Effective Date: 21 February 2026
1. Introduction
Bitbase (hereinafter referred to as "we", "us", or "our") operates a cryptocurrency exchange platform accessible via www.Bitbase.com and our mobile applications (the "Platform"). This Privacy Policy ("Policy") sets out how we collect, use, store, disclose, transfer, and protect personal data in connection with your use of the Platform and Services. It applies to all users of the Platform, including individual retail users, institutional clients and visitors to our website ("you" or "your").
This Policy is incorporated into and forms part of our Terms of Use. By registering an Account or using the Services, you confirm that you have read and understood this Policy and consent to the processing of your personal data as described herein. If you do not agree, you must not use the Platform. Unless otherwise defined in this Policy, all capitalized terms shall have the meanings assigned to them in the Terms of Use.
We may update this Policy from time to time. The current version will always be available on the Platform. Material changes will be notified as described in Section 22.
2. Your Consent
To ensure transparency and to maintain your confidence in the manner in which we collect, use, and safeguard personal data, you are encouraged to read this Privacy Policy carefully and in full. By accessing or logging in to our Platform, whether or not you have registered for an account, you acknowledge that you have read, understood, and agree to the terms of this Privacy Policy. In particular, you acknowledge and agree that:
- You voluntarily provide your personal data and expressly consent to our collection, use, processing, and disclosure of such personal data in accordance with this Privacy Policy.
- You agree to comply with all applicable terms, conditions, and provisions set out in this Privacy Policy.
- You consent to the collection and processing of your personal data through your access to the Platform, including but not limited to logging in, registering an account, and using the Services made available through the Platform. You further acknowledge and agree that this Privacy Policy may be amended, updated, or modified from time to time, and that your continued access to or use of the Platform following such amendments constitutes your acceptance of the revised Privacy Policy.
- You agree that our branches, affiliates, related entities, and employees may contact you regarding products, services, promotions, or other information that may be of interest to you, unless you have expressly indicated your preference not to receive such communications.
3. Scope of This Policy
This Policy covers personal data collected and processed by us in connection with:
- registration and maintenance of your Account;
- your use of any of the Services made available through the Platform;
- identity verification and AML/CFT compliance procedures conducted in connection with your onboarding and ongoing relationship with us;
- your communications with us, including via customer support, email, and live chat;
- your visits to our website and use of our mobile applications; and
- any other interactions you have with us in connection with the Platform.
This Policy does not cover the privacy practices of third-party websites, applications, or services that may be linked from the Platform. We encourage you to review the privacy policies of such third parties before providing them with personal data.
4. Personal Data We Collect — Comprehensive Inventory
We collect personal data from several sources: directly from you, automatically through your use of the Platform, from our third-party service providers, from public sources and registries, and from counterparty VASPs in connection with Travel Rule compliance. The table below provides a comprehensive inventory of the categories of personal data we collect, the specific data elements, how they are collected, the purposes of processing, and the legal basis.
| Category | Data Elements | How Collected | Processing Purpose | Legal Basis |
|---|---|---|---|---|
| Identity Data | Full name; date of birth; sex; nationality; citizenship; place of birth; personal ID / national ID number; government-issued identity documents (passport, national ID, driving licence — including document type, issuing country, document number, expiry date, MRZ, barcodes, security features, document images/scans) | Directly from you during registration and KYC; via our Identity Verification Service Provider | Account opening; KYC; AML/CFT compliance; fraud prevention; regulatory reporting | Legal obligation; Contract performance |
| Facial Image & Biometric Data | Selfie photographs; facial images/scans from identity documents; biometric facial feature templates (extracted for face-matching); liveness check images/videos (blink, smile, motion prompts); video identification recordings; duplicate identity detection comparisons | Via our Identity Verification Service Provider during the KYC process | Identity authentication; liveness verification; spoofing / deepfake / emulator detection; duplicate account detection; AML/CFT compliance | Explicit consent; Substantial public interest (AML/CFT) |
| Contact Data | Email address; phone number; residential / mailing address; postal code; city; country of residence | Directly from you; verified by our Identity Verification Service Provider | Account management; service delivery; communications; address verification; AML checks | Contract performance; Legal obligation |
| Financial Data | Bank account details (where fiat services are used); card details (first 6 and last 4 digits only); fiat currency amounts; payment method information | Directly from you during fiat deposit/withdrawal processes; via payment service providers | Fiat on/off-ramp processing; payment verification; fraud prevention | Contract performance; Legal obligation |
| Transaction & Trading Data | Wallet addresses (deposit and withdrawal); all trade and order history (pair, price, quantity, timestamp, type); deposit and withdrawal records (amount, asset, date, on-chain transaction hash, counterparty address); account balance history; open positions; funding rate records; liquidation records; P&L history | Generated automatically by your use of the Platform | Service delivery; AML/CFT transaction monitoring; regulatory reporting; dispute resolution; tax obligations | Contract performance; Legal obligation |
| On-Chain & Blockchain Data | Blockchain wallet addresses; on-chain transaction IDs and hashes; asset type and quantity; counterparty wallet addresses; blockchain analytics risk scores; wallet screening results; Travel Rule data (sender/recipient name, physical address or national ID number or date/place of birth, originator/beneficiary account numbers, VASP identifiers) | From on-chain data; via blockchain analytics providers; from counterparty VASPs (Travel Rule) | AML/CFT compliance; Travel Rule compliance; sanctions screening; fraud detection; wallet attribution | Legal obligation; Legitimate interests |
| Identity Verification Risk & Compliance Data | PEP status and screening results; sanctions screening results (OFAC, EU, UN, country-specific lists); adverse media check results; high-risk country / residency flags; KYB corporate verification results (UBO, directors, corporate structure, registry checks); email and phone risk scores; device-based fraud signals; risk rating / customer risk profile; EDD documentation | Via our Identity Verification Service Provider; via blockchain analytics and compliance tools; from regulatory databases | AML/CFT compliance; sanctions compliance; customer risk assessment; regulatory reporting; fraud prevention | Legal obligation; Legitimate interests |
| Corporate & Institutional Data | Entity legal name and registration number; jurisdiction of incorporation; registered address; certificate of incorporation; constitutional documents; UBO declarations; director and officer details; corporate structure chart; regulated status and licences; authorised signatory details | Directly from institutional users during onboarding; from public corporate registries | Institutional account opening; KYB; AML/CFT compliance; regulatory obligations | Legal obligation; Contract performance |
| Device & Technical Data | IP address; device identifiers (Android ID, IDFV, IDFA, OAID); device brand, model, OS type and version; browser type and version; network information (Wi-Fi SSID/BSSID, carrier, MAC address, connection type); device hardware attributes (camera name and type); running application list (for risk control); session timestamps; referring/exit pages | Collected automatically via our Platform, mobile app, and SDK | Platform security; fraud detection; emulator/bot detection; access control; analytics | Legitimate interests; Consent (non-essential) |
| Device Behavioural Data | Screen size and resolution; session language settings; operating system verification signals; window focus/blur events; paste events; mouse movement patterns; keystroke event timing; touch event patterns; battery usage data; accelerometer / G-meter readings; incognito mode detection | Collected automatically during Platform sessions and identity verification processes | Emulator detection; bot and automated attack prevention; fraud scoring; liveness verification | Legitimate interests |
| Usage & Behavioural Data | Login history (timestamps, IP, device); pages visited; features and products accessed; order flow and trading patterns; API call patterns and volumes; session duration; in-app navigation | Collected automatically via the Platform | Platform improvement; personalisation; market integrity monitoring; AML/CFT pattern detection; API abuse detection | Legitimate interests; Consent |
| Communication & Support Data | Support tickets and chat transcripts; email correspondence; dispute records; video identification interview recordings; feedback and survey responses; KYC verification decision records and rejection reason codes | Directly from you; generated during support interactions and verification processes | Customer support; dispute resolution; quality assurance; legal proceedings; KYC audit trail | Contract performance; Legitimate interests |
| Marketing & Preference Data | Marketing communication preferences (opt-in / opt-out status); language preference; product interest signals; referral code / affiliate programme data; promotional campaign responses | Directly from you; inferred from Platform usage | Sending marketing communications (with consent); affiliate programme management; product improvement | Consent; Legitimate interests |
4.1 Sources of Personal Data
(a) Directly From You
You provide personal data when you: register for an Account; complete identity verification (KYC); submit documentation for enhanced due diligence (EDD); make deposits or withdrawals; place orders or execute trades; participate in Financial Products; contact our customer support team; respond to surveys or promotions; or otherwise communicate with us.
(b) Automatically Collected
When you access the Platform or use our mobile application, we automatically collect device data, IP addresses, technical identifiers, session data, and behavioural signals through our Platform infrastructure, mobile SDK, and cookies or similar technologies.
(c) From Identity Verification Service Provider
We engage a third-party identity verification service provider to perform KYC, biometric verification, document authentication, liveness checks, sanctions screening, PEP checks, and fraud detection on our behalf. In that capacity, the provider processes your identity, biometric, contact, device, and compliance data under our instructions as data controller. The provider may also process certain data for its own independent purposes (including service development and cross-client fraud detection) acting as a data controller in its own right; in that case, its own Privacy Policy governs its processing, and data subject rights requests in respect of that processing should be directed to the provider. You may find the current identity verification service provider's Privacy Policy linked in our Help Centre.
(d) From Blockchain and On-Chain Sources
We, and our blockchain analytics providers, may access publicly available on-chain data, including wallet addresses, transaction histories, and blockchain records, in connection with AML/CFT compliance, sanctions screening, and Travel Rule obligations.
(e) From Public Sources and Third-Party Databases
We may collect information about you from public corporate registries (for institutional KYB), government identity registers, PEP and sanctions databases, adverse media sources, consumer credit reference agencies, and other public databases used in connection with our compliance obligations.
(f) From Counterparty VASPs (Travel Rule)
In connection with the FATF Travel Rule, we may receive personal data (including sender and recipient identifying information) from counterparty Virtual Asset Service Providers when you initiate or receive cryptocurrency transfers that meet applicable Travel Rule thresholds.
4.2 Biometric and Special Category Data
We collect and process biometric data (including facial feature templates extracted from your selfie photographs and identity document images, and liveness check recordings) as part of our identity verification process. Biometric data constitutes "special category" personal data under applicable data protection laws and is processed with particular care. The specific processing activities include:
- Document face-match: comparing your selfie to the facial image on your identity document to confirm ownership of the document.
- Liveness verification: confirming that you are a live person in real time, detecting spoofing attempts using static images, videos, masks, deepfakes, or emulators. You may be prompted to blink, smile, or move your device.
- Biometric deduplication: comparing your facial image against previously verified users on our platform to detect duplicate account creation attempts.
- Re-authentication: where you use biometric authentication to access sensitive account functions, your liveness image may be compared to your previously stored biometric record.
- Video identification: where a live video interview is conducted, the recording may be reviewed by authorised personnel for quality assurance and compliance purposes.
We process biometric data on the basis of your explicit consent and/or where such processing is necessary for reasons of substantial public interest, including compliance with applicable anti-money laundering and counter-terrorism financing (AML/CFT) obligations.
You may withdraw your consent to the processing of your biometric data at any time by contacting us through the contact details provided in this Privacy Policy. Please note, however, that withdrawal of your consent may prevent us from completing the identity verification process and may consequently limit or restrict your access to certain features or Services available on the Platform.
4.3 Data We Do Not Collect
We do not collect or store: full payment card numbers or CVV codes; online banking passwords; blockchain private keys or seed phrases; or personal data from persons under the age of 18. If we become aware that we have inadvertently collected data from a minor, we will promptly delete it.
5. Purposes of Processing — How We Use Your Data
5.1 Account Opening and Onboarding
We process your identity, contact, and financial data to establish your Account, conduct identity verification (KYC) and corporate verification (KYB) procedures, assess your eligibility to use the Services, and set your account tier and transaction limits in accordance with our tiered verification system.
5.2 Provision of Trading and Financial Services
We process your transaction, trading, and financial data to execute your orders on the Spot market; process Derivatives Trading positions and calculate margin, liquidation levels, and funding rates; facilitate deposits and withdrawals in Digital Assets; provide access to Financial Products and calculate yields; process referral and affiliate programme transactions; and provide account statements, trade confirmations, and tax reporting data.
5.3 AML/CFT, Sanctions, and Regulatory Compliance
We are subject to anti-money laundering, counter-financing of terrorism, and sanctions laws that require us to verify user identities, monitor transactions, screen against sanctions lists, report suspicious activities, and maintain records. To comply with these obligations, we process your identity data, compliance data, transaction data, on-chain data, and Travel Rule data. This processing is mandatory; it cannot be opted out of, and the provision of the relevant data is a condition of account opening and service provision.
Specific compliance activities include:
- Initial and ongoing KYC and EDD identity verification;
- Real-time and periodic screening against OFAC, EU, UN Security Council, and country-specific PEP and sanctions lists;
- AML transaction monitoring and suspicious activity reporting;
- Know Your Transaction (KYT) blockchain monitoring for illicit activity;
- Travel Rule compliance — collection, verification, and transmission of originator and beneficiary information for qualifying Virtual Asset transfers;
- Risk profiling and customer risk scoring;
- KYB verification for institutional clients; and
- Tax reporting and information exchange with tax authorities as required by applicable law.
5.4 Fraud Prevention and Market Integrity
We analyse transaction patterns, trading behaviour, device signals, and account activity to detect and prevent: account takeover and unauthorised access; identity fraud and document forgery; market manipulation (including wash trading, spoofing, layering, pump-and-dump, and front-running); API abuse and automated attack activity; multiple account creation in violation of our policies; and other prohibited conduct under our Terms of Use. This processing is in the legitimate interests of Bitbase and our user community.
5.5 Platform Security
We process device and technical data, IP addresses, login history, and device behavioural signals to monitor for unauthorised access, investigate security incidents, maintain platform stability, and protect user accounts. Specific security measures include IP reputation checks, device fingerprinting, emulator and bot detection, and anomalous session activity monitoring.
5.6 Customer Support and Dispute Resolution
We retain and process communication and support data to respond to your enquiries, investigate complaints, resolve disputes, and conduct quality assurance reviews. Video identification recordings and KYC decision records may be reviewed by authorised staff for audit and compliance purposes.
5.7 Risk Management and Financial Controls
We process transaction, trading, and financial data to manage our financial and operational risk exposure, including but not limited to monitoring for negative account balances and reporting to our risk management functions.
5.8 Analytics, Research, and Platform Improvement
We use aggregated and, where possible, anonymised usage and behavioural data to analyse Platform performance, understand user activity patterns, develop new features, conduct market research, and generate internal business intelligence. Where data is genuinely anonymised, it falls outside the scope of this Policy.
5.9 Marketing Communications
Where you have provided consent (where required by law), or where we have a legitimate interest in doing so, we may send you promotional communications about new products, features, offers, and market updates by email, push notification, or in-Platform message. You may unsubscribe from marketing communications at any time via the unsubscribe link in any message or by updating your preferences in Account Settings. We do not sell or rent your personal data to third parties for their marketing purposes.
5.10 Legal Proceedings and Regulatory Obligations
We may process your personal data to comply with court orders, respond to regulatory investigations, fulfil tax and financial reporting obligations, and to establish, exercise, or defend legal claims. We may be required to disclose personal data to law enforcement, regulatory authorities, financial intelligence units, or courts, without prior notice to you, where legally required.
5.11 Automated Decision-Making and Profiling
We and our identity verification service provider use automated processing — including machine learning, pattern recognition, and rule-based scoring — during the KYC onboarding process and for ongoing AML/CFT transaction monitoring. Automated checks may produce risk scores, fraud flags, or verification outcomes that affect your ability to access the Services or your transaction limits.
Important safeguards applicable to automated decision-making:
- Automated checks during KYC provide reports and risk indicators; the final decision on your onboarding is made by a human on our side, unless the check result is clearly conclusive and a fully automated decision is justified by applicable law and your explicit consent.
- If your verification fails or your account is restricted based on an automated outcome, you may appeal the decision by contacting us at support@Bitbase.com. Our compliance team will conduct a human review.
- We implement human supervision over automated processes to ensure fairness and to correct erroneous machine learning outcomes.
- Where we make solely automated decisions that produce legal or similarly significant effects, we will inform you and provide meaningful information about the logic involved.
6. Grounds for Processing Your Personal Data
We collect and process your personal data only where we have a valid reason to do so. The principal grounds on which we rely are:
- Providing our Services to you. When you open an Account and use the Platform, we process the personal data necessary to fulfil our obligations to you — including executing trades, processing deposits and withdrawals, managing your Account, and delivering customer support. Without this processing, we cannot provide the Services.
- Compliance with our legal and regulatory obligations. As a virtual asset service provider, we are subject to legal obligations that require us to collect and process personal data — including identity verification, AML/CFT screening, sanctions checks, Travel Rule compliance, transaction monitoring, and regulatory reporting. These obligations apply regardless of your consent and cannot be waived.
- Protecting the Platform and our users. We process personal data to detect and prevent fraud, account takeover, market manipulation, API abuse, and other harmful conduct. We also use data to maintain the security and integrity of the Platform. These activities are necessary to protect both us and the broader user community, and we would not be able to operate a safe and fair platform without them.
- Your consent. For certain processing activities — in particular, the collection and use of biometric data during identity verification, non-essential cookies, and direct marketing communications — we rely on your consent. You may withdraw consent at any time by contacting us at privacy@bitbase.com or using the relevant opt-out mechanism. Withdrawal of consent does not affect any processing carried out before the withdrawal, but may result in restrictions on your ability to use certain features of the Services.
- Additional rights depending on where you live. Data protection laws vary by jurisdiction. Depending on your country or region of residence, you may have additional rights or protections under local law — including rights that apply under the EU General Data Protection Regulation (GDPR), the UK GDPR, or other applicable privacy legislation. Where such laws apply to you, we will honour the obligations they impose. If you have questions about how local law applies to your data, please contact us at privacy@bitbase.com.
7. Data Sharing and Third-Party Disclosure
7.1 General Principles
We do not sell, rent, or trade your personal data to third parties for their own commercial purposes. We share your personal data only as necessary to provide the Services, to comply with our legal obligations, and as described in this Policy.
7.2 Third-Party Recipients — Overview Table
The table below (also set out in Appendix A) sets out the categories of third parties with whom we may share your personal data, the purpose of the sharing, the categories of data shared, and the safeguards in place.
| Recipient Category | Purpose / Services Provided | Data Transferred | Safeguards |
|---|---|---|---|
| Identity Verification Service Provider | KYC; AML/CFT screening; biometric verification; liveness checks; document authentication; PEP/sanctions screening; fraud network checks; KYT/KYB; Travel Rule; wallet attribution | Identity data; facial image / biometric data; contact data; device/behavioural data; compliance data | Data Processing Agreement; contractual obligations; encryption in transit and at rest |
| Cloud Infrastructure Provider | Hosting; data storage; compute; disaster recovery | All categories of personal data held on the Platform | AWS Data Processing Addendum; AWS Shared Responsibility Model; SOC 2 / ISO 27001 certified |
| Blockchain Analytics & Compliance Providers | On-chain transaction monitoring; wallet screening; sanctions compliance; AML/CFT reporting | Wallet addresses; transaction hashes; on-chain transaction data; Travel Rule data | Data Processing Agreement; contractual confidentiality obligations |
| Fiat Payment Service Providers | Processing fiat deposits and withdrawals; chargeback management | Identity data; contact data; financial data; transaction data; device data | Data Processing Agreement; PCI-DSS compliance (where applicable) |
| Fraud Prevention & Risk Intelligence Providers | Device-based fraud detection; risk scoring; emulator/bot detection; cross-platform fraud signals | Device data; device behavioural data; IP address; email / phone risk signals | Data Processing Agreement; contractual confidentiality obligations |
| Regulatory Authorities, Tax Authorities & Law Enforcement | Compliance with legal obligations; response to court orders; cooperation with financial investigations; VASP Travel Rule exchanges | Identity data; transaction data; compliance data; on-chain data (as required by law) | Legal obligation; no transfer unless legally required |
| Affiliates and Group Companies | Intra-group operational support; compliance coordination; shared risk functions | Identity data; contact data; compliance data; account data | Intra-group data sharing agreement; equivalent privacy standards |
| Professional Advisers (Legal, Audit, Tax) | Legal advice; audits; tax compliance; dispute resolution | Data necessary for the specific advisory engagement | Professional confidentiality obligations; Data Processing Agreement where applicable |
| Corporate Successors (Mergers & Acquisitions) | Transfer of business in connection with merger, acquisition, restructuring, or asset sale | All categories, subject to equivalent privacy protections | Confidentiality agreement; privacy protections as a condition of transfer |
7.3 Travel Rule Data Sharing
Where applicable laws require compliance with the FATF Travel Rule, we will share originator and beneficiary information (including name, wallet address, and identifying information) with counterparty VASPs when you initiate or receive Virtual Asset transfers that meet the applicable threshold. This sharing is mandatory and cannot be opted out of. By using our transfer services, you authorise us to share the required Travel Rule information.
7.4 Law Enforcement and Regulatory Disclosures
We may disclose personal data to law enforcement agencies, financial intelligence units, tax authorities, and regulatory bodies where: (i) required by applicable law or court order; (ii) necessary to prevent, detect, or investigate financial crime, fraud, or terrorism; or (iii) necessary to protect the rights, property, or safety of Bitbase, our users, or the public. Where legally permissible, we will endeavour to notify you of such disclosures.
7.5 Business Transfers
In the event of a merger, acquisition, restructuring, bankruptcy, or sale of all or substantially all of our assets, your personal data may be transferred to the acquiring entity. We will require any acquirer to maintain privacy protections equivalent to those in this Policy and will provide advance notice to you where required by law.
7.6 Aggregated and Anonymised Data
We may share aggregated or anonymised data (which cannot reasonably be used to identify you) publicly or with partners for market intelligence, research, and reporting purposes. Such data is not personal data and is not subject to this Policy.
8. Data Transfers
We may transfer or disclose your personal data to our affiliates, trusted third-party partners, and service providers located in various jurisdictions around the world where such transfer is necessary for the purposes set out in this Privacy Policy.
Where your personal data is transferred to third countries or international organisations outside your country of residence that are not subject to an adequacy decision or equivalent level of protection under applicable data protection laws, we will implement appropriate safeguards to ensure that such transfers are conducted in compliance with applicable legal requirements. Such safeguards may include technical, organisational, and contractual measures designed to ensure that your personal data continues to receive an adequate level of protection consistent with applicable data protection laws.
By using the Platform, you acknowledge and accept that your personal data may be transferred as described above.
9. Data Retention
9.1 Retention Schedule
We retain personal data for as long as is necessary to fulfil the purposes for which it was collected and to comply with our legal and regulatory obligations. Our retention schedule is set out in the table below.
| Data Category | Retention Period | Basis for Retention Period |
|---|---|---|
| Account registration data and identity documents | Minimum 5 years from account closure or last transaction (whichever is later) | AML/CFT legal obligations; regulatory record-keeping requirements |
| Biometric data (facial feature templates, liveness images) | Retained only while necessary for the verification purpose; deleted upon expiry of AML/CFT retention period or on verified deletion request; permanently non-recoverable upon deletion | AML/CFT compliance; legal obligation; explicit consent basis |
| Transaction and trading records (all Services) | Minimum 5 years from date of each transaction; longer if required by applicable tax or regulatory law | AML/CFT; tax law; regulatory reporting obligations |
| On-chain and blockchain / Travel Rule data | Minimum 5 years from transaction date | FATF Travel Rule; AML/CFT regulations; applicable VASP legislation |
| KYC / compliance risk records (PEP/sanctions screening, EDD) | Minimum 5 years from account closure; longer if required by applicable law or active investigation | AML/CFT; regulatory examination obligations |
| Fiat transaction and payment records | Minimum 5 years from transaction date, or longer per applicable payment regulation | Payment law; tax law; AML/CFT |
| Customer support and communications | 3 years from date of last communication; longer if subject to active dispute, legal proceedings, or regulatory inquiry | Legitimate interests; contract performance; legal defence |
| Device, technical, and behavioural logs | Up to 2 years; longer if retained in connection with a security investigation or legal proceeding | Legitimate interests; fraud and security obligations |
| Video identification recordings | Same as KYC records (minimum 5 years) or as required by applicable eIDAS / AML/CFT law | AML/CFT; eIDAS framework (where applicable); legal obligation |
| Marketing preference records | Until consent withdrawn; plus 1 additional year for compliance record-keeping | Consent; accountability obligations |
| Corporate/institutional onboarding records | Minimum 5 years from end of business relationship | AML/CFT; KYB regulatory obligations |
9.2 Criteria for Determining Retention Periods
In determining appropriate retention periods, we take into account: the nature and sensitivity of the data; the purposes for which it is processed; whether the purpose can be achieved by retention of anonymised data; applicable AML/CFT, tax, and financial regulatory requirements; contractual obligations; and the potential risk of harm from unauthorised disclosure.
9.3 Deletion and Destruction
Upon expiry of the applicable retention period, we will securely and permanently delete or irreversibly anonymise your personal data. Our deletion procedures include:
- Electronic data: permanently deleted from all systems using methods that prevent recovery; AWS S3 Object Deletion is used for cloud-stored data. Where data has been backed up, backup copies are deleted within the backup rotation cycle.
- Biometric data: deleted using methods that render the data non-recoverable, including by forensic techniques.
- Paper documents: shredded or incinerated.
- Mobile and removable media: factory reset or physical destruction for sensitive data.
We take reasonable steps to ensure that our third-party data processors also delete or anonymise your data upon expiry of the retention period in accordance with their contractual obligations to us. Deletion requests received from you will be fulfilled within thirty (30) days, subject to mandatory legal retention obligations. We will notify you if we are unable to delete certain data due to legal obligations.
10. Data Security
10.1 Technical and Organisational Measures
We implement a comprehensive set of technical and organisational security measures to protect your personal data against unauthorised access, disclosure, alteration, accidental loss, or destruction. These include:
- Encryption of all data in transit using TLS (Transport Layer Security) and of data at rest using AES-256 or equivalent encryption standards on AWS;
- Role-based access controls and the principle of least privilege, ensuring that personal data is accessible only to authorised personnel who need it to perform their functions;
- Mandatory two-factor authentication (2FA) for all Platform user accounts;
- API key whitelisting and rate limiting to prevent unauthorised API access;
- Multi-signature (multi-sig) wallet architecture and cold storage for the majority of Digital Asset reserves;
- Tiered hot/cold wallet system to minimise exposure of online assets;
- Dedicated internal risk control and security monitoring functions with continuous Platform activity monitoring;
- Regular penetration testing, vulnerability assessments, and security audits;
- Incident detection and response procedures, including forensic investigation capabilities; and
- Regular staff training on information security, data protection, and phishing awareness.
10.2 Your Responsibilities
You are responsible for maintaining the confidentiality of your Account credentials, including your password, 2FA codes, and API keys. You should use a strong, unique password, enable all available security features, and never share your credentials. If you suspect any unauthorised access to your Account, contact us immediately at support@Bitbase.com.
10.3 No Absolute Security Guarantee
While we take all reasonable measures to protect your data, no system is completely immune to security threats. The transmission of data over the internet is inherently insecure. We cannot guarantee the absolute security of data transmitted to or from the Platform.
11. Personal Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- notify relevant regulatory authorities within the timeframe required by applicable law (where applicable);
- notify affected users without undue delay and, where possible, within the timeframes required by applicable data protection law; and
- provide affected users with information about: the nature of the breach; the categories and approximate number of data records affected; the likely consequences of the breach; and the measures taken or proposed to address the breach.
Breach notifications will be sent to the email address associated with your Account and, where appropriate, via a prominent notice on the Platform. Where individual notification is not reasonably practicable due to the scale of the breach, we will make a public communication via the Platform.
12. Cookies and Tracking Technologies
12.1 What We Use
We use cookies and similar tracking technologies (including web beacons, pixel tags, SDKs, and device fingerprinting) on the Platform and in our mobile applications for the following purposes:
Strictly Necessary
These technologies are essential for the operation of the Platform. They enable core functions such as session management, authentication, security (CSRF protection, unauthorised access detection), and load balancing. They also underpin our fraud prevention and emulator/bot detection systems. These cannot be disabled.
Performance and Analytics
We use performance cookies and analytics tools to understand how users navigate the Platform, identify performance issues, measure feature usage, and improve the overall user experience. These require your consent where applicable law so requires.
Functional
These technologies remember your preferences (such as language and region settings) and enable enhanced Platform features. They require consent where applicable.
Advertising and Targeting
Where enabled and with your consent, we may use first-party and third-party advertising cookies to present relevant promotions. These require consent where applicable law so requires.
12.2 Managing Cookies
You can manage your cookie preferences through our Cookie Preference Centre (accessible via the "Cookie" link in the footer of our website) or through your browser settings. Disabling certain cookies may affect your ability to use some features of the Platform. If you use a VPN, please be aware that VPN-assigned IP addresses may affect the accuracy of location-based cookie consent banners; we recommend managing your preferences manually via the Cookie Preference Centre.
12.3 Mobile Application Permissions
Our mobile application may request access to certain device permissions to provide the Services. Key permissions and their purposes include: camera (for document scanning and liveness checks during KYC); storage (for uploading documents); device identifiers (for fraud detection and device binding). Granting these permissions does not mean they are activated immediately; sensitive permissions will only be requested when the relevant function is accessed, and you will be prompted to consent at that time.
13. Your Data Protection Rights
13.1 Rights Available to You
Subject to applicable law and certain legal exceptions, you may have the following rights with respect to your personal data held by us:
Right of Access (Data Subject Access Request)
You may request a copy of the personal data we hold about you, together with information about the purposes for which it is processed, the categories of data, the recipients, the retention period, and your rights. We will provide a response in a commonly used electronic format.
Right to Rectification
You may request correction of inaccurate personal data, or completion of incomplete personal data, that we hold about you. Please note that certain data (such as identity verification records) cannot be changed unilaterally and may require a new verification process.
Right to Erasure (Right to Be Forgotten)
You may request deletion of your personal data where: it is no longer necessary for the purposes for which it was collected; you withdraw consent (where processing is consent-based); you successfully object to processing based on legitimate interests; or the data has been unlawfully processed. We will comply unless we are required or entitled to retain the data by law (e.g., AML/CFT record-keeping obligations).
Right to Restriction of Processing
You may request restriction of processing in certain circumstances, including while we verify the accuracy of disputed data, while an objection to legitimate interest processing is assessed, or where processing is unlawful but you do not want us to delete the data.
Right to Data Portability
Where processing is based on consent or contract performance and carried out by automated means, you may request that we provide your personal data in a structured, commonly used, machine-readable format, or that we transmit it directly to another controller where technically feasible.
Right to Object
You may object at any time to processing based on our legitimate interests (including profiling). We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or that the processing is necessary for the establishment, exercise, or defence of legal claims. You may also object unconditionally to processing for direct marketing purposes.
Right to Withdraw Consent
Where processing is based on your explicit consent (including for biometric data), you may withdraw consent at any time by contacting us at privacy@Bitbase.com. Note that withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. Withdrawal of consent to biometric processing may prevent completion of identity verification and may result in account access restrictions.
Rights Related to Automated Decision-Making
You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects on you, unless such processing is necessary for the conclusion or performance of a contract with you, authorised by applicable law, or based on your explicit consent. Where such processing occurs, you have the right to obtain human review, to express your point of view, and to contest the decision.
13.2 How to Exercise Your Rights
To exercise any of the above rights, please submit a written request to privacy@Bitbase.com including: your full name; the email address associated with your Account; clear identification of the right you wish to exercise; and sufficient information to verify your identity (we may ask for additional verification).
We will acknowledge your request promptly and respond within thirty (30) days. In complex cases, we may extend this period by a further sixty (60) days, with prior notice to you explaining the reason for the extension. We will not charge a fee for handling reasonable requests; however, we may charge a reasonable administrative fee or decline to action requests that are manifestly unfounded, excessive, or repetitive.
13.3 Limitations on Rights
Your rights may be limited or restricted where: (i) we are required by law to retain or process the data (including AML/CFT record-keeping); (ii) the data is necessary to establish, exercise, or defend legal claims; (iii) exercising the right would adversely affect the rights or freedoms of third parties; or (iv) other statutory exemptions apply. We will always explain any restriction or limitation that applies to your specific request.
13.4 Dormant Account Data
We do not apply a specific dormant account policy that independently triggers data deletion. Inactive accounts are subject to our standard AML/CFT transaction monitoring processes. Account data is retained in accordance with Section 9 regardless of account activity levels.
14. Cryptocurrency-Specific Data Practices
14.1 Blockchain Transparency
Please be aware that blockchain networks are public and immutable. When you send or receive Digital Assets on a blockchain, your wallet address and transaction details (including amounts and counterparty wallet addresses) become publicly visible on the blockchain. We have no ability to delete or alter on-chain data. Our privacy obligations under this Policy relate to personal data we hold in our own systems; we cannot control the visibility of on-chain data.
14.2 Wallet Address Linkage
We associate your registered wallet addresses with your identity within our internal systems for AML/CFT compliance purposes. This association is not published publicly. However, third-party blockchain analytics tools may independently link wallet addresses to identities using publicly available on-chain data.
14.3 FATF Travel Rule Compliance
As a Virtual Asset Service Provider (VASP), we are required to comply with the FATF Travel Rule, which mandates the collection, verification, and transmission of originator and beneficiary information for qualifying Virtual Asset transfers. When you initiate or receive a transfer that meets the applicable threshold, we will:
- collect your name, wallet address, and applicable identifying information;
- verify that information as part of our KYC process;
- transmit that information to the counterparty VASP using encrypted messaging protocols; and
- retain a record of the information transmitted.
We may also receive originator and beneficiary information from counterparty VASPs when you receive Virtual Asset transfers. We process received Travel Rule data for AML/CFT compliance purposes only.
14.4 Know Your Transaction (KYT) Monitoring
We use blockchain analytics tools to conduct Know Your Transaction (KYT) monitoring. KYT involves analysing on-chain transaction data associated with your wallet addresses to detect unusual patterns, links to illicit activity, or sanctions exposure. KYT results may affect your ability to deposit or withdraw Digital Assets and may trigger enhanced due diligence.
14.5 Unhosted Wallet Verification
Where applicable Travel Rule regulations require, we may ask you to verify ownership or control of an unhosted (self-custodied) wallet address. Verification may be conducted by: signing a test message with the wallet's private key; submitting a declaration of ownership; providing a screenshot of the wallet; or, in some cases, via a micro-transaction (Satoshi test). Verification records are retained for Travel Rule compliance purposes.
15. Derivatives Trading and Leveraged Products — Specific Data Practices
For users of our Derivatives Trading products, we process additional data specific to leveraged products:
- Position data: open positions, position size, entry price, mark price, liquidation price, unrealised P&L, and margin ratio.
- Margin and collateral data: margin type (isolated/cross), initial margin, maintenance margin, margin ratio breaches, and collateral asset composition.
- Liquidation records: where forced liquidation is triggered because your margin ratio falls below the maintenance margin rate, we record the liquidation event, the positions closed, the mark price at time of liquidation, and any Insurance Fund utilisation.
- Funding rate records: periodic funding rate payments between long and short positions.
This data is processed for contract settlement, margin and liquidation management, risk control, regulatory reporting, and dispute resolution purposes.
16. Institutional and Business Users
Where you use the Services in a business or institutional capacity, we collect corporate personal data in addition to the individual data described above. This includes data relating to your entity's authorised representatives, ultimate beneficial owners (UBOs), directors, officers, shareholders, and other relevant natural persons ("Associated Persons").
You are responsible for ensuring that Associated Persons have been informed that their personal data will be provided to us and processed in accordance with this Policy. By providing us with personal data relating to Associated Persons, you represent that you have a lawful basis for doing so and that the Associated Persons have been informed of and have consented (where required) to such disclosure.
Institutional users may be subject to enhanced due diligence requirements, more extensive data collection, and separate institutional account terms that supplement this Policy.
17. API Users
If you access the Platform via our API, we collect and retain records of all API calls made using your credentials, including timestamps, IP addresses, parameters, and responses. API access logs are used for security monitoring, fraud detection, rate limiting, and abuse prevention. Unusual API patterns (including behaviour characteristic of market manipulation or unauthorised access) may trigger account review or restriction.
18. Minors
The Platform and Services are not directed at, and are not intended for use by, persons under the age of 18 years. We do not knowingly collect personal data from minors. Our identity verification process is designed to detect and reject minors.
If we become aware that we have inadvertently collected personal data from a minor, or if a minor has been submitted to identity verification without parental consent (where applicable law requires such consent), we will promptly delete the data upon becoming aware of the issue. If you believe a minor's data has been submitted, please contact us immediately at privacy@Bitbase.com.
19. Third-Party Links and Integrations
The Platform may contain links to third-party websites, applications, or services that are not operated or controlled by us. When you click on such links, you leave the Platform and your activity is governed by the third party's own privacy policy. We are not responsible for the privacy practices or content of any third-party sites.
The Platform may also integrate with third-party service providers (such as payment processors, fiat on-ramp providers, and blockchain data services) who process your data under our instructions and as described in Section 7 and Appendix A. The privacy policies of such providers govern their own independent data practices; links to the privacy policies of our key service providers are available in our Help Centre.
20. Deceased Users
In the event of a user's death, we may respond to requests from verified next of kin or estate representatives regarding the deceased user's account and assets, subject to our account closure procedures, applicable succession law, and AML/CFT obligations. Personal data of deceased users will continue to be retained and processed in accordance with this Policy for the applicable retention periods.
21. Governing Law
This Policy is governed by and construed in accordance with the laws of the Republic of Panama. Any disputes arising in connection with this Policy shall be resolved in accordance with the dispute resolution provisions set out in our Terms of Use. Nothing in this Section limits your rights under mandatory data protection laws applicable in your jurisdiction of residence.
22. Changes to This Privacy Policy
We may update or amend this Policy at any time. We will post the revised Policy on the Platform with an updated effective date. For material changes — including changes to the categories of data collected, the purposes for which data is processed, the categories of third parties with whom data is shared, or your rights — we will provide advance notice via email to the address associated with your Account and/or via a prominent in-Platform notice, with at least fourteen (14) days' advance notice before the change takes effect (where practicable). For non-material changes (such as typographical corrections or clarifications that do not affect our data practices), we will post the updated Policy without individual notice.
Your continued use of the Platform after the effective date of any revised Policy constitutes acceptance of the updated terms. If you do not agree with any change, you should cease using the Platform and submit an Account closure request before the change takes effect.
23. Language
This Privacy Policy is executed in the English language. In the event of any conflict between the English version and any translated version, the English version shall prevail.
Glossary
AML/CFT: Anti-Money Laundering / Countering the Financing of Terrorism — the regulatory framework of laws, regulations, and procedures designed to detect and prevent money laundering and terrorist financing.
Biometric Data: Personal data resulting from specific technical processing of physical or behavioural characteristics that allows or confirms unique identification of a person, including facial feature templates.
Controller: The natural or legal person that determines the purposes and means of processing personal data. For the purposes of this Policy, the Controller is Bitbase Global Inc.
Data Subject: Any identified or identifiable natural person whose personal data is processed by the Controller.
EDD: Enhanced Due Diligence — additional identity verification and risk assessment measures applied to higher-risk customers.
FATF Travel Rule: A recommendation by the Financial Action Task Force requiring VASPs to collect and transmit originator and beneficiary information for Virtual Asset transfers above a certain threshold.
GDPR: The General Data Protection Regulation (EU) 2016/679, and as applicable, the UK GDPR as implemented in UK domestic law.
KYB: Know Your Business — the process of verifying the identity, structure, and beneficial ownership of a legal entity.
KYC: Know Your Customer — the process of verifying the identity of individual users in accordance with AML/CFT and regulatory requirements.
KYT: Know Your Transaction — blockchain transaction monitoring to detect unusual or illicit activity in Virtual Asset transfers.
PEP: Politically Exposed Person — an individual who is or has been entrusted with a prominent public function, including their immediate family members and close associates.
Personal Data: Any information relating to an identified or identifiable natural person.
Processor: A natural or legal person that processes personal data on behalf of the Controller.
Special Category Data: Categories of personal data that warrant heightened protection, including biometric data, health data, racial/ethnic origin, political opinions, religious beliefs, and trade union membership.
VASP: Virtual Asset Service Provider — a business that provides Virtual Asset exchange, transfer, custody, or related services.