
Privacy Policy

Last updated: Feb 20, 2026

01

Data Controller & Data Protection Officer

The data controller responsible for the processing of your personal data is PRYSTORUS SP ZOO, a company incorporated under the laws of Poland. For personal data processed in connection with Brazilian operations, ON3X GLOBAL PAYMENTS LTDA acts as a joint controller in compliance with the Brazilian General Data Protection Law (LGPD, Law 13,709/2018).

We have appointed a Data Protection Officer (DPO) to oversee compliance with applicable data protection legislation. You may contact our DPO for any questions or concerns regarding the processing of your personal data at: dpo@on3x.com.

For the purposes of the EU General Data Protection Regulation (GDPR) and the LGPD, the data controller determines the purposes and means of processing personal data as described in this Privacy Policy.

02

Data We Collect

Personal Identification Data: Full legal name, date of birth, nationality, email address, phone number, residential address, and (for Full Verification) government-issued photo identification document data, biometric data (facial recognition via selfie), and proof of address documentation.

Financial & Transaction Data: Cryptocurrency wallet addresses (both internal and external), transaction history (deposits, withdrawals, swaps, P2P transfers, PIX transactions), transaction amounts and timestamps, bank account details (for PIX and fiat services), source of funds information, and account balances.

KYC & Verification Data: Identity verification status and results, documents submitted for verification (processed by our partner Sumsub), risk scores and screening results (sanctions, PEP, adverse media), and Enhanced Due Diligence records where applicable.

Device & Technical Data: IP address, device type and model, operating system and version, browser type and version, unique device identifiers, mobile advertising identifiers, language preferences, time zone, and screen resolution.

Usage Data: Pages and features accessed, time and duration of sessions, clickstream data, search queries within the Platform, notification interactions, and feature usage patterns.

Communication Data: Support tickets and correspondence, chat messages with the Nex AI assistant (which may be retained for service improvement), feedback and survey responses, and referral program participation data.

03

Legal Basis for Processing

We process your personal data on the following legal bases under Article 6 of the GDPR and the corresponding provisions of the LGPD:

Contract Performance (Art. 6(1)(b) GDPR / Art. 7(V) LGPD): Processing necessary for the performance of our contract with you, including account creation and management, transaction processing, provision of wallet and exchange services, and customer support.

Legal Obligation (Art. 6(1)(c) GDPR / Art. 7(II) LGPD): Processing necessary to comply with our legal obligations, including AML/KYC/CFT requirements under EU Anti-Money Laundering Directives, Polish AML law, and Brazilian AML regulations; tax reporting obligations; responding to lawful requests from regulatory and law enforcement authorities; and maintaining records as required by applicable financial regulations.

Legitimate Interests (Art. 6(1)(f) GDPR / Art. 7(IX) LGPD): Processing necessary for our legitimate interests, which include fraud detection and prevention, platform security and abuse prevention, analytics and service improvement, and direct marketing of our own products and services (subject to your right to object).

Consent (Art. 6(1)(a) GDPR / Art. 7(I) LGPD): Where we rely on your consent, including for certain marketing communications, the use of non-essential cookies, and processing of special categories of data (e.g., biometric data for KYC). You have the right to withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

04

Purpose of Processing

We process your personal data for the following purposes: to create, maintain, and secure your Platform account; to verify your identity in compliance with applicable KYC requirements; to process and execute transactions, including cryptocurrency swaps, P2P transfers, deposits, withdrawals, and PIX operations; to calculate and apply fees, conversion rates, and transaction limits.

We also process your data to: detect, prevent, and investigate fraud, unauthorized access, and other prohibited activities; comply with anti-money laundering, counter-terrorist financing, and sanctions screening requirements; respond to legal process and cooperate with regulatory and law enforcement authorities; maintain audit trails and transaction records as required by law.

Additionally, we process data to: provide customer support and respond to your inquiries; improve and optimize the Platform, including through analytics and user behavior analysis; personalize your experience, including relevant notifications and price alerts; communicate with you about your account, transactions, service updates, and (where permitted) promotional offers; administer the referral program and Reward Vault; and train and improve the Nex AI assistant.

05

KYC & Third-Party Processors

For Full Verification (Enhanced KYC), we partner with Sumsub (Sum and Substance Ltd) as our identity verification processor. When you undergo Full Verification, you submit your identity documents and biometric data (selfie) directly to Sumsub's secure platform. Sumsub processes this data on our behalf to verify your identity and return the verification result to us.

Sumsub acts as a data processor under GDPR and processes your data in accordance with its own privacy policy and our data processing agreement. Sumsub is certified under ISO 27001 and SOC 2 Type II and maintains appropriate technical and organizational security measures. We recommend reviewing Sumsub's privacy policy for details on their data handling practices.

We may also engage blockchain analytics providers to monitor transactions for compliance purposes. These providers analyze publicly available blockchain data to identify potentially suspicious wallet addresses, transaction patterns, and connections to known illicit activities. This processing is necessary for our legal obligations under AML/CFT regulations.

We periodically screen User data against international sanctions lists, politically exposed persons (PEP) databases, and adverse media sources using specialized compliance tools. This screening is conducted as required by applicable AML/KYC regulations and is necessary for our legitimate compliance interests.

06

Data Sharing & Transfers

We do not sell your personal data to third parties. We share your personal data only in the following circumstances:

Service Providers: We share data with trusted third-party service providers who process data on our behalf, including Sumsub (identity verification), cloud infrastructure providers (hosting and storage), payment processors (for PIX and fiat operations), blockchain analytics providers (compliance monitoring), and customer support tools. All service providers are bound by data processing agreements requiring them to process data only for specified purposes and in compliance with applicable data protection laws.

Legal & Regulatory Obligations: We may disclose your data to competent authorities, including Financial Intelligence Units (the Polish GIIF, the Brazilian COAF), tax authorities, regulatory bodies, and law enforcement agencies, where required by applicable law or in response to valid legal process such as court orders, subpoenas, or regulatory requests.

Corporate Transactions: In the event of a merger, acquisition, reorganization, or sale of all or substantially all of the Company's assets, your personal data may be transferred to the acquiring entity, subject to the same privacy protections described in this Policy.

With Your Consent: We may share your data with third parties where you have given explicit consent, such as when using Platform features that interact with external services.

07

Data Retention

We retain your personal data for as long as necessary to fulfill the purposes described in this Privacy Policy, comply with our legal obligations, and resolve disputes. Specific retention periods are as follows:

Account Data: Retained for the duration of your account and for a period of five (5) years following account closure, as required by AML record-keeping regulations under EU and Brazilian law.

Transaction Records: Retained for a minimum of five (5) years from the date of the transaction, or longer if required by applicable tax or financial regulations. In Brazil, certain financial records must be retained for a minimum of five (5) years under COAF regulations.

KYC & Verification Data: Identity verification records, including documents and verification results, are retained for a minimum of five (5) years following the end of the business relationship, as mandated by AML directives.

Communication Records: Customer support correspondence and Nex AI assistant interactions are retained for a period of three (3) years for quality assurance and dispute resolution purposes.

Usage & Technical Data: Anonymized or aggregated usage data may be retained indefinitely for analytics and service improvement. Identifiable usage data is retained for a maximum of twenty-four (24) months.

When retention periods expire, personal data is securely deleted or irreversibly anonymized. If deletion is not technically feasible (e.g., data stored in backups), we ensure the data is securely isolated and protected from further processing until deletion is possible.

08

Your Rights

Under the GDPR (for EU/EEA residents) and the LGPD (for Brazilian residents), you have the following rights regarding your personal data:

Right of Access (Art. 15 GDPR / Art. 18(II) LGPD): You have the right to request confirmation of whether we process your personal data and to obtain a copy of such data. We will provide this information in a commonly used electronic format.

Right to Rectification (Art. 16 GDPR / Art. 18(III) LGPD): You have the right to request correction of inaccurate personal data and to have incomplete data completed.

Right to Erasure / Deletion (Art. 17 GDPR / Art. 18(VI) LGPD): You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent and there is no other legal basis, or where the data has been unlawfully processed. This right is subject to our legal obligations to retain certain data (e.g., AML records).

Right to Restriction of Processing (Art. 18 GDPR): You have the right to request restriction of processing in certain circumstances, including where you contest the accuracy of the data or where the processing is unlawful.

Right to Data Portability (Art. 20 GDPR / Art. 18(V) LGPD): You have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit that data to another controller where technically feasible.

Right to Object (Art. 21 GDPR / Art. 18(IV) LGPD): You have the right to object to the processing of your personal data based on our legitimate interests. Where you object to processing for direct marketing purposes, we will cease such processing immediately.

Right Not to Be Subject to Automated Decision-Making (Art. 22 GDPR / Art. 20 LGPD): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Where automated decisions are made (e.g., in compliance screening), you have the right to obtain human intervention, to express your point of view, and to contest the decision.

To exercise any of these rights, please contact us at support@on3x.com or dpo@on3x.com. We will respond to your request within thirty (30) days (GDPR) or fifteen (15) days (LGPD). If we are unable to comply with your request, we will provide reasons. You have the right to lodge a complaint with your local supervisory authority, including the Polish President of the Personal Data Protection Office (UODO) for EU matters or the Brazilian National Data Protection Authority (ANPD) for LGPD matters.

09

Cookies & Similar Technologies

The Platform uses cookies and similar technologies to enhance your experience, analyze usage patterns, and support security features. Cookies are small text files stored on your device when you access the Platform.

Essential Cookies: These cookies are strictly necessary for the operation of the Platform, including session management, authentication, security (e.g., CSRF protection), and load balancing. These cookies cannot be disabled without impairing Platform functionality and do not require consent under applicable law.

Analytics Cookies: With your consent, we use analytics cookies to collect anonymized usage data, including pages visited, time spent on the Platform, and navigation patterns. This data helps us understand how the Platform is used and to improve its performance and features.

Preference Cookies: These cookies store your preferences, such as language settings and notification preferences, to provide a personalized experience.

You can manage your cookie preferences at any time through the Platform's cookie settings or through your browser settings. Please note that disabling certain cookies may affect the functionality of the Platform. For mobile applications, you can manage tracking through your device's privacy settings.

10

Security Measures

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:

Encryption of data in transit (TLS 1.2+) and at rest (AES-256); multi-factor authentication (MFA) for user accounts; role-based access controls and the principle of least privilege for internal systems; regular security assessments, penetration testing, and vulnerability scanning; secure development practices including code review and automated security testing; network segmentation and firewall protection; intrusion detection and monitoring systems; incident response procedures and regular security training for personnel.

While we strive to protect your personal data, no method of electronic transmission or storage is entirely secure. We cannot guarantee absolute security and encourage you to take steps to protect your own data, including using strong, unique passwords, enabling two-factor authentication, and being cautious of phishing attempts.

In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with Articles 33 and 34 of the GDPR and Article 48 of the LGPD, as applicable.

11

Children's Privacy

The Platform is not intended for individuals under the age of eighteen (18). We do not knowingly collect or solicit personal data from anyone under 18 years of age. If we become aware that we have collected personal data from a child under 18, we will take steps to delete such data as promptly as possible.

If you are a parent or guardian and believe that your child has provided personal data to us, please contact us at support@on3x.com so that we can take appropriate action.

12

International Data Transfers

Your personal data may be transferred to, and processed in, countries other than the country in which you are resident. In particular, data may be transferred between Poland (EU) and Brazil, and to countries where our service providers operate.

For transfers of personal data from the EU/EEA to countries not recognized by the European Commission as providing an adequate level of data protection, we rely on appropriate safeguards, including: Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914); binding corporate rules where applicable; or derogations under Article 49 of the GDPR, such as your explicit consent or the necessity of the transfer for the performance of a contract.

For transfers of personal data from Brazil, we comply with the LGPD requirements for international data transfers, including ensuring that the recipient country provides an adequate level of protection or implementing appropriate safeguards as recognized by the ANPD.

You may request information about the specific safeguards applied to transfers of your personal data by contacting us at dpo@on3x.com.

13

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, applicable law, or regulatory guidance. When material changes are made, we will publish the updated Policy on the Platform with a revised "Last Updated" date and notify you via email or push notification at least thirty (30) days before the changes take effect.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of the Platform after the effective date of any changes constitutes acceptance of the updated Privacy Policy.

Where required by applicable law (e.g., for changes requiring consent under GDPR or LGPD), we will seek your explicit consent before applying changes that affect the legal basis or scope of processing of your personal data.

14

Contact & Data Protection Officer

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:

General inquiries: support@on3x.com

Data Protection Officer: dpo@on3x.com

PRYSTORUS SP ZOO — Poland, European Union

ON3X GLOBAL PAYMENTS LTDA — Brazil (for Brazilian operations)

You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data infringes applicable data protection law. In the EU, you may contact the Polish President of the Personal Data Protection Office (UODO) at https://uodo.gov.pl or the supervisory authority in your Member State of residence. In Brazil, you may contact the National Data Protection Authority (ANPD) at https://www.gov.br/anpd.