Last update: 27th of October 2023
CEX.IO (hereinafter, "CEX.IO", "we", "us" or "our") is committed to protecting and respecting the privacy of our Users (hereinafter, "User(s)", "you", "customer").
If you are a California resident, you can learn more about how we use your information and your privacy rights by reviewing our California Privacy Notice.
- Interpretation and Definitions
- Who we are
- Collecting and Using Your Personal Information
- Your rights in relation to your Personal Data
- Exercising of your Data Protection Rights
- Retention of Personal Information
- Disposal of Personal Information
- Tracking technologies and Cookies
- Disclosure of Personal Information
- International Data Transfers
- Third-Party Sites and Resources Disclaimer
- Marketing Data Processing, Advertising and Social Media Fan Pages
- Security of Your Personal Data
- Security measures for processing payment card details
- Fraud, Phishing and Email Scams Disclaimer
- Contact us
1. Interpretation and Definitions
1.1. Interpretation The words of which the initial letter is capitalised have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.
- Account: means an account registered by the User on the Platform.
- CEX.IO affiliates: subsidiaries, parent companies, and companies under common control.
- Personal Information (Personal Data): any information which identifies you personally or which may help us to identify you (e.g. your name, address, e-mail address, trades etc.).
- Data Subject: an identified or identifiable person (User/you/customer).
- Data Controller: for the purposes of the applicable laws in the EU and UK, controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data Processor: a company which processes personal data on behalf and upon instructions of the Data Controller.
- Our Site: websites with the following domains such as CEX.IO - our Platform used for providing our services to you and any other CEX.IO domains that is used for the purposes of informing our Users on our promotional, marketing campaigns and special offers; or any other related websites that may be created by CEX.IO in future.
- Personal Data processing: any operation or set of operations performed on personal data (e.g., collection, storage, use, disclosure erasure).
- Device means any device that can access the CEX.IO’s Site such as a computer, a mobile phone or tablet.
2. Who We Are
Established in 2013 as the first cloud mining provider, CEX.IO has become a multi-functional cryptocurrency exchange, trusted by over 6 million users.
CEX.IO offers cross-platform trading via website, mobile app, WebSocket and REST API, providing access to high liquidity order book for top currency pairs on the market. Instant cryptocurrency buying and selling is available via a simplified bundle interface.
The exchange has developed a multi-level account system with an individual approach to each customer, from crypto beginners to institutional traders. Worldwide coverage in permissible jurisdictions, multiple payment options, and 24/7 support are accompanied by time-proven platform stability that focuses on the safety of assets and data.
3. Collecting and Using Your Personal Information
3.2. The types of Personal Information which we collect may include:
- your name
- your photographic identification
- details from your identity documents (such as driver licence, passport), number of the document, date of issue/expiration, photographic identification, etc.
- your address, phone number, cell number, email
- app, browser and device information - we may collect various types of information about your use of our app or website, including your device's Internet Protocol address (e.g. IP address); browsing behaviour and preferences, such as the pages you visit and time spent on them; login credentials; browser type and version; and other diagnostic data. We may also collect information about your mobile device, such as its type, operating system, and unique identifiers
- bank details including account numbers, payment cards and statements
- your date of birth
- your personal code
- your employment details
- your trades
- information on sources of your funds, and
- video footage identifying you.
3.3. Use of your Personal Data
3.3.1. We will process your Personal Information only for the purpose(s) of providing the service(s) to you, to satisfy the legal and regulatory obligations that arise from providing you the service(s) and our legitimate interest.
3.3.2. Based on our obligations and legitimate interest, we may request other documents for identity verification and sources of funds.
3.3.3. We may use your Personal Information for the following purposes:
- To provide and maintain our services, including to allow you to open and operate an Account and monitor the usage of services.
- To manage your Account: to manage your registration as a user of the service(s). The Personal Data you provide can give you access to different functionalities of the Service that are available to you as a registered user, i.e., to enable you to complete transactions on the Platform.
- For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items, or services you have purchased or of any other contract with us.
- To contact you: we may contact you by email, telephone, SMS, or other equivalent forms of electronic communication, such as push notifications from our mobile app. We may use these methods to provide you with updates, informative communications related to the functionalities of our products or contracted services, including security updates when necessary or reasonable for their implementation, and to reply to your queries.
- To provide you with news, special offers and general information about other goods, services, and events which we offer that are similar to those that you have already purchased or enquired about unless you have opted not to receive such information.
- To manage your requests: to attend and manage your requests to us.
- To ensure security of your Account (for instance, if you make a request to disable 2-factor authentication on your account we can ask you to provide additional Personal Information to confirm your identity).
- To comply with legal obligation purposes such as tax reporting, fraud prevention, our reporting obligations etc.
- To provide you with information about products and promotions that may be of interest to you, from ourselves and third parties, although only if you have specifically agreed to receive such information.
- For market research e.g., surveying Users' needs and opinions on issues, such as performance. Unless consented, your data for this purpose would be anonymised.
- For business transfers: we may use your Personal information to evaluate or conduct a merger, divestiture, restructuring, reorganisation, dissolution, or other sale or transfer of some or all our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by us about our services users is among the assets transferred.
- For other purposes: We may use your Personal Information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our service(s), products, services, marketing, and your experience.
3.4. Children's personal data Minors are not permitted to use CEX.IO. If you are a parent or guardian and believe that CEX.IO has information of a child under the age of 18 please contact us immediately at email@example.com so we remove any such information from our database.
4. Your rights in relation to your personal data
4.2. Right to access: you have the right to access your Personal Information and request details about processing activities that we undertake with your data. You can do this by sending an email to us at firstname.lastname@example.org or where possible, you can do these actions in your account profile page yourself. Upon your written request we will also give you a copy of the Personal Information we have retained. There may be a minimal charge for providing you additional copies of your Personal Information to cover administrative costs.
4.3. Right to Rectification: you may request us to rectify or update any of your personal information held by CEX.IO that is incomplete or inaccurate by sending an email at email@example.com or where possible - do it in your account profile page yourself.
4.4. Right to Erasure: you have the right to request the erasure of both the Account and Personal Information by sending an email to us at: firstname.lastname@example.org. CEX.IO will action your request, unless we have a legal or regulatory obligation or overriding legitimate interest to store your Personal Information (for instance, in cases you have performed transactions).
4.5. Right to object or to restrict processing - you have the right to restrict and object to the processing of your personal data in certain circumstances, such as where the processing is carried out for direct marketing purposes. To do so, please send an email to us at email@example.com or where possible do it yourself, f. e. unsubscribe from our marketing emails by clicking on the “Unsubscribe” link provided in each of our marketing messages.
4.6. Right to data portability - you may also ask us to transfer your Personal Information to another controller of your choice.
4.7. Identity Verification - to ensure the confidentiality, integrity, and availability of your information, we may request you to confirm your identity by providing identification documentation and/or other methods prior to assisting you in exercising any of your rights. If you refuse to prove your identity, we may decline to take actions in respect of your data, save restricting processing, until we can ensure that such actions are the true wish of the data subject.
4.8. Automated Decision-Making and Profiling. In the carrying out of our services we may use automated processing and profiling to reduce the risks of fraud, money laundering and abuse of our services. Through this automated processing, we carry out an analysis of your identification, transactional and behavioural patterns. We may not be able to provide you with some or all our services if you do not wish this automated processing to be carried out. If you feel that this processing might be detrimental to you, please contact us on firstname.lastname@example.org, and our compliance officer will review your application.
4.9. Timeframe for Response: if you make a request, we have one month to respond to you. If we are unable to respond within the month, we will inform you and provide an explanation for the delay.
4.10. Non-discrimination: we will not discriminate against you for exercising any of your rights over your personal information. Unless your personal information is required to provide you with a particular service or offer (for example providing user support), We will not deny you goods or services and/or charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties, or provide you with a different level or quality of goods or services.
4.11. No Fee usually required: you will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
5. Exercising of your Data Protection Rights
5.1. You may exercise your rights of access, rectification, cancellation, and opposition by contacting us. We may ask you to verify your identity before responding to requests.
5.3. You can check the list of the Data Protection Authorities in European Union countries, as well as in Iceland, Norway and Liechtenstein on this website.
5.4. In the UK, the Information Commissioner’s Office www.ico.org.uk.
6. Retention of Personal Information
6.1. Your information is held within our servers located within the European Union. Access to this information is provided to staff of CEX.IO whose office may also be outside of the European Union but who adhere to the same principles of data security and processes as those within the European Union (please see the Section on International data transfers for more details).
6.2. Your payment method information to effect or receive payments from CEX.IO are passed on to third-party payment processor(s) based in the EU and with which CEX.IO has a contractual agreement to safeguard your rights. Unless you create an account with us and conduct transactions, we do not retain your payment method information.
6.4. To comply with relevant regulatory bodies and laws requirements, we must adhere to different retention periods for Personal Information. In accordance with CEX.IO’s legal obligations, we will retain Personal Information for a period of five to eight years after our User closes their Account and terminates legal relationships with us, or for five to eight years from the end of the tax period in which the User conducts their last transaction.
6.5. Data stored for regulatory purposes will be protected from unnecessary processing and will be held only for the purpose of being able to provide information or access to relevant authorities.
6.6. As retention periods vary depending on the jurisdiction and may change from time to time, if you wish to obtain information on how long we store your data, please contact us.
7. Disposal of Personal Information
7.1. Once we do not have any obligation to provide you with a service you requested, nor an obligation to hold Personal Information for regulatory or legal purpose, we will anonymise or dispose of your Personal Information in line with acceptable industry and security standards so that this cannot be subsequently retrieved and associated with you.
7.2. Where we cannot directly remove such records, such as in archived backups, we will retain a log of which Personal Information should be removed if ever the backup data is restored.
8. Tracking Technologies and Cookies
8.1. IP Addresses We may collect information about your computer, including where available your IP address, operating system and browser type, for system administration and to report aggregate information to our advertisers. This is statistical data about our users' browsing actions and patterns and will not be used to identify any individual unless that same individual.
8.2. Web Beacons Certain sections of our service(s) and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the CEX.IO, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of a certain section and verifying system and server integrity).
8.3.1. We use a browser feature known as a "cookie", which assigns a unique identification to your computer. Cookies are typically stored on your computer's hard drive. Information collected from cookies is used by us to evaluate the effectiveness of our Sites, analyse trends, and administer the Platform. The information collected from cookies allows us to determine such things as which parts of our Sites are most visited and difficulties our visitors may experience in accessing our Sites. With this knowledge, we can improve the quality of your experience on the Platform by recognising and delivering more of the most desired features and information, as well as by resolving access difficulties.
8.3.3. We use third party service provider(s), to assist us in better understanding the use of our Sites. Our service provider(s) will place cookies on the hard drive of your computer and will receive information that we select that will educate us on such things as how visitors navigate around our Sites, what products are browsed, and general transaction information. Our service provider(s) analyses this information and provides us with aggregate reports. The information and analysis provided by our service provider(s) will be used to assist us in better understanding our visitors' interests in our Sites and how to better serve those interests. The information collected by our service provider(s) may be linked to and combined with information that we collect about you while you are using the Platform. Our service provider(s) is/are contractually restricted from using information they receive from our Sites other than to assist us.
8.3.4. You may control the cookies through your browser settings.
8.3.5. We use both session and persistent cookies for the purposes set out below: Necessary / Essential Cookies Type: Session Cookies Administered by us Purpose: these cookies are essential to provide you with services available through the Site and to enable you to use some of its features. They help to authenticate users and prevent fraudulent use of user accounts. Without these cookies, the services that you have asked for cannot be provided, and we only use these cookies to provide you with those services.
Tracking and Performance Cookies Type: Persistent Cookies Administered by third parties Purpose: these cookies are used to track information about traffic to the Site and how users use the Site. The information gathered via these cookies may directly or indirectly identify you as an individual visitor. This is because the information collected is typically linked to a pseudonymous identifier associated with the device you use to access the Site. We may also use these cookies to test new pages, features, or new functionality of the Site to see how our users react to them.
8.5. Do Not Track Some browsers have a “Do Not Track” feature that lets you tell websites that you do not want to have your online activities tracked. Currently, we do not respond to browser “Do Not Track” signals.
9. Disclosure of Personal Information
9.2. Business Transactions. We may make available the Personal Information that you provide to us for the limited purpose indicated for and during the provision of the service that you would have requested in particular to:
- our affiliates, agents, and representatives
- payment service providers and financial institutions
- customer communications platforms
- our contractors providing software for identity verification purposes
- our contractors who provide us information on sanctions lists from publicly accessible sources.
9.2.1. We may also share users’ Personal Information with financial institutions, insurance companies or other companies in the case of a merger, divestiture, or other corporate reorganisation and notify you of such sharing of your information to be able to exercise any of your rights where applicable.
9.3. Law Enforcement. We may be required to disclose your Personal Information under certain circumstances, such as we are obligated to do so due to valid requests from public authorities (e. g. law enforcement or regulatory agencies, court, etc.). In certain cases, we may not be able to inform you of such sharing of data due to legal restrictions.
9.4. Any third party which receives or has access to Personal Information shall be required by us to protect such Personal Information and to use it only to carry out the services they are performing for you or for CEX.IO, unless otherwise required or permitted by law. Such a third party, except for regulatory authorities, would be contractually bound to adhere to the same or higher level of security and confidentiality policies as CEX.IO, and assume at least the same level of responsibilities as CEX.IO.
9.5. The legitimate exercise of any of your rights with CEX.IO will also be notified to be applied by any such third parties having been given access to your Personal Information.
10. International Data Transfers
10.1. Our contractors and affiliates are situated in various countries, including countries located outside the European Union (EU), and we may need to transfer your personal data to third countries to provide our services to you. We strive to ensure an adequate level of protection for your personal data, regardless of where our contractors are located. Please note that we may transfer your Personal Information only in the following cases:
- If the country where we transfer your Personal Information provides the adequate level of personal data protection, as determined by the European Commission. You can view a list of such countries by clicking here.
- If we take appropriate safeguards to ensure that your rights as a data subject are protected.
- If any derogations for specific situations apply, such as if the transfer is necessary for the establishment, exercise, or defence of legal claims or for an important reason of public interest.
11. Third-Party Sites and Resources Disclaimer
11.2. We want to make it clear that we have no control over these third-party sites, or any content contained therein. Therefore, we cannot accept any responsibility or liability for any of those third-party sites, including but not limited to their content, policies, promotions, products, services, actions and any damages, losses, failures, or problems caused by, related to, or arising from those sites. We strongly advise you to review all policies, rules, terms, and regulations, including the privacy policies, of any site that you visit.
12. Marketing Data Processing, Advertising and Social Media Fan Pages
12.1. We may use your Personal Information for marketing purposes if you provide your consent during registration or post-registration by checking marketing preferences boxes in your account profile page. Additionally, we may notify existing Users about our products or services that are similar to those we have already provided based on our legitimate interest.
12.2. You have the right to withdraw your consent for us to process your Personal Information for marketing purposes. To exercise this right, you can uncheck the marketing preferences boxes in your account profile or contact us at email@example.com.
12.3. We maintain a strong presence on various social media platforms to stay connected with our customers and keep them updated on our latest developments. Our social fan pages include Twitter, LinkedIn, Facebook, Telegram, Instagram, YouTube, Reddit, Pinterest, and TikTok.
12.3.1. Here is the list of our social pages:
12.3.2. Please verify that you are on the correct website, to do it you can use the links provided above to access these pages directly.
12.6. Please note that any content posted by users on our social media pages is subject to the respective social media platform's terms of service and community guidelines. We reserve the right to moderate or remove any content that violates these guidelines or our company policies.
12.7. We collaborate with third-party entities as specified below to help us display advertisements on external websites and assess the effectiveness of our advertising campaigns. These third parties have the ability to show you relevant ads for products and services that align with your interests, based on your visits to our Sites as well as other websites. Please note that these third parties follow their own privacy policies, which are distinct from ours. However, as a rule such third parties grant data privacy standards no less than we do.
For the marketing and analytics purposes, we may share your Personal Information including Hashed Data, along with other general or non-personally identifiable data, with the following counterparties:
- AdRoll (including NextRoll)
- Google and its affiliates (including Firebase)
- META and its affiliates
- Wheel of Popups
If you wish to opt out of various third-party ad networks, including those operated by the Network Advertising Initiative (NAI) and the European Interactive Digital Advertising Alliance (EDAA), you can find more details on interest-based advertising and how to opt out on their respective websites: www.youronlinechoices.com/uk/your-ad-choices (EDAA) and optout.networkadvertising.org (NAI). By opting out of one or more NAI or EDAA member networks (many of which overlap), you will no longer receive targeted content or ads from those members. However, this does not mean that you will stop receiving all ads on our Sites or other websites. You may still receive advertisements based on the particular website you are currently visiting. Additionally, please note that if your browser settings reject cookies, if you delete your cookies, or if you switch to a different computer or web browser, your NAI or EDAA opt-out may no longer remain effective.
13. Security of Your Personal Data
13.1. We have implemented technical and organisational security measures to ensure the confidentiality, integrity, availability, and accountability of your Personal Information and to protect your Personal Information from loss, misuse, unauthorised alteration or destruction. Such measures include:
- the pseudonymisation and TLS 1.2-1.3 encryption of personal data
- 2-factor authentication
- the access control
- processes to ensure the ongoing confidentiality, integrity, availability of our processing systems and services
- reliable backups to restore access to personal data in a timely manner in the event of a physical or technical incident.
13.2. Only authorised personnel of CEX.IO have access to your Personal Information, and these personnel are required to treat the information as confidential.
13.3. Where you have consented to or we are obliged to pass on Personal Information to third parties to provide you with a requested service or in the carrying out of a regulatory or legal obligation, we will request that the high levels of technical and organisational security measures be applied through contractual arrangements, where possible.
13.4. We conduct testing, assessment, and evaluation of our technical and organisational measures effectiveness on a regular basis. Technical and organisational security measures in place, from time to time, are reviewed in line with legal and technical developments.
13.5. In the event of incidents, personal data leakage or the failure of the security measures to protect such information we will notify you without undue delay.
14. Security measure for processing payment card details
14.1. CEX.IO is fully compliant with PCI DSS (Level 1 Service Provider). PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designated for merchants, financial institutions, and payment service providers to ensure the safety of cardholders' data. You can check our Certificate of compliance here.
14.2. Please note that our trusted payment service providers are PCI DSS compliant as well.
15. Fraud, Phishing and Email Scams Disclaimer
15.1. Please note that CEX.IO is not in any partnership with any individuals or organisations who represent themselves as customer support agents and offer customer support services through phone and/or social media channels for a fee. Please be aware that customer support is provided only through the CEX.IO website and is always free of charge.
15.2. If you believe that you have been a victim of fraud, phishing, or any scam that impersonates CEX.IO, please contact us immediately through the live chat available on our website.
16.2. If we consider that your rights may be affected by any such changes, we will request you to confirm your consideration and acceptance prior to continuing our relationship with you.
17. Contact us
17.2. You may also wish to check our Help Centre on support.cex.io/en for frequently asked questions where a solution may easily be found ready for you.