Privacy Rules

1.1. These Privacy Rules (hereinafter referred to as the "Rules") establish the procedure for obtaining, storing, processing, using, and disclosing personal (including personal and contact) data of Clients of the AEXchanger service (hereinafter referred to as the "Service"). These Rules apply to any services provided by the Service.

1.2. AEXchanger is an online platform/system for providing virtual asset exchange services to fiat currencies. The Service’s website is https://aexchanger.com (hereinafter referred to as the "Website"). The Service is owned by EX Rock s.r.o., identification number 193 14 850, with a registered office at Roháčova 145/14, Žižkov, 130 00 Prague 3, Czech Republic, registered with the Municipal Court in Prague, Section C, Insert 384567 (hereinafter referred to as the “Company”, “We”, or “Us”).

1.3. By registering with the Service, the Client (hereinafter referred to as the "Client", or “You”) must familiarize themselves with the terms and confirm their Agreement with this Rules by checking the appropriate box in the registration form. If the Client refuses to comply with the terms of this Rules, they must cease using the Service.

1.4. The Personal Data of Clients during registration, placement, receipt, and transmission of information in the Service is collected by the Company.

1.5. This Rules has been developed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter referred to as the “GDPR”), Zákon č. 110/2019 Sb., o zpracování osobních údajů a o změně některých zákonů (hereinafter referred to as the “Czech Law”), as amended by subsequent regulations, which includes the protection of individuals concerning the processing of Personal Data and unrestricted transfer of Personal Data.

AEXchanger Service: It is an online Platform providing a Service for the exchange of Crypto-assets for funds, as well as for other Crypto-assets, and enables the transfer of Crypto-assets on behalf of Clients. The service is owned by the Company.

Data Controller: the Company, acting as the legal entity that oversees the data repository and/or database, defines the purposes and methods of processing the Personal Data it holds or controls, and bears responsibility for ensuring that such processing complies with all relevant data protection legislation. For the purposes of this Policy, the Company is the Data Controller.

Data Subject: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal Data: any information relating to an identified or identifiable natural person.

Processing of Personal Data: automated or non-automated operation or set of operations, including collection, documentation, organizing, structuring, storing, customizing and modifying, querying, reading, using, transferring, distributing, or making otherwise available, joining or combining, restricting, deleting or destructing of Personal Data or set of them.

Third Party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor, or persons authorised under the direct authority of the controller or processor.

Client: any individual or legal entity that requests, accesses, or utilizes the Company’s Services in accordance with Our Rules, irrespective of the communication channel or form of payment chosen.

Website: the Company’s official Website, accessible at https://aexchanger.com, which serves as the primary source for publishing information about the Services, legal documentation, public communications, contact information, and any official Offers.

3.1. To provide Clients with access to the Service's services and the proper use of its functionality, the Service collects the following information from Clients.

3.1.1. Mandatory information required during registration to receive services, such as:

• First and last name;
• Gender;
• Citizenship;
• Identification document number, date of issue, and validity period;
• Identification number and taxpayer number;
• Place of residence, mailing address;
• Other personal information typically included in identification documents;
• Client account login and password;
• Bank account details;
• Electronic wallet details;
• Email address;
• Phone number;
• IP address.

3.1.2. The Service will be unable to provide services if the User does not provide this information, and as a result, the User will be unable to use the Service's services.

3.3. Information Collected Automatically

3.3.1. Certain information is automatically collected when Clients access or interact with Our Website or digital infrastructure. This includes:

3.3.2. Technical Data

• IP address and device identifier;
• Browser type and version;
• Operating system and language settings;
• Referring URLs and time zone.

3.3.3. Usage Data

• Pages visited and time spent on the Website;
• Click paths, interactions, and transaction history;
• Session duration and system performance logs.

3.4. Cookies and Tracking Technologies

3.4.1. We use cookies to identify the Client’s browser and provide services dependent on it. The types of data collected through such technologies include:

• Session identifiers and authentication tokens;
• Necessary cookies (e.g. _cs_c, ClientStoreCookies, i18n_redirected);
• Analytics cookies (e.g., _ga, _cs_s, _cs_id) for behavioral metrics;
• Marketing cookies (e.g., _fbp, Client_tracker) for ad personalization;
• Browser capabilities and cookie support status.

3.4.2. Detailed information on the use of cookies can be found in the Cookies Rules.

3.5. Information from Third-Party Sources

3.5.1. In certain cases, We may collect Personal Data from external and legally permitted sources, including:

• Analytics and tracking providers (e.g., Google Analytics, ContentSquare);
• Anti-Money Laundering (hereinafter referred to as the "AML") / Know-Your-Customer (hereinafter referred to as the "KYC") verification partners;
• Public databases or registries (where required by law);
• Payment processors and technical providers for transaction validation.

3.6. All information is collected "as is" and is not modified during the data collection process.

3.7. When Clients contact Customer Support, the Service may collect personal information necessary to fulfill the Client's request and provide feedback. The Service may also contact the Client using the existing account contact information provided for this purpose.

3.8. By using the Service's tools and Services, the Client consents to the processing of their Personal Data.

4.1. Information collected from Clients is used solely to provide the Service's offerings and improve the Website and Services. The Client's personal information is utilized for the following purposes:

4.1.1. To maintain our Service and offerings

We use personal information to ensure the proper functioning of our services;

4.1.2. To improve our Service and Services

Personal Data helps our systems ensure the availability of our interface to Clients across all platforms;

4.1.3. To comply with our legal obligations

In many jurisdictions, We are required to collect certain information about our Clients to have the legal right to provide services (e.g., KYC, AML, counter-terrorism financing (hereinafter referred to as the “CFT”) regulations). We may also process Personal Data to satisfy mandatory reporting obligations, respond to law enforcement or regulatory inquiries, cooperate with financial supervisory authorities, and ensure compliance with applicable tax, accounting, and audit frameworks;

4.1.4. To protect your assets

We may use information to identify You and your assets to ensure access to your accounts and prevent fraud. Transaction information allows us to track suspicious activity and protect You from fraud and scams;

4.1.5. For periodic notifications

We may use information We receive from You when You register or use certain other features of the Website. This could be done for security reasons, to seek your feedback on the Service, or to keep You informed about any changes in the services provided by the Service. We may also periodically send notifications with news and updates about the Services or use this information to contact You via chat;

4.1.6. To resolve disputes and enforce our agreements

to the extent necessary and sufficient to protect your interests or the interests of other Clients.

4.2. As part of its activities, the Service has the right to post information about the Client, to the extent necessary for the conclusion of agreements between Clients, for sending messages, and facilitating communication between Clients, processing payments, and the like.

4.3. When providing services, We may also use third-party tools and resources (independent service providers) (hereinafter referred to as the "Service Providers"). The Service may enter into agreements with third parties that need to receive personal information to the extent necessary to provide services. To provide us with contractual services, these third-party service providers are required to adhere to this Rules. The software used by the Service is owned by Guardance UAB. Clients can review the Privacy Rules and the Process for Handling Client Data on the Company's website at https://guardarian.com.

All our Service Providers ensure sufficient security for your Personal Data to prevent unauthorized or accidental access or other misuse, and all our Service Providers are bound by confidentiality obligations and must not use your Personal Data for any purpose other than that for which the data was provided to them.

4.4. Notwithstanding any provisions of this Rules to the contrary, We may retain or disclose your information if We believe it is reasonably necessary to comply with the law, regulation, legal process, or governmental request; to protect the safety of any person; to address fraud, security, or technical issues; or to protect our rights or the property of our Clients.

4.5. Clients are responsible for all information they post on the Service.

4.6. Personal information provided for the purpose of creating and managing a Client account, as well as for entering into or fulfilling Agreements, will be retained for as long as necessary for the purposes outlined in this Rules.

4.7. In accordance with applicable legislation, including Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets (hereinafter referred to as the “MiCA”), GDPR, Zákon č. 253/2008 Sb., o některých opatřeních proti legalizaci výnosů z trestné činnosti a financování terorismu (hereinafter referred to as the “AML Law”) the Service or, where required by law, the Payment System must retain records about its Clients and their transactions to provide quality services and assist authorities and courts in the event of legal proceedings.

4.8. The Service or, where required by law, the Payment System must retain records for five (5) years after the termination of the Business Relationship (or after the completion of any investigation conducted by authorities concerning the Client) regarding:

• Data obtained during the Client's due diligence process;
• Copies of official identification documents;
• All necessary transaction records sufficient to reconstruct individual Transactions;
• The service provision agreement;
• Financial documentation related to the Client and transactions.

4.9. For ten (10) years after a transaction or the termination of the business relationship, the Service or, where required by law, the Payment System retains:

• Identification and other data obtained during the Client's identification or collected in accordance with directly applicable European Union Regulations governing information accompanying the transfer of funds;
• Copies of documents submitted for identification purposes, if such copies were made;
• Information and copies of documents obtained as part of the Client's due diligence process;
• The original or notarized copy of a power of attorney or the decision number appointing a guardian in cases of representation.

4.10. Upon the expiration of the applicable retention periods, the Service shall ensure the erasure (irreversible destruction) of any and all relevant Personal Data of the Client from all systems and storage media without undue delay.

5.1. In accordance with the principles of data minimisation under the GDPR and Czech Law, the Company does not collect Personal Data that is not strictly necessary for the lawful and secure provision of the Service.

5.2. Specifically, the Company does not knowingly or intentionally collect the special categories of Personal Data as defined in Article 9(1) GDPR, such as: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

5.3. The Company does not knowingly collect or process Personal Data from individuals under the age of eighteen (18). By accessing or using the Service, Clients confirm that they are at least eighteen (18) years old. If it is discovered that data belonging to a child under eighteen (18) has been inadvertently collected, the Company will immediately delete such data from its systems.

Parents or legal guardians who believe that We may have unintentionally collected data from a minor are encouraged to contact Us using the contact details provided in this Rules.

The Service does not offer content or functionality specifically directed at minors, nor does it engage in behavioural profiling or targeted advertising aimed at individuals under the age of eighteen (18).

5.4. Furthermore, the Company does not collect or process data unrelated to the provision, support, or compliance of the Service, such as data collected from social media, geolocation beyond functional necessity, or metadata from external platforms.

5.5. The Company does not engage in the sale or commercial sharing of Personal Data with third parties beyond the purposes described in this Rules and in accordance with GDPR, and Czech Law.

6.1. In accordance with GDPR and Czech Law, the Client has the right to manage personal information, including, for example:

6.1.1. Right of Access (Art. 15 GDPR)

Clients have the right to obtain confirmation as to whether or not their Personal Data are being processed, and, where that is the case, access to the Personal Data and the following information:

• The purposes of the processing;
• The categories of Personal Data concerned;
• The recipients or categories of recipients;
• Where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period;
• The right to request rectification or erasure of Personal Data or restriction of processing of Personal Data concerning the data subject or to object to such processing;
• The right to lodge a complaint with a supervisory authority;
• The existence of automated decision-making or profiling and related safeguards.

6.1.2. Right to Rectification (Art. 16 GDPR)

The Client has the right to request the prompt correction of inaccurate Personal Data concerning them. Taking into account the purposes of processing, the Client also has the right to have incomplete data completed, including by providing a supplementary statement.

6.1.3. Right to Erasure (Right to be Forgotten)(Art. 17 GDPR)

The Client may request the erasure of their Personal Data without undue delay where one of the following grounds applies:

• The Personal Data are no longer necessary for the purposes for which they were collected or otherwise processed;
• The Client withdraws consent and no other legal basis applies;
• The Client objects to the processing and no overriding legitimate grounds exist;
• The Personal Data have been unlawfully processed;
• The data must be erased for compliance with a legal obligation;
• The data were collected in relation to the offer of services to a child.

The Service may refuse such a request where the processing remains necessary, including for compliance with legal obligations, archiving purposes, public interest, or the establishment or defence of legal claims.

6.1.4. Right to Restriction of Processing (Art. 18 GDPR)

The Client may request the restriction of the processing of their Personal Data where one of the following applies:

• The accuracy of the data is contested by the Client, allowing the Service time to verify the data;
• The processing is unlawful and the Client opposes the erasure of the data and requests restriction of its use instead;
• The Service no longer needs the data for the original purposes, but the Client requires it for the establishment, exercise, or defence of legal claims;
• The Client has objected to the processing, pending verification of whether the Service’s legitimate grounds override those of the Client.

6.1.5. Right to Data Portability (Art. 20 GDPR)

The Client has the right to receive the Personal Data they have provided to the Service in a structured, commonly used, and machine-readable format. This applies where the processing is based on the Client’s consent or a contract, and is carried out by automated means. The Client also has the right to request that such data be transmitted directly to another controller, where technically feasible.

6.1.6. Right to Object (Art. 21 GDPR)

The Client has the right to object, at any time and on grounds relating to their particular situation, to the processing of their Personal Data based on legitimate interests or tasks carried out in the public interest, including profiling. The Service shall stop processing such data unless it demonstrates compelling legitimate grounds or the processing is required for legal claims.

If the Client’s Personal Data is processed for direct marketing purposes, including related profiling, the Client may object at any time. Upon such objection, the data will no longer be used for marketing.

6.1.7. Rights Related to Automated Decision-Making and Profiling (Art. 22 GDPR)

The Client has the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects. Exceptions apply where such processing is necessary for a contract, is authorised by applicable law, or is based on the Client’s explicit consent. In such cases, the Service shall implement appropriate safeguards.

6.1.8. Right to Contact the Data Protection Officer (hereinafter referred to as the “DPO”)

The Client has the right to contact the Company’s appointed DPO with any questions, concerns, or requests related to the processing of their Personal Data.

6.1.9. Right to Lodge a Complaint with a Supervisory Authority

If Client resides in the European Economic Area (hereinafter referred to as the "EEA") and has a concern about our processing of their Personal Data that We are not able to resolve through our internal resolution process, Client has the right to lodge a complaint with the data privacy authority where they reside. For contact details of your local Data Protection Authority, please see: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en.

6.2. If the Client wishes to exercise their rights, they must send a request to the Service.

6.3. The Service may restrict the Client’s rights where disclosure would infringe the rights of others, where data must be retained for legal compliance, or where processing is necessary for the operation of the Service or the defence of legal claims. In such cases, the data shall not be subject to access, erasure, or other Client requests, to the extent permitted by applicable law.

7.1. Disclosure of Personal Data without the consent of the Client or their authorized representative is permitted in cases specified by law and only in the interests of national security, economic well-being, and human rights, including but not limited to reasonable requests from governmental authorities with the right to request and receive such data.

7.2. The Service may provide Personal Data of Clients upon requests from competent authorities, in accordance with the requirements of applicable laws.

7.3. According to this Rules, the Service undertakes not to rent or sell any Personal Data of the Client. In the event that the business or part of this business is sold or reorganized, and the Service transfers all or part of its assets to the new owner, the Clients' Personal Data may be transferred to the buyer to ensure continuity of service.

7.4. The Service is entitled to transfer certain anonymized information (data that does not allow for the identification of Clients individually) to third-party service providers and trusted partners to improve the overall quality and effectiveness of services.

8.1. The Service may transfer Personal Data to recipients located outside the EEA, including to countries that may not offer the same level of data protection as within the EEA.

8.2. Where such transfers occur, the Service ensures that adequate safeguards are implemented in accordance with the GDPR, including:

• Decisions on adequacy adopted by the European Commission (Article 45 GDPR);
• Standard Contractual Clauses (Article 46 GDPR); or
• Other appropriate safeguards as required by law.

8.3. In the absence of an adequacy decision or appropriate safeguards, international transfers shall be carried out based on the explicit consent of the Client (Article 49(1)(a) GDPR), or where the transfer is necessary for the performance of a contract or to comply with a legal obligation.

8.4. By using the Service and submitting Personal Data, the Client acknowledges and consents to such international transfers, as may be necessary for the operation of the Service and performance of related obligations.

9.1. The Service ensures that all requests from Clients relating to their data subject rights are handled in a transparent, timely, and consistent manner.

9.2. Clients may submit requests concerning access, rectification, erasure, restriction of processing, data portability, or objection to processing by contacting the Service via the contact methods provided in this Rules.

9.3. The Service shall respond to any such request without undue delay and, in any case, within one (1) month from receipt.

9.4. The Service shall facilitate the exercise of these rights and may request additional information where reasonable doubts exist regarding the identity of the requesting Client.

9.5. If the Service does not take action on the request, the Client will be informed within one (1) month of receipt, along with the reasons and information on their right to lodge a complaint with the competent supervisory authority and seek judicial remedy.

9.6. Requests shall be processed free of charge unless they are manifestly unfounded or excessive, in which case a reasonable administrative fee may be charged or the request may be rejected, with justification.

9.7. Responses will be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, by written or electronic means.

10.1. The Company implements appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with the processing of Personal Data. These measures aim to prevent unauthorised access, disclosure, alteration, or loss of data.

10.2. Such measures include, without limitation:

• Physical safeguards. Personal Data is stored in secured facilities with restricted access.
• Access controls. Only authorised personnel with a legitimate business need may access Personal Data, subject to confidentiality obligations.
• Technical protections. Encryption, intrusion detection systems and two-factor authentication are used to protect data in transit and at rest.
• Secure storage. Personal Data is held on servers protected by up-to-date security protocols and monitored infrastructure.
• Vendor due diligence. Third-party service providers are subject to data protection agreements and are required to apply comparable security standards.

10.3 Despite the measures taken, the Company cannot guarantee absolute security. Clients are encouraged to notify the Company without delay if they become aware of any actual or suspected breach involving their Personal Data.

10.4 To the extent permitted by applicable law, the Company shall not be held liable for any damages resulting from unauthorized access, disclosure, or misuse of Personal Data arising from circumstances beyond its control.

11.1. The processing of Personal Data subject to the GDPR is carried out on the basis of one or more of the following legal grounds:

11.1.1. Performance of a contract

We process Personal Data when it is necessary to fulfill our obligations under the Client Agreement, including the delivery of our Services, provision of technical and Client support, as well as maintaining, improving, and adapting the functionality and performance of the Website.

11.1.2. Legitimate interests

Processing may be conducted where it is required to pursue our legitimate interests or those of a third party, provided such interests are not overridden by your fundamental rights and freedoms. These legitimate interests may include, but are not limited to, product development and innovation, Client communication and engagement (including direct marketing), personalization of services, fraud detection and prevention, safeguarding network and information systems, and generating anonymized or aggregated datasets.

11.1.3. Consent

Where explicit consent has been obtained from Clients for a specific purpose, processing is conducted strictly in accordance with the scope of that consent.

11.1.4. Legal and regulatory compliance

We may process your Personal Data where required to comply with applicable legal or regulatory obligations. This includes, but is not limited to, adherence to AML/CFT laws, suspicious transaction monitoring and reporting, sanctions compliance, Client identification and due diligence procedures, risk management and audit obligations, cooperation with law enforcement or supervisory authorities, tax and financial reporting, record retention requirements, and defense or exercise of legal claims.

12.1. We reserve the right to revise, update, or modify these Rules at any time to reflect changes in applicable legislation, regulatory requirements, technological advancements, or adjustments to the functionality of our Website and services.

12.2. The new version of this Rules takes effect three (3) days after the new version of the relevant documents is posted on the Service.

12.3. Clients agree to periodically review these Rules to stay informed about how the Service protects their information.

12.4. If the Service makes any changes to these Rules that the Client does not agree with, the Client must stop using the services.

12.5. Continuing to use the Service confirms the Client's consent and acceptance of the new version of this Rules.

12.6. The Service is not responsible for any damages or losses incurred by the Client or third parties resulting from the Client's misunderstanding or failure to understand the terms of this Rules, instructions, or guidelines on how to use the Service, how to post data, and other technical issues.

13.1. If any provision of this Rules, including any proposal, clause, or part thereof, is found to be contrary to law or invalid, the other provisions not contrary to law shall remain in force and valid, and any invalid or unenforceable provision shall be deemed amended, modified to the extent necessary to ensure its validity and enforceability.

13.2. The Client has rights provided by GDPR concerning the processing of Personal Data and on the free movement of such data.

13.3. This Rules applies to the Client from the moment they agree to its terms when submitting their Personal Data while using the Service and remains in effect as long as the Service retains any information about the Client, including Personal Data.

13.4. The Client may contact the Service electronically using the tools available on the Service or via the support email address: [email protected]. Any electronic message is considered delivered once We confirm its receipt.