Privacy Policy.

XCHAINGER s.r.o. is incorporated in the Slovak Republic, registration number 56 684 258, with registered office at Betliarska 22, 851 07 Bratislava – mestská časť Petržalka, Slovakia.

XCHAINGER operates exclusively as a proprietary crypto-asset trader. We trade in our own name, on our own account, at our own risk, and using our own corporate funds. We do not provide crypto-asset services to third parties, do not onboard anyone through this Website, do not hold, control, manage, safeguard, or administer assets belonging to third parties, do not manage third-party funds, and do not execute orders on behalf of third parties.

This Privacy Policy applies to:

• visitors of the website operated under the domain xchainger.trade;
• persons who contact XCHAINGER by email, Telegram, contact form, or other communication channels;
• counterparties involved in specific proprietary transactions with XCHAINGER on approved centralized third-party marketplaces, where XCHAINGER is required to perform AML/CFT due diligence.

01 Data Controller

The data controller is:

• XCHAINGER s.r.o.
• Registration number: 56 684 258
• Registered office: Betliarska 22, 851 07 Bratislava – mestská časť Petržalka, Slovakia
• General contact: contact@xchainger.trade
• Data protection requests: dpa@xchainger.trade

02 Key Definitions

“Personal data” means any information relating to an identified or identifiable natural person.

“Website” means the informational website operated under the domain xchainger.trade.

“Counterparty” means a natural person or legal entity entering into a specific transaction with XCHAINGER on an approved centralized third-party marketplace. A counterparty is not a customer, client, or service user of XCHAINGER.

“AML/CFT” means anti-money laundering and counter-terrorist financing.

“KYC/KYCP” means identity and counterparty due-diligence checks performed only where required for AML/CFT compliance. In the context of XCHAINGER’s proprietary trading activity, this should be understood as Know Your Counterparty, not onboarding to a service.

“Processor” means a third-party service provider that processes personal data on behalf of XCHAINGER.

03 What Personal Data We Collect

3.1 Website visitors

When you access or browse the Website, we may process limited technical data, including:

• IP address;
• browser type and version;
• operating system;
• device type;
• referring and exit pages;
• timestamps;
• security logs;
• cookie identifiers, where applicable.

We use this data to operate the Website, maintain security, prevent abuse, and understand basic website performance.

3.2 Persons who contact us

If you contact XCHAINGER voluntarily, we may process:

• your name;
• email address;
• Telegram username or other contact identifier;
• phone number, if provided;
• company name, if provided;
• the content of your message;
• attachments or documents that you choose to send;
• metadata connected with the communication.

We use this data only to review and respond to your inquiry, maintain business records, protect our legal interests, and comply with legal obligations.

3.3 Counterparties in specific proprietary marketplace transactions

Where XCHAINGER enters into or considers entering into a specific proprietary transaction on an approved centralized third-party marketplace, we may be legally required to perform AML/CFT due diligence. In that context, we may process:

• full name;
• date and place of birth;
• nationality;
• country of residence;
• residential address;
• identity document type, number, issuing country, issuing authority, issue date, expiry date, and document image;
• selfie, facial image, liveness check data, face-match data, and similar identity-verification data, where required;
• proof of address;
• email address;
• phone number;
• IP address, device identifiers, geolocation data, and fraud-prevention indicators, where available;
• bank account details, payment account details, IBAN, payment reference, payer/payee name, and transaction details;
• crypto wallet addresses, blockchain transaction hashes, crypto-asset type, network, amount, and risk-scoring data;
• approved centralized third-party marketplace order references and transaction records;
• communication records, including official marketplace order-chat messages and screenshots, where relevant;
• information about the purpose and intended nature of the transaction;
• source-of-funds and source-of-wealth information and supporting documents;
• occupation, business activity, employer or business information, where relevant;
• sanctions, PEP, adverse media, fraud, and AML screening results;
• information required to assess whether the transaction is lawful, legitimate, and consistent with XCHAINGER’s AML/CFT risk appetite.

We request this information only where it is required or reasonably necessary for AML/CFT compliance, fraud prevention, sanctions screening, transaction monitoring, risk assessment, legal claims, or regulatory reporting.

04 Special Categories of Personal Data

XCHAINGER does not seek to collect special categories of personal data unless this is required or necessarily occurs in the context of AML/CFT due diligence.

Where identity verification involves liveness checks, face matching, face authentication, or similar technical checks, biometric data or facial-verification data may be processed for the purpose of verifying identity and preventing fraud.

Such data is processed only where necessary for AML/CFT compliance, fraud prevention, identity verification, sanctions compliance, or related legal obligations, and only with appropriate safeguards.

We do not use biometric data, facial images, or identity-verification data for marketing, advertising, unrelated profiling, or sale to third parties.

05 Sources of Personal Data

We may receive personal data from:

• you directly;
• a counterparty to a specific proprietary marketplace transaction;
• approved centralized third-party marketplaces;
• banks, payment institutions, electronic money institutions, and payment service providers;
• blockchain networks and publicly available blockchain data;
• identity verification providers;
• blockchain analytics and KYT providers;
• sanctions, PEP, adverse media, and AML databases;
• public registers, company registers, court registers, insolvency registers, and similar public sources;
• law enforcement, regulators, courts, or other competent authorities;
• professional advisers, auditors, or compliance consultants.

06 Purposes of Processing

We process personal data for the following purposes:

6.1 Website operation and security

• operating and maintaining the Website;
• protecting the Website from misuse, fraud, cyberattacks, and unauthorized access;
• diagnosing technical issues;
• maintaining security logs.

6.2 Communication

• responding to inquiries;
• maintaining corporate correspondence;
• handling legal, compliance, banking, platform, or business inquiries.

6.3 AML/CFT compliance

• verifying the identity of counterparties;
• performing sanctions, PEP, adverse media, and fraud screening;
• assessing the purpose and intended nature of a transaction;
• verifying source of funds and source of wealth where required;
• monitoring transactions;
• matching fiat payments and crypto-asset movements to specific marketplace orders;
• rejecting third-party payments, mismatched payments, and off-platform settlement requests;
• maintaining transaction evidence packs and escalating unusual activity to the MLRO;
• detecting suspicious, unusual, high-risk, or prohibited activity;
• preventing money laundering, terrorist financing, sanctions violations, fraud, and other unlawful activity;
• filing reports with competent authorities where required.

6.4 Proprietary trading transaction administration

• matching a payment or crypto-asset transfer to a specific transaction;
• documenting transaction records;
• resolving payment errors, duplicate payments, refunds, cancellations, disputes, or compliance rejections;
• maintaining accounting and audit records.

6.5 Legal and regulatory purposes

• complying with laws, regulations, court orders, and requests from competent authorities;
• maintaining statutory records;
• protecting XCHAINGER’s rights and legal interests;
• establishing, exercising, or defending legal claims.

07 Legal Bases for Processing

Depending on the context, XCHAINGER processes personal data on the following legal bases:

7.1 Legal obligation

We process personal data where necessary to comply with AML/CFT, sanctions, accounting, tax, corporate, regulatory, and other legal obligations applicable to XCHAINGER.

7.2 Legitimate interests

We process personal data where necessary for our legitimate interests, including:

• operating and securing the Website;
• communicating with persons who contact us;
• preventing fraud and abuse;
• documenting transactions;
• protecting XCHAINGER’s legal position;
• maintaining internal compliance and risk-management systems.

We do not rely on legitimate interests where such interests are overridden by the rights and freedoms of the data subject.

7.3 Contractual necessity

Where a specific transaction is being considered or concluded with a counterparty on an approved centralized third-party marketplace, certain data may be processed where necessary to take steps before entering into the transaction or to administer the transaction as principal. This does not create a customer relationship or service relationship.

7.4 Consent

Where required by law or by the relevant verification process, we may ask for consent, including explicit consent for certain identity-verification or biometric processing. Where processing is based on consent, you may withdraw that consent at any time. Withdrawal of consent does not affect processing already carried out before withdrawal.

If AML/CFT due diligence cannot be completed after consent is withdrawn, XCHAINGER may be required to decline, cancel, reverse, or refrain from entering into the relevant transaction.

7.5 Special categories of data

Where special categories of personal data are processed, including biometric data used for identity verification, XCHAINGER relies on one or more applicable conditions under Article 9 GDPR, including explicit consent, substantial public interest, legal claims, or other conditions permitted by applicable EU or Slovak law.

08 Cookies and Similar Technologies

The Website uses essential browser storage for security, form operation, and remembering cookie notice preferences. The Website currently does not use advertising cookies or cross-site tracking.

Essential cookies may be used to make the Website function properly and securely. Analytics or other non-essential cookies will be used only where legally permitted and, where required, after prior consent.

You can manage cookies through your browser settings or through the Website’s cookie tools, where available.

We do not use cookies to sell personal data, track users across unrelated websites for advertising, or build marketing profiles.

09 Data Sharing

XCHAINGER may share personal data only where necessary and lawful. Recipients may include:

• identity verification providers, including Sumsub;
• blockchain analytics and KYT providers, including Crystal Blockchain;
• cloud hosting, IT, cybersecurity, and communication providers;
• banks, payment institutions, electronic money institutions, and payment service providers;
• approved centralized third-party marketplaces, where necessary for a specific transaction, dispute, or compliance matter;
• professional advisers, auditors, accountants, legal counsel, and compliance consultants;
• courts, regulators, law-enforcement authorities, the Slovak Financial Intelligence Unit, tax authorities, sanctions authorities, and other competent public authorities;
• group companies or affiliated entities, only where necessary for corporate administration, compliance, risk management, or legal purposes and subject to appropriate safeguards.

We do not sell personal data. We do not share personal data for third-party advertising. We do not allow processors to use personal data for their own unrelated purposes.

10 Processors and Subprocessors

XCHAINGER uses third-party providers to support identity verification, AML/CFT compliance, blockchain analytics, IT infrastructure, security, communication, and data storage.

Where a processor processes personal data on our behalf, we require appropriate contractual safeguards under GDPR, including confidentiality, security, restricted use, and data protection obligations.

Some processors may use subprocessors. Where this happens, international transfer safeguards and data protection obligations must apply.

11 International Transfers

Personal data may be transferred outside the European Economic Area where a processor, subprocessor, database provider, support provider, or other recipient is located outside the EEA.

Where personal data is transferred outside the EEA, we use appropriate safeguards, including:

• adequacy decisions;
• Standard Contractual Clauses;
• supplementary technical and organisational measures;
• other lawful transfer mechanisms under GDPR.

12 Data Retention

XCHAINGER retains personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

12.1 AML/CFT and transaction records

AML/CFT due-diligence records, transaction records, counterparty verification records, sanctions screening records, and related compliance data are generally retained for at least 5 years from the completion of the relevant transaction or from the end of the relevant relationship, where applicable, unless a longer period is required or permitted by law.

12.2 Website logs

Website logs and security logs are generally retained for up to 12 months, unless longer retention is required for security investigations, fraud prevention, legal claims, or compliance purposes.

12.3 Communications

General correspondence is retained for as long as necessary to respond to the inquiry and maintain appropriate business, legal, and compliance records.

12.4 Legal claims and investigations

Where data is relevant to a dispute, investigation, regulatory request, suspicious activity report, sanctions matter, fraud case, or legal claim, we may retain it for as long as necessary to protect our legal interests or comply with legal obligations.

13 Security

XCHAINGER applies appropriate technical and organisational measures to protect personal data, including:

• access controls;
• restricted employee and contractor access;
• secure storage;
• encryption where appropriate;
• secure communication channels where available;
• monitoring and logging;
• confidentiality obligations;
• AML/CFT and data-protection procedures;
• vendor due diligence;
• periodic review of access rights.

No system is completely secure. If you believe that your data has been compromised or that someone is impersonating XCHAINGER, contact us immediately at contact@xchainger.trade.

14 Your GDPR Rights

Subject to applicable legal limitations, you may have the following rights:

• right of access;
• right to rectification;
• right to erasure;
• right to restriction of processing;
• right to object;
• right to data portability;
• right to withdraw consent where processing is based on consent;
• right to lodge a complaint with a data protection authority.

To exercise your rights, contact us at: dpa@xchainger.trade. We may need to verify your identity before responding to a request.

Please note that AML/CFT, sanctions, accounting, tax, regulatory, and legal obligations may limit our ability to delete, restrict, or disclose certain information. For example, we may be legally required to retain AML/CFT records for a statutory period.

15 Complaints

You have the right to lodge a complaint with your local data protection authority. In Slovakia, the competent authority is:

• Úrad na ochranu osobných údajov Slovenskej republiky
• The Office for Personal Data Protection of the Slovak Republic

You may also contact us first at dpa@xchainger.trade so that we can review and address your concern.

16 Automated Decision-Making

XCHAINGER does not make decisions based solely on automated processing that produce legal effects or similarly significant effects on individuals.

AML/CFT tools, identity verification systems, blockchain analytics tools, fraud indicators, sanctions databases, and risk-scoring tools may generate technical results, alerts, or recommendations. Final decisions to proceed with, decline, cancel, reverse, or further review a transaction involve human review where required.

17 Minors

The Website is not intended for minors.

XCHAINGER does not knowingly enter into proprietary marketplace transactions with minors and does not knowingly collect personal data from minors. If you believe that a minor has provided personal data to XCHAINGER, please contact us immediately.

18 Third-Party Platforms and Websites

XCHAINGER may conduct proprietary trading on approved centralized third-party marketplaces. Those platforms are operated by independent third parties and have their own terms, privacy policies, verification processes, and compliance procedures.

This Privacy Policy does not apply to personal data processed by third-party platforms as independent controllers. The Website may contain links to third-party websites or platforms. XCHAINGER is not responsible for their privacy practices.

19 No Customer Relationship

Nothing in this Privacy Policy creates or implies that XCHAINGER provides crypto-asset services, payment services, custody services, exchange services, investment services, account services, wallet services, order execution, transfer services, or any other regulated service to the public.

Any AML/CFT due-diligence request made by XCHAINGER is made only in connection with a specific proprietary transaction and only for legal compliance.

20 Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The latest version will be published on the Website and will indicate the date of the latest update.

21 Contact

• XCHAINGER s.r.o.
• Registration number: 56 684 258
• Registered office: Betliarska 22, 851 07 Bratislava – mestská časť Petržalka, Slovakia
• General contact: contact@xchainger.trade
• Data protection requests: dpa@xchainger.trade

© 2026 XCHAINGER s.r.o. — All rights reserved.