efforts to keep your personal data safe and secure. In this section, we inform you about our appropriate administrative, physical and technical measures that help us to protect your personal data.
4.1. Our security measures
XREX takes appropriate security measures to prevent unauthorized access, collection, disclosure, copying, modification, or unauthorized destruction of your personal data, or similar risks. The security measures taken by us include secured networks, SSL protocol, strong passwords, limited access to your personal data by our staff, and anonymization of personal data (when possible). In order to ensure the security of your personal data, we kindly ask you to use the XREX Service through a secure network only.
4.2. Handling security breaches
Although we put our best efforts to protect your personal data, given the nature of communications and information processing technology and the Internet, we cannot be liable for any unlawful destruction, loss, use, copying, modification, leakage, and falsification of your personal data caused by circumstances that are beyond our reasonable control. In case a serious breach occurs, we will take reasonable measures to mitigate the breach, as required by the Applicable Law. Our liability for any security breach will be limited to the highest extent permitted by the Applicable Law.
5. Non-personal data
When you use the XREX Service, we automatically collect some technical data about your device and visits. In this section, we inform you what non-personal data we collect from you and for what purposes we use that data.
5.1. Types of non-personal data
When you use XREX Service, we automatically collect technical non-personal data for analytics purposes. Please note that de-identified personal data is also considered to be non-personal data. Although such non-personal data allows us to analyze your use of the XREX Service, it does not allow us to identify you. The non-personal data collected by us includes the following information:
Transaction data
When you make a transaction, we collect expected transaction volume, expected transaction frequency, details of transactions you make, such as trades, deposits, withdrawals, parties to send or receive transactions, relationships, and purpose of the transactions.
Usage data
When you access and use the XREX Service, we collect information about the time of your request, the method utilized by you to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server’s answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilized by you, the various time details per visit (e.g., the time spent on each page) and the details about the path followed within the XREX Service with special reference to the sequence of pages visited, and other parameters about the device operating system and/or your IT environment.
When you contact us, we keep records of any questions, complaints, recommendations, or compliments made by you and the response, if any. Where possible, we will de-identify your personal data.
5.2. Purposes of using non-personal data
We will use non-personal data for the following purposes:
To analyze what kind of users visit and use the XREX Service;
To examine the relevance, popularity, and engagement rate of the XREX Service;
To investigate and help prevent security issues and abuse;
To develop and provide additional features to the XREX Service; and/or
To personalize the XREX Service for your specific needs.
5.3. De-identified data
In case your non-personal data is combined with certain elements of your personal data in a way that allows us to identify you, we will handle such aggregated data as personal data. If your personal data is de-identified in a way that it can no longer identify a natural person (whether by itself or in combination with any other data in our possession or control), it will not be considered personal data and we may use it for any business purpose.
6. Direct marketing
From time to time, you may receive promotional messages from us. In this section, we explain when you may receive notices from us and what you can do to decline such promotional messages.
6.1. Marketing messages
To keep you updated about XREX Service, we will send you direct marketing messages. You will receive such communication only if: We receive your express (“opt-in”) consent to receive direct marketing messages in relation to both the existing XREX Service provided to you and/or new services closely related to such XREX Service (please note that your voluntary subscription to our updates or newsletters substitutes such consent).
6.2. Opting-out
You can opt out from receiving marketing messages at any time free of charge by clicking on the “unsubscribe” link contained in any of the messages sent to you, adjusting your account settings, or contacting us directly.
6.3. Informational notices and service updates
If necessary, we will send you important informational notices, such as service-related, technical, or administrative emails, information about the XREX Service, your transactions, user account, privacy and security, and other administrative matters. Please note that we will send such notices on an “if-needed” basis and they do not fall within the scope of direct marketing communication that requires your prior consent.
7. Retention time
We retain your personal data only for a period necessary to carry out the purposes mentioned in this Privacy Policy or for our business purposes. In this section, we specify the time period for which we keep your personal and non-personal data in our systems.
For example:
Your personal data collected for purposes related to the performance of a contract between you and XREX shall be retained until such contract has been fully performed;
Your personal data collected for the purposes of XREX’s legitimate interests shall be retained as long as needed to fulfill such purposes; and
If you provide your consent to the processing of your personal data, we will retain your personal data (i) for as long as such personal data is necessary for the purposes for which you have provided your consent or (ii) until you withdraw your consent, whichever comes first.
Once the retention period specified above expires, your personal data shall be securely deleted from our systems. Therefore, the right to access, the right to erasure, the right to rectification, and the right to data portability cannot be enforced after the expiration of the retention period.
7.1. Retention as required by law
XREX may be obliged to retain your personal data for a longer period whenever required to do so for the performance of a legal obligation or upon order of an authority. For example, we may retain your personal data for as long as it is necessary to keep our accountancy records or for the time period stipulated by AML laws and regulations.
7.2. Retention of non-personal data
We may retain non-personal data pertaining to you for as long as necessary for the purposes described in this Privacy Policy. This may include keeping non-personal data after you have deactivated your user account for the period of time needed for us to pursue legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes and enforce our agreements.
8. Your rights regarding your personal data
You have the right to control how we process your personal data. Below, we list the rights that you can exercise with regard to your personal data and explain how you can exercise those rights.
Subject to any exemptions provided by law, you can exercise the right to do the following:
Withdraw your consent
You have the right to withdraw your consent at any time where you have previously given your consent to the processing of your personal data.
The consent that you provide for the collection, use, and disclosure of your personal data will remain valid until it is withdrawn by you in writing. You may withdraw consent and request us to stop collecting, using and/or disclosing your personal data for any or all of the purposes stated in this Privacy Policy.
Upon receipt of your written request to withdraw your consent, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of us acceding to the request, including any legal consequences which may affect your rights and liabilities to us.
Whilst we respect your decision to withdraw your consent, please note that depending on the nature and scope of your request, we may not be in a position to continue providing our services to you once such consent has been withdrawn.
Object to processing
You have the right to object to the processing of your personal data if the processing is carried out on a legal basis other than the performance of a contract with you or pursuing our legitimate business interests.
Access your personal data
You have the right of access to:
(a) personal data about you in our possession or under our control through receipt a copy of such personal data; and/or
(b) information about the ways in which that personal data has been used or disclosed by us within a year before the date of your request.
If we are unable to provide you with such copy of personal data or such information requested, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under the PDPA).
Verify and seek rectification
You have the right to verify the accuracy of your personal data and ask for it to be updated or corrected.
Restrict processing
You have the right, under certain circumstances, to restrict the processing of your personal data by withdrawing of your consent to such processing.
Have your personal data deleted or otherwise removed
You have the right, under certain circumstances (namely, where retention of the data no longer serves any legal or business need of ours, to erase your personal data from our systems.
Receive your personal data and transfer it to another controller
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and, if technically feasible, to have it transmitted to another controller.
Lodge a complaint
You have the right to bring a claim before their competent data protection authority.
How to exercise your rights
Any requests to exercise your rights can be directed to XREX by using the contact details specified at the end of this Privacy Policy. The requests can be exercised free of charge to you once per year and they will be addressed by XREX as early as possible and always within one month.
Launching a complaint
If you would like to launch a complaint about the way in which we handle your personal data, we kindly ask you to contact us first and express your concerns. After you contact us, we will investigate your complaint and provide you with our response as soon as possible. If you are not satisfied with the outcome of your complaint, you have the right to lodge a complaint with your local data protection authority.
Contact information
For any questions, comments, or requests about this Privacy Policy or your personal data, please contact our Data Protection Officer by using the contact details below.
Company name: XREX Pte. Ltd.
Address: 7 Straits View #05-01 Marina One East Tower Singapore 018936
Email address: support@xrex.sg
Phone number: (+65) 69116677
Last updated