Nivex Privacy Policy
1. Introduction and Overview
1.1 Purpose of the Policy
This Privacy Policy details how Nivex Digital Currency Exchange (hereinafter referred to as "Nivex," "we," or "our") collects, uses, stores, protects, and shares users' personal information. We are committed to complying with all applicable data protection laws and regulations, including but not limited to the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), China's Personal Information Protection Law (PIPL), and data protection requirements in other relevant jurisdictions.
1.2 Scope of Application
This policy applies to all users who access our services through the Nivex official website, mobile applications, API interfaces, or any other means. Whether you access our services through a personal or institutional account, this policy applies equally.
1.3 Policy Updates
We may update this Privacy Policy from time to time to reflect legal changes or modifications to our business practices. Users will be notified of significant changes via email or platform announcements at least 30 days before implementation. We recommend that users review this policy periodically to stay informed.
2. Collection of Personal Information
2.1 Directly Provided Personal Information
When you register for a Nivex account, complete identity verification (KYC), use trading services, or contact us, we collect various types of personal information you voluntarily provide. This includes, but is not limited to:
- Identification Information: Your full name, date of birth, nationality, scanned copies or photos of government-issued identification documents (e.g., passport, ID card, or driver's license), and selfies or videos for biometric verification.
- Contact Information: Your email address, phone number, residential address (e.g., billing address), and other means of contacting you.
- Financial Information: Bank account details, credit or debit card information, digital currency wallet addresses, and details related to your transaction activities.
- Transaction Data: All your transaction records on our platform, including order history, transaction amounts, timestamps, and IP addresses associated with transactions.
- Communication Records: All correspondence between you and our customer support team, including emails, chat logs, and call recordings (where applicable).
2.2 Automatically Collected Information
When you access or use our services, we automatically collect certain technical information:
- Device Information: Including but not limited to your IP address, device model, operating system version, browser type, device identifiers (e.g., IMEI or advertising ID), and mobile network information.
- Usage Data: The time of your visits, pages viewed, links clicked, time spent on pages, and navigation paths.
- Cookies and Similar Technologies: We use various technologies to collect information, including essential session cookies (to maintain login status), analytical cookies (e.g., Google Analytics), and marketing cookies (for personalized ads, requiring separate consent).
2.3 Information Obtained from Third Parties
In certain cases, we may obtain your personal information from third-party sources:
- Identity Verification Providers: We may use third-party services to verify the authenticity of the information you provide.
- Credit Agencies and Anti-Fraud Databases: To comply with anti-money laundering regulations and reduce fraud risks, we may query relevant databases.
- Blockchain Analysis Tools: We may use tools like Chainalysis to analyze blockchain transaction data for regulatory compliance.
- Social Media Platforms: If you choose to log in via social media accounts (e.g., Google or Facebook), we may receive limited information shared by these platforms.
3. Use of Personal Information
3.1 Purposes of Use
We collect and use your personal information primarily for the following purposes:
- Account Registration & Management: To create and maintain your Nivex account and provide the services you request.
- Identity Verification & Compliance: To perform Know Your Customer (KYC) and anti-money laundering (AML) checks to meet legal and regulatory requirements.
- Transaction Processing: To execute digital currency trades, transfers, and other related transactions.
- Security Protection: To detect and prevent fraud, misuse, and security incidents, protecting our services and users.
- Customer Support: To respond to inquiries, resolve technical issues, and provide general assistance.
- Service Improvement: To analyze usage patterns and enhance our products and services.
- Marketing & Promotions: To send you information about our services, promotions, or market analyses (with your consent).
- Legal Compliance: To comply with applicable laws, regulations, court orders, or other legal processes.
3.2 Legal Basis (GDPR-Specific)
For users subject to GDPR, our legal bases for processing personal data include:
- Contractual Necessity: Processing required to provide the services you request.
- Legal Obligation: Processing necessary to comply with EU or member state laws.
- Legitimate Interests: Processing to protect our or third parties' legitimate interests, such as fraud prevention.
- User Consent: For non-essential processing (e.g., marketing communications), we will proceed only with your explicit consent.
4. Sharing and Disclosure of Personal Information
4.1 General Sharing Circumstances
We share your personal information with third parties only in the following cases:
- Service Providers: Trusted third parties providing services such as cloud hosting, payment processing, customer support, KYC verification, marketing, and analytics. These providers process data only per our instructions and under strict contractual obligations.
- Business Transfers: If Nivex undergoes a merger, acquisition, or asset sale, your personal information may be transferred as part of the transaction. We will ensure the recipient continues to comply with this Privacy Policy.
- Legal Requirements: When we believe disclosure is necessary to comply with applicable laws, regulations, legal processes, or government requests.
- Rights Protection: When disclosure is necessary or appropriate to protect Nivex’s, our users’, or the public’s rights, property, or safety.
4.2 Cross-Border Data Transfers
Due to our global operations, your personal information may be transferred to jurisdictions outside your country for processing and storage:
- EU Data Transfers: For transfers from the EU to non-EU countries, we implement safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
- China Data Transfers: Under China’s PIPL, we conduct security assessments for outbound data and may adopt standard contracts approved by regulators.
- Other Regions: We evaluate data protection levels in destination countries and implement supplementary measures to ensure adequate protection.
5. User Rights and Controls
5.1 Basic Rights
All Nivex users enjoy the following fundamental rights:
- Right to Access: You may request a copy of your personal information held by us.
- Right to Rectification: You may request correction of inaccurate or incomplete data.
- Right to Erasure: Under certain conditions, you may request deletion of your personal information ("right to be forgotten").
- Right to Restriction of Processing: You may request limiting the processing of your data.
- Right to Data Portability: You may obtain your data in a structured, machine-readable format and, where feasible, transfer it to another provider.
- Right to Object: You may object to processing based on legitimate interests, including direct marketing.
5.2 Region-Specific Rights
Certain jurisdictions grant additional rights:
- EU (GDPR): Right not to be subject to solely automated decision-making (including profiling).
- California (CCPA): Right to request disclosure of personal information collected in the past 12 months, opt out of "data sales," and exercise rights without discrimination.
- Brazil (LGPD): Right to know about third-party data sharing, request review of automated decisions, and receive clear information about processing activities.
5.3 How to Exercise Rights
You may exercise your rights via:
1. Account Settings: Many rights (e.g., access, correction, deletion) can be exercised directly in your Nivex account settings.
2. Contact Form: Use the dedicated data subject request form on our website.
3. Email: Send requests to our Data Protection Officer’s email.
4. Mail: Send written requests to our registered office address.
We will respond within 30 days of receiving a verifiable request (or sooner if required by law). In some cases, we may charge a reasonable fee or deny requests (e.g., if manifestly unfounded or excessive).
6. Data Security Measures
6.1 Technical Security Measures
We implement industry-standard technical measures to protect your personal information:
- Encryption: All sensitive data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Access Controls: Strict role-based access control (RBAC), multi-factor authentication (MFA), and regular permission reviews.
- Wallet Security: Hardware Security Modules (HSMs) and multi-signature technology for digital asset protection.
- Network Security: Firewalls, intrusion detection/prevention systems, and regular vulnerability scans.
- Data Minimization: Collecting and processing only the minimum necessary data.
6.2 Organizational Security Measures
We adopt the following organizational measures:
- Employee Training: Regular data protection and privacy compliance training for all staff.
- Confidentiality Agreements: Employees and contractors sign strict NDAs.
- Incident Response: A data breach response plan ensures that regulators and affected users are notified within 72 hours of discovery (per GDPR).
- Vendor Audits: Regular assessments of third-party security practices.
6.3 Business Continuity
We implement comprehensive business continuity and disaster recovery plans, including:
- Data Backups: Regular encrypted backups stored in secure, geographically dispersed locations.
- System Redundancy: Critical components designed for high availability.
- Emergency Drills: Regular testing of recovery procedures.
7. Data Retention Policy
7.1 General Principles
We retain your personal information only as long as necessary for the purposes outlined herein, unless law requires or permits longer retention. Criteria for determining retention periods include:
- Purpose of Processing: Retention aligns with the original collection purpose.
- Legal Obligations: Compliance with AML, tax, and other regulatory retention requirements.
- Legal Claims: Retention may be extended during disputes or potential litigation.
7.2 Specific Retention Periods
- Account Information: Retained for 5 years after the last activity to comply with AML laws.
- Transaction Records: Retained for 7 years for tax and financial reporting.
- KYC Documents: Retained for 5 years after account closure, unless local laws require longer.
- Customer Communications: Retained for 3 years for quality assurance and dispute resolution.
- Marketing Data: Retained for 2 years after last interaction or until consent withdrawal (whichever is earlier).
- Cookies: Session cookies deleted when the browser closes; persistent cookies retained for up to 12 months.
7.3 Data Destruction
Upon expiry of retention periods or your erasure request, we will:
1. Securely Erase: Permanently delete electronic data using industry-standard methods (e.g., DoD 5220.22-M).
2. Physical Destruction: Shred or incinerate paper records.
3. Blockchain Data: Note that on-chain transaction data may be immutable due to blockchain technology.
8. Children’s Privacy
8.1 Age Restrictions
Nivex services are not directed at children:
- Minimum Age: Users must be at least 18 or the legal age of majority in their jurisdiction (whichever is higher).
- Special Rules: In the U.S., we do not knowingly collect data from children under 13; in the EEA, the limit is 16 (unless member states set a lower age, not below 13).
8.2 Parental Controls
If we inadvertently collect a child’s personal information, we will:
1. Immediately cease processing the data.
2. Delete it promptly upon verification.
3. Notify parents/guardians (if contact details are available and appropriate).
9. Contact Information and Dispute Resolution
9.1 Data Protection Officer
Nivex has appointed a Data Protection Officer (DPO) to oversee privacy practices.
9.2 EU Representative
Under GDPR Article 27, we have designated an EU representative.
9.3 Complaint Channels
If you have concerns about our privacy practices:
1. First contact us directly via the above methods.
2. If unresolved, you may lodge a complaint with a supervisory authority:
- EU Users: Lodge a complaint with the data protection authority in your place of residence, your place of work, or the place where the alleged violation occurred.
- Other Regions: Contact your local data protection authority.
9.4 Governing Law
This policy and any disputes are governed by the laws of [Nivex’s jurisdiction]. Parties submit to the exclusive jurisdiction of its courts, unless mandatory laws dictate otherwise.
10. Final Provisions
10.1 Policy Acceptance
By using Nivex services, you confirm that:
1. You have read, understood, and agreed to this Privacy Policy.
2. You understand how to exercise your privacy rights.
3. You consent to our collection, use, and sharing of your personal information as described herein.
10.2 Policy Interpretation
The English version is authoritative; other translations are for reference only. In case of conflict, the English version prevails.
10.3 Separate Consents
For high-risk processing (e.g., biometric data or sensitive personal information sharing), we will obtain separate explicit consent.
10.4 Disclaimer
While we implement reasonable security measures, no internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security but pledge to notify relevant parties of breaches as required by law.