Personal Data Protection Policy (USA)

Introduction and Purpose

To help comply with the Privacy Act, 1974 and relevant laws and regulations in the USA, ’s best practice of Data Protection and the concurrence with Privacy Act, 1974 and Uniform Personal Data Protection Act 2021 which is subject to relevant amendments as and when such amendment takes place is shown in this policy.

In this Policy “we”, “us”, “our” means and the terms “user”, “individuals”, “non-individuals” means the residents of USA and the business enterprises registered in USA under the Model Business Corporation Act, 19841.

The Personal Data Protection Policy is uniformly applicable to all Users intending to utilize the Services or gain advantages from the Online Platforms of , constituting an integral element of the User Terms and Conditions. Before engaging with the Online Platforms or divulging any personal information, it's imperative to thoroughly examine this Data Protection Policy. Your use of the Online Platforms implies your explicit acknowledgment and adherence to the User Terms and Conditions and, consequently, this Personal Data Protection Policy.

The purpose of 's Personal Data Protection policy is to ensure that the customers of get their privacy protected invariably by protection of their personal data and information2. Personal Data Protection Policy of optimises and enhances transparency and accountability in processing of the valuable data and specifics provided by the customers, giving greater control of their personal data and sensitive information.

1 Amended and revised last in 2016, published in Dec 9th, 2017

2 Section 6 of the Uniform Personal Data Protection Act, 2021

Scope

’s Personal Data Protection Policy applies both to the processing of personal data taking place within the territory of USA and extraterritorially, in certain circumstances, to processing taking place outside of USA either for the purpose of the Financial Crimes Enforcement Network’s statutory functions or in other purposes provided for3 in pursuance of proper discharge of the functions of or for detection and prevention of serious crime or criminal proceedings4, following the data protection principles and makes sure that the information is used fairly, legally and transparently for specified and explicit purposes in a way that is adequate and accurate, notwithstanding that the information is relevant and limited to only what is necessary. Record retention techniques at retains relevant information of the customers involved in a transaction for a maximum period of five years from the date of completion of the transaction and/or after off-boarding5. also ascertains that there is a strong legal protection by its legal team for more sensitive information like race, ethnic background, political and religious opinions and beliefs, genetics, trade union membership and sex life or orientation, and most pertinently, setting separate safeguards and measures for personal data relating to criminal convictions and offences.

retains records of its employees for a tenure of three years.6

3 Sec 2(b) of the Privacy Act, 1974

4 Sec 3(i) of the Privacy Act, 1974

5 Section 802(a)(1) of Sarbanes-Oxley (SoX) Act of 2002

Principle of Personal Data Protection Policy

With the unerring adherence to Privacy Act, 1974 and Uniform Personal Data Protection Act, 2021 at , the Compliance Team at is responsible for compliance regarding the Personal data and Personally Identifiable Information of the customers of in a manner that is:

  • processed legally, without prejudice and in a transparent manner,
  • the said information and data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed,
  • the information is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • accurate and, where necessary, kept updated;
  • every reasonable step is taken to ensure that personal data that are inaccurate in terms of the purpose for which that was collected are erased or rectified in an expeditious manner;
  • the data is kept in a form which permits identification of customers for no longer than is necessary for the purposes for which the relevant personal data are processed;
  • the data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Types of Data collected

While using the services provided by , certain Personally Identifiable Information (PII) are collected which can be used to identify or contact the customers. The Personally Identifiable Information (PII) may include, but is not limited to:

  1. Name
  2. Address including Zip code
  3. Place and Date of birth
  4. SSN (Social Security Number) or Passport number
  5. Email
  6. Phone number
  7. Account password

The Employment Information of the Customers is also collected in the subsequent steps like

  1. Industry
  2. Occupation
  3. Source of Funds
  4. Employment Category
  5. Employment Type
  6. Annual Income
  7. Net Worth
  8. Transaction Volume
  9. If the Applicant is a Politically Exposed Person (PEP) or not
  10. Purpose of the account
  11. Current Banking Partner
  12. How long the Applicant had that banking relationship

The applicant and/or customer shall have to also provide and upload the following documents and information via mobile applications or web browsers.

  1. One of the government-issued identity documents bearing the individual’s photograph, an identification number and date of
  2. Passport or SSN
  3. Driver’s License
  4. Proof of residence issued within the last three
  5. Real-time live selfie of themselves
  6. Industry and

When the customer uses the services provided by by or through a mobile device or web in regards to crypto exchange, collects, retains, uses, or stores data or information automatically; including, but not limited to, device verification, gathering the IP address of the device used by the customers, accessing the photo gallery/media/files/camera and user’s other apps and services including messaging through SMS and usage data, tracking the location from where the customer has logged in, the type of browser used by the customer and the device ID, browser type, browser version, unique device identifiers, and the time and date of visit during login using local storage. User’s device information is also collected including but not limited to IMEI or equipment identification number, IMSI or subscriber identification, MAC address, Android version, device details, network operator, contact list information, Wifi / Data Network connectivity.

also collects information that the browser sends whenever the customer visits the site to login or when the customer accesses the services provided by through a mobile device.

In terms of website handling, uses cookies and tracking technologies like Google Analytics. In terms of cookies, uses cookies like:

  • Necessary/Essential cookies which provide the customers with services available through the Website and to enable the customers to use some of the features of . These cookies help to authenticate users and prevent fraudulent use of user accounts.
  • Notice acceptance cookies identify if users have accepted the use of cookies on the Website.
  • Functionality cookies which allow to remember choices the customer makes when the customers use the website, such as remembering the login details or language preference.
  • Tracking and performance cookies which are used to track information about traffic to the website and how users use the website.

Processing of data relating to Criminal Conviction and Offences

carries out security measures relating to processing of personal data pertaining to criminal convictions and offences under the control of official authority or when the processing is authorised by Financial Crimes Enforcement Network (FinCEN) through thereby providing for appropriate safeguards for the rights and freedoms of the customers of . Any comprehensive register of criminal convictions is kept under the control of official authority only.

Use of Personal Data

uses Personal Data of its customers for the following purposes:

  • To provide and maintain the Service in addition to monitoring the usage of the service.
  • To manage the Account of the customers in terms of the registration and login as a user of the service provided by so that the personal data provided can give the customers access to different functionalities of the service that are available to them as a registered user.
  • For the performance of a contract encompassing the development, compliance and undertaking of the contract for the services the customer has obtained or of any other contract with .
  • To contact the customers by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application's push notifications regarding updates or informative communications related to the functionalities or contracted services, including the security updates, when necessary or reasonable for their implementation.
  • To provide the customer with news, special offers and general information about other services and events which are offered by unless the customer has opted not to receive such information.
  • To manage the requests of the customers to may use the customer information for other purposes like data analysis, identifying usage trends, determining the effectiveness of the promotional campaigns and to evaluate and improve the Service, products, services and marketing.
  • It is to be noted that the personal information of the customers for any relevant purpose whatsoever are always disclosed with the consent of the customers.

Retention of Personal Data

shall retain the Personal and Professional Data of the customers for as long as the account of the customers is active or as needed to provide services in accordance with The Sarbanes-Oxley Act of 2002. The personal and professional data obtained by for verification purposes before using and/or availing the services of are kept throughout the continuance of business relationship with the customer and are retained for a tenure of at least five years after the conclusion of business relationship7. shall retain and use the Personal Data of the customers to the extent necessary to comply with the legal obligations, and for the purpose of enforcing the legal agreements and policies.

keeps a copy of the data and information as well as sufficient supporting records of the transactions provided by the customers of for fulfilment of its CDD obligations for a period of five years following the completion of the transaction or the end of the business relationship8. After the completion of the five-year tenure, the information and personal data of the customers are retained only either under an enactment or for the purposes of court proceedings, or the data of customers can also be retained by if the concerned customer consents to such retention of data. But if any suspicious activities related to Money Laundering are detected by , the record retention may span up to the tenure so required to be retained by to comply with the appropriate legal obligations and requirements.

7 Section 802(a)(1) of the Sarbanes-Oxley Act of 2002

8 31 C.F.R. § 1023.410, BSA 1970

keeps staff training records at least for three years after the date of completion of such training.

The retention period may extend beyond the termination of business relationship with a customer only as long as it is necessary for to have sufficient information to respond to any issues that may arise later, including but not limited to the purpose of investigations or ongoing prosecutions or in case of Suspicious transactions or if requires the information for its records or to support legal proceedings, or if believes in good faith that a law, regulation, rule or guideline requires it. Nevertheless, there is no obligation to do so in all instances. shall not be liable or responsible for the non-availability of information beyond the termination of business relationship with their clients.

Disclosure of Personal Data

Law enforcement

Under certain exceptional circumstances, shall disclose the Personal Data of the customers if required to do so by law or in response to valid requests by public authorities like Courts or Government Agencies.

Other legal requirements

shall disclose the personal data and information of the customers in good faith that such action is necessary to either abide by a legal obligation, or for protection against legal liability and defence of however deemed applicable by the Compliance team at .

For the purposes of disclosure of information, the disclosure shall be made by only if the disclosure was made with the consent of the customer himself or by the legal representative of the customer carrying on the business of the customer for the time being, or the information which was obtained by or provided to the Financial Crimes Enforcement Network in the course or purposes of discharge of the functions of Financial Crimes Enforcement Network through , or for the purpose of making the data or information available to the public in relevant and respective manner or where the disclosure of information was made for the purposes of criminal or civil proceedings, or such disclosure was necessary in the public interest.

Transfer of Personal Data

The information of the customers, including Personal Data, is processed at the operating offices of and in any other places where the customer and involved in the processing are located. It implies that the relevant information may be transferred to and maintained on computers located outside of the state, province, country or other governmental jurisdiction where the data protection laws may differ from those from the territorial jurisdiction of USA and the same shall be done after complying with , including for onward transfers of personal data from the country located outside the aforementioned jurisdictional borders or an international organisation to another country or international organisation. The consent of the customers followed by submission of such information represents the agreement and consent to such transfer. takes all reasonable steps necessary to guarantee that the data of the customers is treated securely and in accordance with this Policy and no transfer of Personal Data shall take place to an organisation or in the vicinity of any jurisdiction when the Bureau of Consumer Service Protection by due notification, restricts the transfer of such data by the Federal Trade Commission9.

The transfer of personal data of customers shall be so applied that the level of protection of customers which is guaranteed by is not undermined.

9 15 U.S.C. §§ 6801-6809, §§ 6821-6827 of the Gramm-Leach-Bliley Act, 1999

Security of Personal Data

Taking into account the purposes of processing personal data as well as the risk of deviating likelihood and severity for the rights and freedoms of customers of , implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the pseudonymisation10 and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, and resilience of processing systems and services, the ability to restore the availability and access to personal data in an expeditious manner in the event of a physical or technical incident and incorporates a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing of personal data and information of the customers.

The security of personal data of customers of is held in highest regard and all kinds of chamber-tight security protocols are implemented and always in place, but it has to be borne in mind that no method of transmission or transfer of information over the internet, or method of electronic storage is 100% secure, and all such methods are susceptible to malicious cyber attacks. Although strives to use the prime means to protect the Personal Data of the customers, its absolute security is not guaranteed.

10 Pseudonymisation and other encryptions shall be performed at the discretion of , subject to the applicable and existing laws and regulations of the land.

Legal Basis for Processing Personal Data under Personal Data Protection

processes personal data of customers under the following conditions:

  • Consent: Where the customer has given his consent for processing personal data for one or more specific purposes.
  • Performance of a contract: Processing of Personal Data is necessary for the performance of an agreement with the customer or for any pre-contractual obligations thereof.
  • Legal obligations: Processing Personal Data is necessary for compliance with legal obligations to which is subject.
  • Legitimate interests: When processing of personal data becomes necessary for the purposes of the legitimate interests pursued by .

In any of the aforementioned scenarios, undertakes to clarify the specific legal basis which applies to the processing of personal data and information, and in particular whether the provision of Personal Data is a statutory or contractual requirement.

Rights of the Customer

Under the Personal Data Protection Policy framed and implemented strictly by being a Centralised Crypto Trading Platform, the Customers have the right to find out what information stores about them, including the right to:

  • be informed about how the relevant data of the customers is being used
  • have incorrect data replaced and updated with the correct information
  • have data erased
  • stop or restrict the processing of data
  • object to how their data is processed in certain circumstances.

In compliance with the Bureau of Consumer Financial Protection and FTC,11 being the rulemaking authority and the enforcement authority of personal data of customers respectively, has the responsibility for monitoring and enforcing the respective provisions relating to Personal Data Protection. The various rights enforceable by the customer as per the Personal Data Protection policy of are as follows:

  • Right to access information or request records by the customer pertaining to the personal data concerning him or her whether being processed by , or any other relevant information related to personal data of the customer and its processing and, where that is the case, access to the personal data and the relevant information, but such access to information is limited to exemptions provided in Privacy Act, 197412. is liable to provide information to the customer barring pseudonymized data like the identity and the relevant contact details and information of , the legal foundation and purposes for which the personal data of the customer is processed by , the categories of personal data of the customer which is being processed, the categories of recipients of the personal data (if any) and any other information needed to secure that the personal data of customer is processed fairly and transparently.

11 15 U.S.C. § 6801 et seq of Gramm-Leach-Bliley Act, 1999.

  • Right of Rectification of data except pseudonymized data by the customer who has the right to rectify the inaccurate personal data concerning him or her from the database of The customer also has the right to complete the incomplete personal data, including providing a supplementary statement conditional to the purpose of processing the data of the customers.
  • Right to erasure by the customer to obtain the erasure of personal data concerning him or her where either the personal data of the customer is no longer necessary in relation to the purposes for which they were collected or otherwise processed, or the customer withdraws consent to the processing of his or her personal data for one or more specific purposes. Data deletion involves the secure and irreversible removal of data from all relevant storage locations involving the procedure of identification of data to be deleted, verifying the deletion request and obtaining necessary approvals and using appropriate methods to securely delete ensures documenting the deletion process of data for audit and compliance purposes. Customers may request complete deletion of their personal, financial, operational and legal and compliance data by using the “Delete my data” button in the Settings of the interface. Upon using this feature, the customer’s data goes immediately to the deletion queue from where it is automatically and permanently deleted at the end of the retention period, wherever applicable.

12 10 exemptions are provided in the Privacy Act, 1974 where access to records on individuals are not granted being Exemptions (d)(5), j(1) to (2) and k(1) to (7).

  • Right of receipt of copy of data of the customer where the customer has a right to readily receive a copy of personal data provided to free of cost once every 12 months. It is, however, subject to a minimal fee for every additional copy of personal data based on administrative costs of .13

Requirements

is not bound to disclose any record or information of its customers which is contained in its back-end portal or any other system of record-keeping to any third person or another agency whatsoever, except with the prior written consent of the customer to whom the record pertains. However, under the following circumstances, shall be liable to disclose information:

  • to the respective officers at who might have a requirement of such information for discharge of their duties in their official capacity.14
  • does not disclose any record or information unless such disclosure is required by law for a routine use which is defined in Privacy Act.15

13 Section 5 of Uniform Personal Data Protection Act, 2021

14 5 U.S.C. § 552a(b)(1) of Privacy Act, 2020 version

15 Subsection (a)(7) of 5 U.S.C. § 552a(b)(3), Privacy Act, 2020

  • does not disclose any record or information unless such disclosure is required by the Bureau of the Census for purposes of planning or carrying out a census or survey or related activity. 16
  • is not liable to disclose any information or share any record of any individual except when such information or record is required by the National Archives and Records Administration as a record which has sufficient historical or other value for continued preservation by the United States Government, or for evaluation by the Archivist of the United States or the designee of the Archivist to determine whether the record has such value.
  • is bound by confidentiality of information of its customers except in circumstances where it is needed by any Governmental Department or an agency of any governmental jurisdiction under the control of the United States for a civil or criminal law enforcement activity authorized by law if the head of such agency makes a written request to specifying the law enforcement activity and the particular portion of information for which the record is sought.17
  • does not disclose any information about its customers except under the order of a court of competent jurisdiction concerning such information.18
  • does not divulge customer information under any circumstances apart from requirements of a consumer reporting agency.19

16 5 U.S.C. § 552a(b)(4) of Privacy Act, 2020 version

17 5 U.S.C. § 552a(b)(7) of Privacy Act, 2020 version

18 5 U.S.C. § 552a(b)(11) of Privacy Act, 2020 version

19 Section 3711(e) of Title 31, i.e. Debt Collection Act, 1982

Exercising Personal Data Protection Rights

The customers of may exercise the rights of access and request their records, rectification and change of records which are not accurate and right to be protected against unwarranted invasion of their privacy resulting from the collection, maintenance, use, and disclosure of their personal information by contacting . It must be noted that may ask its customers to verify their identity before responding to such requests, but shall strive to respond and reciprocate to any of such requests of its customers instantaneously.

Children's Privacy

In relation to the processing of the personal data of a child, the processing of data although not barred for children pursuant to the existing regulations of the US, might not be allowed by at the time of signing in as a customer. The processing of data however, is executed where the child is at least 18 years old. does not address anyone under the age of 18. Personally Identifiable Information from anyone under the age of 18 is collected if and to the extent that consent is given or authorised by the parent or the legal guardian of the child by using a crypto custodial account20. strictly adheres to the privacy rights of children implemented throughout the US like Children's Online Privacy Protection Act (COPPA), 1998.

20 Ref: Uniform Gifts to Minors Act (UGMA), 1966

If a parent or legal guardian of a child is aware that his/her child has provided with Personal Data without consent and/or approval, such parent or guardian is requested to contact the customer service executive of at the first instance. If Personal Data from anyone under the age of 18 without verification of parental consent is collected, required steps are taken to remove that information from the servers of . If any data of children is mistakenly collected by which might have a detrimental effect towards the welfare and well-being of the child, such data provided shall not be processed by under any prudent circumstances.

Changes to Policy

updates its privacy policy from time to time. Any changes whatsoever shall be notified to the customers of by posting the new Privacy Policy on this page.

The customers are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page on the Website.

Contact

For any query about this Policy, the contact information is given below: