XREX Privacy and Cookies Policy

Last Updated: January 11, 2024

Capitalised terms not defined herein shall have the meanings ascribed to them under the General Terms and Conditions.

We are committed to protecting your privacy and safeguarding your personal data. The purpose of this XREX privacy policy (the “Privacy Policy”) is to inform you about our privacy practices, including how we collect, use, and disclose your personal data. This Privacy Policy applies to personal data in our possession or under our control, including personal data in the possession of organisations which we have engaged to collect, use, disclose, or process personal data for our purposes of operating, and your use of the XREX Service. If any policies or practices of this Privacy Policy are not agreed to, please do not visit, access, or use the XREX Service.

By using the XREX Service, you consent to XREX collecting, using, and disclosing and processing your personal data in the manner set forth in this Privacy Policy:

1. General information

In this section, we provide you with general information about the entity that is responsible for your personal data, this Privacy Policy, and the XREX Service.

1.1 Important terms

In this Privacy Policy, you will encounter recurrent terms. For your convenience, we would like to explain what such terms mean, as stated in this Privacy Policy:

“Consent” means a freely given, specific, informed, and unambiguous agreement to the processing of personal data, including deemed consent;

“Data controller” means the entity that determines the purposes and means of the processing of personal data;

“Data processor” means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller;

“Personal Data Protection Act 2012” and “PDPA” means the Personal Data Protection Act of Singapore, and all subsidiary legislation, regulations, and guidelines promulgated thereunder, and as time to time amended;

“Personal Data” means any information relating to a natural person who can be identified, (a) from that information; or (b) from that data and other information to which we have or are likely to have access. Depending on the nature of your interaction with us, some examples of personal data which we may collect from you include your name, residential address, email address, and IP address;

“Processing” means the use of personal data in any manner, including, but not limited to, collection, storage, erasure, transfer, and disclosure of personal data; and

“You” and “your” means a natural person or a business entity that accesses and uses the XREX Service.

1.2 Owner and data controller

The XREX Service is owned and operated by XREX Pte. Ltd. with its operation office at 7 Straits View #05-01 Marina One East Tower Singapore 018936. XREX acts as a data controller with regard to all personal data collected through the XREX Service.

1.3 Children

The XREX Service is not intended for children under the age of 18 or equivalent minimum age in the relevant jurisdiction. Therefore, we do not knowingly collect the personal data of persons under the age of 18.

1.4 Cookies Policy

We employ two cookie types on the XREX Service:

Details of Cookies Employed

ReCAPTCHA v3:

token:

lan:

Cookie Consent

Upon your first XREX Service visit, we may seek your consent for cookie usage, especially if accessing from the EU. Without consent, only essential technical cookies will be used. However, this might affect your user experience.

Disabling Cookies

You can decline our cookies anytime via your browser/device settings. However, some platform parts might not work correctly without them. For cookie management, please use the applicable link below:

Do Not Track (DNT)

DNT is a browser feature preventing online monitoring. Although we don't currently support DNT, you can check third-party service provider policies to determine their DNT adherence.

1.5 Applicability of the Privacy Policy

This Privacy Policy applies to the XREX Service only, it does not apply to any third-party applications or software that integrate with the XREX Service or any other third-party products, services, or businesses.

1.6 Changes to the Privacy Policy

Your privacy matters to us so whether you are new to the XREX Service or a long-time user, please take the time to get to know and familiarize yourself with our policies and practices. Feel free to print and keep a copy of this Privacy Policy, but please understand that we reserve the right to change any of our policies and practices at any time, by posting the changes on the Website. You can always find the latest version of this Privacy Policy with the effective date here on this page. Your continued use of the XREX Service constitutes your acknowledgement and acceptance of such changes.

1.7 How we collect your personal data

Before you submit any personal data through XREX Service, you must read and agree to this Privacy Policy.

We generally collect your personal data in the following ways:

Where is it necessary to collect, use, disclose or process your personal data for purposes to which you have not already consented to and been notified of, we shall seek your prior further consent to the same (except where permitted or authorised by law).

2. Types and purposes of personal data collected

We collect only a minimal amount of personal data that is necessary for ensuring your proper use of the XREX Service. We use your personal data for specified and limited purposes. In this section, we explain what personal data we collect from you, for what purposes we use that data, and on what lawful bases we rely when processing personal data.

2.1 Types of personal data.

We comply with data minimization principles. Thus, we collect only a minimal amount of personal data that is necessary for your use of the XREX Service. Your personal data can be collected directly from you when you provide it to us (e.g., when you sign up to use the XREX Service or contact us) or by automated means (e.g., when you browse the Website or make a transaction). The list of the types of personal data that we collect from you is provided below.

2.2 Purposes of personal data processing.

We process your personal data only for specified and legitimate purposes explicitly mentioned in this Privacy Policy. In short, we will use personal data only for the purposes of enabling you to use the XREX Service, providing you with the requested services, complying with our legal obligations (e.g., anti-money-laundering laws and regulations), maintaining and improving the XREX Service, conducting research about our business activities, and replying to your inquiries. We will not use your personal data for any purposes that are different from the purposes for which your personal data was provided.

2.3 Overview of types and purposes of collecting and processing your personal data

Below provided is a detailed description of the types of personal data that we collect, use and disclose, the purposes for which we may do so, and the legal bases on which we rely in doing so.

When you sign up to receive notifications about the XREX Service, we may collect your:

In order:

Legally based on:

When you sign up to use the XREX Service, we may collect your:

In order:

Legally based on:

When you upgrade your user account for transactions, we may collect your:

In order:

Legally based on:

When you make a transaction, we may collect your:

In order:

Legally based on:

When you contact us by email or via live chat, we may collect your:

In order:

Legally based on:

When you make a deposit or withdrawal, we may collect your:

In order:

Legally based on:

When you make a cryptocurrency deposit or withdrawal, we may collect your:

In order:

Legally based on:

When you use the XREX Service, we may collect your:

In order:

Legally based on:

Please note that we may transmit your personal data to any third parties including our third party service providers, data processors (including but not limited to those identified in Clause 3.2 below), agents, and relevant governmental and/or regulatory authorities, whether in Singapore or abroad, for any of the abovementioned purposes in this Paragraph 2.3.

2.4 Failure to provide personal data

Unless specified otherwise, all personal data requested by XREX is mandatory and failure to provide this data may make it impossible for us to provide the XREX Service. In cases where we specifically state that your personal data is not mandatory, you are free to not communicate this data without consequence to the availability or the functioning of the XREX Services. Please note that your provision of non-mandatory personal data constitutes your consent to the collection, use, disclosure and processing of such personal data by us for the abovementioned purposes.

2.5 Additional data

From time to time, we may receive certain additional data if you request support, interact with our social media accounts, submit your feedback, or otherwise communicate with us. Please note that the provision of such data is optional and you may choose what personal data you would like to share with us. We kindly request you to exercise your due diligence when making your personal data publicly available. We will use such personal data to reply to you, provide you with the requested services, or for pursuing our legitimate business interests (i.e., to analyze and improve our business) in accordance with our obligations under the PDPA.

2.6 Sensitive data

We do not collect, under any circumstances, special categories of personal data (sensitive data) from you, such as your health information, opinion about your religious and political beliefs, racial origins, membership of a professional or trade association, or information about your sexual orientation, unless you decide to provide such sensitive data, at your own sole discretion.

2.7 Personal data published on the XREX Service

If you decide to publish information about yourself through the XREX Service (e.g., via your public user profile), you may decide to reveal certain information about yourself. Please keep in mind that such data will become available to other users of the XREX Service. Therefore, we request you to exercise your due diligence and not to disclose your personal data that is not necessary, extensive, or sensitive as such data can be used by third parties for unlawful purposes. Also, please note that you are not allowed to publish personal data pertaining to other persons if they have not provided you with their prior consent to disclose such data. We will take immediate steps to remove any information or user accounts from the XREX Service if we become aware that they contain personal data disclosed unlawfully.

2.8 Privacy of transactions

The XREX Service allow you to conduct transactions with other users of the XREX Service. We put reasonable efforts to ensure that any transaction-related data remains confidential and properly protected. Moreover, we do not intentionally and directly access, manage, correct, delete, share, or disclose transaction data, unless it is strictly necessary for the provision of the XREX Service or to fulfill any of the specific purposes mentioned in this Privacy Policy (or any other incidental business purposes related to or in connection with those purposes), enforcement of our legal terms, or we are requested by law to do so.

2.9 Location of processing

The personal data is processed at the operating offices of XREX located in Singapore and in any other places where the data processors appointed by XREX are located (please refer to the section “Disclosure and transfer or personal data” below for more information about the location of our data processors). The processing of personal data is carried out using computers and/or IT-enabled tools, following organizational procedures and modes strictly related to the purposes indicated in this Privacy Policy.

2.10 Our compliance with AML (Anti-Money Laundering) regulations

We have established internal standards in meeting regulatory obligations of relevant AML laws, regulations, and guidelines that are applicable to our business. These standards include various internal policies and procedures we are required to adhere to, e.g., XREX Financial Crime Compliance Policy, AML Policy, Sanctions Policy, ABC (Anti-Bribery & Corruption) Policy, Customer Due Diligence Policy, FATF Travel Rule, and Operation Procedures.

2.11 FATF Travel Rule

To ensure a more secure environment and prevent illicit activities abusing the blockchain and Virtual Asset channels or platforms, FATF has designed and announced the Travel Rule to all Virtual Asset Service Providers (“VASPs”), including XREX. According to the Travel Rule, every VASP shall exchange the sender and recipient data with the other VASPs during the process of conducting a Virtual Asset transaction. Therefore, while you make a cryptocurrency deposit or withdrawal, some of your personal information will be exchanged.

3. Disclosure and transfer of personal data

We may need to cooperate with external service providers and share some personal data with them. Also, to ensure the provision of the XREX Service, your personal data may be transferred outside the country where you reside. In this section, you can find information about the third parties that we may disclose your personal data to, the purposes of disclosure, instances when we make international data transfers, and what safeguards we implement to ensure that your personal data is properly protected.

3.1 Disclosure of personal data

In addition to XREX, in some cases, your personal data may be disclosed to third parties involved in the operation of the XREX Service (e.g. administration, sales, marketing, legal, system administration) or external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies, and communications agencies). Such third parties are appointed by XREX as its data processors. We do not sell your personal data to third parties. The disclosure of your personal data is limited to the situations when such data is required for the following purposes:

3.2 List of data processors

We will share your personal data only with the data processors with whom we have entered into legally enforceable obligations to ensure that personal data disclosed is provided a level of protection equivalent to that under the PDPA and other applicable data protection laws. The data processors that will have access to your personal data are included, but not limited to, the following:

Name: Amazon Web Services

Name: Sum and Substance Inc.

Name: HyperVerge Technologies Pvt Ltd.

Name: Intercom

Name: Sentry

3.3 International transfers of personal data

Depending on your location, we may need to transfer your personal data to a country other than your own for ensuring the proper provision of the XREX Service and other purposes of your personal data. For example, if you reside in the European Economic Area (EEA), we may need to transfer your personal data to jurisdictions outside the EEA. In case it is necessary to make such a transfer, we will make sure that each overseas recipient holds a specified certification (e.g., certification issued under the Asia Pacific Economic Cooperation Cross Border Privacy Rules) or such overseas recipient is bound by legally enforceable obligations to ensure that personal data disclosed is provided a level of protection comparable to that under the PDPA (e.g., a data processing agreement based pre-approved standard contractual clauses).

3.4 Disclosure of non-personal data

Your non-personal data may be disclosed to third parties for any purpose. For example, we may share it with prospects or partners for business or research purposes, for improving the XREX Service, responding to lawful requests from public authorities, or developing new products and services.

3.5 Legal requests

If requested by a public authority, we will disclose information about you to the extent necessary for pursuing a public interest objective, such as national security or law enforcement.

3.6 Successors

In case our business is sold partly or fully, we will provide your personal data to a purchaser or successor entity and request the successor to handle your personal data in line with the PDPA and this Privacy Policy.

4. Security of personal data

We make our best efforts to keep your personal data safe and secure. In this section, we inform you about our appropriate administrative, physical and technical measures that help us to protect your personal data.

4.1 Our security measures

XREX takes appropriate security measures to prevent unauthorized access, collection, disclosure, copying, modification, or unauthorized destruction of your personal data, or similar risks. The security measures taken by us include secured networks, SSL protocol, strong passwords, limited access to your personal data by our staff, and anonymization of personal data (when possible). In order to ensure the security of your personal data, we kindly ask you to use the XREX Service through a secure network only.

4.2 Handling security breaches

Although we put our best efforts to protect your personal data, given the nature of communications and information processing technology and the Internet, we cannot be liable for any unlawful destruction, loss, use, copying, modification, leakage, and falsification of your personal data caused by circumstances that are beyond our reasonable control. In case a serious breach occurs, we will take reasonable measures to mitigate the breach, as required by the Applicable Law. Our liability for any security breach will be limited to the highest extent permitted by the Applicable Law.

5. Non-personal data

When you use the XREX Service, we automatically collect some technical data about your device and visits. In this section, we inform you what non-personal data we collect from you and for what purposes we use that data.

5.1 Types of non-personal data.

When you use XREX Service, we automatically collect technical non-personal data for analytics purposes. Please note that de-identified personal data is also considered to be non-personal data. Although such non-personal data allows us to analyze your use of the XREX Service, it does not allow us to identify you. The non-personal data collected by us includes the following information:

Transaction data

When you make a transaction, we collect expected transaction volume, expected transaction frequency, details of transactions you make, such as trades, deposits, withdrawals, parties to send or receive transactions, relationships, and purpose of the transactions.

Usage data

When you access and use the XREX Service, we collect information about the time of your request, the method utilized by you to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server’s answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilized by you, the various time details per visit (e.g., the time spent on each page) and the details about the path followed within the XREX Service with special reference to the sequence of pages visited, and other parameters about the device operating system and/or your IT environment.

When you contact us, we keep records of any questions, complaints, recommendations, or compliments made by you and the response, if any. Where possible, we will de-identify your personal data.

5.2 Purposes of using non-personal data.

We will use non-personal data for the following purposes:

5.3 De-identified data.

In case your non-personal data is combined with certain elements of your personal data in a way that allows us to identify you, we will handle such aggregated data as personal data. If your personal data is de-identified in a way that it can no longer identify a natural person (whether by itself or in combination with any other data in our possession or control), it will not be considered personal data and we may use it for any business purpose.

6. Direct marketing

From time to time, you may receive promotional messages from us. In this section, we explain when you may receive notices from us and what you can do to decline such promotional messages.

6.1 Marketing messages

To keep you updated about XREX Service, we will send you direct marketing messages. You will receive such communication only if: We receive your express (“opt-in”) consent to receive direct marketing messages in relation to both the existing XREX Service provided to you and/or new services closely related to such XREX Service (please note that your voluntary subscription to our updates or newsletters substitutes such consent).

6.2 Opting-out.

You can opt out from receiving marketing messages at any time free of charge by clicking on the “unsubscribe” link contained in any of the messages sent to you, adjusting your account settings, or contacting us directly.

6.3 Informational notices and service updates.

If necessary, we will send you important informational notices, such as service-related, technical, or administrative emails, information about the XREX Service, your transactions, user account, privacy and security, and other administrative matters. Please note that we will send such notices on an “if-needed” basis and they do not fall within the scope of direct marketing communication that requires your prior consent.

7. Retention time

We retain your personal data only for a period necessary to carry out the purposes mentioned in this Privacy Policy or for our business purposes. In this section, we specify the time period for which we keep your personal and non-personal data in our systems.

For example:

Once the retention period specified above expires, your personal data shall be securely deleted from our systems. Therefore, the right to access, the right to erasure, the right to rectification, and the right to data portability cannot be enforced after the expiration of the retention period.

7.1 Retention as required by law

XREX may be obliged to retain your personal data for a longer period whenever required to do so for the performance of a legal obligation or upon order of an authority. For example, we may retain your personal data for as long as it is necessary to keep our accountancy records or for the time period stipulated by anti money-laundering laws and regulations.

7.2 Retention of non-personal data

We may retain non-personal data pertaining to you for as long as necessary for the purposes described in this Privacy Policy. This may include keeping non-personal data after you have deactivated your user account for the period of time needed for us to pursue legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes and enforce our agreements.

8. Your rights regarding your personal data

You have the right to control how we process your personal data. Below, we list the rights that you can exercise with regard to your personal data and explain how you can exercise those rights.

Subject to any exemptions provided by law, you can exercise the right to do the following:

You have the right to withdraw your consent at any time where you have previously given your consent to the processing of your personal data.

The consent that you provide for the collection, use, and disclosure of your personal data will remain valid until it is withdrawn by you in writing. You may withdraw consent and request us to stop collecting, using and/or disclosing your personal data for any or all of the purposes stated in this Privacy Policy.

Upon receipt of your written request to withdraw your consent, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of us acceding to the request, including any legal consequences which may affect your rights and liabilities to us.

Whilst we respect your decision to withdraw your consent, please note that depending on the nature and scope of your request, we may not be in a position to continue providing our services to you once such consent has been withdrawn.

You have the right to object to the processing of your personal data if the processing is carried out on a legal basis other than the performance of a contract with you or pursuing our legitimate business interests.

You have the right of access to:

If we are unable to provide you with such copy of personal data or such information requested, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under the PDPA).

How to exercise your rights

Any requests to exercise your rights can be directed to XREX by using the contact details specified at the end of this Privacy Policy. The requests can be exercised free of charge to you once per year and they will be addressed by XREX as early as possible and always within one month.

Launching a complaint

If you would like to launch a complaint about the way in which we handle your personal data, we kindly ask you to contact us first and express your concerns. After you contact us, we will investigate your complaint and provide you with our response as soon as possible. If you are not satisfied with the outcome of your complaint, you have the right to lodge a complaint with your local data protection authority.

Contact information

For any questions, comments, or requests about this Privacy Policy or your personal data, please contact our Data Protection Officer by using the contact details below.

​

……………..