The present version of the Privacy Policy is effective since 23.08.2023

This policy (“Policy”, together with our Terms of Use) describes the policies and procedures of Olympus Capital JSC (“Changex”, “we,” “our,” or “us”) pertaining to the collection, use, and disclosure of your information on www.changex.io (“Website”) and the related mobile application (“App”, “Platform”) and products we offer (collectively the “Services”).

Your privacy and security are of great importance to us. We are focused on giving you the best possible experience, while showing consideration to the information you are sharing with us by using our Services. This policy is meant to give you a detailed description of how we handle your data and how you can manage it.

We may revise, modify, amend, update or supplement this Policy from time to time so please check it occasionally to ensure that you agree with any changes. Your continued use of our Services will constitute your acceptance of, and agreement to, any changes.

By using our website, platform and services, or interacting with us personally, you hereby consent to our Privacy Policy and agree to its terms.

The purpose of this Privacy Policy is to inform you of:

(i) the kinds of Personal Information we may collect about you and how it may be used;

(ii) use of information regarding IP Addresses and our use of cookies;

(iii) disclosure of Personal Information to third parties;

(iv) the transfer of your Personal Information within and outside of the European Economic Area (“EEA”);

(v) your ability and rights to correct, update and delete your Personal Information;

(vi) the security measures we have in place to prevent the loss, misuse, or alteration of Personal Information under our control;

(vii) Changex’s retention of your Personal Information.

4.1 CLIENT DATA

When utilising our Services or interacting with us, such as when creating an account, we collect specific data. To fulfil our regulatory obligations regarding know-your-customer (KYC) and anti-money laundering (AML) requirements, we may gather information from you:

(i) Identification Information: This includes but is not limited to personal details such as your name, date of birth, age, nationality, country of residence, gender, and government-issued ID. We may also collect photographs, video footage, and any other information necessary to confirm your identity and ensure compliance with legal obligations.

(ii) Contact Information: We collect contact information including your email address, phone number, and other contact details when you seek customer or technical support or communicate with us in any capacity.

(iii) Financial Information: We collect financial data such as open banking data, bank account and payment card details, other payment details, including your digital wallet address(es).

(iv) Transaction History: We record your account and portfolio details, such as live and historical orders, trades and positions, balances, and details associated with your transactions. This includes information about the transactions you make using our services.

(v) Due Diligence Data: We gather information and documents related to your source of income and funds (including assets), occupation and employment information, the purpose of the transactions, sender and receiver of funds, ultimate beneficiary information, copies of identification document(s), and tax information.

4.2 TECHNICAL DATA

When you access or use our Services, we automatically collect information about you. This information is used to provide statistical data about our users browsing actions and patterns, and does not personally identify individuals. This information may include:

(i) Log Information: the type of browser you use, access times, pages viewed, your IP address, and the page you visited before navigating to our services.

(ii) Device Information: information about the computer or mobile device you use to access our services, including the hardware model, operating system and version, unique device identifiers, and mobile network information.

(iii) Information processed in relation to push notifications - Device operating system and Device IDFA.

The collection and processing of this technical data is for the purpose of enabling the use of our Services, continuously ensuring system security and stability, optimising our Services, and for internal statistical purposes. This is our legitimate interest in the processing of data in the sense of Art. 6 Par. 1 lit. f GDPR.

4.3 IP ADDRESSES

We may collect information about your device, including your IP address, operating system and browser type, for system administration. This is statistical data about our users' browsing actions and patterns and does not identify any individual.

Furthermore, the IP addresses will be evaluated, together with other data, in case of attacks on the network infrastructure or other unauthorised use or misuse of the Services, for the purpose of intelligence and protection, and if appropriate, used in criminal proceedings for identification and civil and criminal proceedings against the relevant users. This is our legitimate interest in the processing of data in the sense of Art. 6 Par. 1 lit. f GDPR.

4.4 USAGE OF COOKIES

The Services use cookies. Cookies are text files that are stored in a computer system via an Internet browser. More detailed information on cookies and how they work can be found at: https://www.allaboutcookies.org.

We use information collected from cookies to assess the effectiveness of our Services, analyse trends, and administer the Services. The information collected from cookies allows us to determine which parts of our Services are most visited and what difficulties our visitors may experience in accessing our Services. With this knowledge, we can improve the quality of your experience by recognizing and delivering more of the most desired features and information, as well as by resolving access difficulties. We also use cookies, and/or a technology known as web bugs or clear gifs, which are typically stored in emails to help us confirm your receipt of, and response to, our emails and to provide you with a more personalised experience when using our Services.

By continuing to use our Services you agree to the following cookies:

(i) Cookies that are strictly necessary to operate our Services: cookies to log in, transact and otherwise use our Services;

(ii) Cookies for analytical and performance purposes;

(iii) Cookies for targeting user actions used for the collection of information about browsing habits in order to make advertising more relevant to the users and their interests;

(iv) Cookies from third parties;

The strictly necessary cookies are not an object of consent by users because they are required for the normal operation of our services. You can provide your consent for the use of the other types of cookies with a click on the button “I accept and agree” in the cookie banner which is situated at the bottom of the screen.

Every visitor can control and restrict and even delete the cookies stored on their technical devices by following the necessary steps according to the settings to the devices. You can install different programs for the browsers you use to block cookies. In case you make any of these actions, it is possible that you may have to manually adjust them to your preferences.

Please note that the restriction or refusal to use cookies may affect the full potential and use of our Services. Please bear in mind that by blocking cookies, you may not be able to use certain features on the Services, which is not recommended.

4.5 DATA COLLECTED FROM THIRD PARTIES

We use third party service providers, to assist us in better understanding the use of our Services. Our service providers will place cookies on your device and will receive information that we select that will educate us on such things as how visitors navigate around our Services, what products are browsed, and general Transaction information. Our service providers analyse this information and provide us with aggregate reports. The information and analysis provided by our service providers will be used to assist us in better understanding our visitors' interests in our Services and how to better serve those interests. The information collected by our service providers may be linked to and combined with information that we collect about you while you are using the Services. Our service providers are restricted from using information they receive from our Services other than to assist us.

Third-party providers that we use include and they may collect information as determined by their own privacy policies, as below:

(i) App Store: For more information please review the App Store Privacy policy at https://www.apple.com/legal/privacy/data/en/app-store/

(ii)Google Play Console and Google Analytics: For more information please review the Google Privacy policy at https://policies.google.com/technologies/product-privacy/

(iii) Sendgrid: For more information please review the Twilio Privacy policy at https://www.twilio.com/legal/privacy

(iv) Facebook Analytics: For more information please review the Meta Privacy policy at https://www.facebook.com/privacy/policy

(v) Branch.io: For more information please review the Branch.io Privacy policy at https://branch.io/policies/privacy-policy/#privacy-our-clients-use-of-information

(vi) AppsFlyer: For more information please review the AppsFlyer Privacy policy at https://www.appsflyer.com/legal/services-privacy-policy/

(vii) Onesignal: For more information please review the Onesignal Privacy policy at https://onesignal.com/privacy_policy

As part of our business relations, we may share your data with third-party vendors and service providers that help us with specialised services, including but not limited to billing, payment processing, customer service, and marketing efforts. In this regard some of our third-party service providers may also use cookies or other methods to gather information regarding your use of our Services.

Specifically, concerning the processing conducted through our partnership with X Vienas UAB ("X1"), a company incorporated in Lithuania, with its registration number 305937631 and registered address at Zalgirio av. 90-100, Vilnius, LT-09303, Lithuania, whose software functionality, known as the “Widget,” is utilised by us as a Payment method, please refer to X1's Privacy Policy at https://x1.gr/en/legal/privacy-policy.

4.6 E-MAIL SUBSCRIPTION

Users who complete the e-mail registration process on our Services can at the same time grant Changex permission to send them e-mail messages in order to receive regular updates, newsletters, promotional offers, or other types of communication. This consent constitutes the legal basis for our processing of your e-mail address in the sense of Art. 6 Par. 1 lit. a GDPR. All information gathered this way will never be passed on or sold to any third party.

Users have the right to unsubscribe from these communications at any time by clicking the "unsubscribe" link provided at the end of each newsletter.

4.7 INFORMATION PROCESSED IN RELATION TO PUSH NOTIFICATIONS

4.7.1 Тo send push notifications to your device in order to provide service activity information, service updates, promotional communications and other related messages;

4.7.2 Your consent to the processing of your personal data for the above-mentioned purposes can be withdrawn at any time through your device settings or through contacting our support at [email protected].

4.8 SOCIAL MEDIA

We may use plug-ins from social networks such as Twitter, GitHub, YouTube, Reddit, Facebook on our Services. These plug-ins allow users to interact with our content, share information, and communicate with other users through these social media platforms. When you activate them (by clicking on them), the operators of the respective social networks may record that you are on our Services and may use this information. This processing of your personal data lays in the responsibility of these individual social media platforms and occurs according to their privacy policy. Please check with these individual social media platforms regarding their privacy policies. Changex is not responsible for data collected by these individual social media platforms. Our use of social media plug-ins is exclusively intended to enhance the experience of our users and benefit our community by keeping them informed of updates and responding to their inquiries.

At Changex, we respect your privacy rights and recognise the importance of protecting your personal data. We collect and process your personal information for the following purposes:

(i) Service Provision, Improvement, and Administration: We use your personal data to provide access to our Services, enhance their functionality, and administer their operation to offer you a seamless experience.

(ii) Communication: We employ your personal data to deliver effective customer support and to notify you about important aspects related to the usage of our Services, including changes in terms, conditions, and policies.

(iii) Security and Fraud Prevention: To maintain the security of our Services and prevent fraudulent activities, we use your personal data. Such usage helps us fulfill our legal obligations related to ensuring secure transactions and customer safety.

(iv) Legal Compliance: In line with applicable laws and regulations, including data protection and privacy laws such as the General Data Protection Regulation (GDPR), we use your personal data to maintain compliance.

(v) Anti-Money Laundering (AML) Measures: Your data also helps us comply with anti-money laundering laws and regulations. This is crucial in preventing financial crimes and illicit transactions.

(vi) Resolution of Disputes and Troubleshooting: In case of any disputes related to our Services or any problems you encounter while using them, we employ your data to resolve such issues effectively.

(vii) Customizing, measuring, and improving our Services: We use your data to develop new products and services, to analyse and enhance the effectiveness of our services.

(viii) Marketing and promotional offers: We may use your data to deliver targeted marketing messages, service update notices, and promotional offers based on your communication preferences. We always ask for your consent before approaching you via email for marketing purposes, unless such consent is not required by law. You have the option to unsubscribe from our mailings at any time.

The data that we collect from you will depend on how you interact with our Services. We will always strive to use your data responsibly and in accordance with all applicable laws and regulations.

Your Personal Information may be disclosed to third parties and/or legal authorities under the following circumstances/conditions:

6.1 DISCLOSURE TO THIRD PARTIES

We may share your information with third parties, listed below, to perform functions required to provide certain Services to you:

(i) Business partners, suppliers, sub-contractors and other service providers;

(ii) Advertisers and/or advertising networks that require data in order to select and show you relevant advertisements;

(iii) Analytics and/or search engine providers that assist us in the optimization of our Services.

(iv) All our third party service providers are bound by contract to protect and use our users’ Personal Information only for the purposes listed above, except as otherwise required by law.

6.2 DISCLOSURE TO LEGAL AUTHORITIE

We may share your Personal Information with law enforcement, data protection authorities, government officials, and other authorities in the following cases:

(i) If we believe disclosure is in accordance to any law, regulation or legal procedure;

(ii) If we think disclosure is needed to prevent any harm or financial loss;

(iii) If disclosure is necessary to report certain illegal activity;

(iv) To protect the rights, property or safety of Changex and its community.

(v) If we believe your actions are in violation of this Privacy Policy and/or our Terms of Use.

We store and process your Personal Information in data centers around the world, wherever Changex facilities or service providers are located. As such, we may transfer your Personal Information outside of the EEA. Such transfers are undertaken in accordance with our legal and regulatory obligations. To ensure that your personal data is protected, we take certain measures when transferring it outside the European Economic Area (EEA). These measures include:

- Transferring your personal data to countries that have a similar level of protection as the EEA, as determined by the European Commission and Information Commissioner's Office ("ICO");

and

- Transferring your personal data to countries that have a similar level of protection as the EEA, as determined by the European Commission and Information Commissioner's Office ("ICO");

THE SERVICE IS NOT FOR PERSONS UNDER THE AGE OF 18 OR FOR ANY USERS PREVIOUSLY SUSPENDED OR REMOVED FROM THE SERVICE. IF YOU ARE UNDER 18 YEARS OF AGE, THEN YOU MUST NOT USE OR ACCESS THE SERVICE AT ANY TIME OR IN ANY MANNER. By accessing or using the Services, you affirm that you are at least 18 years of age.

Changex does not knowingly collect or use any personal data from minors. A minor may be able to willingly share personal information with others, depending on the products and/or media channels used. If a minor provides us with their information without the consent of their parent or guardian, we will ask the parent or guardian to contact us for the purpose of deleting that information. If we become aware that we have collected Personal Data from minors without verification of parental consent, we take steps to remove that information from our servers.

Changex may provide references and/or links to other websites. This Policy applies only to Changex’s Services.

Under the GDPR and relevant implementation acts, individuals have statutory rights related to their Personal Data. Please note that rights are not absolute and may be subject to conditions.

You have the right to:

(i) Withdraw your consent for the push notifications;

(ii) Request access to the personal data that we hold about you in a portable format;

(iii) Request correction of any collected personal data when the data is inaccurate;

(iv) Receive a copy of your personal data in electronic format;

(v) You have the right to request the deletion of your data – “the right to be forgotten”, which right, however, is not absolute (exceptions – the personal data holds is needed to exercise the right of freedom of expression; there is a legal obligation to keep that data; for reasons of public interest);

(vi) Receive information from us about our activities in connection to your personal data, including the purposes of collection and storage, the period of time for storage, the methods of collecting, the presence of automated processing, etc.;

(vii) You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that there is personal data breach.

(viii) To exercise your rights you can always contact us at [email protected] or through the support channels of the service you are using. You can also send us a letter to 33 Simeonovsko shose Blvd, Sofia 1700, Bulgaria.

We will respond to all privacy related requests in a timely fashion. If you have an unresolved privacy or data use concern you may contact your local data protection authority.

We undertake all necessary technological, technical and organisational measures to protect your personal data. Your personal data is stored on protected servers with strictly controlled access. Only strictly defined people have access to your personal data in connection to the provision of our Services. Our Services have SSL certificates which represent Internet security protocols and they provide additional guarantee for the safe use of our services. We implement other appropriate technical and organisational measures to ensure a level of security appropriate to the risk such as pseudonymisation and encryption of personal data, we ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services and we regularly test and evaluate the effectiveness of the measures. Some of the above-mentioned information is stored in such a form that could not be used to identify you directly. In case of breach, we will undertake every possible action according to the applicable legislation in an appropriate and timely manner, to avoid any material or non-material damage to users and to protect the personal data of users. We have undertaken measures to ensure the ability to restore the availability and access to personal data in a timely manner in the event of physical or technical incident.

We retain Personal Information for as long as necessary to fulfil purposes described in this Privacy Policy, subject to our own legal, accounting, reporting and other regulatory obligations. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

We retain Personal Information for as long as necessary to fulfil purposes described in this Privacy Policy, subject to our own legal, accounting, reporting and other regulatory obligations. The duration for which we retain your personal information may differ based on the jurisdiction. However, the details regarding our standard retention periods for various categories of your personal information are outlined below.

(i) Personal information collected to comply with our legal obligations under financial or anti-money laundering laws may be retained after account closure for as long as required under such laws.

(ii) Contact Information such as your name, email address and telephone number for marketing purposes is retained on an ongoing basis until you unsubscribe.

(iii) Content that you post on our Sites such as support desk comments, photographs, videos, blog posts, and other content may be kept after you close your account for audit and crime prevention purposes (e.g. to prevent a known fraudulent actor from opening a new account).

Once the purpose of collecting Personal Data has been fulfilled, we will either securely delete any identifiable information or completely dispose of the records, as permitted by law."

Our Privacy Policy may be revised from time to time to accommodate changes to our information practices. We will post any modifications to this policy on this page and, if they are substantial, we will also issue a notification on our Website and/or App. Your continued use of our Services will be subject to the updated Privacy Policy. Therefore, we encourage you to check our Policy periodically for the most up-to-date information on our privacy practices and to contact us if you have any questions or concerns.

If you have any questions or concerns about how we process your data, including if you would like to exercise any rights, and/or in case of any other matters related to Data Protection, you can get in touch with our contact point for privacy queries at [email protected].