XREX Privacy and Cookies Policy

Capitalised terms not defined herein shall have the meanings ascribed to them under the General Terms and Conditions (“Terms”).

We are committed to protecting your privacy and safeguarding your personal data. The purpose of this XREX privacy policy (the “Privacy Policy”) is to inform you about our privacy practices, including how we collect, use, and disclose your personal data. This Privacy Policy applies to personal data in our possession or under our control, including personal data in the possession of organisations which we have engaged to collect, use, disclose, or process personal data for our purposes of operating, and your use of the Services. Any terms used and not otherwise defined herein in this Privacy Policy shall have the meaning as set forth therein in the Terms.

By visiting the Site, interacting with us, submitting information to us, signing up for any products and/or using services made available by us or connecting with us at industry events and conferences, you agree and consent to us collecting, using, disclosing, processing, and sharing your personal data amongst ourselves and our affiliates to the extent necessary for the provision of the Services, or otherwise consented to by you, and disclosing such personal data to our authorised service providers and relevant third parties in the manner set forth in this Privacy Policy. If any policies or practices of this Privacy Policy are not agreed to, please do not visit, access, or use the Services.

This Privacy Policy supplements but does not supersede nor replace any other consents you may have previously provided to us in respect of your personal data, and your consents herein are cumulative and additional to any rights which we may have at law to collect, use, disclose and/or process your personal data. This Privacy Policy does not affect any rights which we may have at law in connection with the collection, use, disclosure and/or processing of your personal data.

1. General information

In this section, we provide you with general information about the entity that is responsible for your personal data, this Privacy Policy, and the Services.

1.1. Important terms

In this Privacy Policy, you will encounter recurrent terms. For your convenience, we would like to explain what such terms mean, as stated in this Privacy Policy:

“consent” means a freely given, specific, informed, and unambiguous agreement to the processing of personal data, including deemed consent;

“data controller” means the entity that determines the purposes and means of the processing of personal data;

“data processor” means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller;

“PDPA” means the Personal Data Protection Act 2012 of Singapore, and all subsidiary legislation, regulations, and guidelines promulgated thereunder, and as time to time amended;

“personal data” means data, whether true or not, about an individual who can be identified from that data or from that data and other information to which the organisation has or is likely to have access;

“processing” means the use of personal data in any manner, including, but not limited to, collection, storage, erasure, transfer, and disclosure of personal data; and

“You” and “your” means a natural person or a business entity that accesses and/or uses the Services.

1.2. Owner and data controller

The Services are provided by XREX Pte. Ltd. with its registered address at 12 Marina View, #10-23, Asia Square Tower 2, Singapore 018961. XREX acts as a data controller with regard to all personal data collected through the Services.

1.3. Children

The Services is not intended for children under the age of 18 or equivalent minimum age in the relevant jurisdiction. Therefore, we do not knowingly collect the personal data of persons under the age of 18. We are unable to identify whether a child has provided us personal data without the KYC process. If we become aware that a child has provided us with personal data, we will take steps to delete such information as soon as possible.

1.4. Cookies Policy

Definition of a Cookie

A cookie is a small data piece sent by a website to your browser, which may then be stored on your device. Cookies enable websites to recognize your device and collect certain user data. They include persistent cookies which are valid until you delete them, expiry cookies which are valid until a set expiration date, session cookies which are valid until you close your browser, first-party cookies which are set by the visiting website and third-party cookies which are set by external websites.

In respect of the Services, we employ technical cookies, which are crucial for the proper functioning of the Site and XREX Pay, and unclassified cookies to record your service preferences.

These cookies may also be used for the following purposes:

(a) Recognize new or past users;

(b) Store your profile or authentication credentials if you use the Services;

(c) Improve the services and to better understand your use of the Services; and

(d) Better understand your interests.

Cookie Consent

Upon your first visit to the Site and/or XREX Pay, we (and the service providers working on our behalf) may seek your consent for cookie usage, especially if accessing from the EU. Without consent, only essential technical cookies will be used. However, this might affect your user experience.

Disabling Cookies

You can decline our cookies anytime via your browser/device settings. However, some platform parts might not work correctly without them. For cookie management, please use the applicable link below:

(a) Apple Safari

(b) Google Chrome

(c) Firefox

(d) Microsoft Edge

1.5. Applicability of the Privacy Policy

This Privacy Policy applies exclusively to the Services and does not extend to any third-party applications, software, products, services, or businesses that may integrate with the Services.

1.6. Changes to the Privacy Policy

Your privacy matters to us so please familiarise yourself with this Privacy Policy. We may update this Privacy Policy by publishing the latest version on our Site or notifying you of any change to this Privacy Policy. You acknowledge and agree that it is your responsibility to review this Privacy Policy periodically to be aware of any changes. Your continued interaction with us or use of our products and/or services shall constitute your acknowledgement and acceptance of such changes.

1.7. How we collect your personal data

Before you submit any personal data through Services, you must read and agree to this Privacy Policy.

We generally collect your personal data in the following ways:

(a) Voluntary disclosure of your personal data directly or via a third party who has been duly authorised by you to disclose your personal data (your “Authorised Representative”) after (i) you (or your Authorised Representative) have been notified of the purposes for which the data is collected, and (ii) you (or your Authorised Representative) have provided consent to the collection and usage of your personal data for those purposes; or

(b) Involuntary collection and use of personal data without consent as permitted or required by the PDPA or other Applicable Laws.

Where it is necessary to collect, use, disclose or process your personal data for purposes which you have not already consented to and been notified of, we shall seek your additional consent to the expanded purposes unless authorised by the PDPA.

It is a continuing condition of your access and/or use of the Services that you agree and consent to the collection, use, disclosure, and/or processing of your personal data in accordance with this Privacy Policy.

2. Types and purposes of personal data collected

We collect only personal data that is necessary for ensuring your proper use of the Services. We use your personal data for specified and limited purposes. In this section, we explain what personal data we collect from you, for what purposes we use that data, and on what lawful bases we rely when processing personal data.

2.1. Types of personal data

We comply with data minimisation principles and collect only personal data that is necessary for your proper use of the Services. Personal data may be obtained from you either directly (e.g., when you register to use the Services or contact us) or through automated means (e.g., when you browse the Site or make a transaction). Please refer below for the types of personal data we collect.

2.2. Purposes of personal data processing

We process your personal data only for specified and legitimate purposes explicitly mentioned in this Privacy Policy. In short, we will use personal data only to enable your use of the Services, deliver the services you request, comply with our legal obligations (e.g., AML/CFT laws), maintain and enhance the Services, conduct research related to our business activities, and respond to your inquiries. We will not process your personal data for any other purposes which you provide your personal data without obtaining your express consent.

2.3. Overview of types and purposes of collecting and processing your personal data

By using the Services, you consent to our collection, use, processing and disclosure of your personal data outlined in the table below. The personal data is collected for the specific purpose associated with the corresponding event reflected in the table below.

Please note that we may transmit your personal data to any third parties including third-party service providers, data processors (including but not limited to those identified in Paragraph 3.2 below), agents, and relevant governmental and/or regulatory authorities, whether in Singapore or abroad, for any of the abovementioned purposes in this Paragraph 2.3.

2.4. Failure to provide personal data

Unless specified otherwise, all personal data requested by XREX is mandatory and failure to provide such data may prevent us from delivering the Services to you. Where we specifically state that certain personal data is optional, you may choose not to provide it without affecting the availability or the functionality of the Services. However, by voluntarily providing optional personal data, you consent to its collection, use, disclosure, and processing for the purposes outlined in this Privacy Policy.

2.5. Additional data

From time to time, we may receive certain additional personal data when you request support, interact with our social media accounts, submit feedback, or otherwise communicate with us. The provision of such data is optional and you may choose what personal data to share. Please exercise discretion when making your personal data publicly available. We will use such personal data to reply to you, provide you with the requested services, or pursue our legitimate business interests such as analysing and improve our business, in accordance with our obligations under the PDPA.

2.6. Sensitive data

We do not, under any circumstances, collect special categories of personal data (e.g., sensitive data) from you, such as your health, religious or political beliefs, racial origins, trade or professional association membership, or sexual orientation. If you choose to provide such sensitive data, you are deemed to do so at your own sole discretion.

2.7. Personal data published on the Services

If you decide to publish information about yourself through the Site and/or XREX Pay (e.g., via your public user profile), you may disclose certain personal data to other users. Please be aware that such data becomes publicly available and may be used by third parties for unlawful purposes. Please exercise discretion and avoid sharing personal data that is unnecessary, excessive or sensitive. Additionally, you must not publish personal data of other persons without their prior consent. If we become aware of such unauthorised disclosure of personal information, we will take immediate steps to remove the personal data and may suspend you from the access or use of the Services.

2.8. Privacy of transactions

The Services allow you to conduct transactions with other users of the Services. We make reasonable efforts to ensure that any transaction-related data remains confidential and securely protected. We do not intentionally access, manage, correct, delete, share, or disclose transaction-related data, unless it is strictly necessary to:

(a) provide the Services;

(b) fulfil any of the specific purposes mentioned in this Privacy Policy or related business purposes;

(c) exercise our legal rights;

(d) enforce the Terms or this Privacy Policy; or

(e) comply with the Applicable Laws.

2.9. Location of processing

Your personal data is processed at XREX’s operating offices in Singapore and in any other locations where our data processors are located. The processing of personal data is carried out using secure IT systems and tools, in accordance with organisational procedures and modes that are strictly aligned with the purposes stated in this Privacy Policy.

2.10. Our compliance with Anti-Money Laundering (AML) regulations

We have established robust internal standards to meet regulatory requirements of the Applicable Laws pertaining to AML/CFT. These standards include internal policies and procedures, such as (a) XREX Financial Crime Compliance Policy; (b) AML Policy; (c) Sanctions Policy; (d) ABC (Anti-Bribery & Corruption) Policy; (e) Customer Due Diligence Policy; (f) FATF Travel Rule; and (g) Operation Procedures.

2.11. FATF Travel Rule

To enhance security and prevent illicit activities involving blockchain and Virtual Asset channels or platforms, the Financial Action Task Force (“FATF”) has introduced a rule which requires VASPs, including XREX, to exchange sender and recipient information with the other VASPs during Virtual Asset transactions (“Travel Rule”). Accordingly, while you make a cryptocurrency deposit or withdrawal, certain personal information may be shared with other VASPs in compliance with the Travel Rule.

3. Disclosure and transfer of personal data

To support the delivery and operation of the Services, we may need to share your personal data with external parties. This includes third-party service providers, data processors and the relevant authority. Additionally, your personal data may be transferred outside your country of residence. This section outlines the types of third parties we may disclose your personal data to, the purposes of such disclosure, instances when we make international data transfers, and the safeguards we implement to protect your personal data.

3.1. Disclosure of personal data

Your personal data may be disclosed to internal teams within XREX (e.g., administration, sales, marketing, legal, system administration) or external parties appointed as data processors (e.g., third-party technical service providers, mail carriers, hosting providers, IT companies, and communications agencies). We do not sell your personal data to third parties. Such disclosure of your personal data is limited to the situations necessary for the following purposes:

(a) Ensuring the proper operation of the Services;

(b) Ensuring the delivery of the Services requested by you;

(c) Providing you with requested information;

(d) Pursuing our legitimate business interests;

(e) Enforcing our rights, preventing fraud, and security purposes;

(f) Carrying out our contractual obligations;

(g) Law enforcement purposes; and

(h) Other purposes to which you provide your consent.

3.2. List of data processors

We only share your personal data with data processors who have legally enforceable obligations to provide a level of data protection comparable to that under the PDPA and other Applicable Laws. The data processors that will have access to your personal data are included, but not limited to, the following:

(a) Name: Amazon Web Services

• Service: Hosting service provider

• Location: The United States & Japan (location of our servers)

• More information: https://aws.amazon.com

(b) Name: Sum and Substance Inc.

• Service: Identity verification service provider

• Location: The United Kingdom & Germany (location of our servers)

• More information: https://sumsub.com

(c) Name: Fireblocks

• Service: Digital asset infrastructure service provider

• Location: Not publicly disclosed

• More information: https://www.fireblocks.com

(d) Name: Intercom

• Service: Customer support service provider

• Location: The United States

• More information: https://intercom.io

(e) Name: Sentry

• Service: Error monitoring service provider

• Location: The United States

• More information: https://sentry.io

(f) Name: World-Check (by LSEG, formerly Refinitiv)

• Service: Risk monitoring service provider

• Location: Not publicly disclosed

• More information: https://www.lseg.com/en/risk-intelligence/screening-solutions/world-check-kyc-screening

(g) Name: MistTrack (by SlowMist AML)

• Service: Blockchain analysis service provider

• Location: Not publicly disclosed

• More information: https://misttrack.io

(h) Name: TRM Labs

• Service: Blockchain analysis service provider

• Location: Not publicly disclosed

• More information: https://www.trmlabs.com

(i) Name: VerifyVASP Pte. Ltd.

• Service: Travel rule solution provider

• Location: Singapore

• More information: https://www.verifyvasp.com/en/

(j) Name: Crypto Defenders Alliance (CDA)

• Service: Non-profit blockchain alliance

• Location: Not publicly disclosed

• More information: https://cryptodefendersalliance.com

3.3. International transfers of personal data

Depending on your location, we may need to transfer your personal data to a country other than your country of residence to ensure the proper delivery of the Services. Where such transfer occurs, we will take appropriate steps to ensure compliance with the Applicable Laws, including ensuring that recipients of the transferred personal data have a level of protection comparable to that required under the PDPA or other Applicable Laws. By using the Services, you consent to international transfer of your personal data.

3.4. Disclosure of non-personal data

We may disclose non-personal data to third parties for any lawful purpose. For example, we may share such data with prospects or partners for business or research purposes, improving the Services, responding to lawful requests from public authorities, or developing new products and services.

3.5. Legal requests

If requested by a public authority, we may disclose your personal data to the extent necessary to comply with the Applicable Laws.

3.6. Successors

In the event of a merger, acquisition or sale of all or part of our business, your personal data may be transferred to the purchaser or successor entity. We will request the purchaser or successor entity to handle your personal data in accordance with this Privacy Policy, the PDPA and the Applicable Laws.

4. Security of personal data

We will use our best efforts to keep your personal data safe and secure. This section outlines the measures taken to protect your personal data.

4.1. Our security measures

XREX implements robust security measures to prevent unauthorised access, collection, disclosure, copying, modification, or unauthorised destruction of your personal data. The security measures taken by us include secured networks, SSL protocol, strong passwords, limited access to your personal data by our staff, and anonymization of personal data (when possible). In order to ensure the security of your personal data, we recommend accessing the Services only through secure networks.

4.2. Handling security breaches

While we ensure best efforts and take reasonable precautions to protect your personal data, we shall not be liable for any unauthorised destruction, loss, use, copying, modification, leakage, and falsification of your personal data caused by circumstances that are beyond our reasonable control. In the event of a serious breach, we will take reasonable measures to mitigate the breach and comply with all necessary disclosure obligations under the Applicable Laws. You agree that our liability will be limited to the maximum extent permitted by the Applicable Laws.

5. Non-personal data

When you use the Services, we automatically collect certain technical data about your device and use. In this section, we inform you what non-personal data we collect from you and for what purposes we use that data.

5.1. Types of non-personal data

We automatically collect technical non-personal data and anonymised for analytics purposes, including de-identified personal data which is treated as non-personal data. These data collected by us include:

(a) Transaction data

When you make a transaction, details such as expected transaction volume, frequency, trade activity, deposits, withdrawals, parties to send or receive transactions, relationships, and purpose of the transactions.

(b) Usage data

When you access and use the Services, information about your time of request, method of server request, file size received in response, the numerical code indicating the status of the server’s answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilized by you, the various time details per visit, and the details about the path followed within the Services with special reference to the sequence of pages visited, and other parameters about the device operating system and/or your IT environment.

When you contact us, we keep records of any questions, complaints, recommendations, or compliments made by you and the response, if any. Where possible, we will de-identify your personal data.

5.2. Purposes of using non-personal data

We will use non-personal data for the following purposes:

(a) To analyse what kind of users visit and use the Services;

(b) To examine the relevance, popularity, and engagement rate of the Services;

(c) To investigate and help prevent security issues and abuse;

(d) To develop and provide additional features to the Services; and/or

(e) To personalize the Services for your specific needs.

5.3. De-identified data

In the event that your non-personal data is combined with certain elements of your personal data in a way that allows us to identify you, we will handle such aggregated data as personal data. If your personal data is de-identified in a way that it can no longer identify a natural person (whether by itself or in combination with any other data in our possession or control), it will not be considered personal data and we may use it for any purpose set out in Paragraph 5.2 above.

6. Direct marketing

From time to time, we may send you promotional messages regarding our services. The section outlines the circumstances under which you may receive such notices and how you can manage your preferences.

6.1. Marketing messages

We may send you direct marketing messages to keep you informed about the Services, including updates on existing Services and information about new or related services. Please note that your voluntary subscription to our updates or newsletters will be deemed as such consent.

6.2. Opting-out

You can opt out from receiving marketing messages at any time free of charge by

(a) clicking on the “unsubscribe” link contained in any message sent to you;

(b) adjusting your account settings; or

(c) contacting us directly in accordance with this Privacy Policy.

6.3. Informational notices and service updates

If necessary, we will send you important informational communications, including service-related, technical, administrative emails, information about the Services, your transactions, user account, privacy and security, and other administrative matters. These communications are necessary for the operation of the Services and do not require your prior consent.

7. Retention time

We retain your personal data only for a period necessary to fulfil the purposes outlined in this Privacy Policy or to meet our legitimate business purpose. This section details the applicable retention period of your personal and non-personal data in our systems, with examples as set out in the table below.

Where processing your personal data based on your consent, we will retain your personal data until the earlier of (i) the purposes for which you have provided your consent is fulfilled or (ii) you withdraw your consent. Upon expiry of the applicable retention period, your personal data shall be securely deleted from our systems. After deletion, your rights to access, rectify, erase, or port your data can no longer be exercised.

7.1. Retention as required by law

XREX may retain your personal data for a longer period where required to do to comply with the Applicable Laws. For example, we may retain your personal data to comply with record keeping obligations, accountancy records and AML/CFT laws.

7.2. Retention of non-personal data

We may retain non-personal data pertaining to you for as long as necessary for the purposes described in this Privacy Policy. This includes retention keeping non-personal data after you have deactivated your user account for the period of time needed for us to pursue legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes and enforce our agreements.

8. Representations and Warranties

You represent, warrant, and undertake to us that:

(a) if in connection with your access and/or use of the Services, you provide us with the personal data of any person other than yourself, such persons have consented to the collection, use, disclosure and/or processing of your personal data in accordance with the Privacy Policy;

(b) your disclosure to us of any personal data is in accordance with all Applicable Laws governing the collection, use, disclosure, and/or processing of personal data, and such personal data is complete, accurate, updated and relevant at the time of disclosure;

(c) before providing any such personal data to us, you acknowledge that you have read and understood this Privacy Policy, and, in the case of personal data relating to an individual other than yourself, have (or will at the time of disclosure have) provided the individual with a copy of, or directed the individual towards a webpage containing that Privacy Policy; and

(d) if from time to time we provide you with a replacement version of the Privacy Policy, you will promptly read that notice and provide updated copies of the Privacy Policy to, or re-direct towards a webpage containing the updated Privacy Policy, any individual whose personal data you have provided to us.

9. Your rights regarding your personal data

You have the right to control how we process your personal data. This section outlines your data protection rights and how you may exercise those rights.

Subject to the Applicable Laws, you may exercise your right to:

(a) Withdraw your consent

You may withdraw your consent to the processing of your personal data at any time. Your consent for the collection, use, and disclosure of your personal data remains valid until you notify us of your withdrawal in writing.

Upon receipt of your written request to withdraw your consent, we may require a reasonable period, depending on the complexity and the impact on our continued obligations to you in providing the Services. We will notify you of any potential consequences, including any legal or service-related implications.

Please note that your withdrawal of consent may affect our ability to continue providing the Services to you.

(b) Object to processing

You have the right to object to the processing of your personal data where such processing is based on grounds other than the performance of a contract or pursuing our legitimate business interests.

(c) Access your personal data

You have the right to request for:

• access to your personal data in our possession or under our control through receiving a copy of such personal data; and/or

• information on how your personal data has been used or disclosed by us, during the last twelve (12) months immediately preceding your request.

If we are unable to provide you with such information, we will inform you of the reasons in writing, subject to the Applicable Laws.

(d) Verify and seek rectification

You have the right to request the updating of any inaccurate or incomplete personal data we hold about you.

(e) Restrict processing

You have the right to request the restriction of the processing of your personal data if you have withdrawn of your consent to such processing.

(f) Have your personal data deleted or otherwise removed. You have the right, under certain circumstances (namely, where retention of the data no longer serves any legal or business need of ours), to erase your personal data from our systems.

(g) Receive your personal data and transfer it to another controller. You have the right to receive your personal data in a structured, commonly used, and machine-readable format and, if technically feasible, to have it transmitted to another controller.

(h) Lodge a complaint. You have the right to bring a claim before their competent data protection authority.

How to exercise your rights

To exercise any of the rights described above, please contact us using the details provided at the end of this Privacy Policy. Requests are generally processed free of charge for one time every year and will be addressed as soon as reasonably practicable, and in any event within one (1) month of receipt.

Lodging a complaint

If you would like to launch a complaint about the way in which we handle your personal data, we kindly ask you to contact us first in writing and express your concerns. Thereafter, we will investigate your complaint and provide you with our response as soon as possible. If you are unsatisfied with the outcome of your complaint, you have the right to lodge a complaint with your local data protection authority.

Contact information

For any questions, comments, or requests about this Privacy Policy or your personal data, please contact our Data Protection Officer by using the contact details below.

• Company name: XREX Pte. Ltd.

• Address: 12 Marina View, #10-23, Asia Square Tower 2, Singapore 018961

• Email address: [email protected]

• Phone number: (+65) 69149851