User Agreement on the Processing and Storage of Personal Data

1. General provisions

1.1. This Policy on Personal Data Processing and Storage (hereinafter referred to as the “Policy”) defines the procedure for collection, processing, storage, protection and transfer of personal data of BTC-Obmennik.info service users (hereinafter referred to as the “Service”).

1.2. The Policy applies to all cases where the User transfers personal data through the BTC-Obmennik.info website, as well as when the Service processes data within the framework of AML/KYC/SoF, fraud prevention and security procedures.

1.3. By using the Service, the User confirms that he is familiar with this Policy and agrees to the processing of data on the terms set forth in it, to the extent necessary for the provision of services and compliance with AML requirements.

2. Terms

Personal data – any information related to an individual directly or indirectly identified.

Processing – any action with data (collection, recording, systematization, storage, clarification, use, transfer, deletion, etc.).

KYC – identification/verification of identity.

SoF – confirmation of the origin of funds.

Authorized persons are employees/contractors admitted to the data on the basis of the need for access.

3. What data can we process

3.1. data provided by the User:

first/last name (if provided);

contact details: telephone, e-mail;

payment details (depending on the direction): card/account/wallet details, address (s) of the crypto wallet, TxID;

correspondence and appeals in support (including attachments).

3.2. data for AML/KYC/SoF (as requested by the Service):

identity documents (passport/ID/passport);

selfies/video selfies and materials for checking “liveliness” (if applicable);

confirmation of address (receipts, statements, lease agreement, etc.);

SoF documents: statements from exchanges/wallets, bank statements, contracts/invoices, other confirmations of the source of funds;

results of AML checks (Risk-Score, labels/risk categories) and case materials.

3.3. Technical data:

IP address, browser/device information, cookies, browsing logs;

anti-fraud data (for example, signs of anomalies/suspicious activity).

4. Purposes of personal data processing

The service processes data for:

provision of exchange services and support of applications;

perform AML/KYC/SoF, Risk-Score, anti-money laundering and fraud procedures;

preventing abuse, investigating disputes, ensuring security and integrity of the service;

compliance with monitoring requirements and applicable regulations;

communication with the User (application notifications, document requests, support responses);

improving the quality of the site (analytics, bug fixes, protection against attacks).

5. Legal grounds for processing

5.1. Processing is carried out on the basis of:

User’s consent (when required);

the need to fulfill the contract (provide services);

the need to perform AML procedures and monitoring requirements;

legitimate interests of the Service (anti-fraud, security, protection of rights and interests).

5.2. In cases where the User does not provide the requested data for AML/KYC/SoF, the Service may suspend the operation or refuse service within AML procedures.

6. Processing methods

6.1. Processing can be performed both automatically (by IT systems) and manually by authorized employees/contractors.

6.2. The Service adheres to the following principles:

minimization of data (we ask only what is needed);

limited goals (use only for the purposes of this Policy);

Need-to-know

limited shelf life (deletion/depersonalization after expiration of shelf life).

7. Data Retention

7.1. AML/KYC/SoF and case materials (documents, correspondence, inspection results, decision logs) are generally kept for at least five (5) years from the date of completion of the transaction or termination of the relationship with the User, unless a longer period is required by applicable requirements or to protect the rights of the Service.

7.2. Data on applications/operations (technical logs, accounts, transactional information) can be stored within the same period required for investigations, dispute resolution and AML control.

7.3. After the expiration of the storage period, the data is deleted or depersonalized if their further storage is not required.

8. Transfer of personal data to third parties

8.1. the Service may transfer data to third parties only if there are legal grounds and in the amount necessary for processing purposes, including:

CCM/identity verification providers (for example, SumSub or similar services);

Secure storage/cloud infrastructure providers (subject to security measures)

Payment providers and infrastructure partners (if necessary for the transaction)

legal/audit consultants (as required);

competent authorities – upon official request and in cases provided for by applicable requirements.

8.2. When transferring data to third parties, the Service takes reasonable measures to ensure the confidentiality and security of data (contractual obligations, access restrictions, audit).

9. Licensed KYC tools and secure storage

9.1 To improve the security and reliability of identity verification procedures, the Service may use licensed KYC/ID-verification tools (for example, SumSub or other providers).

9.2. KYC/SoF materials and test results are stored in secure storage systems with restricted access and logging of user actions.

10. Information protection measures

10.1 The Service applies organizational and technical protection measures, including (but not limited to):

Data transfer encryption (TLS/HTTPS)

Role-based Access Restriction (RBAC) and the “need to access” principle

Multi-factor authentication (2FA) for administrative access

audit logs and monitor suspicious logins;

Backup and recovery measures

sensitive data access segmentation (KYC/SoF);

regular software updates and vulnerability monitoring;

IS internal regulations and personnel training.

10.2. The user undertakes to comply with security measures on his part (not to transfer access to mail/phone/account to third parties, use strong passwords, etc.).

11. User rights

The User may:

request information on the processing of personal data;

Request correction of inaccurate data

request deletion of data, if this does not contradict AML duties and mandatory retention periods;

withdraw processing consent if processing is based on consent (the service may not be available if data is required for AML/KYC/performance).

Requests are sent through the support/contact indicated on the site.

12. cookies and technical data

12.1. The service may use cookies and similar technologies to ensure the correct operation of the site, security and analytics.

12.2. The user can limit the use of cookies in the browser settings, but this may affect the correct operation of the site.

13. Policy Updates

13.1 The Service may change the Policy. The current version is published on the website exchange-bro.net. Continuing to use the site means agreeing to updates.

14. Contacts

For personal data processing and AML/KYC, please contact:

support@btc-obmennik.info