This Privacy Policy describes how Xylos Global Ltd. ("Xylos," "we," "us," "our") collects, uses, stores, shares, and protects your personal data when you use the Xylos platform, website, mobile applications, and related services (the "Platform"). By accessing or using the Platform, you consent to the practices described in this policy.
1. Information We Collect
We collect the following categories of personal data:
1.1 Information You Provide Directly
- Account Information: Email address, password (hashed), username, phone number, country of residence, Telegram username, WhatsApp number.
- KYC Documents: Government-issued identification (passport, national ID, driver's license), proof of address (utility bill, bank statement), selfie/liveness check images, and any additional documents required for identity verification.
- Financial Information: Blockchain wallet addresses, bank account details (for fiat on-ramp/off-ramp), card application data.
- Communication Data: Support tickets, chat messages, email correspondence, feedback, and any attachments you submit.
1.2 Information Collected Automatically
- Device Information: IP address, browser type and version, operating system, device identifiers, screen resolution, language settings.
- Usage Data: Pages visited, features used, click patterns, session duration, trading activity timestamps, API request logs.
- Trading Data: Order history, position data, trade executions, account balances, PnL data, margin usage, and liquidation events.
- Referral Data: UTM parameters, referral codes, introducing broker (IB) codes, and attribution data.
1.3 Information from Third Parties
- KYC Providers: Identity verification results, risk scores, and watchlist screening data from SumSub, Veriff, or other verification partners.
- Payment Processors: Transaction confirmations, payment status, and fraud screening data.
- Blockchain Analytics: On-chain transaction data, wallet risk scores, and transaction tracing from blockchain analytics providers.
2. How We Use Your Information
We process your personal data for the following purposes:
- Account Management: Creating and maintaining your account, authenticating logins, managing security settings.
- Service Delivery: Processing trades, managing positions, executing deposits and withdrawals, issuing cards, and facilitating challenge programs.
- Compliance & Legal Obligations: Performing KYC/AML checks, sanctions screening, fraud prevention, suspicious activity reporting, tax reporting, and responding to lawful requests from regulatory or law enforcement authorities.
- Analytics & Improvement: Analyzing usage patterns to improve platform performance, develop new features, optimize the user interface, and monitor system health.
- Communications: Sending transactional notifications (trade confirmations, withdrawal alerts, security notifications), service updates, and, where you have opted in, marketing communications.
- Risk Management: Calculating margin requirements, monitoring exposure, detecting market manipulation, and managing platform risk.
- Referral & IB Programs: Tracking referrals, calculating commissions, and managing introducing broker relationships.
3. Legal Basis for Processing (GDPR)
For users in jurisdictions where the EU General Data Protection Regulation (GDPR) applies, we process your data under the following legal bases:
- Contract Performance: Processing necessary to perform our contract with you (account management, trade execution, deposits/withdrawals).
- Legal Obligation: Processing required to comply with legal requirements (KYC/AML, tax reporting, regulatory compliance).
- Legitimate Interest: Processing in our legitimate interests (fraud prevention, platform security, analytics, service improvement) where such interests are not overridden by your rights.
- Consent: Processing based on your explicit consent (marketing communications, optional analytics cookies).
4. Data Sharing & Third Parties
We do not sell your personal data. We may share your data with the following categories of third parties:
- KYC/Verification Providers: SumSub, Veriff, or equivalent identity verification services for identity document verification, liveness checks, and sanctions screening.
- Payment Processors: Fiat on-ramp/off-ramp providers (e.g., Plutope) for processing fiat deposits and withdrawals.
- Card Issuers: Marqeta, WasabiCard, Wallester, or other licensed card issuers for card issuance, loading, and transaction processing.
- Blockchain Analytics: Chain analysis providers for transaction monitoring, risk scoring, and compliance with travel rule requirements.
- Infrastructure Providers: Cloud hosting, content delivery networks, and database services that process data on our behalf under strict data processing agreements.
- Legal & Regulatory Authorities: When required by law, subpoena, court order, or valid regulatory request.
- Business Transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred as part of the transaction, subject to the same privacy protections.
5. Data Retention
We retain your personal data for the following periods:
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 5 years after closure |
| KYC documents | 5 years after account closure (AML requirement) |
| Trading history & transactions | 7 years (financial record-keeping) |
| Device & usage data | 2 years |
| Support tickets | 3 years after resolution |
| Marketing preferences | Until consent is withdrawn |
| Server & API logs | 90 days (rolling) |
Upon account deletion request, personal data is anonymized within 30 days, except where retention is required by law. Anonymized and aggregated data may be retained indefinitely for analytics and statistical purposes.
6. Cookies & Tracking Technologies
The Platform uses the following types of cookies and tracking technologies:
- Essential Cookies: Required for authentication, session management, security (CSRF protection), and core platform functionality. These cannot be disabled.
- Functional Storage: We use localStorage and sessionStorage to persist your trading preferences, chart settings, theme selection, and other UI preferences locally on your device.
- Analytics Cookies: If enabled, used solely to analyze platform usage and improve performance. We do not use third-party advertising trackers.
- UTM & Referral Parameters: We track UTM parameters and referral codes from incoming links for attribution and referral program management.
- Tracking Pixels: We may use tracking pixels in emails to measure open rates and engagement. You can disable image loading in your email client to opt out.
You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent the Platform from functioning correctly.
7. Security Measures
We implement comprehensive technical and organizational measures to protect your data:
- Encryption: All data in transit is protected with TLS 1.3 encryption. Sensitive data at rest is encrypted using industry-standard algorithms.
- Password Security: Passwords are hashed using bcrypt with a high work factor. We never store plaintext passwords.
- Two-Factor Authentication: TOTP-based 2FA is available and strongly recommended for all accounts.
- Rate Limiting: API and login endpoints are rate-limited to prevent brute force attacks.
- Access Controls: Internal access to user data is restricted on a need-to-know basis with role-based access controls and audit logging.
- Wallet Security: Platform hot wallets use encrypted mnemonic storage. Withdrawal processing includes multi-step verification.
- Monitoring: Continuous security monitoring, intrusion detection, and automated alerting for suspicious activity.
While we strive to protect your data, no system is completely secure. We cannot guarantee absolute security and encourage you to take steps to protect your account credentials.
8. International Data Transfers
Your data may be transferred to and processed in countries other than your country of residence. Xylos operates infrastructure across multiple jurisdictions. Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including: Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other lawful transfer mechanisms. We ensure that all international transfers are compliant with applicable data protection laws.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of your personal data, subject to legal retention obligations.
- Right to Data Portability: Request your data in a structured, commonly used, machine-readable format (e.g., CSV export of trading history).
- Right to Restrict Processing: Request restriction of processing in certain circumstances.
- Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.
- Right to Lodge a Complaint: File a complaint with your local data protection authority (e.g., the Office of the Commissioner for Personal Data Protection in Cyprus).
To exercise any of these rights, contact us at privacy@xylos.io. We will respond within 30 days of receipt of your request, as required by applicable law.
10. GDPR Compliance
For users subject to the General Data Protection Regulation (EU) 2016/679:
- Data Controller: Xylos Global Ltd. is the data controller for personal data processed through the Platform.
- Data Protection Officer: You may contact our Data Protection Officer at dpo@xylos.io.
- Data Processing Agreements: We maintain Data Processing Agreements (DPAs) with all third-party processors who handle EU personal data on our behalf.
- Data Protection Impact Assessments: We conduct DPIAs for high-risk processing activities as required by Article 35 of the GDPR.
- Breach Notification: In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay.
11. Children's Privacy
The Platform is not intended for, and we do not knowingly collect personal data from, individuals under 18 years of age. If we become aware that we have collected personal data from a minor, we will take immediate steps to terminate the account and delete all associated data. If you believe that a minor has provided personal data to Xylos, please contact us at privacy@xylos.io.
12. Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will: (a) update the "Last updated" date at the top of this page; (b) notify you via email to the address associated with your account; and/or (c) display a prominent notice on the Platform. We encourage you to review this Policy periodically. Your continued use of the Platform after any changes constitutes your acceptance of the updated Policy.
13. Contact Information
For privacy-related inquiries, data subject requests, or complaints: