Privacy Policy
Last updated: 30 June 2026
This Policy explains how CEX.IO Markets UK LTD collects, uses, shares, retains and protects personal data in connection with the Services.
Who is responsible for your personal data?
CEX.IO Markets UK LTD is responsible as controller for the processing described in this Policy. For particular processing, an affiliated CEX.IO entity may act as a separate controller, a joint controller with us or our processor, as explained in sections 1.2 and 8.
This Privacy Policy should be read together with the Terms of Use, the Cookie Policy and any product-specific notice presented when personal data is collected.
Contents
- Scope and status of this Policy
- Who we are and how to contact us
- Personal data we collect
- How we collect personal data
- How we use personal data and our lawful bases
- Special category and criminal offence data
- Automated decision-making and profiling
- How we share personal data
- Blockchain and transfer information
- International transfers
- Data retention
- Security
- Your data protection rights
- How to exercise your rights
- Data protection complaints
- Marketing, advertising and social media
- Cookies and similar technologies
- Children
- Third-party websites and services
- Changes to this Policy
1. Scope and status of this Policy
1.1 This Policy applies where CEX.IO Markets UK LTD (“CEX.IO”, “we”, “us” or “our”) processes personal data as controller in connection with the Site, Platform, Account and Services provided to Users, including prospective Users, individual Users, representatives and beneficial owners of corporate Users, payers, beneficiaries, recipients, counterparties, website and application visitors, and persons who contact us.
1.2 Different affiliated CEX.IO entities may use the CEX.IO Platform to provide services to their respective users. The entity responsible for your personal data depends on the relevant Service and the purposes and essential means of the processing. Depending on the activity, an affiliated CEX.IO entity may act as a separate controller, a joint controller with us or our processor acting on our instructions. Where another entity acts as a controller, its privacy notice or other applicable privacy information applies.
1.3 Capitalised terms not defined in this Policy have the meanings given to them in the Terms of Use. Other terms used in this Policy have the meanings given to them under applicable data protection laws.
1.4 This Policy is primarily governed by the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), and those laws as amended, including by the Data (Use and Access) Act 2025. Other laws may apply to particular processing or individuals.
2. Who we are and how to contact us
2.1 CEX.IO Markets UK LTD is a private limited company incorporated in England and Wales with company number 15140258 and registered office at 78-79 Pall Mall, London, England, SW1Y 5ES. It is registered with the Financial Conduct Authority as a cryptoasset business under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, firm reference number 1007192, for certain cryptoasset activities.
2.2 You may contact us or our Data Protection Officer using any of the following official channels:
- Secure online live chat: available through the Site, mobile application and Help Centre;
- Data Protection Officer: dpo@cex.io;
- Customer support email: support@cex.io;
- Post: Data Protection Officer, CEX.IO Markets UK LTD, 78-79 Pall Mall, London, England, SW1Y 5ES.
2.3 For security, do not send passwords, one-time codes, private keys, recovery phrases or complete payment card details through live chat, email or social media. Where reasonably necessary to protect your personal data and Account, we may ask you to verify your identity or continue an account-specific discussion through an authenticated channel designated by CEX.IO.
3. Personal data we collect
The personal data we process depends on how you interact with us, the Services you use, your Account type and the legal and risk requirements that apply. We may process the following categories:
| Category | Examples |
|---|---|
| Identity and contact data | Full name, previous names, date and place of birth, age, nationality, citizenship, residential and mailing address, email address, telephone number, signature, user ID, customer number and Account identifiers. |
| Identity-verification and due-diligence data | Government-issued identity documents and document details; photographs, selfie images, video, liveness information and verification results; proof of address; tax identification numbers and tax residence; occupation, employer and professional information; source of funds and source of wealth; purpose and intended nature of the relationship; corporate documents, ownership and control information, directors, authorised representatives and beneficial owners; politically exposed person, sanctions and adverse-media screening information; and information requested during onboarding, ongoing monitoring or an Account Review. |
| Financial and payment data | Bank and payment account details, payment card data or tokens, card issuer and payment method information, bank statements, payment references, payer and beneficiary information, balances, fees, charges, refunds, chargebacks, recalls, reversals, settlement information and accounting or tax records. |
| Transaction and Digital Asset data | Orders, trades, conversions, Deposits, Withdrawals, transfers, staking activity, CEX.IO Pay activity, transaction dates and values, Trading Pairs, wallet addresses, destination addresses, transaction hashes, selected networks, memos and tags, originator and beneficiary information, Travel Rule information, counterparties and related instructions or confirmations. |
| Compliance, fraud and risk data | Customer and transaction risk ratings, screening results, blockchain analytics, wallet attribution and exposure information, fraud indicators, device and behavioural risk signals, unusual or suspicious activity indicators, investigations, Account Review records, regulatory reports, law-enforcement requests and decisions concerning access, limits, holds, restrictions or closure. |
| Technical, device and security data | IP address, approximate location derived from IP or device signals, device type and identifiers, browser and operating system, application version, language, time zone, session identifiers, cookies and similar technologies, login and authentication events, 2FA and security-event metadata, connected devices, API identifiers and activity logs, network and diagnostic information, crash and error data, and records of suspected compromise. |
| Usage and interaction data | Pages, screens and features used, clicks, navigation, search and referral data, product and interface preferences, service configuration, activity timestamps, performance and analytics information, and responses to surveys or research. |
| Communications, support and complaint data | Live-chat messages, emails, telephone or video call records where used, support tickets, complaints, requests, correspondence, attachments, screenshots, call or chat recordings where notified, verification responses, investigation notes and associated metadata. |
| Marketing and preference data | Marketing choices, communication preferences, campaign engagement, referral and promotion information, survey responses, advertising identifiers, cookie or pixel identifiers, hashed contact data used for audience matching where permitted, and social-media interactions. |
| Corporate User and representative data | Organisation name, registered and business addresses, company number, constitutional documents, business activity, regulatory status, ownership structure, beneficial ownership, directors, authorised signatories, employee or representative role, authority and permissions, and business contact details. |
| Other data you provide | Any other personal data you choose to provide, or that we reasonably require for the Services, security, compliance, dispute resolution or legal obligations. Please provide only information relevant to your request. |
Certain information is mandatory because we need it to enter into or perform our contract with you under the Terms of Use, verify identity, process transactions or comply with legal and regulatory requirements. If you do not provide required information, we may be unable to open or maintain an Account, provide a Service, process a Transaction, answer a request or continue the relationship.
4. How we collect personal data
We collect personal data from the following sources:
- Directly from you when you register, complete verification, use the Services, submit an Instruction, contact support, make a complaint, exercise a right, participate in a survey or communicate with us.
- From your use of the Platform through Account records, Transactions, authentication, cookies, SDKs, APIs, logs, security tools and other technical systems.
- From affiliated CEX.IO entities, where necessary for cooperation and operational arrangements relating to the Platform and Services, including customer administration, migration, security, fraud prevention, legal and regulatory compliance, technology and business administration.
- From service and infrastructure providers including identity and liveness verification providers, sanctions and PEP screening providers, blockchain analytics providers, Travel Rule providers, fraud and device-intelligence providers, cloud and communications providers, customer-support providers, custodians, staking or validator providers, liquidity providers, exchanges and market infrastructure providers.
- From banks, payment and financial institutions including payment service providers, card schemes, issuers, acquirers, correspondent banks, e-money institutions and other payment participants.
- From other persons including corporate customers, authorised representatives, beneficial owners, counterparties, originators, beneficiaries, CEX.IO Pay senders or recipients, referral partners and persons who report suspected fraud or unauthorised activity.
- From public and official sources including Companies House and other company registers, sanctions lists, PEP lists, court and insolvency records, professional registers, public websites, public blockchain data, regulators, law-enforcement authorities and tax authorities.
- From advertising, analytics and social-media partners where you have consented or the processing is otherwise permitted by law.
5. How we use personal data and our lawful bases
We process personal data only where we have a lawful basis. More than one lawful basis may apply to a particular processing activity. Depending on the purpose and circumstances, we may rely on contractual necessity, compliance with a legal obligation, our legitimate interests, consent or another lawful basis available under applicable data protection laws. Consent is therefore not the only, or necessarily the primary, lawful basis for processing personal data in connection with the Services.
Where we rely on legitimate interests, we consider the nature and purpose of the processing, whether the processing is necessary, and its possible impact on your interests, rights and freedoms.
Where we rely on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before consent was withdrawn or processing we carry out under another lawful basis.
Purpose | Personal data we use | Lawful basis |
Open, administer and maintain Accounts; verify eligibility and authority; establish the Account relationship; provide Account interfaces and functionality; and maintain Account details and preferences. | Identity and contact data; identity-verification data; corporate and representative data; technical, device and security data; usage data; and communications data. | Contract: to take steps at your request before entering into our contract with you and to perform our contract with you under the Terms of Use. Legitimate interests: where you act for a corporate User, and for secure and efficient Account administration. |
Provide and operate the Services, where available, including Account, wallet and balance functionality; Fiat Currency and Digital Asset Deposits and Withdrawals; spot trading; the purchase, sale, exchange and conversion of supported Digital Assets and Fiat Currency; Order placement, execution, matching, routing and settlement; internal transfers; Instant Buy and Instant Sell; CEX.IO Pay; Staking; API access; supported payment methods; market information; and related Platform functionality. | Identity and contact data; corporate and representative data; financial and payment data; Account data; Order, Transaction and Digital Asset data; wallet addresses; payment and beneficiary details; internal-transfer and CEX.IO Pay information; staking, delegation, validator, Staking Proceeds and unstaking information; API activity; technical, device and security data; usage data; and communications data. | Contract: to provide the Services and perform our contract with you under the Terms of Use. Legal obligation: where transaction information, controls, records or disclosures are required by law. Legitimate interests: operating the Platform, administering Transactions, reconciling balances, maintaining reliable Services and managing operational risk. |
Apply customer-protection, eligibility and financial-promotion controls, including customer categorisation, appropriateness assessments, risk warnings, cooling-off periods, product and jurisdictional restrictions, acknowledgements and other measures required or permitted in connection with the Services. | Identity and contact data; date of birth and age; residence and location data; customer-category information; knowledge and experience information; appropriateness-assessment responses and results; risk-warning acknowledgements; cooling-off records; Account and Transaction data; technical data; and compliance and risk data. | Legal obligation: to comply with applicable financial-promotion, consumer-protection and regulatory requirements. Legitimate interests: where appropriate, ensuring that Services and communications are provided only to eligible Users and managing regulatory, product and customer-protection risk. |
Verify identity and conduct customer due diligence, enhanced due diligence, sanctions and politically exposed person screening, source-of-funds and source-of-wealth checks, beneficial-ownership and authority checks, ongoing monitoring, Travel Rule compliance, tax compliance and regulatory reporting. | Identity and contact data; identity-verification data; photographs, video or liveness information where used; corporate and representative data; beneficial-ownership information; financial and payment data; Account, Transaction and Digital Asset data; wallet information; tax information; compliance, fraud and risk data; and supporting documents and declarations. | Legal obligation: including anti-money laundering, counter-terrorist financing, sanctions, proliferation-financing, transfer-of-funds, tax and regulatory requirements. Legitimate interests: where appropriate, preventing unlawful use of the Services and protecting Users, CEX.IO and the Platform. Where special-category or criminal-offence data are processed, we also rely on an applicable condition under the UK GDPR and the Data Protection Act 2018. |
Prevent, detect and investigate unlawful, fraudulent or prohibited activity, including fraud, money laundering, terrorist financing, proliferation financing, sanctions evasion, market abuse, account takeover, payment abuse, cybersecurity incidents and misuse of the Platform or Services. | Any relevant categories of personal data, particularly identity and verification data; Account, Order, Transaction and Digital Asset data; financial and payment data; wallet and blockchain information; technical, device and security data; compliance, fraud and risk data; and communications data. | Legal obligation: where monitoring, prevention, investigation, reporting or disclosure is required by law. Legitimate interests: preventing loss, crime, fraud and misuse; protecting Users, CEX.IO, affiliated CEX.IO entities and third parties; and maintaining the security and integrity of the Platform. Recognised legitimate interest: where processing is necessary to prevent, detect or investigate crime and the applicable statutory condition is met. |
Manage Accounts, supported assets and operational changes, including Account Reviews, risk scoring, investigations, limits, holds, restrictions, suspension and closure; inactive and deactivated Accounts; reactivation; Maintenance Fees and Storage Fees; delisting and unsupported assets; dust and residual balances; protocol events; product changes; internal User migrations; system upgrades; and related transfers or conversions permitted under the Terms of Use. | Identity and contact data; identity-verification data; Account and balance data; financial and payment data; Order, Transaction and Digital Asset data; wallet information; technical, device and security data; usage data; compliance, fraud and risk data; and communications data. | Contract: to administer the Account and apply the Terms of Use. Legal obligation: where restrictions, investigations, records, disclosures or other action are required by law. Legitimate interests: maintaining accurate balances, operational continuity and system integrity; managing unsupported assets and inactive Accounts; protecting Users and CEX.IO; and applying proportionate operational and risk controls. |
Authenticate Users and protect Accounts, assets, systems and information, including password and authentication management, two-factor authentication, approved devices, API access, access controls, fraud controls, activity logging, security monitoring, vulnerability management, incident detection and response, operational resilience and security testing. | Identity and contact data; authentication data; technical, device and security data; IP addresses and device identifiers; API keys and activity logs; usage data; Account and Transaction information; compliance and risk data; and communications data. | Legal obligation: to maintain appropriate technical and organisational security measures and meet applicable legal and regulatory requirements. Contract: to provide secure access to the Account and Services. Legitimate interests: protecting systems, Users, assets, personal data and the integrity of the Platform. |
Process payments, corrections and recoveries, including Deposits and Withdrawals, settlement, fees, refunds, chargebacks, recalls, reversals, clawbacks, set-off, payment disputes, erroneous credits, incorrectly sent Fiat Currency or Digital Assets, reconciliation, recovery of amounts due and cooperation with banks, payment providers and other relevant participants. | Identity and contact data; Account data; financial and payment data; bank-account, payment-card and payment-method information; Order and Transaction data; wallet and beneficiary information; compliance, fraud and risk data; technical and security data; communications data; and supporting evidence. | Contract: to process and administer payments and Transactions under the Terms of Use. Legal obligation: where payment, record-keeping, fraud-prevention, tax or regulatory requirements apply. Legitimate interests: reconciliation, correcting errors, recovering funds and amounts due, resolving payment disputes, preventing fraud and protecting the rights and assets of Users, CEX.IO and relevant third parties. |
Provide customer support and communicate with you, including responding to questions, requests and complaints; investigating Account and Transaction issues; providing service, legal, regulatory, security and incident communications; making reasonable adjustments; and operating live-chat, email and other support channels. | Identity and contact data; Account, Order and Transaction data; financial and payment data; technical and security data; communications data; support history; call or chat records; and any other information relevant to the matter raised. | Contract: to provide support in connection with the Account and Services. Legal obligation: including complaint-handling, accessibility and data-protection obligations. Legitimate interests: providing effective support, maintaining service quality, investigating issues, resolving disputes and keeping appropriate records. |
Respond to and administer data protection rights and complaints, including identifying and locating relevant personal data, verifying identity where reasonably necessary, communicating with the requester, investigating complaints and recording the response and outcome. | Identity and contact data; identity-verification information where necessary; Account data; communications data; complaint and request details; and any personal data relevant to the request or complaint. | Legal obligation: to comply with applicable data protection rights and complaint-handling requirements. Legitimate interests: preventing unauthorised disclosure, maintaining evidence of compliance and resolving requests and complaints fairly and securely. |
Maintain records and evidence, including records of notices, disclosures, instructions, Orders, Transactions, consents, preferences, acknowledgements, communications, Account activity, investigations and decisions; and establish, exercise or defend legal rights and claims. | Communications data; Account, Order and Transaction data; financial and payment data; technical logs; consent and preference records; compliance, fraud and risk data; complaint and support records; and other relevant evidence. | Legal obligation: where records must be retained or produced by law. Contract: to evidence and administer the Account, Services and Transactions. Legitimate interests: maintaining appropriate evidence, resolving disputes, enforcing the Terms of Use and establishing, exercising or defending legal claims. |
Comply with legal and regulatory duties and respond to competent authorities, including court orders, statutory notices, lawful requests and duties involving regulators, law-enforcement agencies, tax authorities, supervisory authorities and other competent bodies. | Any categories of personal data that are necessary and proportionate to the relevant request, duty, investigation or proceeding. | Legal obligation: where disclosure, reporting or cooperation is required by law. Legitimate interests: where cooperation is lawful, proportionate and not legally mandatory, including protecting rights, preventing harm and responding appropriately to competent authorities. |
Analyse, develop, test, maintain and improve the Site, Platform and Services, including monitoring performance, troubleshooting, analysing use, improving interfaces, security and customer experience, and developing, testing and evaluating new, beta, pilot or limited-release products, tools and features. | Account and user identifiers; cookie, device and session identifiers; IP addresses; technical, device and security data; usage and interaction data; communications data; feedback; testing information; and relevant Account and Transaction data, including data that has been pseudonymised where appropriate. | Legitimate interests: analysing and improving the Site, Platform and Services; understanding service use; product development and testing; troubleshooting; reliability; operational efficiency; security and resilience. Contract: where processing is necessary to provide a beta, pilot or other feature selected by you. Consent: where applicable law requires consent for cookies, SDKs or similar technologies. |
Send marketing and product communications and lawful financial promotions, including information about products, Services, features, market developments, events and offers; conduct surveys; measure communications and campaigns; and build or use audiences where permitted. | Identity and contact data; marketing preferences; consent and opt-out records; limited Account-relationship data; usage and interaction data; cookie, advertising and device identifiers; survey responses; and campaign information. | Consent: where required by PECR or other applicable law. Legitimate interests: for communications that may lawfully be sent to existing customers without consent and for appropriate campaign measurement. Legal obligation: to apply applicable financial-promotion requirements, restrictions, warnings and controls to communications. You may opt out of direct marketing at any time. |
Administer promotions, referral arrangements, surveys and research, including checking eligibility, managing participation, delivering any applicable benefit, preventing misuse and evaluating outcomes. | Identity and contact data; Account and Transaction data necessary to establish eligibility; referral information; marketing preferences; survey and research responses; communications data; and fraud and risk data. | Contract: where you choose to enter or participate in a promotion or arrangement. Consent: where required. Legitimate interests: administering and evaluating promotions, referrals, surveys and research and preventing misuse. |
Manage our business and relationships with affiliated CEX.IO entities and other organisations, including cooperation and operational arrangements with affiliated CEX.IO entities; governance; audits; insurance; professional advice; financing; restructuring; corporate transactions; business continuity; and internal administration. | Relevant identity and contact data; corporate and representative data; Account and contractual information; financial data; compliance and risk data; technical and security data; and communications data. | Legitimate interests: operating, administering, protecting, financing and reorganising our business and managing relationships with affiliated CEX.IO entities, service providers, advisers and business partners. Legal obligation: where records, audits, disclosures or other actions are required by law. |
Create anonymised or aggregated information that no longer identifies an individual, including for analytics, research, reporting, security, risk management and product development. | Any categories of personal data capable of lawful anonymisation or aggregation. | Legitimate interests: analysing and improving our business, Services, security and risk management. Information that has been effectively anonymised is no longer personal data. |
6. Special category and criminal offence data
6.1 Facial images, liveness and biometric data
Photographs and video are personal data. They become special category biometric data only where they are processed through specific technical means for the purpose of uniquely identifying or authenticating an individual. We may use facial images, liveness checks and related outputs to verify identity, prevent impersonation and fraud, protect Account security, and comply with anti-money laundering, sanctions and other legal and regulatory requirements.
Where this processing involves special category biometric data, we identify an Article 6 lawful basis and an Article 9 condition appropriate to the specific processing. Depending on the purpose and implementation, this may include explicit consent or a substantial public interest condition under the DPA 2018, where the relevant statutory requirements are met. We maintain an appropriate policy document where required and apply data minimisation, access restrictions, vendor controls, retention limits and human review safeguards.
6.2 Other special category data
We do not seek special category data unless it is necessary. It may be processed if you voluntarily disclose health or disability information when requesting reasonable support, or if information obtained during compliance or legal processes reveals a special category. We process it only where an applicable Article 9 condition is met, such as explicit consent, substantial public interest or the establishment, exercise or defence of legal claims.
6.3 Criminal offence data
Compliance, fraud, security and dispute records may include information about criminal convictions, offences, investigations, proceedings or sufficiently specific allegations. We process such information under Article 10 of the UK GDPR and the DPA 2018, where authorised by law, including for regulatory requirements, prevention or detection of unlawful acts, fraud prevention, safeguarding against dishonesty, regulatory action and legal claims. We use enhanced access, retention and governance controls and maintain an appropriate policy document where required.
7. Automated decision-making and profiling
7.1 We use automated systems, rules, models and profiling to support identity verification, document and liveness checks, sanctions and PEP screening, fraud detection, blockchain and transaction monitoring, device and behavioural risk analysis, customer and Transaction risk scoring, eligibility checks, security controls, product functionality, marketing preferences and service improvement.
7.2 The factors considered may include identity-match and document-authenticity results; screening matches; Account history; Transaction patterns and values; wallet and blockchain exposure; source-of-funds information; location, device and network signals; links to other Accounts or payment methods; security events; legal restrictions; and information supplied during an Account Review. We do not disclose detailed detection rules where doing so could undermine anti-money laundering, sanctions, fraud-prevention or security controls, or the rights of others.
7.3 Automated outputs may result in a request for further information, enhanced authentication, a delay or hold, a Transaction being rejected, access to a feature being limited, or an Account application or activity being referred for review. Some decisions may be made without meaningful human involvement, where permitted by law.
7.4 Where a decision based solely on automated processing has a legal or similarly significant effect on you, we apply the safeguards required by law. These include giving you information about the decision, enabling you to make representations, request human intervention, and contest the decision, except where a lawful exemption applies. You may request a review through the channels in section 14.
7.5 Where AI-enabled tools are used in customer support, they may classify or summarise requests, retrieve support information, suggest responses or provide an automated first response. You may ask to communicate with a human agent. These tools are not used to make final decisions about onboarding, Account restrictions or Transactions. We use contractual and technical controls to limit provider access to and use of support data.
8. How we share personal data
We disclose personal data only where necessary, proportionate and lawful. Recipients may include:
- affiliated CEX.IO entities, where necessary for cooperation and operational arrangements relating to the Platform and Services, including customer administration, security, compliance, customer support, technology, internal audit and business administration. Depending on the relevant processing activity, an affiliated CEX.IO entity may act as our processor acting on our instructions, as a separate controller for its own purposes and legal obligations, or as a joint controller with us where we jointly determine the purposes and essential means of the processing.
- Identity, compliance and risk providers including identity-document, selfie, liveness and biometric verification providers; sanctions, PEP and adverse-media screening providers; blockchain analytics and wallet intelligence providers; Travel Rule providers; fraud, device-intelligence and cybersecurity providers.
- Banks and payment participants including payment service providers, e-money institutions, card schemes, issuers, acquirers, banking partners, correspondent banks and settlement providers. Some act as independent controllers and provide their own privacy information.
- Digital Asset and market infrastructure providers including custodians, wallet and node infrastructure providers, validators and staking providers, liquidity providers, exchanges, market makers, market-data providers, blockchain networks and protocol participants.
- Technology and business service providers including cloud hosting, data storage, software, analytics, communications, email and SMS delivery, live-chat and customer support, document management, consent management, auditing, accountancy, legal, insurance and professional-advisory providers.
- Other Users and counterparties where necessary to provide a requested transaction or feature, including the limited CEX.IO Pay information described in section 9.2.
- Regulators and public authorities including the FCA, the ICO, tax authorities, sanctions authorities, courts, law-enforcement bodies, financial-intelligence units and other competent authorities, where required or permitted by law.
- Persons involved in disputes or legal proceedings including counterparties, their representatives, courts, tribunals, mediators, insurers and professional advisers.
- Corporate transaction recipients, including prospective buyers, investors, lenders, and advisers in connection with a merger, acquisition, financing, reorganisation, or transfer of business or assets, subject to appropriate confidentiality and data-protection measures.
- Advertising, analytics and social-media providers only where the required consent or other lawful basis exists and subject to your choices in Consent Preferences and your marketing choices.
Service providers acting on our behalf are authorised to process personal data only for agreed purposes and are subject to contractual confidentiality, security, assistance, and deletion or return obligations. Where a recipient acts as an independent controller, its own privacy notice and legal obligations apply.
9. Blockchain and transfer information
9.1 Public blockchain information
Where a Digital Asset Transaction is transmitted to or recorded on a public blockchain, information relating to that Transaction may become publicly accessible on a decentralised and potentially immutable network. This may include wallet addresses, transaction hashes, amounts, timestamps, and other network information.
Public blockchain information may be viewed by anyone and may be analysed or combined with other information in a manner that could identify or relate to an individual. CEX.IO does not control the operation of public blockchains and may be unable to delete, correct or restrict information recorded on-chain.
This section does not generally apply to internal transfers between CEX.IO Accounts, including transfers made through CEX.IO Pay, unless the relevant transfer is expressly processed through a public blockchain. Where possible, we address data protection rights in relation to off-chain records and processing that remain under our control.
9.2 CEX.IO Pay and other internal transfers
Where CEX.IO Pay or another internal transfer functionality is available, transfers between eligible CEX.IO Accounts are generally processed within the CEX.IO Platform and are not recorded as individual transfers on a public blockchain.
When you send Digital Assets using CEX.IO Pay, the recipient may see your registered first name, the first letter of your last name, and your unique CEX.IO user identification number. This limited disclosure is used to identify the transaction counterparty and provide the relevant functionality.
We do not authorise recipients to use that information for unrelated purposes. However, recipients are independently responsible for any further use of information they receive.
9.3 Travel Rule and payment information
For certain Digital Asset or Fiat Currency transfers, we may be legally required to collect, verify, transmit, or receive information about the originator and beneficiary. This information may be shared with the recipient service provider, payment participant, Travel Rule network, intermediary, or competent authority, including where a transfer is reviewed, delayed, rejected, restricted, or investigated.
10. International transfers
10.1 We and our recipients may process personal data in the United Kingdom, the European Economic Area, and other countries. Data-protection laws in those countries may differ from UK law.
10.2 Where we make a restricted transfer from the United Kingdom, we use an applicable lawful mechanism, such as:
- UK adequacy regulations;
- the UK International Data Transfer Agreement or the UK Addendum to the European Commission Standard Contractual Clauses;
- approved binding corporate rules, codes or certification mechanisms where available;
- another safeguard recognised by UK data-protection law; or
- a limited statutory exception, where the legal conditions are met.
10.3 We assess transfer risks and apply supplementary technical, contractual or organisational measures where appropriate.
11. Data retention
We keep personal data only for as long as reasonably necessary for the purposes for which it was collected, including legal, regulatory, accounting, security, fraud-prevention, dispute-resolution, and evidential requirements. Account closure or deactivation does not automatically require deletion.
Record type | How long we keep it |
| Account, onboarding, KYC, AML, sanctions, Travel Rule and records of Orders, payments and Transactions | Normally for the duration of the business relationship and for five years after it ends. Records relating to an occasional transaction are normally retained for five years after the transaction is completed. Transaction records created during an ongoing business relationship may be deleted once they are more than 10 years old, where they are no longer required for another lawful purpose. Records may be retained for longer where required by another applicable law, a competent authority, a valid legal hold, court or other legal proceedings, or an ongoing investigation or dispute. |
| Contract, payment, accounting and tax records | Contractual and payment records are normally retained for the period necessary to administer the relationship and for up to six years after the relevant relationship, Transaction, payment, Account closure or other relevant event. Accounting and tax records are normally retained for six years from the end of the relevant company financial year, or longer where required by tax law, an audit, regulatory review, investigation or dispute. |
| Customer support and routine communications | For the period necessary to address the enquiry, administer the Account or provide the relevant Service. Routine operational communications are generally retained for a shorter period unless they become relevant to a complaint, investigation, Transaction, legal obligation or dispute. |
| Complaints, data protection rights requests and material communications | For the period necessary to investigate and resolve the matter and to demonstrate how it was handled. Material complaint, rights-request and dispute-related records may normally be retained for up to six years after the matter is closed where necessary for legal compliance, accountability, evidence or the establishment, exercise or defence of legal claims. Where a specific regulatory complaint-retention rule applies to a particular Service, we retain the record for at least the applicable regulatory period. |
| Fraud, security, device, access and incident records | For as long as necessary to identify, investigate and respond to fraud, unauthorised access, security threats and incidents; prevent recurrence; protect Users, assets and systems; and meet legal and regulatory requirements. Depending on the nature and significance of the record, this may normally be up to six years after the relevant event or the end of the relationship. Records may be retained for longer where an active threat, investigation, legal hold, regulatory matter or claim continues. Lower-risk technical logs may be retained for substantially shorter periods. |
| Identity documents, photographs and verification records | Where retained as part of a legally required customer due diligence record, identification documents, photographs and relevant verification results may normally be retained for the applicable five-year AML record-keeping period. |
| Liveness captures and biometric-related information | Raw video, liveness captures, biometric templates, embeddings, comparison data and other technical outputs are retained only for as long as necessary for the specific verification, fraud-prevention or security purpose for which they are used. Different technical components may have different retention periods. They are not automatically retained for the full AML period merely because they were used during identity verification, unless their continued retention is necessary and supported by an applicable legal basis and, where relevant, a special-category condition. |
| Marketing data | Until you withdraw consent, object, unsubscribe or the information is no longer necessary for the relevant marketing purpose. We may retain a minimal suppression record for as long as necessary to respect your choice, prevent further marketing and demonstrate compliance. |
| Cookies and similar technologies | For the period shown in Consent Preferences for the relevant cookie or similar technology. Records of your consent, rejection and preferences may be retained for as long as reasonably necessary to demonstrate your choices and comply with applicable law. |
| Legal holds, investigations and disputes | Until the relevant investigation, complaint, audit, regulatory review, enforcement action, claim, litigation, appeal or applicable limitation period has ended and any necessary follow-up or enforcement action is complete. Legal holds are reviewed and lifted when continued retention is no longer necessary. |
| Backups | For defined and limited backup, security and disaster-recovery cycles. Deleted or restricted data may remain in protected backups until the relevant backup is overwritten or securely deleted and is not restored for ordinary business use. If backup data are restored, applicable deletion, objection and restriction decisions are reapplied where technically and operationally appropriate. |
When retention ends, we securely delete, destroy or irreversibly anonymise personal data, unless continued retention is required or permitted by law. We periodically review retention rules and may apply a shorter period where the purpose can be achieved with less data.
12. Security
We maintain technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, and unauthorised access. Depending on the system and risk, measures may include encryption in transit and at rest, access controls, segregation of duties, multi-factor authentication, logging and monitoring, secure development and change management, vulnerability management, incident response, resilience and backup controls, personnel confidentiality obligations, vendor due diligence, and contractual security requirements.
No method of transmission, storage, or authentication is completely secure. You are responsible for protecting your Security Credentials and devices and for notifying us promptly of suspected compromise. We will notify affected individuals and the ICO of a personal-data breach where and within the period required by law.
13. Your data protection rights
Subject to legal conditions, exemptions and limitations, you may have the following rights:
Right | What it means |
|---|---|
Access | Obtain confirmation of whether we process your personal data and receive a copy together with required supplementary information. |
Rectification | Ask us to correct inaccurate personal data or complete incomplete information. |
Erasure | Ask us to delete personal data where a legal ground applies. This right does not override legal retention, fraud-prevention, legal-claims or public-blockchain limitations. |
Restriction | Ask us to restrict processing in specified circumstances. |
Data portability | Receive personal data you provided to us in a structured, commonly used and machine-readable format, and ask us to transmit it to another controller where technically feasible and legally applicable. |
Object | Object to processing based on legitimate interests, including a recognised legitimate interest. You have an absolute right to object to direct marketing, including related profiling. |
Withdraw consent | Withdraw consent at any time where processing is based on consent. Withdrawal does not affect earlier lawful processing. |
Automated decisions | Where applicable, receive information and request human intervention, make representations and contest a significant solely automated decision. |
Complain | Make a data-protection complaint to us and lodge a complaint with the Information Commissioner’s Office. |
14. How to exercise your rights
14.1 You may submit a rights request through secure online live chat, dpo@cex.io, support@cex.io or by post using the details in section 2. You do not need to use a specific form, quote a legal provision or call the request a subject access request. If you contact us through another channel, we will take reasonable steps to recognise and route a request that concerns your data protection rights.
14.2 Please describe what you want us to do and, where relevant, the Account, date range, transaction or communication concerned. A focused request helps us respond efficiently, but we will not require information that is not reasonably necessary.
14.3 We may ask for information needed to verify your identity, authority and Account ownership. This protects you and other individuals. Where possible, we use existing Account authentication rather than collecting additional identity documents. We may ask an authorised representative to provide evidence of authority and may confirm instructions with you directly.
14.4 We normally respond within one month of receiving your request or, where we reasonably require information to verify your identity, from when we receive that information. If the request is complex or you make several requests, we may extend the period by up to two further months and will explain the extension within the first month. If a request is unclear, we may seek clarification, and the response period may be paused as permitted by law. We carry out reasonable and proportionate searches.
14.5 Rights are usually free of charge. We may charge a reasonable fee or refuse to act where the law permits because a request is manifestly unfounded or excessive, including because it is repetitive. We will explain any refusal and the available complaint rights.
14.6 Some rights may be limited where necessary to comply with anti-money laundering, sanctions, tax, security, legal claims or regulatory requirements; protect the rights of another person; preserve confidential risk controls; or avoid prejudicing the prevention or detection of crime. We apply exemptions case by case and disclose as much as the law permits.
15. Data protection complaints
15.1 You may complain if you believe we have used personal data unfairly, failed to respect a right, disclosed information improperly, retained it too long, failed to keep it secure or otherwise breached data protection law. You may make a complaint through any of the channels in section 2. We will also recognise and route a data protection complaint received through another CEX.IO channel. You do not need to use a particular form, refer to a legal provision or use legal language.
15.2 If you complain through social media, we will take reasonable steps to recognise and route the complaint but may ask you to continue through a private or authenticated channel before discussing personal or Account information.
15.3 We will:
- acknowledge receipt within 30 days;
- take appropriate steps without undue delay to investigate the complaint fairly and accurately;
- ask for clarification or evidence only where reasonably necessary;
- keep you informed about progress where the investigation is not promptly completed; and
- tell you about the outcome without undue delay, including the reasons and any action taken or proposed.
15.4 You may complain to the Information Commissioner’s Office at any time. Information about how to make a complaint, together with the ICO’s current contact details, is available at ico.org.uk/make-a-complaint/data-protection-complaints/. We would welcome the opportunity to address your concern first, but you do not have to wait for our process to finish before contacting the ICO.
15.5 This section concerns data protection complaints. Service, transaction, and contractual complaints are handled under the relevant provisions in the Terms of Use. A complaint may involve both processes, and we may coordinate them while keeping the applicable legal routes distinct.
16. Marketing, advertising and social media
16.1 We may send service, security, legal, regulatory, Transaction and Account communications where necessary. These are not marketing and may continue after you opt out of promotional messages.
16.2 We send electronic marketing only where permitted by PECR, data-protection law and applicable FCA financial-promotion rules. We may rely on your consent or, where legally available, the existing-customer exception and our legitimate interests in informing customers about similar CEX.IO products and services. You can opt out at any time through the unsubscribe link, Account preferences, live chat or dpo@cex.io.
16.3 With consent where required, we may use cookies, mobile advertising identifiers and hashed contact data to measure campaigns, create audiences or show relevant advertising through providers such as search engines, social networks and advertising platforms. The current providers and controls are available through Consent Preferences. These providers may act as independent controllers for their own purposes.
16.4 When you interact with an official CEX.IO social-media page, the platform provider processes information under its own privacy notice. We may receive comments, messages, engagement statistics and audience insights. Do not use social media for passwords, security codes, private keys or detailed Account information.
16.5 We keep suppression information after an opt-out so that we can respect your choice. Opting out of marketing does not affect legal, security, service or administrative messages.
17. Cookies and similar technologies
We use cookies, local storage, SDKs, pixels, tags, scripts and similar technologies on the Site, Platform, mobile application and communications. Some are Necessary for security, authentication, fraud prevention, consent management and requested functionality. Functional, Analytics and Advertisement technologies are optional and are used only in accordance with your choices in Consent Preferences and applicable law. Consent Preferences is displayed when you first visit the Site and remains available through the “Consent Preferences” link or icon on the left-hand side of the Site footer. The Cookie Policy and Consent Preferences explain the current technologies, categories, providers, purposes and durations and allow you to update your choices.
18. Children
The Services are not intended for anyone under 18 and minors are not eligible to open an Account. We do not knowingly provide the Services to children. If you believe a child has provided personal data or an Account is being used by a minor, contact us promptly at dpo@cex.io. We will investigate and take appropriate action, subject to legal record-keeping and safeguarding obligations.
19. Third-party websites and services
The Site, Platform and communications may link to or integrate third-party websites, applications, wallets, payment pages or services that we do not control. The third party’s privacy notice applies to its processing. Review that notice before providing personal data. A link or integration does not mean that we accept responsibility for the third party’s privacy or security practices.
20. Changes to this Policy
We may update this Policy to reflect changes in law, regulation, guidance, the Services, technology or our processing. We will update the “Last updated” date and, where a change is material, provide an appropriate notice through the Site, Platform, Account, email or another official channel. Where consent is required for a new purpose, we will request it separately.
Controller: CEX.IO Markets UK LTD, company number 15140258, registered office at 78-79 Pall Mall, London, England, SW1Y 5ES.
Data Protection Officer: dpo@cex.io