XREX PRIVACY POLICY
Effective date: 2 November 2021
We are committed to protecting your privacy and safeguarding your personal data. The purpose of this XREX privacy policy (the “Privacy Policy”) is to inform you about our privacy practices, including how we collect, use, and disclose your personal data. This Privacy Policy applies to our cryptocurrency exchange platform available at https://xrex.exchange (the “Website”) and the related mobile applications and services (collectively, the “XREX Services”). If any policies or practices of this Privacy Policy are unacceptable to you, please do not visit, access, or use the XREX Services.
General information
In this section, we provide you with general information about the entity that is responsible for your personal data, this Privacy Policy, and the XREX Services.
Owner and data controller. The XREX Services is owned and operated by XREX Inc. with its operation office at 5F-1, No. 35, Guangfu S. Rd., Songshan Dist., Taipei City 105, Taiwan (R.O.C.), (“XREX”, “ we”, “us”, and “our”). XREX acts as a data controller with regard to all personal data collected through the XREX Services.
About the XREX Services. The XREX Services include operating and managing a peer-to-peer cryptocurrency exchange platform and the related services.
Children. The XREX Services are not intended for children under the age of 18 or equivalent minimum age in the relevant jurisdiction. Therefore, we do not knowingly collect the personal data of persons under the age of 18. If we learn that we have collected the personal data of a child under 18, we will immediately take steps to securely delete such information from our systems.
Cookies. To ensure the best possible user experience, we use cookies. For detailed information about our cookies, please refer to our cookie policy available at https://intercom.help/xrex-inc/en/articles/4210036-xrex-cookie-policy.
Applicability of the Privacy Policy. This Privacy Policy applies to the XREX Services only; it does not apply to any third-party applications or software that integrate with the XREX Services or any other third-party products, services, or businesses.
Changes to the Privacy Policy. Your privacy matters to us so whether you are new to the XREX Services or a long-time user, please take the time to get to know and familiarize yourself with our policies and practices. Feel free to print and keep a copy of this Privacy Policy, but please understand that we reserve the right to change any of our policies and practices at any time, by notifying you accordingly. You can always find the latest version of this Privacy Policy with the effective date here on this page.
Your consent to the Privacy Policy. Before you submit any personal data through XREX Services, you are encouraged to read this Privacy Policy. In most cases, we rely on the lawful grounds for the processing of your personal data other than your consent. However, in some cases, we may seek to obtain your consent. For example, we may seek your prior consent in the following instances:
If we intend to collect other types of personal data that are not mentioned in this Privacy Policy;
If we intend to use your personal data for purposes that are not indicated in this Privacy Policy;
If we would like to disclose or transfer your personal data to third parties that are not specified in this Privacy Policy; or
If we significantly amend this Privacy Policy.
Important terms. In this Privacy Policy, you will encounter recurrent terms. For your convenience, we would like to explain what such terms mean:
“Consent” means a freely given, specific, informed, and unambiguous agreement to the processing of personal data;
“Data controller” means the entity that determines the purposes and means of the processing of personal data;
“Data processor” means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller;
“Personal data” means any information relating to a natural person who can be identified, directly or indirectly, by using such information (e.g., name, address, phone number, email, and IP address);
“Processing” means the use of personal data in any manner, including, but not limited to, collection, storage, erasure, transfer, and disclosure of personal data; and
“You” and “your” means a natural person or a business entity that accesses and uses the XREX Services.
Types and purposes of personal data collected
We collect only a minimal amount of personal data that is necessary for ensuring your proper use of the XREX Services. We use your personal data for specified and limited purposes. In this section, we explain what personal data we collect from you, for what purposes we use that data, and on what lawful bases we rely when processing personal data.
Types of personal data. We comply with data minimization principles. Thus, we collect only a minimal amount of personal data that is necessary for your use of XREX Services. Your personal data can be collected directly from you when you provide it to us (e.g., when you sign up to use the XREX Services or contact us) or by automated means (e.g., when you browse the Website or make a transaction). The list of the types of personal data that we collect from you is provided in the table below.
Purposes of personal data. We process your personal data only for specified and legitimate purposes explicitly mentioned in this Privacy Policy. In short, we will use personal data only for the purposes of enabling you to use the XREX Services, providing you with the requested services, complying with our legal obligations (e.g., anti-money-laundering laws and regulations), maintaining and improving the XREX Services, conducting research about our business activities, and replying to your inquiries. We will not use your personal data for any purposes that are different from the purposes for which your personal data was provided.
Overview of types and purposes of your personal data. The table below provides a detailed description of the types of personal data that we collect, the purposes for which we use it, and the legal bases on which we rely when processing your personal data.
When you sign up to receive notifications about the XREX Services, we collect your:
Email address
Phone number
In order to:
To inform you about the XREX Services
Legally based on:
Your consent
When you sign up to use the XREX Services, we collect your:
Email address; and
Password.
In order to:
To enable your access to the XREX Services;
To register and maintain your user account;
To deliver the requested services;
To contact you, if necessary; and
To analyze and improve our business.
Legally based on:
Performing a contract with you; and
Pursuing our legitimate business interests (to administer and improve our business).
When you upgrade your user account for transactions, we collect your:
Full name;
Date of birth;
Residential address;
Nationality;
Identification number;
A copy of your identity document and any information included therein;
Employment status;
Bank account information (bank name, bank account number, bank address, contact details, name of the beneficiary, wire instructions);
Annual income;
Asset net worth;
Occupation and industry;
Source of funds; and
Tax Identification Number.
In order to:
To deliver the requested services;
To verify your identity;
To comply with our legal obligations (e.g., anti-money laundering laws and regulations);
To contact you, if necessary; and
To analyse and improve our business.
Legally based on:
Performing a contract with you; and
Pursuing our legitimate business interests (to comply with legal obligations, ensure security, administer and improve our business).
When you make a transaction, we collect your:
Trading records;
Trading logs;
Addresses of digital assets; and
Wallet address.
In order to:
To facilitate your transactions;
To comply with our legal obligations (e.g., anti-money laundering laws and regulations); and
To administer, analyze, and improve our business.
Legally based on:
Performing a contract with you; and
Pursuing our legitimate business interests (to comply with legal obligations, ensure security, administer and improve our business).
When you contact us by email or via live chat, we collect your:
Full Name;
Email address; and
Any personal data that you decide to provide us in your message.
In order to:
To respond to your inquiries; and
To provide you with the requested information.
Legally based on:
Pursuing our legitimate business interests (to grow and promote our business); and
Your consent (for optional personal data).
When you make a deposit or withdrawal, we collect your:
Name;
Bank account information (i.e., bank account number, bank name, and billing address);
Purpose of the transaction;
Contact information;
Relationship of the recipient;
Recipient information.
In order to:
To process your deposits or withdrawals;
To maintain our accountancy records; and
To comply with our legal obligations (e.g., anti-money laundering laws and regulations).
Legally based on:
Performing a contract with you; and
Pursuing our legitimate business interests (to administer our business and comply with our legal obligations).
When you make a cryptocurrency deposit or withdrawal, we collect your:
Name
Deposit wallet address
Customer ID
Transaction amount
In order to:
To share the data to the originator or beneficiary VASP (Virtual Asset Service Provider)
To comply with FATF (Financial Action Task Force) Travel Rule
Legally based on:
Pursuing our legitimate business and services (to comply with legal obligations and ensure security)
When you use the XREX Services, we collect your:
IP address;
Device ID, OS, model name;
XREX App version;
Errors encountered;
Cookie-related data*; and
Your approximate location.
Please refer to our cookie policy available here for more information.
In order to:
To analyze, improve, and evaluate our business activities;
To customize the XREX Services for your location; and
To ensure the security of the XREX Services.
Legally based on:
Pursuing our legitimate business interests (to analyze and improve our business activities and ensure security)
Our compliance with AML (Anti-Money Laundering) regulations. We have established internal standards in meeting regulatory obligations of relevant AML laws, regulations and guidelines that are applicable to our business. These standards include various internal policies and procedures we are required to adhere to, e.g., XREX Financial Crime Compliance Policy, AML Policy, Sanctions Policy, ABC (Anti-Bribery & Corruption) Policy, Customer Due Diligence Policy, FATF Travel Rule, and Operation Procedures.
FATF Travel Rule. To ensure a more secure environment and prevent illicit activities abusing the blockchain and Virtual Asset channels or platforms, FATF has designed and announced the Travel Rule to all Virtual Asset Service Providers (VASP), including XREX. According to the Travel Rule, every VASP shall exchange the sender and recipient data with the other VASP during the process of conducting a Virtual Asset transaction. Therefore, while you make a cryptocurrency deposit or withdrawal, some of your personal information will be exchanged.
Failure to provide personal data. Unless specified otherwise, all personal data requested by XREX is mandatory and failure to provide this data may make it impossible for us to provide the XREX Services. In cases where we specifically state that your personal data is not mandatory, you are free to not communicate this data without consequence to the availability or the functioning of the XREX Services. Please note that your provision of non-mandatory personal data constitutes your consent for the processing of such personal data by us.
Additional data. From time to time, we may receive certain additional data if you request support, interact with our social media accounts, submit your feedback, or otherwise communicate with us. Please note that the provision of such data is optional and you may choose what personal data you would like to share with us. We kindly request you to exercise your due diligence when making your personal data publicly available. We will use such personal data to reply to you, provide you with the requested services, or for pursuing our legitimate business interests (i.e., to analyze and improve our business).
Sensitive data. We do not collect, under any circumstances, special categories of personal data (sensitive data) from you, such as your health information, opinion about your religious and political beliefs, racial origins, membership of a professional or trade association, or information about your sexual orientation, unless you decide to provide such sensitive data, at your own sole discretion.
Personal data made public. If you decide to publish information about yourself through the XREX Services (e.g., via your public user profile), you may decide to reveal certain information about yourself. Please keep in mind that such data will become available to other users of the XREX Services. Therefore, we request you to exercise your due diligence and not to disclose your personal data that is not necessary, extensive, or sensitive as such data can be used by third parties for unlawful purposes. Also, please note that you are not allowed to publish personal data pertaining to other persons if they have not provided you with their prior consent to disclose such data. We will take immediate steps to remove any information or user accounts from the XREX Services if we become aware that they contain personal data disclosed unlawfully.
Privacy of transactions. The XREX Services allow you to conduct transactions with other users of the XREX Services. We put reasonable efforts to ensure that any transaction-related data remains confidential and properly protected. Moreover, we do not intentionally and directly access, manage, correct, delete, share, or disclose transaction data, unless it is strictly necessary for the provision of the XREX Services, enforcement of our legal terms, or we are requested by law to do so.
Location of processing. The personal data is processed at the operating offices of XREX located in Taiwan and in any other places where the data processors appointed by XREX are located (please refer to the section “Disclosure and transfer or personal data” below for more information about the location of our data processors). The processing of personal data is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated.
Disclosure and transfer of personal data
We may need to cooperate with external service providers and share some personal data with them. Also, to ensure the provision of the XREX Services, your personal data may be transferred outside the country where you reside. In this section, you can find information about the third parties that have access to your personal data, the purposes of disclosure, instances when we make international data transfers, and what safeguards we implement to ensure that your personal data is properly protected.
Disclosure of personal data. In addition to XREX, in some cases, your personal data may be accessible to certain types of third parties involved with the operation of the XREX Services (e.g. administration, sales, marketing, legal, system administration) or external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies, and communications agencies). Such third parties are appointed by XREX as its data processors. We do not sell your personal data to third parties. The disclosure of your personal data is limited to the situations when such data is required for the following purposes:
Ensuring the proper operation of the XREX Services;
Ensuring the delivery of the services requested by you;
Providing you with the requested information;
Pursuing our legitimate business interests;
Enforcing our rights, preventing fraud, and security purposes;
Carrying out our contractual obligations;
Law enforcement purposes; or
If you provide your prior consent to such disclosure.
List of data processors. We will share your personal data only with the data processors that agree to ensure an adequate level of protection of personal data that is consistent with this Privacy Policy and the applicable data protection laws. The data processors that will have access to your personal data are listed in the values below.
Service: Hosting service provider
Name: Amazon Web Services
Location: The United States & Japan (location of our servers)
More information:https://aws.amazon.com
Service: Identity verification service provider
Name: Sum and Substance Inc.
Location: The United Kingdom & Germany (location of our servers)
More information:https://sumsub.com
Service: Identity verification service provider
Name: HyperVerge Technologies Pvt Ltd.
Location: India (location of our servers)
More information:https://HyperVerge.co
Service: Customer support service provider
Name: Intercom
Location: The United States
More information:https://intercom.io
Service: Error monitoring service provider
Name: Sentry
Location: The United States
More information:https://sentry.io
Service: AML compliance service provider
Name: CipherTrace
Location: The United States
More information:https://ciphertrace.com/
International transfers of personal data. Depending on your location, we may need to transfer your personal data to a country other than your own for ensuring the proper provision of the XREX Services and other purposes of your personal data. For example, if you reside in the European Economic Area (EEA), we may need to transfer your personal data to jurisdictions outside the EEA. In case it is necessary to make such a transfer, we will make sure that the jurisdiction in which the recipient third party is located guarantees an adequate level of protection for your personal data (e.g., the recipient is a Privacy-Shield certified entity) or we conclude an agreement with the respective third party that ensures such protection (e.g., a data processing agreement based pre-approved standard contractual clauses).
Disclosure of non-personal data. Your non-personal data may be disclosed to third parties for any purpose. For example, we may share it with prospects or partners for business or research purposes, for improving the XREX Services, responding to lawful requests from public authorities, or developing new products and services.
Legal requests. If requested by a public authority, we will disclose information about you to the extent necessary for pursuing a public interest objective, such as national security or law enforcement.
Successors. In case our business is sold partly or fully, we will provide your personal data to a purchaser or successor entity and request the successor to handle your personal data in line with this Privacy Policy.
Security of personal data
We put our best efforts to keep your personal data safe and secure. In this section, we inform you about our technical measures that help us to protect your personal data.
Our security measures. XREX takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of your personal data. The security measures taken by us include secured networks, SSL protocol, strong passwords, limited access to your personal data by our staff, and anonymization of personal data (when possible). In order to ensure the security of your personal data, we kindly ask you to use the XREX Services through a secure network only.
Handling security breaches. Although we put our best efforts to protect your personal data, given the nature of communications and information processing technology and the Internet, we cannot be liable for any unlawful destruction, loss, use, copying, modification, leakage, and falsification of your personal data caused by circumstances that are beyond our reasonable control. In case a serious breach occurs, we will take reasonable measures to mitigate the breach, as required by the applicable law. Our liability for any security breach will be limited to the highest extent permitted by the applicable law.
Non-personal data
When you use the XREX Services, we automatically collect some technical data about your device and visits. In this section, we inform you what non-personal data we collect from you and for what purposes we use that data.
Types of non-personal data. When you use XREX Services, we automatically collect technical non-personal data for analytics purposes. Please note that de-identified personal data is also considered to be non-personal data. Although such non-personal data allows us to analyze your use of the XREX Services, it does not allow us to identify you. The non-personal data collected by us includes the following information:
Transaction data. When you make a transaction, we collect expected transaction volume, expected transaction frequency, details of transactions you make, such as trades, deposits, withdrawals, parties to send or receive transactions, relationships, and purpose of the transactions.
Usage data. When you access and use the XREX Services, we collect information about the time of your request, the method utilized by you to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server’s answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilized by you, the various time details per visit (e.g., the time spent on each page) and the details about the path followed within the XREX Services with special reference to the sequence of pages visited, and other parameters about the device operating system and/or your IT environment.
When you contact us, we keep records of any questions, complaints, recommendations, or compliments made by you and the response, if any. Where possible, we will de-identify your personal data.
Purposes of non-personal data. We will use non-personal data for the following purposes:
To analyze what kind of users visit and use the XREX Services;
To examine the relevance, popularity, and engagement rate of the XREX Services;
To investigate and help prevent security issues and abuse;
To develop and provide additional features to the XREX Services; and
To personalize the XREX Services for your specific needs.
Aggregated and de-identified data. In case your non-personal data is combined with certain elements of your personal data in a way that allows us to identify you, we will handle such aggregated data as personal data. If your personal data is aggregated or de-identified in a way that it can no longer be associated with an identified or identifiable natural person, it will not be considered personal data and we may use it for any business purpose.
Direct marketing
From time to time, you may receive promotional messages from us. In this section, we explain when you may receive notices from us and what you can do to decline our commercial communication.
Marketing messages. To keep you updated about the latest developments related to the XREX Services, we will send you direct marketing messages. You will receive such communication only if:
We receive your express (“opt-in”) consent to receive direct marketing messages (please note that your voluntary subscription to our updates or newsletters substitutes such consent); or
We decide to send you marketing messages about our new services that are closely related to the XREX Services already used by you.
Opting-out. You can opt-out from receiving marketing messages at any time free of charge by clicking on the “unsubscribe” link contained in any of the messages sent to you, adjusting your account settings, or by contacting us directly.
Informational notices and service updates. If necessary, we will send you important informational notices, such as service-related, technical, or administrative emails, information about the XREX Services, your transactions, user account, privacy and security, and other administrative matters. Please note that we will send such notices on an “if-needed” basis and they do not fall within the scope of direct marketing communication that requires your prior consent.
Retention time
We store your personal data only if it is necessary for its specific and limited purposes. In this section, we specify the time period for which we keep your personal and non-personal data in our systems.
Your personal data shall be processed and stored for as long as required by the purpose for which it has been collected. Therefore:
Your personal data collected for purposes related to the performance of a contract between you and XREX shall be retained until such contract has been fully performed.
Your personal data collected for the purposes of XREX’s legitimate interests shall be retained as long as needed to fulfill such purposes.
If you provide your consent to the processing of your personal data, we will retain your personal data (i) for as long as such personal data is necessary for the purposes for which you have provided your consent or (ii) until you withdraw your consent, whichever comes first.
Once the retention period specified above expires, your personal data shall be immediately securely deleted from our systems. Therefore, the right to access, the right to erasure, the right to rectification, and the right to data portability cannot be enforced after the expiration of the retention period.
Retention as required by law. XREX may be obliged to retain your personal data for a longer period whenever required to do so for the performance of a legal obligation or upon order of an authority. For example, we may retain your personal data for as long as it is necessary to keep our accountancy records or for the time period stipulated by anti money-laundering laws and regulations.
Retention of non-personal data. We may retain non-personal data pertaining to you for as long as necessary for the purposes described in this Privacy Policy. This may include keeping non-personal data after you have deactivated your user account for the period of time needed for us to pursue legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes and enforce our agreements.
Your rights regarding your personal data
You have the right to control how we process your personal data. Below, we list the rights that you can exercise with regard to your personal data and explain how you can exercise those rights.
Subject to any exemptions provided by law, you can exercise the right to do the following:
Withdraw your consent. You have the right to withdraw your consent at any time where you have previously given your consent to the processing of your personal data;
Object to processing. You have the right to object to the processing of your personal data if the processing is carried out on a legal basis other than the performance of a contract with you or pursuing our legitimate business interests;
Access your personal data. You have the right to learn what personal data is being processed by us and receive a copy of your personal data;
Verify and seek rectification. You have the right to verify the accuracy of your personal data and ask for it to be updated or corrected;
Restrict processing. You have the right, under certain circumstances, to restrict the processing of your personal data.
Have your personal data deleted or otherwise removed. You have the right, under certain circumstances, to erase your personal data from our systems;
Receive your personal data and transfer it to another controller. You have the right to receive your personal data in a structured, commonly used, and machine readable format and, if technically feasible, to have it transmitted to another controller; and
Lodge a complaint. You have the right to bring a claim before their competent data protection authority.
How to exercise your rights? Any requests to exercise your rights can be directed to XREX by using the contact details specified at the end of this Privacy Policy. The requests can be exercised free of charge to you once per year and they will be addressed by XREX as early as possible and always within one month.
Launching a complaint. If you would like to launch a complaint about the way in which we handle your personal data, we kindly ask you to contact us first and express your concerns. After you contact us, we will investigate your complaint and provide you with our response as soon as possible. If you are not satisfied with the outcome of your complaint, you have the right to lodge a complaint with your local data protection authority.
Contact information
For any questions, comments, or requests about this Privacy Policy or your personal data, please contact our Data Protection Officer by using the contact details below.
Company name: XREX Inc.
Address: 5F-1, No. 35, Guangfu S. Rd., Songshan Dist., Taipei City 105, Taiwan (R.O.C.)
Email address: dpo@XREX.io
Phone number: (+886) 2 2721-1811