Privacy Policy
1. Introduction
This Privacy Policy explains what information bitexasia ("we", "us") collects when you use our website and platform, why we collect it, and the choices you have. We try to keep this short and readable; if anything is unclear, the support team will explain it in plain language.
2. Data Controller and lawful basis
bitexasia Pte. Ltd., a company registered in Singapore, is the Data Controller for personal information collected through this platform. For data-protection enquiries: dpo@bitexasia.com. EU representative (per GDPR Art. 27) and UK representative are listed in the full enterprise privacy notice available on request.
We process your personal data under the following lawful bases (GDPR Art. 6, UK GDPR Art. 6):
- Contract performance (Art. 6(1)(b)): account creation, order routing, deposits and withdrawals, settlement.
- Legal obligation (Art. 6(1)(c)): KYC and AML obligations, sanctions screening, tax-reporting where applicable, regulator requests.
- Legitimate interest (Art. 6(1)(f)): fraud prevention, abuse mitigation, platform security, aggregate product analytics. We balance these against your privacy interests; the objection mechanism is described below.
- Consent (Art. 6(1)(a)): optional marketing communications, optional analytics cookies.
3. Data we collect
Account data
When you create an account we collect your email address, hashed password, and a country of residence. To comply with KYC obligations in most jurisdictions, we additionally collect a government-issued ID, a proof of address, and a selfie at verification time.
Activity data
Trading activity, deposits, withdrawals, balances and connected payment methods are stored alongside your account. Server logs (IP address, user-agent, timestamp) are kept for 90 days for security and abuse prevention.
Cookies and similar technologies
See our Cookies policy for the full list. In short: we use first-party cookies for session management and a small set of opt-in cookies for analytics.
4. How we use your data
- To operate the platform: route orders, settle trades, process deposits and withdrawals.
- To meet regulatory obligations: KYC, AML monitoring, tax reporting where applicable.
- To secure accounts: detect anomalous logins, prevent fraud, respond to incidents.
- To communicate with you: confirmations, security alerts, product updates (with opt-out).
- To improve the product: aggregated analytics, never individually identifying.
6. International data transfers
bitexasia is established in Singapore. Personal data of EU/EEA and UK residents may be transferred outside the EEA/UK to our service providers and infrastructure regions. We rely on the following safeguards (GDPR Chapter V, UK GDPR Schedule 21):
- Standard Contractual Clauses (SCCs): all processors in non-adequate countries are bound by the European Commission's 2021 SCCs (or the UK International Data Transfer Addendum), with a transfer impact assessment on file.
- Adequacy decisions: where the destination is covered by an adequacy decision (e.g., Switzerland, UK ↔ EU), we rely on that mechanism.
- Supplementary measures: encryption in transit and at rest, access controls, contractual restrictions on government-data access requests.
Following the CJEU Schrems II ruling (2020), transfers to countries without an adequacy decision are subject to ongoing risk assessment. To request our transfer impact assessment summary or to raise concerns, contact dpo@bitexasia.com.
7. Retention
Account data is retained for the lifetime of your account plus the period required by applicable AML and tax-record law (typically five to seven years after closure). Server logs are kept for 90 days. Marketing-preference signals are kept until you change them or delete the account.
8. GDPR rights (EU/EEA/UK residents)
Under GDPR (and UK GDPR), you have the following rights with respect to your personal data:
- Right of access (Art. 15): request a copy of the personal data we hold about you, including processing purposes, categories, recipients and retention periods.
- Right to rectification (Art. 16): correct inaccurate or incomplete data.
- Right to erasure (Art. 17), with limits: request deletion of your data. Note that we may not be able to delete everything — KYC and AML records must be retained for 5–7 years post-closure under regulation; tax records may be retained for up to 10 years; outstanding settlements, chargebacks and active legal disputes also block deletion. Where retention is mandatory, we anonymise or pseudonymise where practical.
- Right to restriction of processing (Art. 18): ask us to halt active processing pending verification of an objection or accuracy complaint.
- Right to data portability (Art. 20): receive your account data, transaction history and KYC documents in a structured, commonly used, machine-readable format (typically JSON or CSV).
- Right to object (Art. 21): object to processing based on legitimate interest. We will stop unless we demonstrate compelling legitimate grounds that override your interests.
- Rights related to automated decision-making (Art. 22): we do not use solely-automated decisions producing legal effects on you. Where automated screening (e.g., AML alerts) flags a case, a human reviews before any account action.
- Right to lodge a complaint: contact your local supervisory authority (e.g., the EDPB directory for EEA, the ICO for UK).
To exercise any of these rights, write to privacy@bitexasia.com from your registered email. We respond within 30 days; for complex requests we may extend by an additional 60 days with notice (Art. 12(3)).
9. California rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you the following rights in addition to the GDPR rights above:
- Right to know: the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it.
- Right to delete: request deletion of your personal information, subject to the same regulatory exceptions described in the GDPR Erasure section above.
- Right to correct: request correction of inaccurate personal information.
- Right to opt out of sale or sharing: bitexasia does not sell personal information and does not "share" personal information for cross-context behavioural advertising as defined by CPRA. We have no opt-out mechanism to offer because no opt-out is required for practices we do not engage in. If our practices change, we will publish a "Do Not Sell or Share My Personal Information" link prominently before any such change takes effect.
- Right to limit use of sensitive personal information: we use SPI (e.g., government IDs, account credentials) only for the explicit purposes described in this policy — primarily KYC, AML and security — never for inferring characteristics or for advertising.
- Non-discrimination: we will not discriminate against you for exercising any CCPA right (no fee differences, no service degradation).
To exercise California rights, email privacy@bitexasia.com with "California request" in the subject line. We verify identity using your registered email and one additional account-control signal before responding. Authorised agents must provide written authorisation. We respond within 45 days; for complex requests, an extension of up to 90 days is possible with notice.
10. Security and breach notification
We follow industry-standard practices: encryption in transit (TLS 1.2+) and at rest (AES-256), hardware security modules for key custody, 2FA enforcement on all admin and customer accounts, an annual SOC 2 Type II audit (see the SOC 2 report), and quarterly external penetration testing (see the pen-test report). No system is 100% secure.
In the event of a personal-data breach affecting you, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33), where the breach is likely to result in a risk to your rights and freedoms.
- Notify you directly without undue delay (GDPR Art. 34, CCPA §1798.82) where the breach is likely to result in a high risk to your rights and freedoms, with details of the nature of the breach, the categories of data affected, and steps we are taking.
- Publish a public post-mortem on the blog and the status page for any incident that materially affected the platform.
11. Changes to this policy
We update this policy when our practices change or when regulation requires it. We post material changes with at least 30 days' notice via email and on this page. The "Last updated" date at the top reflects the most recent revision.
12. Contact
Privacy enquiries: privacy@bitexasia.com. Data Protection Officer: dpo@bitexasia.com. California-specific requests: subject line "California request" to the privacy address. For general support, see FAQs or contact support.