ECASH EXPERT

Personal Data Processing and Protection Policy

This Personal Data Processing Policy (hereinafter — the “Policy”) defines the procedures for collection, processing, storage and protection of personal data of Ecash Expert users.

This Policy is developed in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR) principles and applies to all users regardless of jurisdiction.

1. Data Controller

Ecash Expert acts as the Data Controller for the purposes of exchange operations and AML / KYC / SoF compliance.

2. Categories of Personal Data

• Full name;
• Email address;
• IP address, browser and device data;
• Payment details;
• Cryptocurrency addresses and transaction data;
• KYC documents (passport, ID card, selfie with document);
• Proof of address;
• Source of funds documentation;
• Verification photos and videos;
• Communication with support.

3. Processing Principles

• lawfulness, fairness and transparency;
• purpose limitation;
• data minimization;
• accuracy;
• storage limitation;
• integrity and confidentiality.

4. Legal Basis for Processing

• User consent;
• Performance of a contract (exchange transaction);
• Legitimate interests in preventing financial crime;
• Compliance with AML / CTF legal obligations.

5. Purposes of Processing

• AML / KYC / SoF procedures;
• Execution of exchange operations;
• Fraud prevention;
• Regulatory compliance;
• Dispute resolution;
• Information security.

6. Data Retention Periods

• Transaction data — minimum 5 years from transaction completion;
• KYC documents — up to 5 years after termination of business relationship;
• AML reports — up to 5 years or longer if legally required;
• Technical logs — up to 12 months;
• Consent-based data — until consent withdrawal.

7. Data Transfers

• KYC/AML providers (including KYCaid);
• Blockchain infrastructure providers (including GetBlock);
• Government authorities upon lawful request;
• Monitoring services for dispute resolution.

8. International Data Transfers

Where personal data is transferred outside the user's country, appropriate safeguards are ensured in accordance with GDPR.

9. Security Measures

• SSL/TLS encryption;
• Encrypted data storage;
• Access restriction based on need-to-know principle;
• Two-factor authentication for administrative access;
• Access logging;
• Regular security audits.

10. Data Subject Rights

• Right of access;
• Right to rectification;
• Right to erasure (“right to be forgotten”);
• Right to restrict processing;
• Right to object;
• Right to data portability;
• Right to lodge a complaint with a supervisory authority.

Last updated: 2026