Privacy

Version 2: updated on 24 July 2024
‍‍
This Privacy Notice sets forth the information which the Company (as defined below) is required under applicable data protection law to provide to you concerning the policy and procedures of XBTO Global Ltd. and its affiliates (including but not limited to XBTO International Ltd., Stablehouse Ltd., SH UK Services Ltd., SH UK Strategies Ltd., Stablesend Services EU Limited, XBTO Middle East Ltd.) (collectively, “XBTO” or the “Company”) with respect to the processing of any personal data about you that you provide to us or that we create through this website (including any mobile application or version of XBTO’s website, collectively, the “Site”).

For purposes of data protection law, we are a data controller in respect of your personal data. XBTO is responsible for ensuring that it uses your personal data in compliance with applicable data protection law.

This Privacy Notice may be updated from time to time. If we make any substantial change to this Privacy Notice, we will post a prominent announcement on the Site and will post the updated Privacy Notice here.

Personal data that we collect about you

We may collect and process the following types of personal data from you (to the extent permissible under applicable laws):

1. Personal Identification Information: Full name, date of birth, nationality, gender, signature, utility bills, photographs, phone number, residential address, and/or email.
2. Formal Identification Documentation: Government issued identity documents such as Passport, Driver's License, and/or any other information deemed necessary to comply with our legal obligations under financial or anti-money laundering laws.
3. For institutional customers: Personal identification information for all material beneficial owners, controllers or directors of the entity.
4. Financial Information: Bank account information, source of wealth, annual income, transaction history, trading data, and/or tax identification.
5. Transaction Information: Information about the transactions you make on our Site, such as the name of the recipient, your name, recipient’s bank information, the amount, purpose and/or timestamp.
6. Employment Information: Office location, name of employer, job title, and/or description of role.
7. Correspondence: Information provided to our customer support team.

To the extent permitted under applicable laws, we may collect certain types of information automatically, such as whenever you interact with the Site. This information helps us address customer support issues, improve the performance of our Site, provide you with a streamlined and personalized experience, and protect your account from fraud by detecting unauthorized access.

Subject to your consent (to the extent required by applicable laws), we may collect information generated automatically including:

1. Online Identifiers: Geo location/tracking details, browser name and version, and/or personal IP addresses.
2. Usage Data: Authentication data, security questions, click-stream data, public social networking posts, information about your behavior and other data collected via cookies and similar technologies.

Please see the “Use of cookies” section below for more information.

Uses of your personal data

The Company may collect, store and process relevant personal data in accordance with this Privacy Notice and our User Agreement, for the following purposes:

1. To notify you about our products and services, features, new updates and improvements of our products and services.
2. To manage and maintain your account with us.
3. To process transactions you make within XBTO’s platform and any additional applications requested and/or used by you.
4. To enable user analytics and tracking of user behavior.
5. To make risk assessments, perform onboarding and provide customer service.
6. To provide information to our KYC/KYT third party service providers to assist us with performing identity verifications, due diligence, watchlist and negative media screenings in accordance with our KYC, AML/ATF requirements.
7. To provide KYC information to our related or third party business partners such as banking partners, token issuers or other related product providers to streamline your onboarding process with them.
8. To comply with applicable laws in any country and fulfill our obligations (including upon request) with any regulatory, legal, or good practice requirement.
9. To comply with our obligations under any reporting agreement entered with any tax authority or revenue service(s).
10. To prevent and detect money-laundering, terrorism, fraud, or other crimes.

We are entitled to use your personal data in these ways because:

1. we have obtained your consent;
2. we have legal and regulatory obligations that we have to discharge;
3. we may need to in order to establish, exercise and defend our legal rights or for the purpose of legal proceedings; or
4. the use of your personal data as described is necessary for our legitimate business interests (or the legitimate interests of one or more of our affiliates), such as listed above.

Disclosure of your information to third parties

The Company does not disclose any personal data to anyone, other than to its affiliates, to the extent required by law, to the Company’s attorneys and regulators and to certain third party service providers that it has a contractual relationship with who will process the personal data for the purposes identified above.

In particular, we use third party providers that provide the services below (including but are not limited to): (i) hosting of this Site; (ii) ID verification and watchlist / sanctions screening services such as Sum and Substance Ltd. (trading as SumSub) and IVXS UK Limited (trading as ComplyAdvantage); (iii) Know-Your-Transactions (“KYT”) services such as Chainalysis and TRM Labs Inc.; (iv) Travel Rule compliance services such as Notabene; (v) certain third party stablecoin issuers; (vi) wait list and referral services; (vii) data analytics and tracking services on the Site; (viii) customer identity management solutions for login; and (ix) customer support and any other marketing services such as Hubspot.

Third party sites are governed by their own privacy policies and we have included links to some examples of those sites below for your information:

1. SumSub
2. ComplyAdvantage
3. Chainalysis
4. Google Analytics
5. TRM Labs
6. Notabene
7. Auth0 / Okta
8. Hubspot

For the avoidance of doubt, this is not a complete list and subject to change. 

Your information will only be provided to a third party where we are satisfied that such party has adequate measures in place to protect your personal data. We regularly review and implement up-to-date technical security measures when processing your personal data.

The Company seeks to carefully safeguard your personal data and, to that end, restrict access to non-public personal data to those employees and certain other persons, including service providers, such as a third party that hosts this Site, who need to know such information. Third parties must in all cases agree to a strict duty to keep all personal data confidential and to use it only as described in this Privacy Notice.

Retention of personal data

How long we hold your personal data will vary. The retention period will be determined by various criteria, including:

1. the purpose for which we are using it – we will need to keep the data for as long as is necessary for that purpose; and
2. legal obligations – laws or regulation may set a minimum period for which we have to keep your personal data.

Transfers of personal data outside the European Economic Area / United Kingdom

The personal data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”) or the United Kingdom (“UK”). It may also be processed by staff operating outside of the EEA/UK who work for our affiliates or for one of our third party service providers.

Where we transfer your personal data outside the EEA/UK, we will ensure that it is protected in a manner that is consistent with how your personal data will be protected by us in the EEA/UK. This can be done in a number of ways, for instance:

1. the country that we send the data to might be approved by the European Commission/ UK government (as applicable) or;
2. the recipient might have signed up to a contract based on the “standard contractual clauses” as approved by the European Commission or UK Government (as applicable), obliging them to protect your personal data.

In other circumstances the law may permit us to otherwise transfer your personal data outside the EEA/ UK. In all cases, however, we will ensure that any transfer of your personal data is compliant with applicable data protection law.

You can obtain more details of the protection given to your personal data when it is transferred outside the EEA/ UK (including a copy of the standard data protection clauses which we have entered into with recipients of your personal data) by contacting us in accordance with the “Contacting us” section below.

Use of cookies

This Site may use “cookies,” which may automatically collect certain information and data. “Cookies” are small pieces of data sent to your computer browser from the Company’s web server and stored on your computer’s hard drive. The data identifies you as a unique user and facilitates your ongoing access to and use of this Site. Cookies also help the Company diagnose problems with the Company’s server.

For more information about how XBTO uses cookies, please refer to our Cookies Policy.

Your rights

You have a number of legal rights in relation to the personal data that we hold about you. These rights include:

1. the right to obtain information regarding the processing of the personal data which we hold about you;
2. the right to withdraw your consent to our processing of your personal data at any time. Please note that we may still be entitled to process your personal data if we have another legitimate reason (other than consent) for doing so;
3. the right to request the correction of any inaccurate or incomplete personal information that we hold about you;
4. the right to object to, and the right to request that we restrict, our processing of your personal data in certain circumstances. Again, there may be there may be circumstances where you object to, or ask us to restrict, our processing of your personal data but we are legally entitled to continue processing your personal data and / or to refuse that request;
5. the right to request erasure of your personal data in certain circumstances. Please note that there may be circumstances where you ask us to erase your personal data, but we are legally entitled to retain it ; and
6. the right to lodge a complaint with the data protection regulator if you think that any of your rights have been infringed by us.

You can exercise your rights by contacting us using the details set out in the “Contacting us” section below. You can find out more information about your rights by contacting an EU or UK (as applicable) data regulator such as the UK’s Information Commissioner’s Office, or by searching its website at ico.org.uk.

Contacting us

The Company has appointed Stephanie Shih as our Privacy Officer, to oversee compliance with applicable data protection requirements, including as set out in this Privacy Notice. If you have any questions or comments about this Privacy Notice or the exercise of your rights referred to above, please feel free to contact the Privacy Officer at:

• Email address: legal@xbto.com
• Postal address: Ideation House, G/F, 94 Pitts Bay Road, Pembroke, Bermuda HM08