Privacy Policy

Principles of processing user personal data at Ecash Expert: purposes of use, sharing with third parties, retention periods, and data subject rights.

Policy v.2026 · GDPR-friendly · AML / KYC

This Privacy Policy defines how Ecash Expert (the "Service") collects, processes, stores and protects users' personal data.

By using the Service, the user confirms that they have read and accepted this Policy. If you do not agree with any of its provisions, please discontinue use of the Service.

The Policy has been developed taking into account the requirements of the EU General Data Protection Regulation (GDPR), Ukrainian personal data protection law, and international AML / CTF standards.

Ecash Expert follows the principles of data minimisation, transparency and confidentiality. We process only the personal data that is necessary to provide exchange services and comply with AML / KYC requirements.

1. General provisions

The personal data controller is the Ecash Expert service. Contact details for data-related enquiries are provided in section 12 of this Policy.

This Policy applies to all visitors of the website, registered users and clients of the Service, regardless of whether they have completed any transactions.

The Policy governs the processing of personal data carried out by the Service directly or with the involvement of third parties acting as data processors.

The Service processes the minimum amount of personal data necessary to provide exchange services and meet AML / KYC obligations.

2. What data we collect

The categories of personal data collected depend on the purpose of processing and the type of service. We may collect and process the following categories of data:

  • identification data — full name, date of birth, citizenship, ID document series and number (for KYC verification);
  • contact data — email address, Telegram username, phone number (optional);
  • financial data — bank card / account details, cryptocurrency addresses and wallets, transaction hashes, amounts, currencies;
  • technical data — IP address, device identifier, browser type, operating system, referrer, visit parameters;
  • AML data — Risk Score results, blockchain analytics, Source of Funds information, data received from AML / KYT providers;
  • KYC documents — photo or scan of an identity document, selfie with the document, proof of address (if required);
  • other information voluntarily provided by the user when contacting support or filling in Service forms.

3. Purposes and legal grounds for processing

Personal data is processed for the following purposes and on the following legal grounds:

  • provision of exchange services and performance of the user agreement — Article 6(1)(b) GDPR;
  • compliance with legal requirements, including AML / CTF and sanctions law — Article 6(1)(c) GDPR;
  • protection of the Service's legitimate interests, including fraud prevention, system security, protection of rights and property — Article 6(1)(f) GDPR;
  • user consent — for marketing communications, bonus programmes, analytics, use of optional cookies — Article 6(1)(a) GDPR;
  • protection of vital interests of the user or third parties — in exceptional cases, Article 6(1)(d) GDPR.

4. Cookies and analytics

The Service uses cookies and similar technologies to enable the website to operate, maintain user sessions, prevent fraud and collect anonymised statistics.

Types of cookies in use:

  • strictly necessary (technical) — required for site operation, authentication, form protection, language and theme selection;
  • analytics — anonymised visit statistics (e.g. Google Analytics);
  • functional — saving interface settings and user preferences;
  • marketing — only with explicit user consent.

The user can manage cookies through their browser settings. Disabling necessary cookies may limit the functionality of the Service.

The Service does not use third-party cookies for advertising targeting without explicit user consent.

5. Sharing data with third parties

The Service does not sell or share personal data with third parties for marketing or other commercial purposes. Data may be shared only in the following cases:

  • AML / KYT providers (including but not limited to Chainalysis, Crystal and similar blockchain analytics services) — for verifying the source of funds;
  • infrastructure partners (including GetBlock, hosting / email / SMS / database providers) — to the extent necessary to provide services;
  • payment processors and partner banks — when carrying out payouts to bank details;
  • competent authorities, regulators and law-enforcement bodies — on the basis of a lawful request or to comply with AML / CTF and sanctions law;
  • legal, audit and tax consultants — under confidentiality obligations.

All engaged third parties are required to provide a level of data protection no lower than that set out in this Policy and applicable law.

6. Retention and processing periods

Personal data retention periods are determined by the purpose of processing and statutory requirements:

  • data on completed transactions and related AML materials — at least 5 years from the completion of the transaction, in accordance with AML / CTF requirements;
  • KYC documents and user records — 5 years from the end of the business relationship;
  • technical logs and cookies — up to 12 months;
  • support enquiries — up to 3 years from the date the case was closed;
  • marketing consents — until the user withdraws consent.

After the established periods, data is deleted or anonymised in a manner that prevents its recovery.

7. Data protection and security

The Service applies organisational and technical measures to protect personal data against unauthorised access, modification, disclosure or destruction:

  • encryption of data in transit using HTTPS / TLS;
  • storage of passwords in hashed form using strong algorithms (bcrypt / argon2);
  • two-factor authentication (2FA) for the user's account;
  • access to data restricted under the principle of least privilege;
  • regular security audits and infrastructure updates;
  • encrypted backups;
  • monitoring of suspicious activity and security incident response.

The Service never asks users for passwords, seed phrases, private keys or 2FA codes. Any such requests are fraudulent.

8. User rights

Under applicable law, including GDPR, the user has the following rights in relation to their personal data:

  • right of access — to obtain confirmation of processing and a copy of the data;
  • right to rectification — to request correction of inaccurate or incomplete data;
  • right to erasure (right to be forgotten) — to request deletion when processing is no longer required;
  • right to restriction of processing in certain cases;
  • right to object to processing based on legitimate interests or for marketing purposes;
  • right to data portability — to receive a copy in a machine-readable format;
  • right to withdraw consent — at any time, without giving reasons;
  • right to lodge a complaint with a data protection supervisory authority.

Requests should be sent to [email protected] or via the contact form. The Service will respond within 30 calendar days.

Some data cannot be deleted before the mandatory retention period established by AML / CTF and tax law expires.

9. International data transfers

Some of the infrastructure and analytics providers engaged by the Service may be located outside the European Economic Area and Ukraine.

Personal data is transferred to such jurisdictions only where appropriate safeguards are in place, including Standard Contractual Clauses, European Commission adequacy decisions, or other legal grounds under applicable law.

10. Minors

The Service is not intended for persons under 18 and does not provide services to minors.

We do not knowingly collect personal data of persons under 18. If we become aware of such data, it will be deleted promptly.

If you are a parent or legal guardian and believe a minor has provided personal data to the Service, please contact us — we will delete it promptly.

11. Policy updates

The Service may amend and supplement this Policy at its discretion. The current version is always available at /privacy-policy and in the website footer.

Material changes are published with the effective date. The Service may also send an additional notice to the email address provided at registration.

Continued use of the Service after publication of an updated Policy constitutes user agreement to its new provisions.

12. Contacts

For matters relating to the processing of personal data and exercising rights granted by applicable law, please contact:

Last updated: 2026