Privacy Policy

Account data: When you register, we collect your name, email address, username, and a securely hashed password. We never store your plain-text password.

Identity verification (KYC): To comply with financial regulations, we may collect government-issued ID documents, a selfie photograph, date of birth, residential address, and — for US residents only — a Social Security Number. These are stored encrypted and accessed only by authorised compliance staff.

Financial data: We record deposit amounts, cryptocurrency wallet addresses you provide, withdrawal requests, and transaction histories. We do not store full credit-card numbers.

Technical data: Each login records your IP address, browser type, operating system, device fingerprint, and approximate geolocation (country, city). This data powers our fraud-detection and security-alert systems.

Communications: Messages you send to our support team and AI chatbot interactions are retained for quality assurance and dispute resolution.

We use your data solely for the following purposes:

• Providing, maintaining, and improving our investment platform
• Processing deposits, withdrawals, and referral commissions
• Verifying your identity and complying with anti-money-laundering (AML) and Know Your Customer (KYC) obligations
• Detecting and preventing fraud, account takeovers, and suspicious activity
• Sending transactional emails (deposit confirmations, withdrawal updates, security alerts)
• Calculating and distributing referral bonuses at Level 1 (3%) and Level 2 (1%)
• Responding to your support requests

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

We apply industry-standard safeguards to protect your information:

• All data in transit is encrypted via TLS 1.3
• Passwords are hashed using bcrypt with a per-user salt
• KYC documents are stored in encrypted object storage with access-controlled signed URLs
• Session tokens are signed with a rotating JWT secret and expire after 7 days
• Every login is logged with IP, device fingerprint, and a 0–100 risk score; anomalies trigger automatic alerts
• Multi-IP and multi-device logins within 24 hours are automatically flagged for review

Despite these measures, no system is completely immune to breaches. We will notify affected users within 72 hours of discovering a material data incident.

We use a single session cookie (app_session_id) to keep you logged in. This cookie is:

• HttpOnly — inaccessible to JavaScript, preventing XSS theft
• Secure — transmitted only over HTTPS
• SameSite=Lax — mitigates CSRF attacks
• Automatically expires after 7 days of inactivity

We do not use advertising cookies, third-party tracking pixels, or analytics services that profile you across other websites.

We share your data only in the following limited circumstances:

• Service providers: Cloud infrastructure (hosting, database, object storage) under strict data-processing agreements
• Legal obligations: When required by a valid court order, subpoena, or applicable law
• Business transfers: In the event of a merger or acquisition, your data may transfer to the successor entity, subject to the same privacy protections

Any third-party processor we engage is contractually bound to use your data only for the purpose we specify and to maintain equivalent security standards.

Depending on your jurisdiction, you may have the right to:

• Access — request a copy of all personal data we hold about you
• Rectification — correct inaccurate or incomplete data
• Erasure — request deletion of your account and associated data, subject to legal retention requirements
• Portability — receive your data in a structured, machine-readable format
• Objection — object to processing based on legitimate interests
• Restriction — request that we limit processing while a dispute is resolved

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

We retain your data for as long as your account is active. After account closure:

• Transaction records are retained for 7 years to satisfy financial regulatory requirements
• KYC documents are retained for 5 years post-closure under AML regulations
• Security logs are retained for 2 years for fraud investigation purposes
• Support messages are retained for 3 years
• All other personal data is deleted within 90 days of account closure

If you have questions, concerns, or requests regarding this Privacy Policy, please contact our Data Protection team:

We may update this policy periodically. Material changes will be announced via email and a prominent notice on the platform at least 14 days before taking effect.