Privacy Notice Statement EEA

Published on 9 May 2024

Last updated: October 11, 2024

1. INTRODUCTION

Thank you for visiting OKX.com or the OKX app (the “Site”). For residents of one of our approved operating locations within the European Economic Area (“EEA”), your use of the Site is being facilitated by OKCoin Europe LTD, a Malta limited liability company, (“OKX”, “We”, “Us” or “Our”).

OKX, as a/the data controller, provides this Privacy Notice Statement (the “Privacy Notice”) to describe our practices regarding the collection, storage, use, disclosure, and other processing of Personal Data (defined below). By visiting, accessing, or using the Site and associated application program interfaces or mobile applications, you (a) acknowledge that you have the right, capacity, and authority to accept this Privacy Notice; (b) acknowledge that you have read and understand this Privacy Notice; and (c) consent to the policies and practices outlined in this Privacy Notice. So please read them carefully to understand what we do.

This Privacy Notice explains what data we collect, why we collect it, how such data is used and stored, how such data may be shared by us, rights you may have, and how you can contact us about our privacy practices. If you do not wish for your Personal Data (as defined below) to be used in the ways described in this Privacy Notice, you should not use the Site or any services, software, API (application program interface), technologies, products and/or functionalities offered by this Site (collectively, the “Service(s)”).

2. DEFINITIONS

Personal Data

Personal Data” typically means any information which, either alone or in combination with other data, enables you to be directly or indirectly identified, such as your name, email address, username, contact details, identification number, location data, an online identifier such as a complete IP address, device ID, or one or more factors specific to the physical, economic, cultural, or social identity of you. Only the personal data from applicable national law of your legal residence will apply to you and be deemed your Personal Data.

Sensitive Information

Sensitive Information” is Personal Data that includes information relating to a person's racial or ethnic origin, political opinions, religion, trade union or other professional or trade association membership, sexual preferences,criminal record, and/or biometric or health information.

3. WHAT PERSONAL DATA WE COLLECT AND HOLD, AND HOW WE COLLECT IT

OKX collects, processes, and stores Personal Data via your use of the Service or where you have given your consent. This Personal Data may include contact details, copies of identification documentation provided by you or derived from publicly accessible databases, your government identification number, as well as information relating to your device or internet service (such as an IP address and a MAC number).

To understand how OKX protects the data it collects from its users, please see the details below.

Furthermore, we conduct business and collect Personal Data from individuals and entities located within the EEA (“European Residents”). We are required to protect Personal Data processed in the EEA in accordance with the General Data Protection Regulation (the “GDPR”). To understand more about how we protect the data collected from individuals and entities located within the EEA, please see the sections below entitled “Additional Information for Persons Subject to the EU GDPR” and “Sending Information to Other Countries.”

We collect information you provide during the OKX onboarding process, which may be a completed, incomplete, or abandoned process. We also collect Personal Data when you communicate with us through customer support, subscribe to marketing communications, correspond with us by phone, email, or other communication channels, or when you conduct a transaction on the Site. We may actively or automatically collect, use, store, or transfer your Personal Data, which may include, without limitation, the following:

  • Personal identification information such as name, email, phone number, nationality, date of birth, address, image, and government identification information;

  • Photographs or images, which then we provide to third parties that process that information and generate and store biometric information solely for identity verification purposes (please see the section below entitled “Identity Verification and Biometric Data Privacy Notice” for more information);  

  • Institutional details such as corporate legal name, corporate registration information, government identification number, proof of identity and legal existence, address, business description, and beneficial owner information;

  • Commercial information such as data related to transactions conducted on the Site;

  • Financial information such as bank account information;

  • Correspondence information such as communications with our Customer Support team and responses to user surveys;

  • Information required by regulatory agencies such as state and federal licensing authorities and consumer protection agencies;

  • Other identifiers such as device fingerprint data, IP address, and geolocation information;

  • Information about applications installed on your device and your device settings, to better protect you against interference with your funds by verifying and alerting you if you have any suspicious or malicious applications on your device or if your device may have been jailbroken; and

  • Sampling rate sensors and external storage device information and activities.

We may also collect Personal Data about you from a third party, such as electronic verification services, referrers, marketing agencies, or liquidity providers. If so, we will take reasonable steps to ensure that they are made aware of applicable privacy laws. We may also use third parties to analyze traffic at the Site, which may involve the use of Cookies (please see the section below entitled “Cookie Usage” for more information). Information collected through such analysis is not anonymous.

We will not collect Sensitive Information about you without your consent, unless an exemption or exception applies. These exemptions or exceptions include if the collection is required or authorized by law, or necessary to take appropriate action in relation to suspected unlawful activity or serious misconduct.

If the Personal Data we request is not provided by you, we may not be able to provide you with the benefit of our Services or meet your needs appropriately. Accordingly, we do not give you the option of dealing with us anonymously or under a pseudonym.

4. UNSOLICITED PERSONAL DATA

We may receive unsolicited Personal Data about you. We destroy or de-identify all unsolicited Personal Data we receive, unless it is relevant to the purposes stated in this Privacy Notice for collecting Personal Data or otherwise required by applicable law. We may retain additional information we receive about you if it is combined with other information we are required or entitled to collect. If we do this, we will retain the information in the same way we hold your other Personal Data.

5. WHO WE COLLECT PERSONAL DATA ABOUT

The Personal Data we may collect and hold includes (but is not limited to) Personal Data about users, potential users, service providers or suppliers of the Site or our Services, prospective employees, as well as employees, contractors, and other third parties with whom we come into contact.

6. HOW WE USE YOUR PERSONAL DATA

OKX uses Personal Data to administer, deliver, improve, and personalize the Service for you and to comply with our legal and regulatory obligations. We also may use such data to communicate with you in relation to other products or services offered by OKX and/or its partners to consider any concerns or complaints you may have.

We may use and disclose your Personal Data for any of these purposes. We may also use and disclose Personal Data for secondary purposes which are related to the primary purposes set out in this section or in other circumstances authorized by the law.

Sensitive Information will be used and disclosed for the purpose for which it was provided (or a directly related secondary purpose), unless you explicitly consent otherwise, or an exemption under law applies.

Below are specific ways in which we may process your Personal Data:

  1. Verifying your eligibility for our Services. We use your Personal Data to assess your eligibility for our Services pursuant to our legal obligations. For example, we utilize your name, address, nationality, government identification number, date of birth, and biometric information generated by our third-party service provider to verify your identity to provide you access to our Services.    

  2. Providing you with our Services. We use your Personal Data to provide you with our Services pursuant to our contractual agreement. For example, we need to know certain financial information to conduct fiat currency transfers into and out of your account.

  3. Detecting and preventing fraud. Your Personal Data is used to detect and prevent fraud.

  4. Protecting the security of our Services. We process your Personal Data, such as information about your device and activity, to maintain the security of your account and our Services.

  5. User/customer support. We process your Personal Data when you contact our Customer Service team to help us address your requests.

  6. Enhancing our Services. We process your Personal Data to understand how our products and Services are being used to improve our Services, train our systems to improve our Services and develop new Services.

  7. Product marketing. We process your Personal Data to identify our products and Services that we believe may be of interest to you. We may contact you about them. You may opt out of marketing communications with us at any time. If you do not want to receive these communications, please send an email to support@okcoin.com.

  8. Consent. We may use your Personal Data for additional purposes with your consent.

  9. Other business purposes. We may use your Personal Data for other reasonably expected business purposes as permitted by law or required to comply with our legal obligations.

To Whom We Might Disclose Personal Data

OKX may disclose Personal Data to:

  • Members of our corporate group, which includes our subsidiaries, holding companies, and companies under common control including their respective contractors, affiliates, employees, or representatives;

  • Our service providers and other third parties who assist us in providing Services to you and/or as required or permitted by law or professional standards including, for example, payment processing, customer support, data analytics, information technology, data processing, network infrastructure, storage, identity verification, and tax reporting;

  • Entities in connection with corporate transactions involving OKX, including any financing, acquisition, or dissolution proceedings which involve disclosing a certain portion or all of our business or assets;

  • Government entities or other parties to legal process, including law enforcement agencies and authorities, officers, regulators, or other third parties to comply with any law, court order, subpoena, or government request;

  • Professional advisors, including legal, accounting, or other consulting services for purposes of audits or to comply with our legal obligations;

  • Consent. We may share or disclose your information with your consent; and

  • Other business purposes as permitted by law or required to comply with our legal obligations.

Other than as disclosed in this Privacy Notice, OKX does not share your Personal Data with any other third parties unless required to do so by law or legal obligation. This Site may contain links to other third-party websites where their own privacy policies / notices may apply, and OKX is not responsible for the privacy policies / notices of such third-party websites.

If we disclose your Personal Data to service providers that perform business activities for us, they may only use your Personal Data for the specific purpose for which we supply it. We will take reasonable steps to ensure that all contractual arrangements with third parties adequately address compliance with applicable privacy laws.

Additionally, we have implemented standards to prevent money laundering, terrorist financing, and circumvention of applicable trade and economic sanctions, which require us to undertake due diligence on our users. This may include the use of third-party data and service providers to cross-reference your Personal Data for identity verification, fraud detection and prevention, transaction monitoring, credit verification, and security threat detection.

7. HOW WE STORE YOUR PERSONAL DATA

We recognise the importance of securing the Personal Data of our users. We take steps to ensure your Personal Data is protected from misuse, interference or loss, and unauthorized access, modification or disclosure.

Your Personal Data is generally stored in our or our affiliates’ computer databases and/or with third party storage providers. In relation to information that is held on our computer database, we apply data security guidelines to ensure that your Personal Data is managed securely. For more information, refer to the section below entitled "Information Security".

The data that we collect from you may be transferred to, and stored at, a destination outside of the country of your residence. It may also be processed by staff operating outside of your residence who work for us or for one of our suppliers. By submitting your personal data, you consent to this transfer, storing or processing, as detailed in the section below “Collection and Transfer of Data Outside of the EEA”.

We retain your Personal Data for as long as is reasonably necessary to provide services to you, for our legitimate business purposes, and to comply with our legal and regulatory obligations. If you close your account with us, we will continue to retain your Personal Data as necessary to comply with our legal and regulatory obligations.

8. SENDING INFORMATION TO OTHER COUNTRIES

OKX is a global business and Personal Data may be stored and processed in any country where we have operations or where we engage service providers. We may disclose information to third party storage providers or affiliates that are located outside your country of residence or disclose to third-party storage providers or affiliates that are located outside your country of residence. 

We may transfer Personal Data that we maintain about you to recipients in countries other than the country in which the Personal Data was originally collected. Those other countries may have data protection or privacy rules that are different from those of your country. However, we will take measures to ensure that any such transfers comply with applicable data protection laws and that your Personal Data remains protected to the standards described in this Privacy Notice. In certain circumstances, courts, law enforcement agencies, regulatory agencies, or security authorities in those other countries may be entitled to access your Personal Data. By communicating electronically with OKX, you acknowledge and agree to your Personal Data being processed in this way.

Collection and Transfer of Data Outside of The EEA

As discussed above, we collect Personal Data from users located in the EEA. 

We comply with applicable laws to provide an adequate level of data protection for the transfer of your Personal Data to other countries outside of the EEA. OKX relies on data processing agreements and the European Commission’s standard contractual clauses to facilitate the transfer of such Personal Data. We may transfer Personal Data from the EEA to countries outside of the EEA where the transfers are necessary to satisfy our obligations to you under our Terms of Service (including providing you with our Services and optimizing and enhancing OKX) and where, to the extent applicable, you have consented to the transfer of your personal data to a country outside of the EEA.

9. ACCESS, CORRECTION, AND DELETION OF YOUR PERSONAL DATA

Subject to certain exceptions prescribed by applicable law, you have the right to obtain a copy of your Personal Data upon request and ascertain whether the information we hold about you is accurate and up-to-date. We will provide access within 30 days of your request. If we refuse to provide the information, we will provide reasons for the refusal. We will require identity verification and specification of what information is required before providing you with access. If any of your Personal Data is inaccurate, you may request to update your information. Where we are satisfied that the request to update the information is accurate, we will take reasonable steps to correct the information within 30 days, unless you agree otherwise. You may also request to delete your Personal Data, with the exception that we may refuse your deletion request in certain circumstances, such as compliance with applicable law or legal obligations. For data access, correction, or deletion requests, or to request withdrawal of your previously provided consent, please contact dpoeu@okx.com with the subject “DATA INQUIRY”.

In response to data access, correction, or deletion requests, we will verify the requesting party’s identity to ensure that they are legally entitled to make such request. While we aim to respond to these requests free of charge, we reserve the right to charge you a reasonable fee should your request be repetitive or onerous. Please note that you may not be able to continue receiving the Services, depending on the extent of your withdrawal of consent.

10. CHILDRENS’ PERSONAL DATA

OKX does not knowingly offer services to or collect the Personal Data of anyone under the age of 18. If we learn that we have collected Personal Data of anyone under the age of 18, we will promptly delete it from our systems. If you are aware of anyone under the age of 18 using our Services, please notify us so we can take prompt action to prevent access to our Services.

11. IDENTITY VERIFICATION AND BIOMETRIC DATA Privacy Notice

To comply with applicable laws, regulations, and other legal obligations in the EEA and in other countries, including “know your customer” obligations, we require all users to verify their identity before using our Services. 

In order to verify a user’s identity for the use of certain Services, the user is asked to capture an image of their government ID (e.g., a passport or driver’s license) and take a real-time selfie image of their face. We provide those images to our identity verification service provider, who then uses a combination of machine learning tools and statistical algorithms to confirm the authenticity of the government ID and selfie image, and to perform biometric facial comparisons to determine whether the face contained in the government ID and selfie image belong to the same person. Through this process, the verification service provider will typically generate a confidence score representing the confidence level that the images of the individuals match, which we or the relevant service provider may use in determining the level of confidence that the individual submitting the selfie image is the same person as the individual on the government ID. 

We do not receive, store, or collect any facial biometric information generated by our third-party identity verification service provider from the images, and our identity verification service provider retains biometric information only as long as necessary for us to provide our Service to you and to help us comply with our legal obligations. We do not use, disclose, or retain facial biometric information for any other commercial purpose. However, we do retain the information and images you provide in connection with the identity verification process, along with the results of the identity check, as long as necessary to provide our service to you and to comply with our legal obligations. 

We currently use identity verification services provided by Sumsub. Each provider collects, processes, and shares your personal information, which may include biometric data, as set out in the Sumsub Privacy Notice

 12. MARKETING

We may only use Personal Data we collect from you for the purposes of direct marketing with your consent, we provide a simple way of opting out of direct marketing, and you have not requested to opt out of receiving direct marketing from us.

If we collect Personal Data about you from a third party, we will only use that information for the purposes of direct marketing if you have consented (or it is impracticable to obtain your consent), and we will provide a simple means by which you can easily request not to receive direct marketing communications from us. We will draw your attention to the fact that you may make such a request in our direct marketing communications.

You have the right to request us not to use or disclose your Personal Data for the purposes of direct marketing, or for the purposes of facilitating direct marketing by other organizations. We must give effect to the request within a reasonable period of time. You may also request that we provide you with the source of the information. If such a request is made, we must notify you of the source of the information free of charge within a reasonable period of time.

We may communicate company news, promotions, and information relating to our products and services provided by OKX. We may share Personal Data with third parties to help us with our marketing and promotional projects or sending marketing communications.

Users can opt out from these marketing communications at any time. If you do not want to receive these communications, please send an email to support@okcoin.com.

For product related communications, such as policy/terms updates and operational notifications, you will not be able to opt out of receiving such information.

While you access our Site, we may use the industry practice of placing a small amount of data that will be saved by your browser (“Cookies”). This information can be placed on your computer or other devices used to visit our Site. We use Cookies to enhance your experience of using our Site. The information is used to identify users, remember user preferences, and allow users to complete tasks without having to re-enter information when browsing from one webpage to another or when re-visiting the Site at a later date. We also use Cookies to collect and analyze Site usage data related to user use and patterns. This data is used to improve our Site and enhance users’ experience. We may also use the information collected to ensure compliance with our Anti-Money Laundering program (“AML Program”) and to ensure that your account security has not been compromised by detecting irregular, suspicious, or potentially fraudulent account activities.

You can set your browser to block or alert you about these Cookies, but this may affect the functionality of our Services or your user experience. Session Cookies are added when a user starts to browse our Site or interacts with a specific feature and are deleted when the browser is closed. Persistent Cookies are added when a user starts to browse our Site or interacts with a specific feature, but may remain stored on your device until a certain termination date is reached.

14. INFORMATION SECURITY

We endeavor to protect our Site and you from unauthorized access, alteration, disclosure, or destruction (or other similar risks) of Personal Data we collect and store. We take various measures to ensure information security, including: encryption of our Site communications; required two-factor authentication for all sessions; periodic review of our Personal Data collection, storage, and processing practices; and restricted access to your Personal Data on a need-to-know basis for our employees and service providers who are subject to strict contractual confidentiality obligations.

If you have any questions about information security or report any security issues, please contact us by sending an email to the following address dpoeu@okx.com with the subject “INFORMATION SECURITY REQUEST”.

15. CONTACTING OKX ABOUT PRIVACY QUESTIONS OR CONCERNS

If you have any questions about this Privacy Notice or the use of your Personal Data, please contact us by sending an email to the following address support@okcoin.com with the subject “PRIVACY REQUEST”. For users from the EEA, you have the right to make a complaint for unresolved questions in relation to the collection, use or disclosure of your Personal Data to the applicable supervisory authority within your jurisdiction. 

16. CHANGES TO OUR Privacy Notice

We may update this Privacy Notice at any time by posting the amended version on this Site including the effective date of the amended version, so please check frequently to see if there are any updates or changes. Your continued access to or use of this Site and/or the Services constitutes your acknowledgment and acceptance of such changes to this Privacy Notice.

17. LANGUAGES

This Privacy Notice may be posted in different languages. If there are any discrepancies, the English version shall prevail.

18. ADDITIONAL INFORMATION FOR PERSONS SUBJECT TO THE EU GDPR

For European Residents, we adhere to relevant and applicable EU data protection laws and provide them with the following additional information. For the purposes of this section, Personal Data has the applicable meaning provided for in the GDPR.

Legal Basis For Processing Personal Data

We process Personal Data subject to the GDPR on one or more of the following legal bases:

  • To comply with legal obligations and regulations. To comply with applicable laws, regulations and legal obligations, including “know your customer” obligations based on applicable anti-money laundering and anti-terrorism requirements, financial crime and fraud prevention, suspicious activity reporting, responding to requests from public authorities, complying with economic and trade sanctions requirements, performing customer due diligence, performing audit and risk assessments, preparing tax reports, fulfilling our retention obligations, and handling legal claims.

  • To comply with contractual obligations. To comply with our contractual obligations to you under our Terms of Service, including to provide you with our Services and customer support and to optimize and enhance the Site.

  • Consent. To provide and market our Services to you based on your consent. You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before it is withdrawn.

  • Legitimate interest. To monitor the usage of the Site, fraud prevention, network, and information security, conduct automated and manual security checks of our Services, to engage in direct marketing activities, and to protect your rights. When we process your personal data for our legitimate interests, we consider and balance any potential impact on you and your rights under data protection laws.

Your Rights

European Residents have the following rights under the GDPR with respect to their Personal Data, subject to certain exceptions provided under the law.

  • Right to Access and Rectification. You may submit a request that OKX disclose the Personal Data we process about you and correct any inaccurate Personal Data.

  • Right to Erasure. You may submit a request that OKX delete the Personal Data that we have about you.

  • Right to Restriction of Processing and Right to Object. You have the right to restrict or object to our processing of your Personal Data under certain circumstances.

  • Right to Data Portability. You have the right to receive the Personal Data you have provided to us in an electronic format and to transmit the Personal Data to another data controller.

  • Right to withdraw consent. You have a right at any time where we are relying on consent to process your Personal Data.

  • Right to complain. You may lodge a complaint with a data protection supervisory authority.

When handling requests to exercise European privacy rights, we check the identity of the requesting party to ensure that they are the person legally entitled to make such a request. While we endeavor to respond to these requests free of charge, should your request be repetitive or unduly onerous, we reserve the right to charge you a reasonable fee for compliance with your request.

Automated Decision-Making

We may engage in automated decision-making for purposes of risk and fraud detection. When we do, we implement suitable measures to safeguard your rights and freedoms and legitimate interests, including the right to obtain human intervention, to express your point of view and to contest the decision.