Privacy Policy

UAB EXZi Markets Privacy Policy

GENERAL PROVISIONS

At EXZi Markets (UAB EXZi Markets is a Virtual Currency Exchange Operator authorized by the Lithuanian Financial Crime Investigation Service (FCIS), incorporated under the Laws of Lithuania with the company number 306143232 within the address J. Basanavičiaus g. 26, Vilnius, Lithuania, 03224), referred to as "the Company" or "EXZi", we are deeply committed to safeguarding your privacy and ensuring the utmost security of your personal information. This privacy policy (hereinafter referred to as the "Privacy Policy") outlines our approach to the collection, utilization, and protection of your personal data when you engage with our website or utilize any of the services offered by our Company. In these scenarios, EXZi acts as the data controller responsible for your personal data.

The term "personal data" encompasses any information associated with an identified or identifiable natural person, also known as the data subject. These individuals can be identified either directly or indirectly.

We have designed this Privacy Policy to provide you with detailed insights into the purposes and legal foundations underpinning the processing of your personal data. Additionally, we clarify the sources from which we procure this data, the entities with whom we may share it, the duration of retention, the security measures we've implemented, and instructions on how to exercise your data subject rights. It is our sincere recommendation that you thoroughly review this document to make informed decisions concerning your personal data, especially as you engage with our cryptocurrency services.

Your personal data is processed in accordance with this Privacy Policy, the General Data Protection Regulation (GDPR) 2016/679, the Republic of Lithuania Law on the legal protection of personal data, and other legal acts regulating the legal protection of personal data and the activities of financial institutions and the services they provide, including the applicable Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements.

• YOUR PERSONAL DATA THAT WE PROCESS

In this section, we present the main categories of personal data processed by EXZi:

• Customer data, such as general identification personal data (name, surname), Identity Verification and Validation (hereinafter IDV) documents and results, used device, wallet address, password, biometrics, and Two-Factor Authentication (hereinafter 2FA) data. 

• Contact details, such as email and phone number.

• Location data, such as IP address and residence address.

• Customers’ transactions with EXZi data, such as transaction type (in or out), transaction amount, transaction method, transaction history, and balance in the account.

• External party of transaction data, such as full name, transaction amount, and wallet address.

• Transaction security data, such as device type, IP address, information from WLAN (Wireless Local Area Network - for Geolocation), transaction history, access date and time, browser type and version, account balance, and wallet address.

• External data, such as external documents received from any party, physical letters (letters from authorities, complaints from customers, their lawyers). 

• Special categories of personal data, such as biometric data.

• PURPOSES AND LEGAL GROUNDS ON WHICH WE PROCESS YOUR PERSONAL DATA

Your provided personal data shall be processed following the guidelines outlined in our Privacy Policy and previously mentioned laws and regulations. 

Your personal data shall not be used for purposes other than those specified during data collection unless we have another lawful basis for processing your personal data.

Below, we provide information for which purposes and on which legal grounds we process your personal data:

• We collect general personal data, IDV documents and results, email, consumer data, external party of transaction data, transaction security data, marketing data, and external data for the execution of operational processes purposes (according to Article 6(1)(b) of the GDPR, processing is necessary for the performance of a contract to which the data subject is party). To ensure the efficient execution of operational processes, we may collect certain information from our users. The information we gather is essential for effectively providing the required crypto services specified in the contract and ensuring a fulfilling experience.
• We collect general personal data, IDV documents and results, wallet address, contact details, location data, customers’ transactions with EXZi data, external party of transaction data, transaction security data, and external data to meet the requirements of AML laws and regulations (according to Article 6(1)(c) of the GDPR, processing is necessary for compliance with a legal obligation to which the controller is subject). As part of our commitment to maintaining the highest standards of security and compliance, we precisely adhere to the requirements of AML laws and regulations. Protecting our platform from potential risks associated with unlawful financial activities is of great significance to us. To fulfill our legal obligations under AML laws, we employ robust verification processes and conduct thorough due diligence on all user accounts. This includes verifying the identity of our customers, monitoring transactions, and reporting any suspicious activities to the relevant authorities when necessary. 
• We collect IP addresses for the Financial Crime Investigation Service (hereinafter FIU) orders (according to Article 6(1)(c) of the GDPR, processing is necessary for compliance with a legal obligation to which the controller is subject). To comply with our legal obligations and ensure the integrity of the financial system, we may collect and process certain personal data in response to FIU orders. These orders empower us to gather relevant information, necessary for the fulfillment of our cooperation with the FIU. It is essential to note that the processing of personal data in response to FIU orders is carried out in compliance with legal obligations.
• We collect wallet addresses, contact details, location data, customers’ transactions with EXZi data, external party of transaction data, transaction security data, and external data for authorities’ purposes (according to Article 6(1)(c) of the GDPR, processing is necessary for compliance with a legal obligation to which the controller is subject). Your personal data may be collected and processed for authorities' purposes when we are legally obligated to do so. This may involve sharing information with governmental bodies or regulatory authorities in compliance with relevant laws and regulations. We are fully committed to ensuring the protection and security of your personal information while meeting our legal requirements.
• We collect passwords, biometrics, 2FA data, contact details, IP addresses, and transaction security data for cybersecurity purposes (according to Article 6(1)(f) of the GDPR, processing is necessary for the purposes of the legitimate interests pursued by the controller). Our dedication to cybersecurity ensures the protection of our systems, networks, and the information you entrust to us. To strengthen our cybersecurity mechanisms, we collect specific personal data that is crucial for our security efforts. This data enables us to detect, prevent, and swiftly respond to potential security threats and cyber risks.
• We collect marketing data for the purposes of intelligence on modeling, reporting, and other commercial activities (according to Article 6(1)(f) of the GDPR, processing is necessary for the purposes of the legitimate interests pursued by the controller). This data is vital for us to gain insights into customer behavior, preferences, and market trends, allowing us to make informed business decisions and optimize our marketing strategies. By analyzing this data, we aim to enhance our products and services, customize our communications to better meet your needs, and, therefore, deliver a more personalized experience. 

• SOURCES OF PERSONAL DATA

EXZi uses personal data obtained directly from you when you fill out questionnaires, applications, or other forms to order our services, correspond with us by e-mail, present specific documents to us, submit requests or claims, call us, or contact us in another manner.

• RECIPIENTS OF PERSONAL DATA

In its operations, EXZi may involve different processors of your personal data (i.e., certain service providers). According to GDPR Article 4(8), “processor” means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller. The Data processor's role is to carry out specific processing activities as instructed by the data controller, who remains responsible for the data and its processing. 

For instance, data processors may include companies providing data storage services, companies developing and supporting software, companies providing communications services, and other service providers. Your personal data may only be disclosed by EXZi to these data processors to the extent necessary for providing the respective services.

We shall ensure that the chosen data processors adhere to the requirements of the GDPR, laws, and other applicable legal acts and recommendations issued by competent authorities. The relationship between EXZi and a specific data processor (except in cases where such relationship is regulated by laws or other legal acts) shall be regulated by the respective written agreement or written conditions.

At present, EXZi uses the services of two data processors. We partner with “Ondato”, an identity verification service provider, to meet the requirements of establishing business relationships with our customers remotely. Additionally, we collaborate with “HAWK:AI”, which provides transaction monitoring, sanctions/PEP/RCA negative adverse media, blockchain screening, and fraud prevention services, to fulfill the demands of Anti-Money Laundering (AML) laws.

EXZi may also provide your personal data to other recipients of data:

• Local Authorities such as the Police, Prosecutor’s office, Lithuanian FCIS
• Foreign Authorities such as the Police, Prosecutor’s office or equivalent 

• TERMS OF STORAGE OF PERSONAL DATA

EXZi stores customer personal data for a term not longer than necessary. The term of processing of personal data is set with consideration of the agreement concluded with the respective customer, the legitimate interests of EXZi, or legal requirements, e.g.:

• Internal AML logs, IDV results, and documents associated with crypto transfers obtained from customers are stored for 8 years after business relationship termination. 

• Communication transcripts, information associated with the customers' risk assessment, Customer Due Diligence, Enhanced Due Diligence, and Ongoing Due Diligence are stored for 5 years after business relationship termination. 

• All timelines for information storage can be increased by 2 years by receiving a request from authorities.

• All timelines that are set out in AML or KYC are subject to change if the applicable laws set out a different period.

• COOKIES 

For a better browsing experience and personalized services, we use cookies on our website. Cookies are small text files that websites place on your device while you are browsing. They are processed and stored by your web browser and we do not apply non-essential ones.

Cookies start functioning when you access our site, enabling us to remember your preferences, analyze your interactions, and improve overall functionality and performance.

Detail information about the cookies used on the website, their purposes, expiration period, and other information you can find in the cookie banner the first time you visit our website or in our Cookie policy.

Detailed information about the cookies we use is provided in UAB EXZi Market’s Cookie Policy.

• SECURITY MEASURES IN PLACE 

EXZi has implemented a comprehensive set of organizational and technical security measures to ensure the protection of your personal data from accidental or prohibited destruction, alteration, disclosure, access, or any other unauthorized processing. Additionally, we enforce the same level of security standards on our data processors, requiring them to implement appropriate organizational and technical measures when processing your personal data on behalf of EXZi or while providing services to our organization.

Some of the technical and organizational measures we use are:

• All sensitive information is protected at rest and in transit. We use only certified (ISO/IEC 27001:2013) third-party technologies that meet the highest standards. We systematically evaluating information security risks and take into account the impact of threats and vulnerabilities.

Nevertheless, it should be taken into account that in certain cases the transmission of information by electronic means of communication (e-mail, mobile phone, etc.) may be less secure for reasons not depending on the technical or organizational measures implemented by EXZi. To ensure the security of your confidential data, we recommend that you do not provide us with any information via less secure electronic systems or via any electronic systems not used by EXZi.

• YOUR RIGHTS AND THEIR IMPLEMENTATION

You have the following rights with respect to your personal data as indicated in GDPR:

• The right to familiarise yourself with your personal data and with the manner in which it is processed. This means you shall be able to request information about the types of personal data we collect, the purposes for which it is processed, and any third parties with whom it may be shared. 

• The right to demand that any inaccurate data would be corrected. If you believe that the information about you that we process is inaccurate, incorrect, or incomplete, you shall be entitled to demand that this information be modified, corrected, or adjusted.

• The right to demand that your personal data be deleted. In the presence of certain circumstances listed in legal acts (where personal data is processed illegally, the grounds for the processing of personal data no longer exist, etc.), you shall be entitled to demand that we delete your personal data.
• The right to demand that the processing of your personal data be restricted. In the presence of certain circumstances listed in legal acts (where personal data is processed illegally, you contest the accuracy of the data, etc.), you shall be entitled to demand that we restrict the processing of your personal data.
• Other rights. In certain cases (according to Article 20 of the GDPR), you have the right to data portability or to request the restriction of data processing in accordance with the procedures and grounds established by the GDPR.

In order to exercise your above rights, please contact us at [email protected]. Upon receiving your request, and in accordance with applicable laws and professional practices, we shall undertake all necessary actions to ensure that your rights are fulfilled.

• CONTACTS 

If you have any questions or concerns regarding our privacy practices, do not hesitate to contact us. Please e-mail us at [email protected]. We are always here to assist you and provide the information you need.

• VALIDITY AND AMENDMENTS OF THE RULES

This Privacy Policy shall come into effect as of 01 10 2023. If we amend this Privacy Policy, we shall publish the updated version on https://exzi.com/. In this case, we shall notify you about the respective amendments to the rules and publish the new wording of the rules on our website as well as email you about it in case the changes are significant.

If you believe that our actions or omissions infringe upon your rights or legal requirements, you shall be entitled to submit a complaint to the State Data Protection Inspectorate. Further information is available on the website of the State Data Protection Inspectorate at www.vdai.lrv.lt/. However, we recommend that in all cases, prior to submitting an official complaint to the supervisory authority, you first contact us to find a prompt and effective method of resolving the issue.

Last update date 01 10 2023 of the Privacy Policy.