Your privacy matters to us. This policy explains exactly what data we collect, why we collect it, and how we protect it.
Effective Date: 1 May 2025 · Last Updated: 17 May 2026
Summit Exchange Ltd. ("Summit Exchange", "we", "us", or "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, share, and protect information about you when you use the Summit Exchange platform at summitexchange.net. By creating an account or using our services, you acknowledge that you have read and understood this Privacy Policy. This policy is incorporated by reference into our Terms of Service and Policy Notice.
We collect the following categories of personal data:
Identity Data — Full name, email address, phone number, country of residence, and date of birth collected at registration and during KYC verification.
KYC Documents — Government-issued identification documents including passports, national IDs, driver's licences, utility bills, and selfie photographs submitted for identity verification. These are stored securely in encrypted cloud storage.
Wallet Data — Public wallet addresses for each supported cryptocurrency. We do not store, collect, or have access to your seed phrase, private keys, or mnemonic phrases. These remain exclusively on your device.
Transaction Data — Records of all transactions conducted on the platform including send, receive, swap, buy, sell, and P2P trades. This includes amounts, timestamps, blockchain transaction hashes, and counterparty addresses.
NFC Card Data — Physical card UID, logical card ID, key type, usage history, and provisioning records for any NFC hardware cards linked to your account.
Technical Data — IP address, browser type and version, device type, operating system, session duration, and pages visited. Collected automatically when you access the platform.
Communications Data — Records of support requests, feedback, or correspondence you send to us.
We use your personal data for the following purposes:
• Account creation, authentication, and security (including JWT session management and NFC card verification)
• Identity verification (KYC) and ongoing compliance with AML/CTF regulations
• Processing cryptocurrency transactions and maintaining accurate transaction records
• Sending OTP codes, security alerts, password reset emails, and account notifications via email
• Detecting, investigating, and preventing fraudulent transactions and other illegal activities
• Improving platform functionality through anonymized analytics
• Complying with legal obligations, court orders, or requests from regulatory authorities
• Communicating material updates to our policies or services
Where applicable under data protection law (including GDPR), we process your personal data on the following legal bases:
Contract Performance — Processing necessary to provide you with our services as outlined in the Terms of Service.
Legal Obligation — Processing required to comply with AML, KYC, tax reporting, and other applicable legal requirements.
Legitimate Interests — Processing for fraud prevention, platform security, and operational analytics, where these interests are not overridden by your rights.
Consent — For any optional communications or non-essential data processing where we have requested and obtained your consent.
Your data is stored on our self-hosted Supabase infrastructure running on a secured VPS with the following protections:
• All data is encrypted at rest and in transit (TLS 1.3)
• Row-level security policies enforce strict data isolation between users
• KYC documents are stored in encrypted object storage with access-controlled paths
• OTP codes are bcrypt-hashed before storage and expire after 10 minutes
• Passwords and passcodes are bcrypt-hashed with a minimum of 10 rounds — never stored in plain text
• Seed phrases and private keys are never transmitted to or stored on our servers under any circumstances
• Access to production databases is restricted to authorized personnel only
We retain your data for as long as your account is active or as required by applicable law, typically a minimum of 5 years for AML-regulated transaction records.
We do not sell your personal data. We may share your data with:
Regulatory Authorities — Financial intelligence units, law enforcement agencies, or regulators when required by law or court order.
KYC Verification Partners — Third-party identity verification services used to validate documents submitted during KYC. These partners operate under data processing agreements.
Fiat On-Ramp Providers — When you initiate a fiat-to-crypto purchase, your wallet address is shared with our on-ramp partner (currently Mercuryo) to fulfil the transaction. Their handling of your data is governed by their own privacy policy.
Blockchain Networks — Transaction data (wallet addresses and amounts) is inherently public on the respective blockchain networks by the nature of how cryptocurrencies function.
Service Providers — Hosting, email delivery (SMTP), and analytics providers who process data on our behalf under strict data processing agreements.
Depending on your jurisdiction, you may have the following rights regarding your personal data:
Right of Access — Request a copy of the personal data we hold about you.
Right to Rectification — Request correction of inaccurate or incomplete data.
Right to Erasure — Request deletion of your data, subject to legal retention obligations (AML regulations may require us to retain transaction data regardless).
Right to Restriction — Request that we restrict processing of your data in certain circumstances.
Right to Data Portability — Request a machine-readable export of your personal data.
Right to Object — Object to processing based on legitimate interests.
Right to Withdraw Consent — Where processing is based on consent, withdraw it at any time.
To exercise any of these rights, contact us at privacy@summitexchange.com. We will respond within 30 days.
We use essential cookies required for platform security and authentication. Please refer to our Policy Notice for full details on the types of cookies used and how to manage them.
Summit Exchange is not directed at, and does not knowingly collect personal data from, individuals under the age of 18. If we become aware that we have inadvertently collected data from a minor, we will take steps to delete it promptly. If you believe a minor has provided us with personal data, please contact us at privacy@summitexchange.com.
We may update this Privacy Policy from time to time. The revised version will be published on this page with an updated effective date. For material changes, we will notify registered users via email. We encourage you to review this policy periodically.
For privacy-related enquiries, data subject requests, or to report a concern:
Email: privacy@summitexchange.com
Website: summitexchange.net/contact
Summit Exchange Ltd.
Data Protection Office
summitexchange.com