Cookies are small text files that our website (or third-party services) place on your device’s browser. We use cookies and similar tracking technologies (such as web beacons, pixels, or local storage) to collect technical and usage information.These technologies help us provide and improve our services in several ways, for example by:

Essential Functions: Some cookies are necessary for our site to operate. They let you log in, keep your session active, and enable core features. Without these, the site may not function properly.
‍Preference and Functional Cookies: These remember your preferences (e.g. language or region) and enhance your experience by providing personalized features.

‍Analytics Cookies: We use analytics tools (most notably Google Analytics) to understand how users use our website. Google Analytics uses its own cookies to collect information about website usage and performance, such as pages visited, time on site, and link clicks. This helps us analyze traffic patterns and user behavior so we can improve our content and services. The information generated by Google Analytics cookies about your use of our site (which may include your IP address and browsing information) will be transmitted to and stored by Google on its servers. Google may process this information to compile statistical reports for us. We have configured Google Analytics to anonymize IP addresses where possible, but please be aware that data might be processed by Google in the United States or other jurisdictions. (Google is certified under the EU-US Data Privacy Framework, but we also implement contractual safeguards  as described in Data Transfers below.) More details can be found in Google's own Privacy Policy. You can opt out of Google Analytics by not accepting analytics cookies in our cookie banner or by installing the Google Analytics opt-out browser add-on.

‍Advertising and Third-Party Cookies: (If applicable) We may allow third-party advertising or social media partners to set cookies or similar technologies on our site to collect information about your browsing habits. This information, along with other data, can be used to provide you with ads about our services on other sites (re targeting) or to measure the effectiveness of ad campaigns. Currently, Axion Exchange does not display third-party ads, but if we do in future, we will update our cookie disclosures and obtain any necessary consents.

Your Choices: On your first visit to our site (and periodically there after), you will be presented with a cookie consent banner. You can choose to accept all cookies or reject non-essential cookies. You can also customize your cookie preferences. If you opt-out of certain cookies (like analytics or advertising), those will not be set in your browser. Additionally, most web browsers allow you to control and delete cookies through settings. However,please note that blocking certain cookies (especially “essential” ones) may impact the functionality of our website (for example, you might not be able to log in or use certain features).
‍
For more information on cookies and how we use them, please refer to our Cookies Policy (if provided) or contact us for details. By continuing to use our site with cookies enabled, you consent to our use of cookies as described here. You can withdraw or change your consent at any time by adjusting your browser settings or using our cookie preference tools.

We treat your personal data with care and confidentiality. We do not sell your personal information to third parties. However, in certain situations we share your data with third parties,as outlined below, for the purposes described in this Notice. Whenever we share data, we ensure that the recipient has a valid reason to receive the data and is obligated to keep it secure and confidential (typically through data processing agreements or similar contracts). The main categories of recipients are:

Identity Verification and KYC Service Provider (Sumsub): We use an industry-leading third-party provider, Sum & Substance (Sumsub), to perform identity verification and KYC checks on our behalf. When you submit ID documents, selfies, or other verification information through our platform, this data is transmitted to Sumsub, which acts as our data processor for verification. Sumsub processes your personal data strictly according to our instructions and for the purpose of verifying your identity and documents. They may generate verification results (e.g.confirming the authenticity of your ID or running face match comparisons) and provide those results back to us. Sumsub stores your KYC data on their secure servers (with data centers in the EU/EEA or other regions as required –see Data Transfers below) and retains it as needed for compliance. Axion Exchange remains the controller of this data and we ensure Sumsub protects it consistent with GDPR. (For more details on Sumsub’s privacy practices, you can refer to their privacy notice.) We do not share your personal data with any other third-party identity verification agencies beyond what is necessary for KYC. Sum sub will not use your data for any purpose other than verifying your identity and improving their verification services in accordance withtheir contractual obligations.
‍
Analytics and Tracking Partners: As noted, we utilize Google Analytics as a third-party analytics service. Google acts as a data processor in providing aggregated website statistics to us. In doing so, Google may receive certain Usage Data (like your IP address and browsing info) collected via its cookies.We ensure any such partner only uses the data for analytics on our behalf and not for their own purposes (except in anonymized form). We may also use other analytics or user experience tools (e.g. performance monitoring services) that will similarly process data on our behalf.

Axion Group Companies: Axion Exchange Sp. z o.o. is part of the broader Axion group of companies (e.g.Axion Capital Ltd in the UK, etc.). We may share your personal data with our affiliates or subsidiaries if necessary to operate the services or for group administration. For instance, if Axion Capital Ltd (UK) provides certain support or IT infrastructure for the exchange, or if we centralize some operations, your data might be accessed by that affiliate. All Axion group entities are bound to maintain your data in line with this Privacy Notice and applicable law. In some cases, Axion group companies may act as independent or joint controllers for certain data processing, but we ensure compliance across our group.

Banking and Payment Partners: If you deposit or withdraw fiat currency through our platform, we will share relevant personal and transaction data with banks, payment processors, or electronic money institutions that facilitate those payments. This can include your name, account number or IBAN, transaction amount, and purpose, as needed to execute the transaction or comply with financial regulations. These institutions are themselves subject to strict data protection and banking secrecy laws. For example, if you wire money to us, your details will go to our bank; or if we use a payment gateway for card payments, your info is shared with that gateway for processing the payment.

Regulatory and Compliance Partners: We may disclose necessary personal data to third parties that assist us in complying with legal obligations.

Sanctions/AML Databases and Tools: We might use external databases or tools to screen your name and other personal details against sanction lists, PEP lists, or adverse media. For instance, we could send identifying information to a service that checks against the EU or UN sanctions list. This is done under our legal obligations for AML/CFT (Combating Financing of Terrorism).

Fraud Prevention Agencies: In cases of suspected fraud or criminal activity, we may share information with fraud prevention agencies or law enforcement partners to investigate and prevent harm.For example, we might share data about suspicious transactions with a blockchain analytics firm to trace illicit activities, or with other exchanges/banks if instructed as part of fraud mitigation.

Service Providers (Processors): We rely on a number of trusted third-party service providers to run our business. These providers process personal data on our behalf and under our instructions (as “processors”). They include:

(1) Hosting and IT Infrastructure Providers: We host our platform and data on secure servers, possibly using reputable cloud services or data center providers located in the EU.These providers store and transmit your data as necessary for our website and app to function. They are contractually bound to keep your data secure. (We currently ensure data hosting is within the EU to comply with regulations and maintain data residency).

(2) Email and Communication Tools: If we send emails or notifications, we might use email service providers or customer support platforms (for instance, a service to send bulk emails or a customer ticketing system to manage support inquiries). They will process contact data and message content as needed to deliver communications to you. 
‍
(3)Analytics/Monitoring Services: Aside from Google Analytics, we might use services for error tracking,performance monitoring, or usage analytics. These would collect Usage Data(likely pseudonymous) to help us maintain the stability and efficiency of our services. 

(4) Security Services:We may use services like DDoS protection networks, captcha providers (e.g.Google reCAPTCHA to prevent bots on forms), and other security tools that process some data (like IP addresses or user input) to protect our site. For example, Google’s reCAPTCHA (if used) would collect information to determine ifan action is by a human, subject to Google’s privacy policy.

All our service providers are carefully vetted and bound by contracts to only use your data for the specified purposes and to protect it under GDPR standards.

Business Transfers: If Axion Exchange is involved in a merger, acquisition,reorganization, or sale of assets, your personal data may be transferred to the acquiring or merging entity. In such an event, we will ensure the new owner will continue to respect your personal data in line with this Privacy Notice.We will provide notice of any such change in ownership and the resultant new controller of your data, if applicable. No transfer will take place if the receiving party cannot guarantee the same level of data protection.

Authorities and Legal Requirements: We may disclose personal data to government authorities, law enforcement, regulators, or courts if required to do so by law or legal process. For example:

- To comply with a subpoena, court order, or similar legal mandate.
- To respond to lawful requests by public authorities (including to meet national security or law enforcement requirements).
- to report suspicious activities or fulfill our obligations under anti-money laundering laws, we might submit KYC data or transactional data to the relevant regulatory agencies (such as the Polish Financial Intelligence Unit or other regulators in jurisdictions where we operate).
- To enforce our Terms of Service or other agreements, or to protect the rights, property, or safety of Axion, our users,or others. This may include exchanging information with other companies and organizations for fraud protection and credit risk reduction.

In all cases of data sharing, we strive to share the minimum amount of information necessary for the purpose and to ensure there are safeguards in place. Third parties who receive personal data must agree to treat it in accordance with applicable data protection laws.If any third party uses your data as a controller (e.g. a bank or regulator),they are responsible for complying with relevant privacy laws as well.
We will never sell or rent your personal information to advertisers or unrelated parties. Any sharing not covered by this section will only occur with your explicit consent.

Data Storage Location: Axion Exchange primarily stores and processes personal data on servers located within the European Union (EU/EEA). We use EU-based infrastructure to ensure that your data remains under the protection of EU data privacy laws. For example,our databases and application servers are hosted in secure data centers in the EU. We also require that our main service providers (such as Sumsub for identity verification and any cloud hosting providers) store and process EU user data within the EEA whenever feasible.

However, some of our service providers or partners are located outside the EU/EEA. For instance:

(1) Sumsub, our KYC provider, is a global company headquartered in the UK. The UK is not in the EU, but it is considered to have “adequate” data protection by the European Commission (at least through the current adequacy decision), meaning data can flow between the EEA and the UK under essentially equivalent protection. Sumsub also has an EU representative and may utilize EU servers for EU customer data. We ensure that Sumsub handles data from EU users in compliance with GDPR and, if data is processed outside the EEA(e.g. by Sumsub’s sub-processors in other regions), appropriate safeguards are in place.

(2) Google Analytics, as noted, may involve transferring certain analytics data to the United States (where Google’s servers or personnel might be located). The U.S. at present does not have an adequacy decision under GDPR (though there is a new EU-US Data Privacy Framework in 2025 which Google may be certified under). We treat these transfers with care and have measures in place. Specifically, we have enabled IP anonymization in Google Analytics and we rely on the Standard Contractual Clauses (SCCs) approved by the European Commission to govern the transfer of data to Google, along with any supplementary measures required. Additionally, by accepting our analytics cookies, you are providing consent for the associated data transfers, where that consent is required by law.

If we engage other providers outside Europe(for example, an email service or cloud backup in the US, or a support center in another country), we will similarly ensure that a valid transfer mechanism is used.

Our Commitment on International Transfers: Whenever we transfer or allow access to your personal data outside of the EU/EEA, we will ensure that a similar degree of protection is afforded to it as under European law.We achieve this by one or more of the following safeguards:

- Transferring data only to countries that have been officially recognized by the European Commission as providing an adequate level of data protection (GDPR Article 45 decisions). (For example, countries in the EEA, the UK, or others deemed adequate.)
- Relying on any other valid GDPR transfer mechanisms that may be available, such as binding corporate rules (if applicable) or the derogation in Article 49 GDPR (in rare cases, e.g. if a transfer is necessary for the performance of a contract with you, or with your explicit consent).

We can provide you with a copy of the relevant transfer safeguards (such as SCCs) upon request.

Data Retention on Third-Party Systems: When using third-party processors like Sumsub or cloud services, your data might be stored in their systems as well. We ensure through contracts that such processors follow our retention and deletion protocols (see Data Retention next) and do not keep the data longer than necessary or permitted.

If you would like more information about where your data is stored or the safeguards for international transfers, please contact us (see How to Contact Us section). We remain responsible for the processing of personal data by any third-party agents on our behalf who are outside the EU, and we will uphold your rights and protections through these arrangements.

We will not retain your personal data for longer than necessary to fulfill the purposes we collected it for,including for satisfying any legal, accounting, or reporting requirements.The exact retention period will depend on the type of data and the reasons we process it. Here is a general overview of how long we keep different types of data:

Account Information and Customer Records: For the duration of your use of our services and up to several years after you close your account. Specifically, once you close your Axion Exchange account, we will archive most of your personal data and keep it for a defined retention period. In many cases, we retain customer data for 5 years after the end of the customer relationship, as this duration is commonly required under AML laws in the EU for retaining KYC data. In some cases, we may retain data for up to 7 years post-account closure to comply with certain regulatory or tax obligations, or in line with the statute of limitations for legal claims.After the retention period, we will securely delete or anonymize the data.

KYC/VerificationData: Identity verification data (copies of your ID, verification results, etc.) are generally retained for at least the minimum period required by law. In Poland and the EU,AML regulations typically require retention of customer due diligence records for 5 years from the end of the business relationship (which can be extended further by law or regulators). We will retain your KYC data for that period to comply with these obligations, and possibly longer if required by a specific regulation or if legal enforcement requires it. Sumsub, as our processor, will store the data on our behalf for these periods and will delete it upon our instruction once the retention period expires. We ensure that oncethe legal retention period is over and data is no longer needed, it is erased or irreversibly anonymized.

Transaction and Financial Records: We keep records of your trades, transactions, payments, and account statements as long as your account is active and for the required retention period after. Financial transaction data may be subject to statutory retention (often 5-7 years) under financial regulations and tax laws. For example, we might need to keep records of transactions for 5+ years for anti-money laundering audits or 5 years for tax audit trail purposes. This data will be securely archived and restricted once you are no longer an active customer.

Communication Data (Support Tickets,Emails): If you contact support or other wise communicate with us, we may retain those communications as long as necessary to address your inquiry and for a short period thereafter in case of follow-ups.Generally, routine support emails are kept for a year or two for reference,unless they need to be retained longer for legal reasons (e.g. evidence of transactions or disputes). Recorded phone calls (if any) would similarly be kept for a defined period according to our internal policy (often 90 days to 6 months, unless needed for a dispute).

Marketing Data: If you have consented to receive marketing, we will keep your contact details for that purpose until you unsubscribe or withdraw consent. If you opt out of marketing, we will add your details to a suppression list to ensure youno longer receive marketing emails. We will keep the fact that you opted out indefinitely (in a minimized form, usually just your email) to honor your opt-out choice. Other preference data (like whether you clicked certain campaigns) is typically anonymized or deleted after a short period if not needed.

Website Analytics Data: Analytics data collected via cookies is generally aggregated and anonymized. Raw analytics logs containing IP addresses or user identifiers are typically retained for a short period (e.g. 14 months by Google Analytics by default) and then deleted or anonymized. We do not store identifiable web log data longer than necessary; for example, our server logs may be kept for security analysis for a few weeks before automatic deletion.
‍
Legal Hold and Disputes: In the event of ongoing legal proceedings, investigations, or disputes, we may retain relevant data beyond the standard periods until those matters are resolved. If we receive a lawful preservation request or if data is needed as evidence, we will preserve it until we are cleared to delete it. We may also extend retention if needed to establish, exercise, or defend legal claims.

Once the applicable retention period expires, we will either securely delete or irreversibly anonymize your personal data. Deletion involves removing the data from all active systems and backups (with a slight delay for backups, which are eventually purged as well). Anonymization means we strip out personal identifiers so that the data can nolonger be linked to you – we may use anonymized data for statistical or business analysis, since this is no longer personal data.
Example: If you close your account, we might retain your account info and transaction history for up to 5 years to satisfy AML record-keeping laws. During that time, yourdata is archived and only accessed if required (e.g. by auditors or regulators). After 5 years, we delete or anonymize those records.

Please note that different laws may require different retention periods, so the above are general guidelines. We always comply with the maximum or minimum periods mandated by applicable law.If you have any specific questions about how long we keep a particular type of data, you can contact us for more information.

asd

asd