B2B Privacy Notice
This Privacy Policy applies to data processed in connection with Exchange Capital's institutional OTC desk services. It covers data relating to corporate representatives, beneficial owners, directors, and other individuals whose information is collected as part of institutional onboarding and ongoing due diligence.
Introduction
Exchange Capital ("we", "us", "our") is committed to protecting the privacy and security of personal data processed in connection with our OTC services. This Privacy Policy explains how we collect, use, share, and protect information about individuals associated with our institutional counterparties, including corporate representatives, directors, beneficial owners, and compliance contacts.
We process personal data as required by law, including for the purposes of anti-money laundering (AML), counter-terrorist financing (CTF), sanctions screening, and know-your-customer (KYC) obligations. This processing is mandatory — failure to provide required information will prevent us from providing services.
Data We Collect
2.1 Corporate & Entity Data
- Company name, registration number, jurisdiction of incorporation.
- Registered address and principal place of business.
- Corporate ownership and group structure documentation.
- Regulatory licences, authorisations, and compliance certifications.
- Financial statements and source of funds documentation.
2.2 Individual Data (Directors, UBOs, Representatives)
- Full legal name, date of birth, nationality, and country of residence.
- Government-issued identification documents (passport, national ID).
- Proof of residential address.
- Professional role, title, and authority to act on behalf of the entity.
- PEP (Politically Exposed Person) and sanctions screening results.
2.3 Transaction Data
- Trade history, order details, confirmation records, and settlement instructions.
- Wallet addresses, bank account details, and payment reference information.
- Communication records related to trade negotiation and execution.
2.4 Technical Data
- IP addresses, browser type, and device information when accessing our platform.
- Access logs and platform usage data for security and operational purposes.
How We Use Data
We use the data we collect for the following purposes:
- Onboarding and verification: Conducting KYB/KYC checks, verifying identity, and assessing suitability for access to our services.
- Service delivery: Executing trades, processing settlements, and managing the ongoing trading relationship.
- Regulatory compliance: Meeting our obligations under AML, CTF, sanctions, and other applicable financial regulations.
- Risk management: Monitoring transactions for suspicious activity, fraud prevention, and ongoing due diligence.
- Record-keeping: Maintaining required records for regulatory reporting and audit purposes.
- Communication: Sending trade confirmations, operational notices, and compliance-related correspondence.
- Legal proceedings: Defending or pursuing legal claims where necessary.
Legal Basis for Processing
We process personal data on the following legal bases:
- Legal obligation: Processing required to comply with AML, CTF, sanctions screening, and financial regulation obligations.
- Contractual necessity: Processing required to perform the services agreed under the Master Trading Agreement or equivalent bilateral agreement.
- Legitimate interests: Processing for fraud prevention, risk management, security, and improving our services, where these interests are not overridden by individual rights.
- Consent: Where required by applicable law and not covered by the above bases, we will seek explicit consent.
Data Sharing
We may share personal data with the following categories of recipients:
- Regulatory authorities and law enforcement: As required by applicable law, court order, or regulatory direction.
- Financial intelligence units: Suspicious activity reports and other mandatory disclosures under AML legislation.
- Compliance service providers: Third-party KYC/AML screening providers, sanctions list providers, and identity verification platforms engaged under appropriate data processing agreements.
- Banking and payment partners: Settlement and fiat currency processing partners, to the extent necessary to execute agreed transactions.
- Professional advisors: Legal, audit, and tax advisors bound by professional confidentiality obligations.
- Technology providers: Cloud infrastructure, platform, and security service providers engaged under appropriate data processing agreements.
We do not sell personal data to third parties, and we do not share data for marketing purposes without explicit consent.
Data Retention
We retain personal data for the periods required by applicable law and regulation. As a minimum, KYC/AML records are retained for a period of five (5) years from the end of the business relationship, or such longer period as required by applicable law. Transaction records are retained for a minimum of five (5) years from the date of the transaction. Where data is no longer required, it will be securely deleted or anonymised.
Security
Exchange Capital implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration. These measures include encryption of data at rest and in transit, access controls, regular security assessments, and staff training. However, no system is completely secure, and we cannot guarantee absolute security of data transmitted electronically.
International Transfers
Exchange Capital operates internationally and may transfer personal data to countries outside the jurisdiction of incorporation. Where data is transferred internationally, we ensure appropriate safeguards are in place, including standard contractual clauses, adequacy decisions, or other legally recognised transfer mechanisms. Transfers to regulatory or law enforcement authorities are conducted as required by applicable law.
Your Rights
Subject to applicable law, individuals whose data we process have the following rights:
- Access: The right to request a copy of personal data we hold about you.
- Rectification: The right to request correction of inaccurate personal data.
- Erasure: The right to request deletion of personal data where no longer necessary, subject to our legal retention obligations.
- Restriction: The right to request that we restrict processing in certain circumstances.
- Objection: The right to object to processing based on legitimate interests.
- Portability: The right to receive personal data in a structured, machine-readable format where applicable.
Please note that certain rights are subject to limitations where processing is required for regulatory compliance or legal obligations. Requests should be submitted to compliance@excap.io.
Cookies
Our website uses minimal, essential cookies required for security and session management. We do not use advertising cookies or third-party tracking technologies. Technical cookies are strictly necessary for the functioning of the platform and cannot be disabled without impairing functionality.
Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in applicable law, our services, or our data practices. Material changes will be communicated to counterparties with reasonable advance notice. The current version of this Policy is always available at excap.io/legal/privacy.html.
Contact
For privacy-related queries, data subject access requests, or complaints regarding our handling of personal data, please contact:
- Data & Compliance: compliance@excap.io
- General: desk@excap.io