Privacy Policy


Last update: 7th of November, 2024

General

CEX.IO (hereinafter, "CEX.IO", "we", "us" or "our") is committed to protecting and respecting the privacy of our Users (hereinafter, “User(s)”, “you”, “customer”).  

This Privacy Policy applies to Users served by CEX.IO EU VASP, UAB (Lithuania) and CEX OVRS LLC (St. Kitts and Nevis). For more information about these entities, including which entity provides services to you please see our Terms of Use.

Our Privacy Policy for residents of the United States is available here.

If you are a California resident, you can learn more about how we use your information and your privacy rights by reviewing our California Privacy Notice

By agreeing to this Privacy Policy and the Terms of Use, you are entering into an electronic agreement between you and a specific CEX.IO entity.
This Privacy Policy (together with our Terms of Use) describes our policies and procedures on the collection, use, and disclosure of personal information we collect when you use CEX.IO’s website, any and all services, products, and content, and tells you about your privacy rights and how the law protects you.

We adhere to the standards outlined in this Privacy Policy, ensuring we collect and process personal information lawfully, fairly, transparently, and with legitimate, legal reasons for doing so.

The purpose of this Privacy Policy is to inform you of:

  1. Interpretation and Definitions
  2. Who we are
  3. Collecting and Using Your Personal Information    
  4. Your rights in relation to your Personal Data
  5. Exercising of your Data Protection Rights
  6. Retention of Personal Information
  7. Disposal of Personal Information
  8. Tracking Technologies and Cookies
  9. Disclosure of Personal Information
  10. International Data Transfers
  11. Third-Party Sites and Resources Disclaimer
  12. Marketing Data Processing, Advertising and Social Media Fan Pages
  13. AI Products in Communication Channels
  14. Security of Your Personal Data
  15. Security measures for processing payment card details
  16. Fraud, Phishing and Email Scams Disclaimer
  17. Changes to this Privacy Policy
  18. Contact us  

1. Interpretation and Definitions

1.1. Interpretation

The words of which the initial letter is capitalised have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

1.2. Definitions

For the purposes of this Privacy Policy:

  • Account: means an account registered by the User on the Platform.
  • СEX.IO affiliates: subsidiaries, parent companies, and companies under common control.
  • Personal Information (Personal Data): any information which identifies you personally or which may help us to identify you (e. g. your name, address, e-mail address, trades etc.).
  • Data Subject: an identified or identifiable person (User/you/customer).
  • Data Controller: for the purposes of the applicable laws in the EU and UK controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Data Processor: a company which processes personal data on behalf and upon instructions of the Data Controller.
  • Our Site: websites with the following domains such as CEX.IO - our Platform used for providing our services to you and any other CEX.IO domains that is used for the purposes of informing our Users on our promotional, marketing campaigns and special offers; or any other related websites that may be created by CEX.IO in future.     
  • Personal Data processing: any operation or set of operations performed on personal data (e.g., collection, storage, use, disclosure erasure).
  • Tracking Technologies include cookies, web beacons, tracking pixels, and other tracking technologies used on our Site, including any other media form, media channel, mobile website, or mobile application to help customise the Site and improve your experience; for more detailed information please visit the Tracking Technologies section of our Privacy Policy.
  • Device means any device that can access the CEX.IO’s Site such as a computer, a mobile phone or tablet.

1.3. Other capitalised terms, not specified above, have the meanings as defined in the Terms of Use and the applicable data protection legislation. 

2. Who We Are

CEX.IO is a leading digital asset ecosystem comprised of entities defined in Terms of Use.

Established in 2013 as the first cloud mining provider, CEX.IO has become a multi-functional cryptocurrency exchange, trusted by over 6 million users.

CEX.IO offers cross-platform trading via website, mobile app, WebSocket and REST API, providing access to high liquidity order book for top currency pairs on the market. Instant cryptocurrency buying and selling is available via a simplified bundle interface.
The exchange has developed a multi-level account system with an individual approach to each customer, from crypto beginners to institutional traders. Worldwide coverage in permissible jurisdictions, multiple payment options, and 24/7 support are accompanied by time-proven platform stability that focuses on the safety of assets and data.

3. Collecting and Using Your Personal Information

3.1. We may collect your Personal Information if you open an account or perform any transactions. This is defined as collection for the purpose of provision of service(s) to you in accordance with our Terms of Use. Please note, if you refuse to share your Personal Information for this purpose, we will not be able to provide our services to you.

3.2. The types of Personal Information which we collect may include:

  1. your name
  2. your photographic identification
  3. details from your identity documents (such as driver licence, passport), number of the document, date of issue/expiration, photographic identification, etc.
  4. your address, phone number, cell number, email
  5. app, browser and device information - we may collect various types of information about your use of our app or website, including your device's Internet Protocol address (e.g. IP address); browsing behaviour and preferences, such as the pages you visit and time spent on them; login credentials; browser type and version; and other diagnostic data. We may also collect information about your mobile device, such as its type, operating system, and unique identifiers                                        
  6. bank details including account numbers, payment cards and statements
  7. your date of birth
  8. your personal code
  9. your employment details
  10. your trades
  11. information on sources of your funds, and
  12. selfie photos/videos footage identifying you
  13. other Personal Information that we should process in accordance with our legal obligations and legitimate interest.

3.3. Use of your Personal Data

3.3.1. We will process your Personal Information only for the purpose(s) of providing the service(s) to you, to satisfy the legal and regulatory obligations that arise from providing you the service(s) and our legitimate interest.

3.3.2. Based on our obligations and legitimate interest, we may request other documents for identity verification and sources of funds. 

3.3.3. We may use your Personal Information for the following purposes:

  • To provide and maintain our services, including to allow you to open and operate an Account and monitor the usage of services.
  • To manage your Account: to manage your registration as a user of the service(s). The Personal Data you provide can give you access to different functionalities of the Service that are available to you as a registered user, i.e., to enable you to complete transactions on the Platform.
  • For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items, or services you      have purchased or of any other contract with us.
  • To contact you: we may contact you by email, telephone, SMS, or other equivalent forms of electronic communication, such as push notifications from our mobile app. We may use these methods to provide you with updates, informative communications related to the functionalities of our products or contracted services, including security updates when necessary or reasonable for their implementation, and to reply to your queries.
  • To provide you with news, special offers and general information about other goods, services, and events which we offer that are similar to those that you have already purchased or enquired about unless you have opted not to receive such information.
  • To manage your requests: to attend and manage your requests to us.
  • To ensure security of your Account (for instance, if you make a request to disable 2-factor authentication on your account we can ask you to provide additional Personal Information to confirm your identity).
  • To comply with legal obligation purposes such as tax reporting, fraud prevention, our reporting obligations etc.
  • To provide you with information about products and promotions that may be of interest to you, from ourselves and third parties, although only if you have specifically agreed to receive such information.
  • For market research e.g., surveying Users' needs and opinions on issues, such as performance. Unless consented, your data for this purpose would be anonymised.
  • For business transfers: we may use your Personal information to evaluate or conduct a merger, divestiture, restructuring, reorganisation, dissolution, or other sale or transfer of some or all our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by us about our services users is among the assets transferred.
  • For other purposes: We may use your Personal Information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our service(s), products, services, marketing, and your experience.

3.4.  Children's personal data

Minors are not permitted to use CEX.IO. If you are a parent or guardian and believe that CEX.IO has information of a child under the age of 18 please contact us  immediately at dpo@cex.io so we remove any such information from our database.

3.5. Face Data Collection, Usage, and Storage

3.5.1. Purpose of Collecting Face Data

At CEX.IO, we use face data as part of our liveness check during the user verification process. This is essential for:

  • Identity Verification: Ensuring that the person verifying their identity is physically present and not using a photo or video, which helps prevent identity fraud.
  • Security: Adding an extra layer of security to ensure the authenticity of the user during the verification process.
  • Fraud Prevention: Detecting and preventing potential attempts to bypass security measures, ensuring that the verification process remains secure and trustworthy. Verifying that the individual accessing our services is indeed who they claim to be.
  • Regulatory Compliance: Meeting legal and regulatory requirements that mandate secure identity verification methods for Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations.

By utilising face data in the liveness check, we ensure a more secure and reliable verification process for all users.

3.5.2. Storage and Retention of Face Data

Face data is stored securely in compliance with regulatory requirements that CEX.IO must adhere to. We implement robust security measures to protect this data. We retain face data for a period of five to eight years, depending on local regulatory body requirements. This retention period starts from the date of the user’s last transaction or the end of the tax period in which the last transaction occurred. This duration is necessary to comply with legal and regulatory obligations and to ensure we can respond to any legal or compliance inquiries that may arise during this period.

We are committed to ensuring that face data is handled securely and stored only for as long as necessary and required by legal and regulatory requirements to fulfil the purposes for which it was collected. Our approach to the storage and retention of face data is governed by the following principles:

  1. Limited Retention Period:
    Face data is stored only for the duration needed to complete the verification process or meet the legal requirements related to identity verification. Once the verification is complete, we retain the data for a specific period in accordance with regulatory obligations and internal policies.
  2. Purpose-Specific Retention:
    We store face data for the following purposes:
    • Identity Verification: Retained for a limited period to allow for audits or disputes related to the verification process.
    • Fraud Prevention and Security: Retained to detect and prevent potential fraud during and after the verification process.
  3. Data Deletion Policy:
    Once face data is no longer necessary for the purposes it was collected for, or after the retention period has passed, it is securely deleted. We do not retain face data indefinitely.
  4. Compliance with Legal Requirements:
    Our retention policy complies with the General Data Protection Regulation (GDPR) and other applicable data protection regulations. Face data is retained only for as long as necessary to fulfil the purposes for which it was collected, in accordance with legal, regulatory, and contractual obligations. 
  5. User Rights:
    Users have the right to request the deletion of their face data at any time, in accordance with applicable privacy laws. We ensure a transparent and easy process for users to exercise this right.

By adhering to these principles, we aim to balance the need for effective user verification and security with the rights and privacy of our users.

3.5.3. Sharing of Face Data with Third Parties

We prioritise the security and privacy of face data and only share it with third parties when absolutely necessary. Our approach to sharing face data is guided by the following principles:

  1. Limited Sharing:
    We share face data with third parties only when it is essential to provide our services or comply with legal obligations. The main purposes for sharing face data include:
    • Identity Verification Providers: We may share face data with trusted service providers who assist us in conducting secure user verification and liveness checks.
    • Cloud Storage Providers: Face data may be stored securely by third-party cloud service providers who are bound by strict data protection agreements.
    • Security and Fraud Prevention Partners: We may share data with specialised security vendors to help detect and prevent fraud during the verification process.
    • Banks and Payment Providers: We may share face data with banks and payment providers upon request for investigation related to specific transactions.
    • Regulatory Authorities: If required by law or to comply with legal obligations, we may share face data with government or regulatory bodies to meet legal requirements or respond to law enforcement requests.
  2. Robust Data Protection Agreements:
    All third parties we share face data with are required to comply with strict contractual agreements that meet or exceed applicable data protection laws. These agreements ensure that third parties use the data solely for the purposes we have defined and apply stringent security measures to protect the data.
  3. No Unauthorised Use:
    We do not permit third parties to use face data for any purpose other than what is explicitly stated in our agreements. Third parties are prohibited from using the data for advertising, analytics, or any other purposes outside of those required for verification or security.
  4. Data Retention by Third Parties:
    Some third parties, such as identity verification providers, may retain face data for a limited period to comply with legal or contractual obligations. We ensure that any third-party data retention policies are consistent with our own practices, and they are required to delete or anonymize face data once it is no longer needed.
  5. Transparency and User Rights:
    We provide transparency to our users about which third parties may have access to their face data and the reasons for such sharing. Users also have the right to request information about third-party sharing and to request deletion of their face data.

By adhering to these principles, we ensure that face data is shared responsibly and securely, maintaining the privacy and trust of our users. 

3.5.4. Third-Party Data Storage and Practices

When we share face data with third parties, we ensure that their data storage practices align with the highest standards of privacy and security. Below is an outline of how third-party data storage is handled, along with our measures to protect user privacy:

  1. Data Storage by Third Parties:
    Some third parties, such as identity verification providers and cloud storage services, may store face data temporarily to assist us in completing the user verification process. The specific practices include:
    • Secure Cloud Storage: Third-party providers may store face data on secure servers that use encryption and advanced security measures to protect data from unauthorised access.
    • Temporary Retention: In most cases, third parties only store face data for the duration necessary to complete verification, after which the data is either securely deleted or anonymized.
  2. Privacy Practices of Third Parties:
    We carefully vet all third-party providers to ensure their privacy practices are compliant with applicable data protection regulations, such as the GDPR, CCPA, and other privacy laws. Their privacy practices must include:
    • Limited Data Usage: Third parties are prohibited from using face data for any purpose other than those specified by us, such as verification and fraud prevention.
    • Security Measures: They are required to implement strong security protocols, such as encryption and secure access controls, to safeguard face data.
    • Compliance with Regulations: Third parties must adhere to relevant data protection regulations, and we regularly review their compliance.
  3. Data Retention Policies:
    If third parties retain face data, they are bound by specific retention policies that comply with the following guidelines:
    • Purpose-Limited Retention: Face data is only retained for the period necessary to fulfil the specific purpose (e.g., user verification or fraud detection).
    • Deletion or Anonymization: Once the data is no longer needed, third parties must either securely delete it or anonymize it to ensure it cannot be linked to individual users.
  4. Reasons for Third-Party Data Storage:
    Third parties may store face data for the following reasons:
    • Verification Records: To maintain an audit trail of user verification for compliance with legal or contractual requirements.
    • Fraud Prevention: To identify and prevent repeated or attempted fraud during the verification process.

By enforcing strict data storage and privacy practices with our third-party partners, we ensure that face data is handled securely and in compliance with all relevant privacy laws.

3.5.5. User Rights

Users can access, correct, or request the deletion of their face data by contacting our Support Team. However, please note that we may need to retain personal information if required by data protection laws for specific purposes, such as regulatory compliance or defending legal claims. In such cases, we will inform you and provide an explanation if this applies.

3.5.6. Additional Information

This section specifically addresses face data and complements the other provisions of our privacy policy. For any questions or additional details not covered here, please refer to the full privacy policy for comprehensive information.

4. Your rights in relation to your Personal Data

4.1. Right to be informed: you have the right to be informed about the collection and use of your personal data. This Privacy Policy is intended to provide you with clear and concise information about how we process your personal data. 

4.2. Right to access: you have the right to access your Personal Information and request details about processing activities that we undertake with your data. You can do this by sending an email to us at dpo@cex.io or where possible, you can do these actions in your account profile page yourself. Upon your written request we will also give you a copy of the Personal Information we have retained. There may be a minimal charge for providing you additional copies of your Personal Information to cover administrative costs.

4.3. Right to Rectification: you may request us to rectify or update any of your personal information held by CEX.IO that is incomplete or inaccurate by sending an email at dpo@cex.io or where possible - do it in your account profile page yourself.  

4.4. Right to Erasure: you have the right to request the erasure of both the Account and Personal Information by sending an email to us at: dpo@cex.io. CEX.IO will action your request, unless we have a legal or regulatory obligation or overriding legitimate interest to store your Personal Information (for instance, in cases you have performed transactions).

4.5. Right to object or to restrict processing - you have the right to restrict and object to the processing of your personal data in certain circumstances, such as where the processing is carried out for direct marketing purposes. To do so, please send an email to us at dpo@cex.io or where possible do it yourself, f. e. unsubscribe from our marketing emails by clicking on the “Unsubscribe” link provided in each of our marketing messages.

4.6. Right to data portability - you may also ask us to transfer your Personal Information to another controller of your choice.

4.7. Identity Verification - to ensure the confidentiality, integrity, and availability of your information, we may request you to confirm your identity by providing identification documentation and/or other methods prior to assisting you in exercising any of your rights. If you refuse to prove your identity, we may decline to take actions in respect of your data, save restricting processing, until we can ensure that such actions are the true wish of the data subject.

4.8. Automated Decision-Making and Profiling. In the carrying out of our services we may use automated processing and profiling to reduce the risks of fraud, money laundering and abuse of our services. Through this automated processing, we carry out an analysis of your identification, transactional and behavioural patterns. We may not be able to provide you with some or all our services if you do not wish this automated processing to be carried out. If you feel that this processing might be detrimental to you, please contact us on dpo@cex.io, and our compliance officer will review your application.

4.9. Timeframe for Response: if you make a request, we have one month to respond to you. If we are unable to respond within the month, we will inform you and provide an explanation for the delay.

4.10. Non-discrimination: we will not discriminate against you for exercising any of your rights over your personal information. Unless your personal information is required to provide you with a particular service or offer (for example providing user support), We will not deny you goods or services and/or charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties, or provide you with a different level or quality of goods or services.

4.11. No Fee usually required: you will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

5. Exercising of your Data Protection Rights

5.1. You may exercise your rights of access, rectification, cancellation, and opposition by contacting us. We may ask you to verify your identity before responding to requests. 

5.2. You have the right to complain to a data protection authority about our collection and use of your Personal Data.  If you reside in the EEA, Switzerland, or the UK, you have the right to discuss any instance where you feel we may not be adhering to the terms within this Privacy Policy or raise a complaint about our practices with the supervisory authority of your country or state. 

5.3.  You can check the list of the Data Protection Authorities in European Union countries, as well as in Iceland, Norway and Liechtenstein on this website - https://edpb.europa.eu/about-edpb/about-edpb/members_en#member-lt 

5.4. In the UK, the Information Commissioner’s Office www.ico.org.uk.  

6. Retention of Personal Information

6.1. Your information is held within our servers located within the European Union. Access to this information is provided to staff of CEX.IO whose office may also be outside of the European Union but who adhere to the same principles of data security and processes as those within the European Union (please see the Section on International data transfers for more details).

6.2. Your payment method information to effect or receive payments from CEX.IO are passed on to third-party payment processor(s) based in the EU and with which CEX.IO has a contractual agreement to safeguard your rights. Unless you create an account with us and conduct transactions, we do not retain your payment method information.

6.3. We will hold your Personal Information only for as long as it is necessary for the purposes described in this Privacy Policy and our legal and regulatory requirements.

6.4. To comply with relevant regulatory bodies and laws requirements, we must adhere to different retention periods for Personal Information. In accordance with CEX.IO’s legal obligations, we will retain Personal Information for a period of five to eight years after our User closes their Account and terminates legal relationships with us, or for five to eight years from the end of the tax period in which the User conducts their last transaction.

6.5. Data stored for regulatory purposes will be protected from unnecessary processing and will be held only for the purpose of being able to provide information or access to relevant authorities.

6.6. As retention periods vary depending on the jurisdiction and may change from time to time, if you wish to obtain information on how long we store your data, please contact us. 

7. Disposal of Personal Information

7.1. Once we do not have any obligation to provide you with a service you requested, nor an obligation to hold Personal Information for regulatory or legal purpose, we will anonymise or dispose of your Personal Information in line with acceptable industry and security standards so that this cannot be subsequently retrieved and associated with you. 

7.2. Where we cannot directly remove such records, such as in archived backups, we will retain a log of which Personal Information should be removed if ever the backup data is restored.

8. Tracking Technologies and Cookies

We use cookies and similar tracking technologies to track the activity on our site and store certain information. Tracking technologies used are beacons, tags, and scripts to collect and track information and to improve and analyse our site. The technologies we use may include:

8.1. IP Addresses

We may collect information about your computer, including where available your IP address, operating system and browser type, for system administration and to report aggregate information to our advertisers. This is statistical data about our users' browsing actions and patterns and will not be used to identify any individual unless that same individual.

8.2. Web Beacons

Certain sections of our service(s) and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the CEX.IO, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of a certain section and verifying system and server integrity).

8.3. Cookies

8.3.1. We use a browser feature known as a "cookie", which assigns a unique identification to your computer. Cookies are typically stored on your computer's hard drive. Information collected from cookies is used by us to evaluate the effectiveness of our Sites, analyse trends, and administer the Platform.  The information collected from cookies allows us to determine such things as which parts of our Sites are most visited and difficulties our visitors may experience in accessing our Sites. With this knowledge, we can improve the quality of your experience on the Platform by recognising and delivering more of the most desired features and information, as well as by resolving access difficulties. 

8.3.2. We also use cookies and/or a technology known as web bugs or clear gifs, which are typically stored in emails to help us confirm your receipt of, and response to, our emails and to provide you with a more personalised experience when using our Sites.

8.3.3. We use third party service provider(s), to assist us in better understanding the use of our Sites. Our service provider(s) will place cookies on the hard drive of your computer and will receive information that we select that will educate us on such things as how visitors navigate around our Sites, what products are browsed, and general transaction information. Our service provider(s) analyses this information and provides us with aggregate reports. The information and analysis provided by our service provider(s) will be used to assist us in better understanding our visitors' interests in our Sites and how to better serve those interests. The information collected by our service provider(s) may be linked to and combined with information that we collect about you while you are using the Platform. Our service provider(s) is/are contractually restricted from using information they receive from our Sites other than to assist us.

8.3.4. Cookie Preferences

To facilitate easier customization of your cookie preferences and similar technologies, we have implemented a cookie window, the appearance, and settings of which may vary depending on your region. User settings are saved for a period of 60 days, after which you can change them, or at any time using your browser settings.

8.3.5. We use cookies and similar technologies to improve your browsing experience. Some cookies are essential for basic website functions and are stored on your browser. We also employ third-party cookies to analyse how you use this website. Please note that opting out may affect your browsing experience. 
Please see the cookie category and description below: 

  • Necessary

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

  • Functional

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

  • Analytics

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

  • Advertisement

Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.

8.4. Analytics. We use Google Analytics, which uses cookies and similar technologies to collect and analyse information about use of the website and report on activities and trends. This service may also collect information regarding the use of other websites, apps, and online resources.

Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our site. This data is shared with other Google services. Google may use the collected data to contextualise and personalise the ads of its own advertising network.

You can opt-out of having made your activity on the site available to Google Analytics by installing the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics JavaScript (gtm.js) from sharing information with Google Analytics about visits activity.

For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: https://policies.google.com/privacy 

8.5. Do Not Track

Some browsers have a “Do Not Track” feature that lets you tell websites that you do not want to have your online activities tracked. Currently, we do not respond to browser “Do Not Track” signals.

9. Disclosure of Personal Information

9.1. We use the Personal Information for purposes indicated at the time you provide such information/for the purposes set out in this Privacy Policy/as permitted by law.

9.2. Business Transactions. We may make available the Personal Information that you provide to us for the limited purpose indicated for and during the provision of the service that you would have requested in particular to:     

  • our affiliates, agents, and representatives
  • payment service providers and financial institutions
  • customer communications platforms
  • our contractors providing software for identity verification purposes
  • our contractors who provide us information on sanctions lists from publicly accessible sources.

9.2.1. We may also share users’ Personal Information with financial institutions, insurance companies or other companies in the case of a merger, divestiture, or other corporate reorganisation and notify you of such sharing of your information to be able to exercise any of your rights where applicable.

9.3. Law Enforcement. We may be required to disclose your Personal Information under certain circumstances, such as we are obligated to do so due to valid requests from public authorities (e. g. law enforcement or regulatory agencies, court, etc.). In certain cases, we may not be able to inform you of such sharing of data due to legal restrictions.

9.4. Any third party which receives or has access to Personal Information shall be required by us to protect such Personal Information and to use it only to carry out the services they are performing for you or for CEX.IO, unless otherwise required or permitted by law. Such a third party, except for regulatory authorities, would be contractually bound to adhere to the same or higher level of security and confidentiality policies as CEX.IO, and assume at least the same level of responsibilities as CEX.IO.

9.5. The legitimate exercise of any of your rights with CEX.IO will also be notified to be applied by any such third parties having been given access to your Personal Information.

9.6. We will ensure that any such third party is aware of our obligations under this Privacy Policy, and we will enter into contracts with such third parties by which they are bound by terms no less protective of any Personal Information disclosed to them than the obligations we undertake to you under this Privacy Policy, or which are imposed on us under applicable data protection laws.

10. International Data Transfers

10.1. Our contractors and affiliates are situated in various countries, including countries located outside the European Union (EU), and we may need to transfer your personal data to third countries to provide our services to you. We strive to ensure an adequate level of protection for your personal data, regardless of where our contractors are located. Please note that we may transfer your Personal Information only in the following cases:

  • If the country where we transfer your Personal Information provides the adequate level of personal data protection, as determined by the European Commission. You can view a list of such countries by clicking here.
  • If we take appropriate safeguards to ensure that your rights as a data subject are protected.
  • If any derogations for specific situations apply, such as if the transfer is necessary for the establishment, exercise, or defence of legal claims or for an important reason of public interest.

11. Third-Party Sites and Resources Disclaimer

11.1. Our Site may contain links to third-party sites and resources. Please note that his Privacy Policy applies only to our Sites. By clicking on any such links and accessing those third-party sites or resources, you will be leaving our Site.

11.2. We want to make it clear that we have no control over these third-party sites, or any content contained therein. Therefore, we cannot accept any responsibility or liability for any of those third-party sites, including but not limited to their content, policies, promotions, products, services, actions and any damages, losses, failures, or problems caused by, related to, or arising from those sites. We strongly advise you to review all policies, rules, terms, and regulations, including the privacy policies, of any site that you visit.

12. Marketing Data Processing, Advertising and Social Media Fan Pages

12.1. We may use your Personal Information for marketing purposes if you provide your consent during registration or post-registration by checking marketing preferences boxes in your account profile page. Additionally, we may notify existing Users about our products or services that are similar to those we have already provided based on our legitimate interest.

12.2. You have the right to withdraw your consent for us to process your Personal Information for marketing purposes. To exercise this right, you can uncheck the marketing preferences boxes in your account profile or contact us at dpo@cex.io.

12.3. We maintain a strong presence on various social media platforms to stay connected with our customers and keep them updated on our latest developments. Our social fan pages include X, LinkedIn, Facebook, Telegram, Instagram, YouTube, Reddit, Pinterest, and TikTok.

12.3.1. Here is the list of our social pages:

  1. X: https://x.com/cex_io 
  2. LinkedIn: https://www.linkedin.com/company/cex-io/
  3. Facebook: https://www.facebook.com/CEX.IO/
  4. Telegram: https://t.me/CEX_IO
  5. Instagram: https://www.instagram.com/cexio/
  6. YouTube: https://www.youtube.com/c/cexio
  7. Reddit: https://www.reddit.com/r/cex_io/
  8. Pinterest: https://www.pinterest.com/cex_io/
  9. TikTok: https://www.tiktok.com/@cex_io

12.3.2. Please verify that you are on the correct website, to do it you can use the links provided above to access these pages directly. 

12.4. We encourage our customers to follow and engage with us on our social media pages. However, please note that any information shared on these platforms is subject to the respective social media platform's privacy policy and terms of service. We do not have control over the information collected by these platforms and are not responsible for their actions.

12.5. We may use social media advertising to promote our services and reach a wider audience. Such advertising may involve the use of cookies or similar technologies to collect data about your browsing behaviour. If you do not wish to receive targeted advertising from us, you can adjust your social media platform's settings or opt-out of targeted advertising by following the instructions provided by the respective social media platform.

12.6. Please note that any content posted by users on our social media pages is subject to the respective social media platform's terms of service and community guidelines. We reserve the right to moderate or remove any content that violates these guidelines or our company policies.

12.7. We collaborate with third-party entities as specified below to help us display advertisements on external websites and assess the effectiveness of our advertising campaigns. These third parties have the ability to show you relevant ads for products and services that align with your interests, based on your visits to our Sites as well as other websites. Please note that these third parties follow their own privacy policies, which are distinct from ours. However, as a rule such third parties grant data privacy standards no less than we do.

For the marketing and analytics purposes, we may share your Personal Information including Hashed Data, along with other general or non-personally identifiable data, with the following counterparties:

Appsflyer
AdRoll (including NextRoll)
Customer.io
Gleam.io
Google and its affiliates (including Firebase)
Hotjar
Hubspot
Intercom
META and its affiliates
Mixpanel
Pinterest
Prefinery
Quora
Reddit
RudderStack
Snapchat
Trustpilot
Typeform
Wheel of Popups
X
Zapier
Microsoft Advertising

If you wish to opt out of various third-party ad networks, including those operated by the Network Advertising Initiative (NAI) and the European Interactive Digital Advertising Alliance (EDAA), you can find more details on interest-based advertising and how to opt out on their respective websites: https://www.youronlinechoices.com/uk/your-ad-choices (EDAA) and https://optout.networkadvertising.org/?c=1  (NAI).

By opting out of one or more NAI or EDAA member networks (many of which overlap), you will no longer receive targeted content or ads from those members. However, this does not mean that you will stop receiving all ads on our Sites or other websites. You may still receive advertisements based on the particular website you are currently visiting.

Additionally, please note that if your browser settings reject cookies, if you delete your cookies, or if you switch to a different computer or web browser, your NAI or EDAA opt-out may no longer remain effective.

13. AI Products in Communication Channels

13.1. We continuously strive to ensure prompt resolution of questions and issues arising from our customers' use of our services. The primary method of communication with our Support Team is via chat available on our website. This tool is provided to us by our external provider, Intercom Inc., with whom we have appropriate agreements in place. These agreements include provisions ensuring that Intercom Inc., acting as a Data Processor, cannot provide a lower level of data protection than we do. Furthermore, to streamline the operation of our Support Team, particularly in responding to users' queries promptly, we have implemented the functionality of Intercom Inc.'s AI chatbot, Fin AI Agent, into the chat.

13.2. To address any potential concerns that may arise, we provide key information below regarding the measures we have implemented to minimise risks to the protection of individuals' personal data:

  • We conducted a thorough assessment of the risks to personal data protection and consulted with relevant stakeholders regarding the implementation of AI Products.
  • We have entered into appropriate agreements with Intercom Inc. guaranteeing data protection in using AI. These agreements include:
  • OpenAI being contractually restricted from using customer data to train its AI model, with zero data retention enabled by Intercom Inc.
  • No sensitive data shared within the chat will be stored or used for self-learning by OpenAI. 
  • Users will have the choice of receiving a quick response via the AI chatbot or proceeding directly to a conversation with our agent.

For additional information about the Fin AI Agent, please refer to the following resources: Fin AI Agent Explained and AI Products Features Legal FAQ.

*Artificial intelligence (AI) systems are software (and possibly also hardware) systems designed by humans that, given a complex goal, act in the physical or digital dimension by perceiving their environment through data acquisition, interpreting the collected structured or unstructured data, reasoning on the knowledge, or processing the information, derived from this data and deciding the best action(s) to take to achieve the given goal. AI systems can either use symbolic rules or learn a numeric model, and they can also adapt their behaviour by analysing how the environment is affected by their previous actions.

14. Security of Your Personal Data

14.1. We have implemented technical and organisational security measures to ensure the confidentiality, integrity, availability, and accountability of your Personal Information and to protect your Personal Information from loss, misuse, unauthorised alteration or destruction. Such measures include:

  • the pseudonymisation and TLS 1.2-1.3 encryption of personal data
  • 2-factor authentication
  • the access control
  • processes to ensure the ongoing confidentiality, integrity, availability of our processing systems and services
  • reliable backups to restore access to personal data in a timely manner in the event of a physical or technical incident.

14.2. Only authorised personnel of CEX.IO have access to your Personal Information, and these personnel are required to treat the information as confidential.

14.3. Where you have consented to or we are obliged to pass on Personal Information to third parties to provide you with a requested service or in the carrying out of a regulatory or legal obligation, we will request that the high levels of technical and organisational security measures be applied through contractual arrangements, where possible.

14.4. We conduct testing, assessment, and evaluation of our technical and organisational measures effectiveness on a regular basis. Technical and organisational security measures in place, from time to time, are reviewed in line with legal and technical developments.

14.5. In the event of incidents, personal data leakage or the failure of the security measures to protect such information we will notify you without undue delay.

15. Security measures for processing payment card details

15.1. CEX.IO  is fully compliant with PCI DSS (Level 1 Service Provider). PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designated for merchants, financial institutions, and payment service providers to ensure the safety of cardholders' data. You can check our Certificate of compliance here.     

15.2. Please note that our trusted payment service providers are PCI DSS compliant as well.    

16. Fraud, Phishing and Email Scams Disclaimer

16.1. Please note that CEX.IO is not in any partnership with any individuals or organisations who represent themselves as customer support agents and offer customer support services through phone and/or social media channels for a fee. Please be aware that customer support is provided only through the CEX.IO website and is always free of charge.

16.2. If you believe that you have been a victim of fraud, phishing, or any scam that impersonates CEX.IO, please contact us immediately through the chat available on our website

17. Changes to this Privacy Policy

17.1. Our Sites policies, content, information, promotions, disclosures, disclaimers, and features may be revised, modified, updated, and/or supplemented at any time and without prior notice at the sole and absolute discretion of CEX.IO. If we change this Privacy Policy, we will take steps to notify all users by a notice on CEX.IO's Site and will post the amended Privacy Policy on the CEX.IO's Site.

17.2. If we consider that your rights may be affected by any such changes, we will request you to confirm your consideration and acceptance prior to continuing our relationship with you.

18. Contact us

18.1. CEX.IO, due to applicable data protection laws, appointed a Data Protection Officer (DPO). Our DPO is the main contact for data protection supervisory authorities. If you have any questions, comments, or concerns regarding our Privacy Policy and/or how we process your personal data, please contact our DPO at the email address dpo@cex.io.

18.2. You may also wish to check our Help Centre for frequently asked questions where a solution may easily be found ready for you.