Privacy Policy
This Privacy Policy explains what information VaultEX collects, why we collect it, how we share it, and the choices you have. We handle your data with the same care we handle your assets — and we process it rigorously to keep the platform safe.
1. About this Policy
This Privacy Policy explains how VaultEX Digital Assets Ltd (“VaultEX”, “we”) collects, uses, shares and protects personal data when you use the Services available at https://vaultex.ee. It applies to all users, visitors, and any authorised representatives acting on their behalf.
This Policy should be read alongside our Terms of Service and our AML / KYC Policy.
2. Personal data we collect
- Identity data — full legal name, date of birth, nationality, place of birth, government ID number, passport or national-ID images, photograph, liveness / face-match video.
- Contact data — residential address, email, phone number.
- Financial data — source of funds / wealth, employment status, bank-account details, card details (tokenised; full PAN never touches our servers), withdrawal addresses.
- Account data — email, password hash, 2FA secrets, anti-phishing code, referral ID, session history, device fingerprints, IP addresses, coarse geolocation.
- Transaction data — orders placed, trades executed, deposits, withdrawals, conversion history, internal transfers, earn subscriptions, blockchain addresses and txids.
- Communications data — support tickets, emails, chat messages, voice recordings (where permitted by law).
- Technical data — browser, operating system, screen size, referring URL, timestamps, logs, error reports.
- Third-party data — sanctions-list hits, PEP status, politically-exposed-person matches, fraud-database hits, blockchain-analytics risk scores, credit-bureau data (where lawfully processed).
3. Why we process your data
We process personal data on one or more of the following legal bases:
- Contract — to provide the Services you have asked for.
- Legal obligation — to comply with AML/CTF, sanctions, tax, financial-services, data-protection and other laws.
- Legitimate interests — to operate, secure, improve and defend the platform, prevent fraud and abuse, develop products, and recover amounts owed.
- Consent — for optional processing (marketing, certain analytics).
- Vital interests — to respond to an imminent threat to life or physical safety.
4. Fraud prevention and risk management
We use your data — including behavioural patterns, device fingerprints, IP addresses, on-chain activity, and third-party risk-scoring feeds — to detect, prevent, investigate and respond to fraud, phishing, account takeover, scams, market manipulation, sanctions evasion and money laundering. This processing is a necessary part of running a regulated financial platform. Automated risk models may restrict your use of the Services, freeze funds, or trigger manual review. Where automated decisions produce legal or similarly significant effects, you have the right to request human review (subject to applicable law).
5. How we store your data
Personal data at rest is encrypted using industry-standard algorithms and segregated by sensitivity. Sensitive records (KYC documents, 2FA secrets, API key secrets) are protected by dedicated secrets infrastructure and never transit our application tier in plaintext. Access is restricted to personnel with a documented business need, gated by multi-factor authentication, and logged for audit.
7. International transfers
VaultEX operates from the UAE and uses infrastructure providers located in multiple jurisdictions. Where we transfer personal data internationally, we rely on appropriate safeguards (standard contractual clauses, adequacy decisions, or binding corporate rules) to protect your data.
8. Retention
We retain personal data for as long as your account is active and, after closure, for the period required by applicable law (typically 5 – 10 years for KYC and transaction records). Logs and telemetry data are retained for up to 13 months. Retention may be extended where a regulator, court, or ongoing investigation so requires.
9. Your rights
Subject to applicable law, you have the right to: access your personal data; correct inaccurate data; request deletion in certain circumstances; object to or restrict certain processing; request data portability; withdraw consent (for consent-based processing); and lodge a complaint with your local data-protection authority.
To exercise these rights, contact privacy@vaultex.ee. Note that we may refuse or limit requests where we are legally obliged to retain data (e.g. AML records), where granting the request would prejudice an ongoing investigation, or where it would reveal confidential information of third parties.
11. Children
The Services are not directed at children under 18 (or the age of majority in your jurisdiction). We do not knowingly collect data from children; if we learn we have, we delete it.
12. Changes to this Policy
We may update this Policy to reflect changes in law, regulation or our operations. Material changes will be communicated in-product and by email at least 15 days before they take effect. Continued use of the Services after that date signifies acceptance.
13. Contact
Data-protection questions: privacy@vaultex.ee. Law-enforcement requests: see /legal/law-enforcement. Complaints: /complaint.