Last update: 27 October 2018
The privacy and security of your personal information is important to us. We implement the privacy concepts provided by the applicable laws and regulations including the General Data Protection Regulation (GDPR) to ensure that your Personal Data (as defined below) will be collected, processed, used and shared in the appropriate manner and in accordance with the purpose we set out as follows.
Personal data we collect
This Policy covers our collection, processing and treatment of the Personal Data on four (4) main categories:
- account registration;
- visiting and interacting with our Services;
- trading or transaction executing on our Exchange; and
- the Company’s marketing communication.
1.1 Account registration
Data we collect: We need to identify all users using and transacting on our Exchange. In order to do so, we proceed with know your customer procedures by strictly complying with the laws and regulations (related to anti-money laundering, terrorist financing, proliferation of weapons of mass destruction financing and other financial crimes) and our KYC/CDD policy. Therefore, all users must provide us with the following Personal Data before accessing and using our Services:
- full name;
- ID card or passport;
- address (both registered address and current address) with proof of address;
- email address;
- date of birth;
- photograph (for face biometrics/face scan);
- telephone number;
- occupation and work address;
- other information we are required to collect under the applicable law.
If you are a corporate user, we will collect your constitutional information (e.g. certificate of incorporation, affidavit, memorandum and articles of association, proof of good standing, list of directors and shareholders) including the Personal Data of the representatives or directors (e.g. their full names, ID cards or passports, registered address and contact addresses
Method of data collection: We collect your Personal Data during our KYC process through documents and information given to us via our website or through Singlesource Limited, our third-party KYC provider (“KYC Provider”).
Data storage, processing and sharing: We verify, process and store the Personal Data provided by each individual on the Company’s protected system in Singapore. Your Personal Data will be disclosed and shared by and between the Company and our KYC Provider to verify your identity. During the identity review process, the Personal Data may also be shared with other service providers engaged by the Company as well as the competent government authorities and similar bodies and organizations if we are required by the applicable laws and regulations.
In case we need to transfer your Personal Data to our service providers other than our KYC Provider, we will ensure that adequate safeguards for protection of your Personal Data is in place.
Data retention: We will keep the Personal Data of each user during the term of the Services and five (5) years after such user closes the account opened on the Exchange with us per our Terms and Conditions. After the that we will promptly delete or destroy such Personal Data from our system.
Your rights: You may email directly to us requesting to access, change or update your Personal Data at our address in section 5 below.
1.2 Visiting and interacting with our services
Data we collect: When visiting our website, we will record in our web server logs system of your Personal Data as follows:
- browser information (e.g. browser type and version, operating system, etc.) through user agent strings and metadata provided during the access request by your system;
- Internet protocol (IP) Addresses and their associated location;
- date and time of visit;
- referral uniform resources locator (URL); and
- pages visited by such visitor on our website.
For our website visitor analysis systems we will also additionally collect:
- Email address (when signing up);
- Google UUID (Unique User ID).
Data processing and sharing: Access to the Company’s website is logged to monitor system security as part of our intrusion detection program. We store the Personal Data that we collected for the purpose under this section on Google Data Centers in Singapore.
Access information is also shared with our analytics provider, Google Analytics and Facebook using third party cookies.
Data Retention: The retention of the Personal Data collected for profiling is governed:
- by Google Analytics where it will be retained for 38 months; and
- by Facebook Insights where it will be retained in accordance with the retention policy of Facebook.
Retention of logged access data that only provides IP and browser information of the accessing user, may be kept for one (1) year. Access to logs is strictly controlled and protected.
Your rights: When successfully shown that you are the owner of certain IP addresses at a certain time, we provide you with all information we have about it. You may request erasure of those IP addresses from our logs which we will comply if there is no regulation or obligation requiring it to be kept.
You can delete all site access and conversion data shared with Google anytime from https://myactivity.google.com/myactivity.
1.3 Trading or transaction executing on our Exchange
Data we collect:
- On our Exchange platform you can exchange and trade any Virtual Financial Assets under the laws of Malta to another (crypto to crypto trading) available on our Exchange as described in our Terms and Conditions you agreed before opening your account with us. Whenever you create orders or make transactions this transactional Personal Data will be stored and processed by us.
- When making transactions inbound or outbound we may request information in regard to your External Account (source or destination of funds) in compliance with our Terms and Conditions.
Data processing and sharing:
- On the blockchain: By nature of the service, all transactions on the blockchain, that is all transfers from and to an External Account (i.e. an account, digital wallet or address hosted and controlled by other service providers) will be public forever and available to anyone. Processing is determined by the algorithms of the digital asset you are transferring from or to. This algorithm may or may not provide anonymity.
- On our system: All transaction and order data will be stored and processed in our secure Exchange portal hosted within Google Cloud Data Centers in Singapore. Order data are linked to your account within the portal.
- Transaction data on the blockchain cannot be deleted or removed.
- Transaction data on our Exchange portal cannot be removed to guarantee correctness of our operations. However, the link between a transaction and a user may be removed. We will retain this data for your convenience as long as you keep an account with us and five (5) years thereafter. Afterwards that, the transactions will be anonymized.
- Information about your external accounts are retained for five (5) years after the transaction involving such account happened.
Profiling: We will use trading information internally to analyse trading behaviours and find suspicious account activities. This is done internally and no information that is a result of this profiling is shared with any third party.
Your rights: You can request anonymization of your transaction and orders on our Exchange that executed more than five (5) years from the transaction date.
1.4 Company's marketing communication
As part of our marketing and promotional plan, we may communicate with you through the channels (email, social media platform, telephone number and others) that you shared with us:
- to provide information regarding our system and Services including on trading, financing features, new products and enhancement; and
- to advertise, deliver or promote our Services or our affiliates’ services.
- to ask for user feedback using surveys.
Data retention and Sharing: We will retain the contact details and communication information under this section as we deem appropriate, to the extent provided by the applicable laws and regulations, and will not share such information to any persons, except with our affiliate companies.
Your rights: At any time, you may contact us to cease to send and deliver you any marketing and promotional information. We will promptly remove your contact and communication information for such purpose upon your request.
2. Sharing of your Personal Data
The Company will not share or disclose your Personal Data to any third parties, except:
- where expressly indicated in the previous sections;
- the Personal Data is provided through a business transfer by way of merger or other similar transactions;
- the Company is required to cooperate with state or local governmental organizations or their agents to perform their duties or obligations pursuant to applicable laws and regulations, and such performance is likely to be precluded if the consent of the user must be obtained;
- if the sharing or disclosure is requested by the owner of the Personal Data;
- in any event we obtain specific consent from the owner of the Personal Data;
- if the data was disclosed publicly outside our control by the owner of the Personal Data.
3. Protecting children's personal data
We do not intend to provide our Services to individuals under the age of eighteen (18). We encourage parents and legal guardians to monitor their children’s internet usage and to help enforce this Policy by instructing their children never to provide their Personal Data through the website or our Services without their permission.
4. Dispute resolution
Any claim or dispute arising from or in connection with this Policy shall be resolved by the dispute resolution method available in the Terms and Conditions.
Should you have any suggestions, questions, complaints, or other inquiries in connection with this Policy, please do not hesitate to communicate with our data protection officer at our contact points as follows.
Data Protection Officer
Go Exchange Ltd.
85 St. John Street, Valletta VLT 1165, Malta
At any time, you may request to have your Personal Data maintained by us returned to you or removed by emailing us or use the provided portal (in case of merchants). Requests to access, change, or remove your information or your inquiry will be handled within thirty (30) days. To protect your privacy and security, we may take steps to verify your identity before complying with the request.
6. Changes to this Policy
The Company may amend this Policy from time to time. Such changes will be highlighted when accessing the Services and you may access to the latest version of our Policy on our website.