Legal
Last updated: June 1, 2026
What we collect, why we collect it, and what we will never do with it. The short version: we collect what a regulated exchange must, we encrypt it, and we don't sell it.
1. What we collect
Account data: username, email, password (stored encrypted, never in plain text). Identity data, required by law: name, date of birth, phone, address, nationality and verification documents. Usage data: logins, device fingerprints and IP addresses (hashed where used for security decisions), trading activity, support conversations.
Cookie-derived data only within the categories you consent to — see the Cookie Policy.
2. Why we collect it
To run your account and execute your orders; to meet AML, KYC and sanctions obligations; to secure the platform (fraud prevention, login anomaly detection, lockouts); to improve the product through aggregated analytics; and to communicate service messages you cannot opt out of, like security alerts and attestation notices.
3. Legal bases
Contract performance for account and trading services; legal obligation for identity and transaction records; legitimate interest for security and fraud prevention; consent for optional cookies and marketing — withdrawable at any time, as easily as it was given.
4. Who we share it with
Service providers under contract (identity verification, banking and card rails, cloud infrastructure) — bound to our standards and only what they need. Authorities, where a lawful request compels us. Nobody else. We do not sell personal data, and we never have.
5. How long we keep it
Identity and transaction records: the retention period required by financial regulation (typically five years after account closure). Security logs: up to two years. Everything else: as long as your account is active, then deleted or anonymized.
6. How we protect it
Encryption at rest and in transit, segregated infrastructure, least-privilege access for staff, and security reviews of every change that touches personal data. Authentication secrets — passwords, 2FA seeds, backup codes — are stored using dedicated encryption with keys held separately from the data.
7. Your rights
Access, rectification, erasure (within the limits regulation places on a financial institution), restriction, portability and objection. Exercise any of them from your account settings or by writing to privacy@obsidiate.com — we answer within 30 days, usually much faster.
8. International transfers
Where data leaves your jurisdiction, it travels under recognized safeguards such as standard contractual clauses. Our primary infrastructure is in the European Union.
9. Changes and contact
Material changes are announced before they take effect, with the date at the top of this page updated. Data protection questions: privacy@obsidiate.com.