DATA PROTECTION POLICY

Effective Date: 30 July 2025

1. Controller Information

This Privacy Policy applies to the processing of personal data by:

AURUM NEO-BANK sp. z o.o.
Registered Headquarters: Ul. Długa 29, 00-238 Warsaw, Mazowieckie, Republic of Poland
Website: www.polex.io

AURUM NEO-BANK sp. z o.o., doing business as “Polex” (the “Company”), operates as a MiCA-aligned crypto-asset service provider and virtual asset service provider (VASP), facilitating the exchange of crypto-assets for fiat currency and vice versa.

The Company acts as the Data Controller within the meaning of the General Data Protection Regulation (GDPR).

2. Legal Framework

This Policy is adopted in compliance with:

  • General Data Protection Regulation (GDPR);
  • Markets in Crypto-Assets Regulation (MiCA);
  • Regulation (EU) 2023/1113 (Travel Rule);
  • Polish data protection law;
  • Polish AML/CFT legislation;
  • Supervisory expectations of the Polish Financial Supervision Authority.

3. Categories of Personal Data Collected

The Company collects and processes personal data strictly necessary for regulatory compliance, service provision, fraud prevention, and operational integrity.

3.1 Identification Data

  • Full name
  • Date and place of birth
  • Nationality
  • Residential address
  • Government-issued identification number
  • Copy of identification document
  • Biometric verification data (liveness checks)

3.2 Contact Data

  • Email address
  • Telephone number
  • Registered wallet addresses

3.3 Financial & Transaction Data

  • Bank account details
  • Crypto-asset wallet addresses
  • Transaction history
  • Blockchain transaction identifiers
  • Source of funds documentation

3.4 Compliance & Risk Data

  • Sanctions screening results
  • PEP screening results
  • Adverse media checks
  • Risk classification profile
  • IP address and geolocation (for fraud detection)

3.5 Website Usage Data

  • IP address
  • Device identifiers
  • Browser type
  • Session duration
  • Pages visited
  • Interaction history

4. Lawful Basis for Processing

Personal data is processed only where a lawful basis exists under Article 6 GDPR:

Purpose

Lawful Basis

AML/KYC verification

Legal obligation

Travel Rule compliance

Legal obligation

Transaction monitoring

Legal obligation

Fraud prevention

Legitimate interest

Service delivery

Contract performance

Customer support

Contract performance

Regulatory reporting

Legal obligation

Marketing (where applicable)

Consent

Failure to provide required personal data may prevent onboarding or result in termination of the relationship.

5. Purpose of Processing

Personal data is processed for the following purposes:

  1. Establishing and maintaining a contractual relationship;
  2. Verifying identity under AML/CFT obligations;
  3. Executing crypto-asset transactions;
  4. Conducting sanctions and PEP screening;
  5. Performing blockchain analytics and transaction monitoring;
  6. Preventing fraud, abuse, and financial crime;
  7. Complying with MiCA prudential and governance requirements;
  8. Fulfilling regulatory reporting obligations;
  9. Managing operational, risk, and security functions;
  10. Improving platform performance through anonymized analytics.

The Company does not process personal data for automated decision-making producing legal effects without appropriate safeguards.

6. Data Disclosure

Personal data may be disclosed only where strictly necessary:

6.1 Regulatory Authorities

  • Polish Financial Supervision Authority (KNF)
  • Financial Intelligence Units (including Polish FIU)
  • Courts and law enforcement agencies

6.2 Banking & Payment Institutions

For settlement and safeguarding of client funds.

6.3 Compliance Service Providers

Including:

  • Identity verification providers
  • Blockchain analytics providers
  • Sanctions screening vendors

All such processors are bound by contractual data protection agreements.

6.4 Corporate Transactions

In the event of merger, acquisition, or restructuring, subject to equivalent data protection safeguards.

The Company does not sell personal data.

7. International Data Transfers

Where personal data is transferred outside the European Economic Area:

  • Transfers are made only to jurisdictions with an adequacy decision; or
  • Appropriate safeguards are implemented, including Standard Contractual Clauses (SCCs); and
  • Transfer impact assessments are conducted.

All third-party processors must maintain equivalent data protection standards.

8. Data Retention

The Company retains personal data strictly in accordance with legal requirements:

Data Category

Retention Period

AML/KYC records

10 years

Transaction records

10 years

Communications

5–10 years

Website analytics

12–24 months

Data may be retained longer where required by law or regulatory investigation.

Upon expiry, data is securely deleted or anonymized.

9. Data Security Measures

The Company maintains enterprise-level safeguards including:

  • End-to-end encryption in transit and at rest
  • Multi-factor authentication
  • Role-based access control
  • Regular penetration testing
  • Intrusion detection systems
  • Secure cloud infrastructure within EU
  • Strict internal access logging
  • Annual cybersecurity audits

All employees undergo mandatory data protection training.

10. Data Subject Rights

Under GDPR, individuals have the right to:

  • Access their personal data
  • Rectify inaccurate data
  • Request erasure (subject to AML retention rules)
  • Restrict processing
  • Object to processing
  • Data portability
  • Withdraw consent (where processing is consent-based)

Requests may be submitted to:

compliance@polex.io

The Company will respond within one month, subject to complexity.

Where AML or legal obligations require retention, deletion requests may be lawfully declined.

11. Cookies and Tracking Technologies

The Company uses cookies for:

  • Website functionality
  • Security monitoring
  • Performance analytics
  • Fraud prevention

Non-essential cookies are deployed only with user consent.

Users may manage cookie settings via browser preferences.

The website does not rely on third-party behavioral advertising trackers.

12. Data Breach Notification

In the event of a personal data breach:

  • The Company will notify the competent supervisory authority within 72 hours where required;
  • Affected individuals will be informed without undue delay if high risk exists;
  • Incident response procedures are activated immediately.

13. Complaint Rights

If you believe your data protection rights have been infringed, you may file a complaint with:

President of the Personal Data Protection Office (UODO – Poland)

or your local EU data protection authority.

14. Policy Amendments

This Policy may be updated to reflect:

  • Regulatory changes;
  • Operational changes;
  • Security enhancements.

Material changes will be communicated in advance.

Continued use of services after notice constitutes acceptance of the updated Policy.

Register