Privacy Policy

1. Introduction

This Privacy Policy explains how Crypocto (the website available at https://crypocto.com, together with all related subdomains and pages, the "Service") collects, uses, discloses and safeguards personal data when you interact with it. References to "we", "our" or "us" mean the legal entity responsible for the Crypocto brand (the "Company"). The Company's full legal name, registration details and registered office are set out in the Contact section or available on written request.

Crypocto provides a regulated crypto exchange and escrow service across the European Union and Ukraine — including fiat-to-crypto and crypto-to-fiat conversions (commonly referred to as a crypto on-ramp and off-ramp), and crypto-settled escrow for real-asset deals such as real estate, cars, watches, jewelry and art. Because these services involve regulated financial activity, parts of this policy address requirements specific to Know Your Customer (KYC), Anti-Money Laundering (AML) and EU data-protection law. The KYC and sanctions controls referenced throughout this policy are described in more detail in our AML Policy, while the contractual framework governing each deal is set out in our Terms of Service.

By using the Service, registering for an account or submitting a request through any Crypocto page, you acknowledge that you have read and understood this Privacy Policy and agree to be bound by it. If you do not agree, please do not use the Service.

2. Information we collect

We collect several categories of information to operate the Service, meet legal obligations and improve what we offer.

2.1 Personal information you provide

When you contact us, open a ticket, initiate a deal or complete our KYC process, we may collect:

• Full legal name and contact details (email address, phone number, messenger handle such as Telegram)
• Identity documents required for KYC/AML (passport, national ID, residence permit) and the data contained in them
• Proof of address (utility bill, bank statement or equivalent)
• Bank account details and IBANs used for the fiat leg of an exchange or escrow
• Cryptocurrency wallet addresses, transaction hashes and on-chain history relevant to the deal
• Information about the source of your funds or source of wealth, where legally required
• For corporate clients: company registration documents, UBO declarations and the personal data of directors and authorised signatories
• Any other information you voluntarily share in correspondence with your Crypocto manager

2.2 Information collected automatically

When you visit any Crypocto page, certain information is collected automatically by your browser and our infrastructure:

• IP address and approximate geolocation
• Browser type, version and language
• Device information, operating system and screen resolution
• Pages viewed, time spent on each page and referring URL
• Date and time of access, and diagnostic or crash information
• Cookies and similar tracking identifiers (see the Cookies & tracking section)

3. How we use your information

We use the information described above for the following purposes:

• Providing the Service: to process your crypto on-ramp or off-ramp exchange, run escrow for real-asset transactions, issue invoices and release settlements
• KYC & AML compliance: to verify your identity, screen against sanctions and politically-exposed-persons (PEP) lists, check source of funds and meet record-keeping obligations under applicable EU and national law
• Communication: to answer enquiries, keep you informed about the progress of a deal and send transactional updates (not marketing) through a dedicated personal manager
• Improvement and analytics: to understand how the Service is used and improve performance, content, security and user experience
• Security & fraud prevention: to detect, investigate and prevent unauthorised access, fraudulent activity and misuse of the Service
• Legal obligations: to comply with tax, accounting and other reporting duties, and to respond to lawful requests from public authorities

4. Legal basis for processing (GDPR)

Where the General Data Protection Regulation (GDPR) applies, we rely on the following legal bases to process your personal data:

• Performance of a contract: processing necessary to deliver the exchange, escrow or custody-related service you requested
• Legal obligation: processing required to meet EU and national KYC/AML, sanctions, tax and accounting obligations
• Legitimate interests: processing necessary for fraud prevention, network security, dispute management and the safe operation of the Service, provided your rights and freedoms do not override these interests
• Consent: for specific activities — such as non-essential cookies and analytics — we rely on your explicit, freely given and revocable consent

5. Data sharing and disclosure

Crypocto does not sell your personal data. We may share data only where necessary and with trusted recipients, subject to written confidentiality and data-processing agreements where required by law.

• Service partners: EU-licensed crypto-asset counterparties, banking partners, notaries and legal professionals that participate in settling an exchange or escrow deal
• KYC & AML providers: identity-verification, sanctions-screening and on-chain analytics vendors engaged to help us meet regulatory obligations
• Infrastructure providers: cloud hosting, email, backup and customer-support tools that process data strictly on our instructions
• Regulatory authorities: tax, financial supervision and law-enforcement bodies, where disclosure is required by law, court order or in response to a valid request
• Professional advisers: auditors, accountants and lawyers bound by professional confidentiality
• Corporate transactions: in the event of a restructuring, merger or transfer of the Crypocto business, data may be transferred to the acquiring party, with equivalent privacy commitments in place

We do not allow third parties to use your personal data for their own marketing or profiling purposes.

6. Data retention

We keep your personal data only for as long as necessary for the purposes described in this policy, plus any additional period required by law. Typical retention windows include:

• KYC/AML records: retained for a minimum of five (5) years after the end of our business relationship, in line with EU AML directives and applicable national law
• Transaction records and invoices: retained for the statutory accounting and tax period of the jurisdiction where the Company is established
• Communication records: retained for as long as needed to resolve enquiries, manage disputes and demonstrate compliance
• Website logs and analytics: retained for a limited technical window and then aggregated or deleted

When a retention period expires, we securely delete, anonymise or archive the relevant data in line with our data-protection procedures.

7. Your rights

Under the GDPR and comparable data-protection laws, you have the following rights in respect of your personal data:

• Right of access: obtain a copy of the personal data we hold about you and information on how it is processed
• Right to rectification: ask us to correct inaccurate or incomplete data
• Right to erasure ("right to be forgotten"): ask us to delete your data, subject to legal retention obligations (for example KYC/AML records)
• Right to restriction: ask us to temporarily limit the processing of your data in specific circumstances
• Right to data portability: receive your data in a structured, commonly used, machine-readable format, or ask us to transmit it to another controller
• Right to object: object to processing based on our legitimate interests
• Right to withdraw consent: withdraw any consent you have given (for example for non-essential cookies) at any time, without affecting the lawfulness of earlier processing
• Right to lodge a complaint: lodge a complaint with a competent data-protection authority in your EU/EEA country of residence

To exercise any of these rights, please write to us at support@crypocto.com or through the Contact page. We will respond within the statutory timeframe and may need to verify your identity before acting on your request.

8. Cookies & tracking

The Crypocto website uses cookies and similar technologies to make the site work, remember your preferences and measure its performance. Cookies fall into three broad categories:

• Strictly necessary cookies: required for the Service to function (for example session management and security). These are always active and cannot be disabled
• Preference cookies: remember choices such as language or display settings to personalise your experience
• Analytics and performance cookies: help us understand how visitors interact with the Service so we can improve it. These are only used where EU law requires consent with your explicit permission

You can accept, reject or manage non-essential cookies through your browser settings or, where available, through the on-page consent controls. Disabling certain cookies may affect how the Service displays or behaves on your device.

9. Analytics

We may use third-party analytics providers — for example Google Analytics — to help us understand how visitors use the Crypocto website. These providers set cookies and process limited technical data (such as truncated IP address, page path and session duration) to produce aggregated usage reports.

You can opt out of Google Analytics by installing the official Google Analytics opt-out browser add-on, which prevents the Google Analytics JavaScript from sharing information about your visit. More information on Google's privacy practices is available at policies.google.com/privacy.

We do not use analytics data to build individual profiles or to make automated decisions with legal or similarly significant effects.

10. Data security

Protecting your data is a priority. We implement technical and organisational measures designed to safeguard personal data against unauthorised access, alteration, disclosure or destruction. These measures include, among others:

• Encryption of data in transit (TLS) and encryption at rest for sensitive records
• Role-based access control on internal systems and strict need-to-know principles for staff
• Segregated infrastructure for KYC documents, with access limited to compliance personnel
• Regular security reviews, penetration testing and backup procedures
• Staff training on data-protection and information-security obligations

While we make every reasonable effort to protect your data, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, but we will notify you and the relevant authorities of any personal data breach in line with applicable law.

11. International data transfers

Your personal data is primarily processed within the European Economic Area (EEA) and, for Ukrainian deals, within Ukraine. Where it is necessary to transfer data to a country outside the EEA, we ensure that appropriate safeguards are in place, including:

• Transfers to countries covered by an adequacy decision of the European Commission
• Use of Standard Contractual Clauses (SCCs) approved by the European Commission
• Supplementary technical and contractual measures where required by applicable case law

You can request a copy of the safeguards applied to a specific transfer by contacting us.

12. Links to other websites

Crypocto pages may contain links to websites, applications or platforms that are not operated by us — for example banking providers, notary offices, dealer websites or blockchain explorers. We do not control and are not responsible for the privacy practices, content or security of those third parties. We encourage you to review the privacy policy of any site you visit through a link on Crypocto.

13. Minors

The Service is not directed at, and is not available to, individuals under the age of eighteen (18). We do not knowingly collect personal data from persons under 18. If we learn that we have collected personal data from a minor without verification of parental consent, we will take reasonable steps to delete that information from our systems. If you are a parent or legal guardian and believe that a minor has provided us with personal data, please contact us at support@crypocto.com.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to our Service, legal requirements or internal practices. When we do, we will update the "Last updated" date at the top of this page and, where changes are material, provide additional notice through the Service or by email. We encourage you to review this page periodically. Your continued use of the Service after an update becomes effective constitutes your acceptance of the revised Privacy Policy.

15. Contact

If you have any question, concern or request relating to this Privacy Policy or to the way your personal data is processed, you can reach us at:

• Email: support@crypocto.com
• Contact form: crypocto.com/contact
• Service operator: the legal entity responsible for the Crypocto brand — full legal name, registered office and regulatory details available on request

Where applicable, a dedicated Data Protection Officer (DPO) or privacy contact can be reached through the same channels. We aim to respond to privacy-related requests within the statutory time limits set by the GDPR.