Legal

Privacy Policy

Last updated: [LAST UPDATED]

This document is a template maintained by [ENTITY NAME] and is not legal advice. Placeholders in [BRACKETS] must be reviewed and completed with counsel in your operating jurisdiction before public launch.

1. Data controller

[ENTITY NAME], [ADDRESS], is the data controller for personal information processed via the Service. Contact: [PRIVACY EMAIL].

2. Information we collect

  • Account: email address, chosen display name, hashed password, Telegram user ID (if you connect the Mini App).
  • KYC: government-issued ID, selfie / liveness capture, address, date of birth, and screening results.
  • Trading: offers, trade history, chat messages, payment proof uploads, on-chain deposit addresses and transactions.
  • Technical: IP address, device and browser metadata, session and audit logs.

3. How we use it

  • Provide the Service, operate escrow, and settle trades.
  • Comply with AML/KYC, sanctions screening, and Travel Rule obligations.
  • Detect and prevent fraud, abuse, and security incidents.
  • Respond to lawful requests from regulators, law enforcement, and courts.

4. Third parties (subprocessors)

We share the minimum data needed with the following categories of processors:

  • Cloud hosting and database (managed Postgres, storage, realtime).
  • Blockchain data providers (e.g. public block explorers) for deposit and payout confirmation lookups.
  • Messaging (Telegram) for Mini App authentication and notifications, when you opt in.
  • [KYC VENDOR] for identity verification and screening.

5. Retention

We retain KYC and transaction records for the period required by applicable AML law (typically 5–7 years after account closure). Chat logs, dispute evidence, and audit logs are retained for the same period.

6. Your rights

Subject to local law (including GDPR/UK GDPR/CCPA where applicable), you may request access to, correction of, or deletion of your personal data, and object to or restrict certain processing. Contact [PRIVACY EMAIL]. Some records must be retained for regulatory reasons and cannot be deleted on request.

7. International transfers

Your data may be processed in jurisdictions other than your own. Where required, we rely on Standard Contractual Clauses or equivalent safeguards.

8. Security

We use TLS in transit, encryption at rest, role-based access control, and audit logging. No system is perfectly secure; report suspected incidents to [SECURITY EMAIL].

9. Cookies

We use strictly necessary cookies for authentication and session management. We do not sell personal information.