
ATT Exchange Privacy Policy and Personal Data Processing Notice

I. Data Controller and Scope of Application

This Privacy Policy and Personal Data Processing Notice (hereinafter referred to as this “Notice”) explains how the operating entity of the ATT Exchange platform and its affiliates, authorized service providers, entrusted processors, and compliance advisers collect, use, store, share, transfer, protect, and delete personal data during user registration, login, KYC, account use, deposits, withdrawals, trading, customer support, risk control, regulatory assistance, and platform security.

II. Categories of Personal Data We Process

The platform may process the following categories of personal data based on user registration, KYC, service use, and compliance requirements:

Registration and account data: email address, mobile phone number, username, account ID, login records, authentication methods, and account status;

Identity data: name, date of birth, nationality, country or region of residence, document type, document number, document issuing place, and document validity period;

Contact and device data: address, phone number, email address, IP address, device identifier, browser type, operating system, language settings, login time, and location;

KYC verification materials: document images, selfies, liveness detection results, photos holding identity documents, authorization letters, proof of address, proof of source of funds, proof of source of wealth, and other supplementary materials;

Biometric-related data: facial images, selfie videos, liveness detection results, similarity scores, biometric templates, or service provider return results;

Occupation and risk information: employment status, industry, position, employer, source of funds, source of wealth, transaction purpose, expected transaction volume, and PEP declaration;

Compliance and risk data: review results, rejection reasons, risk tags, sanctions/PEP/adverse media screening results, KYT or on-chain risk indicators, audit logs, and manual review records;

Transaction and wallet data: deposits, withdrawals, transaction records, fiat deposits and withdrawals, wallet addresses, on-chain transaction hashes, counterparty addresses, transaction patterns, and risk control results;

Customer support and complaint data: user requests, communication records, appeal materials, dispute handling records, and investigation results.

III. Sources of Personal Data

The platform may obtain personal data from the following sources: direct submission by the user; automatic generation when the user uses platform services; third-party identity verification, OCR, facial recognition, sanctions screening, KYT, cloud services, or payment/fiat service providers; public blockchain data; public information, regulatory or law enforcement information; and other sources authorized by the user or permitted by applicable law.

IV. Purposes of Processing

The purposes for which the platform processes personal data include:

Completing account registration, login verification, identity verification, and account management;

Fulfilling compliance obligations related to digital asset service providers;

Conducting KYC, Additional Verification, OCR, liveness detection, face comparison, and manual review;

Preventing money laundering, terrorist financing, proliferation financing, fraud, sanctions evasion, account abuse, and other illegal activities;

Conducting risk rating, transaction monitoring, KYT analysis, on-chain address risk identification, and suspicious transaction handling;

Enforcing user agreements, platform rules, product restrictions, fee rules, and transaction processing rules;

Providing customer support, complaint handling, dispute resolution, audit, compliance inspections, and regulatory assistance;

Maintaining platform system security, account security, data security, and business continuity;

Improving compliance processes, risk control models, product experience, and security controls to the extent permitted by applicable law.

V. Legal Bases for Processing

The legal bases for the platform’s processing of personal data may include: user consent; performance of the user agreement or taking necessary steps before entering into a contract; compliance with legal, regulatory, AML/CFT, sanctions compliance, recordkeeping, or regulatory reporting obligations; protection of the legitimate interests of the platform, users, or third parties; fulfillment of regulatory requirements; and legitimate interests to the extent permitted by applicable law.

For biometric data, document OCR, KYC, Additional Verification, AML/CFT risk information, KYT, and on-chain risk processing, the platform may obtain the necessary authorization or basis through separate authorization, KYC checkboxes, the Service Agreement, the Privacy Policy, or other lawful means.

VI. KYC, OCR, Biometric, and Sensitive Data Processing

Document images, facial images, liveness detection results, biometric templates, identity document information, source of funds information, and risk tags may constitute sensitive or high-risk personal data. The platform will adopt stricter security measures and access controls in accordance with applicable law.

The user understands and agrees that the platform may process the above data for identity verification, anti-fraud, AML/CFT, risk control, regulatory compliance, backend review, and dispute handling purposes. If the user refuses to provide or withdraws the necessary authorization, the platform may be unable to complete identity verification and may restrict or refuse to provide deposits, withdrawals, trading, fiat deposits and withdrawals, or other services that require identity verification.

VII. AML/CFT, KYT, and Automated Risk Controls

The platform may use automated rules, third-party service providers, sanctions lists, PEP databases, adverse media, on-chain risk tools, KYT tools, and manual review to evaluate the user’s identity, transactions, wallet addresses, source of funds, and risk level.

Relevant risk scores, risk tags, or service provider results may affect the user’s account functions, deposits, withdrawals, trading, fiat services, Additional Verification requirements, manual review, transaction delays, transaction rejections, account freezes, or regulatory reports. The platform shall provide necessary explanations to the user to the extent required by applicable law, but matters involving AML/CFT, regulatory investigations, or no-tipping-off obligations may not be disclosed.

VIII. Third-Party Processing and Sharing

The platform may provide necessary personal data to the following third parties:

Identity verification, OCR, facial recognition, liveness detection, and anti-fraud service providers;

Cloud storage, cybersecurity, logging, data encryption, and system operations and maintenance service providers;

Sanctions lists, PEP, adverse media, KYT, and on-chain risk service providers;

Fiat channels, payment, banking, custody, wallet, or clearing-related service providers;

Compliance audit, legal adviser, accounting adviser, regulatory reporting, or customer support service providers;

CNAD, UIF, courts, law enforcement authorities, regulators, government departments, or other competent authorities;

Entities that reasonably need to receive data in connection with corporate restructuring, mergers, acquisitions, asset transfers, or similar transactions.

The platform shall require third parties to process personal data only for authorized purposes and to adopt confidentiality, access control, data security, and compliant processing measures. Before official launch, the names of service providers, processing locations, data categories, processing purposes, and cross-border transfer arrangements should be supplemented based on the actual service providers.

IX. Cross-Border Transfers and Storage Locations

The user understands and agrees that personal data may be processed or stored in El Salvador, the platform’s operating location, the cloud service location, the location of third-party service providers, or other jurisdictions permitted by applicable law.

The platform shall put in place the necessary data protection, cross-border transfer, and contractual arrangements in accordance with applicable law, including but not limited to confidentiality obligations, access controls, data security measures, entrusted processing agreements, data transfer clauses, or other mechanisms required by local law.

X. Cookies, Device Information, and Security Logs

The platform may use Cookies, SDKs, logs, device fingerprints, or similar technologies for login verification, security protection, risk identification, fraud prevention, language settings, user experience, service statistics, and compliance audits.

The user may manage Cookies according to browser or device settings, but disabling necessary Cookies or security identification functions may affect registration, login, identity verification, transaction security, or availability of platform services.

XI. Data Retention Period

The platform will retain personal data according to the needs of the laws of El Salvador and other applicable laws, regulatory requirements, AML/CFT recordkeeping obligations, audits, dispute handling, regulatory assistance, and law enforcement assistance.

If the law does not specify a longer period, the platform shall retain identity verification, transaction, risk control, audit, and compliance-related materials at least in accordance with applicable AML/CFT and regulatory recordkeeping requirements. After the necessary period, the platform may lawfully delete, anonymize, or continue to retain data necessary to satisfy regulatory, dispute, audit, or law enforcement assistance purposes.

XII. Data Security and Access Controls

The platform shall adopt reasonable technical and organizational measures to protect personal data, including encryption in transit, encryption at rest, access permission controls, least-privilege access, backend preview restrictions, prohibition on downloading document images, operation logs, abnormal access audits, employee confidentiality obligations, service provider security requirements, and data backup mechanisms.

Although the platform adopts reasonable measures, the internet, blockchain, third-party services, and information systems still involve security risks. The user shall properly safeguard accounts, passwords, verification codes, devices, and security credentials, and report abnormal situations in a timely manner.

XIII. User Rights

To the extent permitted by applicable law, the user may request access, correction, update, restriction of processing, objection to processing, deletion, data portability, or withdrawal of consent. The user may also submit complaints or requests to the platform regarding personal data processing.

The user understands that requests to withdraw consent, delete data, or restrict processing do not affect lawful processing before the withdrawal, nor do they affect the platform’s continued retention and processing of necessary data to fulfill legal, regulatory, AML/CFT, audit, dispute, regulatory assistance, or law enforcement assistance obligations.

XIV. Withdrawal of Consent and Service Impact

The user may withdraw certain authorizations or consents to the extent permitted by applicable law. However, if the withdrawal involves account registration, identity verification, OCR, facial recognition, AML/CFT, KYT, transaction monitoring, or other necessary compliance processing, the platform may be unable to continue providing the relevant services and may restrict, suspend, or terminate account functions.

XV. Minors

The platform services are not intended for individuals who have not reached the minimum age required by applicable law or who do not have full civil capacity. If the platform discovers that the relevant account does not meet the registration eligibility requirements, it may refuse registration, restrict services, or close the account, and process the relevant data in accordance with the law.

XVI. Regulatory Reporting, No-Tipping-Off, and Confidentiality Obligations

If the platform determines, based on internal rules, third-party service provider results, regulatory requirements, or manual judgment, that user activity is suspicious, the platform may take necessary measures in accordance with the law without further notice to the user and submit suspicious activity, suspicious transaction, or other regulatory reports.

The user understands that relevant reports may be subject to confidentiality or no-tipping-off requirements under law, and the platform may be unable to disclose to the user the report contents, triggering rules, processing reasons, or regulatory communications.

XVII. Contact, Complaints, and Dispute Resolution

The user may submit privacy requests, complaints, or disputes through the customer support, privacy, data protection, or compliance contact channels published by the platform. The platform shall accept and handle user requests within a reasonable period.

If a dispute arises between the user and the platform regarding personal data processing, both parties shall first resolve it through the platform complaint channel; if it cannot be resolved and applicable law does not provide otherwise on a mandatory basis, the user may file a complaint or request with a court, competent authority, or other applicable institution in El Salvador that has jurisdiction in accordance with the law.

XVIII. El Salvador Applicable Law, Jurisdiction, and Language Versions

Unless mandatory applicable law provides otherwise, this Notice and disputes arising from personal data processing, privacy requests, account registration, identity verification, risk control, regulatory assistance, or dispute handling shall, in principle, be governed by the laws of the Republic of El Salvador.

This Notice may be provided in Chinese, English, Spanish, or other languages. In the event of a dispute, the English version shall prevail.