Version: 2026-05-19 · Effective: 19 May 2026 · Last updated: 19 May 2026
Plain-language summary (non-binding)
This Privacy Policy explains how CEGOAT (“CEGOAT”, “we”, “us”, “our”) collects, uses, shares and protects your personal information when you use our websites, mobile applications, APIs, and trading, custody and related services (together, the “Services”). It also explains your rights under applicable data-protection laws — including the EU General Data Protection Regulation (“GDPR”), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (“CCPA/CPRA”), the Australian Privacy Act 1988, and equivalent laws in jurisdictions where we operate.
The data controller responsible for your personal data is the CEGOAT group entity that provides the Services to you, as identified during onboarding and listed at cegoat.com/legal/licenses. Where two or more CEGOAT entities jointly determine the purposes and means of processing (for example, group-wide fraud monitoring) they act as joint controllers and have agreed on their respective responsibilities in line with Article 26 GDPR.
This policy applies to personal data we process when you (a) visit our public websites; (b) open or operate a CEGOAT account; (c) interact with our APIs, mobile apps or support channels; or (d) attend our events or communicate with us in any other capacity. It does not apply to third-party services that you may access via links from the Services — those are governed by the third party's own privacy policy.
| Category | Examples | Primary purpose |
|---|---|---|
| Identifiers | name, date of birth, nationality, government ID number, photo, signature, residential address, email, phone number | Account creation, identity verification (KYC), sanctions screening, fraud prevention, regulatory reporting |
| Account & authentication | username, hashed password, MFA secrets, recovery codes, API keys, withdrawal address whitelist | Operate your account, secure access, prevent account takeover |
| Financial & transactional | source-of-funds declarations, deposits, withdrawals, trades, on-chain addresses, transaction hashes, fiat payment metadata, fee records | Execute and record your transactions, calculate fees, satisfy record-keeping and tax-reporting obligations |
| Device & technical | IP address, approximate geolocation, device fingerprint, browser, OS, language, screen resolution, session and request logs | Secure access, detect fraud, enforce geographic restrictions, debug and improve the Services |
| Communications | support tickets, chat transcripts, recorded compliance calls, emails, in-app messages | Provide support, resolve disputes, train support staff, comply with record-keeping |
| Marketing | newsletter subscription status, email engagement, on-site behaviour where you have consented to analytics | Send service updates and (where consented) marketing communications, measure campaign effectiveness |
| Third-party data | watchlist/PEP/adverse-media matches, blockchain-analytics risk scores, fraud-database hits | AML/CTF compliance, sanctions screening, fraud prevention |
We do not intentionally collect “special categories” of data (such as racial or ethnic origin, political opinions, religion, health data, sexual orientation, or biometric data for unique identification) except where (i) you submit a government ID that incidentally reveals such data, or (ii) we use facial biometrics solely for identity verification with your consent (where required) and with a regulated KYC provider.
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
A current list of our material sub-processors and the categories of data they process is published at cegoat.com/legal/disclosure and is updated when new sub-processors are engaged.
We operate globally, which means your personal data may be processed in countries other than your country of residence, including the United States, the European Economic Area, the United Kingdom, the United Arab Emirates, Australia and other jurisdictions in which our group entities or sub-processors operate.
Where personal data is transferred from the EEA, the UK or Switzerland to a country that has not been deemed to provide an adequate level of protection, we rely on appropriate safeguards — principally the European Commission's Standard Contractual Clauses (Decision 2021/914), the UK International Data Transfer Addendum, and supplementary measures including encryption in transit and at rest, access controls and transfer-impact assessments. A copy of the relevant SCCs is available on request.
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, satisfy applicable legal, regulatory, tax, accounting or reporting requirements, or to establish, exercise or defend legal claims. The table below summarises typical retention periods; specific periods may be longer where required by law or shorter where consent is withdrawn and no other basis applies.
| Type of data | Retention period |
|---|---|
| Account & KYC records (incl. ID documents, selfies) | Duration of the relationship plus at least 5 years after closure (extended to 7 years in certain jurisdictions) |
| Transaction records and trade history | At least 5 years from the date of the transaction, longer where required by tax or financial-services law |
| AML investigation files, SARs/STRs and related supporting data | Minimum 5 years from the date of filing or for as long as required by the receiving FIU |
| Support communications | Up to 3 years from last contact |
| Marketing preferences and unsubscribe records | For as long as we send marketing; unsubscribe records retained indefinitely to honour your choice |
| Server, security and access logs | 12–24 months on hot storage, then archived where required for incident-response or legal reasons |
| Cookies and similar identifiers | Up to 13 months from the last interaction (or shorter where indicated in the Cookie Policy) |
We maintain an information-security programme aligned with ISO/IEC 27001 and SOC 2 control objectives. Controls include encryption in transit (TLS 1.2+) and at rest (AES-256-GCM with AWS KMS), tenant-level role-based access controls, hardware security modules and multi-party approval for cold-storage operations, continuous vulnerability scanning, third-party penetration testing, 24/7 security monitoring and incident-response capability, mandatory MFA for all staff, secure SDLC and code review, and supplier due diligence. We will notify affected users and competent authorities of personal-data breaches in accordance with applicable law.
Subject to applicable law and any exemptions (for example, AML/CFT record-keeping obligations that override deletion requests), you have the right to:
To exercise your rights, contact us at privacy@cegoat.com. We will respond within the timeframes required by applicable law (typically within 30 days). We will need to verify your identity before fulfilling any request.
We use automated tools to detect fraud, sanctions and AML risk, and to determine eligibility for certain Services. Where an automated decision produces legal or similarly significant effects (for example, declining to open or maintain an account), you have the right to obtain human review of the decision, express your point of view, and contest the outcome by contacting privacy@cegoat.com.
We send transactional and service-related communications that you cannot opt out of while you have an Account. Marketing communications are sent only with your consent (where required by law) and you can unsubscribe at any time using the link in any marketing email or via your Account preferences.
The Services are not directed at, and we do not knowingly collect personal data from, individuals under the age of 18 (or higher where required by local law). If we become aware that we have collected personal data from a minor without verifiable parental consent, we will delete it.
The legal bases for our processing are set out in Section 7. You have the rights described in Section 13. Where required, we have appointed a Data Protection Officer, contactable at dpo@cegoat.com, and an EU/UK representative, contactable via the same address. You may lodge a complaint with your local supervisory authority.
In the preceding 12 months we have collected the categories of personal information described in Section 4 for the business purposes described in Section 6, and disclosed them to the categories of recipients described in Section 8. We do not sell or share personal information for cross-context behavioural advertising. California residents have the right to know, delete, correct, and limit the use of sensitive personal information, and the right not to be discriminated against for exercising those rights. To submit a request, email privacy@cegoat.com. Authorised agents may submit requests with proof of authority.
We handle personal information in accordance with the Australian Privacy Principles in the Privacy Act 1988 (Cth). You may request access to or correction of your data by contacting privacy@cegoat.com. Complaints can be directed to us first; if unresolved, you may contact the Office of the Australian Information Commissioner (OAIC).
Where DIFC, ADGM or UAE federal data-protection laws apply, we process personal data in accordance with the relevant legislation. You have rights of access, rectification, erasure (subject to AML retention), and objection. Contact us at privacy@cegoat.com.
We may update this Privacy Policy from time to time. Material changes will be notified through the Account dashboard or by email at least 14 days before they take effect, unless a shorter period is required by law. The version and effective date at the top of this page reflect the most recent revision.