Privacy Policy Apex Digital

I. INTRODUCTION

This Apex Digital Privacy Policy (the "Privacy Policy") governs the privacy relations between you ("Client" or "you") and any holding company, subsidiary or entity belonging to the Apex Digital group of companies ("Apex Digital" or "we"), in regard to how we process and protect your personal data as you use the Apex Digital Services provided on any Apex Digital website, including https://Apex Digital.com/ (the "Website"), mobile application(s), Apex Digital application programming interfaces ("APIs") or third party applications relying on our API (together, our "Apps"), and any other official Apex Digital communication channel, including the content and services made available on or through the same, and any updates, upgrades, and versions thereof, and constitutes a legally binding agreement (the "Agreement") between Apex Digital and you. We encourage you to seek out and read the Privacy Policy to understand how the information that we collect about you is used and protected.

The Privacy Policy is reviewed regularly to ensure that any new services or updates, as well as any changes to our business model and practices are taken into consideration. We will alert you of material changes by, for example, placing a notice on the Website, the Apex Digital Platform and/or by sending you an email. Your continued use of the Apex Digital Platform after we make changes is deemed to be acceptance of those changes, so please review the Privacy Policy periodically for updates.

Unless stated otherwise herein, references shall be made to the Apex Digital Terms of Service, Apex Digital Cookies Policy, Apex Digital Chat Terms of Service, Apex Digital Card Provider General Terms and Conditions,and any other terms and conditions governing the use of the Apex Digital Platform and the Apex Digital Services (jointly the "Apex Digital General Terms"). All capitalised terms not defined herein, shall have the same meaning as the one given to them in the Apex Digital General Terms, as the case may be.

II. DEFINITIONS

  • Controller means any holding company, subsidiary or entity belonging to the Apex Digital group of companies, which may have the capacity of a personal data controller for the purpose of this Privacy Policy;
  • Processor means a natural or legal person, public authority, agency or other body which processes personal data when it processes data on behalf of the Controller;
  • Personal Data means any information relating to an identified or identifiable natural person ("Data Subject");
    an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or to one or more factors specific to that natural person;
  • Privacy Laws means any applicable personal data protection legislation;
  • Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data.

III. INFORMATION WE COLLECT

Apex Digital may collect the following types of Personal Data when you visit the Website, the Apps, register on the Apex Digital Platform, use the Apex Digital Services, and when you interact and communicate with Apex Digital on the Website or through the Apps:

Client-provided information

  • Identification information: full name, personal identification number, tax number, date, place and/or country of birth, country of residence, copies of your identification document (passport, ID or driver's licence) - front and back, gender, email address, PEP status (Politically Exposed Persons), indicators of your social status or official position held, sanctions status;
  • Contact and communication information: permanent and current address, telephone number, social media profiles, tags and handles, messages in any social platform or communication channel or medium;
  • Labour status: occupation, industry, employment status;
  • Financial information: bank account number, digital asset wallet, source of funds or Digital Assets transaction history, assets on the Apex Digital Platform;
  • Biometric data: biometric information generated based on photos or videos of you and your identification document(s) necessary for the purpose of identity verification;
  • Other information: any information that you provide to Apex Digital at your own discretion. This may include any information you have voluntarily provided to a Digital Agent in accordance with the Apex Digital Chat Terms.

Information we collect automatically

When you visit the Apex Digital Platform, we automatically collect the following information:

  • App, browser, and device information: information about the device, operating system, and browser you use to access your Apex Digital Account, including your IP address and/or other characteristics or identifiers;
  • Product usage information: activity information, including information about what you view or interact with when using the Apex Digital Services and service-related diagnostic and performance information;
  • Information from cookies and similar technologies: as described in our Cookies Policy.

Information we get from third parties

Apex Digital may receive Personal Data about you from third parties such as payment processors, compliance service providers assisting with anti-money laundering (AML), fraud, and security matters, and information that can be lawfully accessed from public sources. For example:

  • Financial institutions: Banks involved in processing your transfers may share basic personal details (such as your name and address) together with financial information, including your account number and related transaction data.
  • Card-issuing partners: Our card-issuing partners supply us with transaction records and fraud-risk indicators so that we can display your card activity, investigate potential disputes, and meet applicable regulatory obligations.
  • Risk and compliance service providers: External partners may confirm identity attributes and supply information relevant to fraud, security, sanctions, AML, or other compliance matters.
  • Public sources: We may access and retain information recorded on blockchains, other publicly available ledgers, or otherwise accessible in the public domain.

Apex Digital receives Personal Data from third parties for the purposes of compliance with its legal obligations, and the provision of contractual obligations in relation to the requested services. These third parties may collect Personal Data on behalf of Apex Digital, or act as Controllers in accordance with their own privacy policies. Some of these third parties may have obtained your data from publicly daccessible sources.

Please note that if you refuse to provide Personal Data when requested, especially where we need to collect it by law, or under the terms of a contract we have or are looking to enter into with you, we may not be able to perform the relevant contract, including the ability to offer or continue to provide the Apex Digital Services to you.

IV. PURPOSES AND LEGAL BASIS FOR PROCESSING

Apex Digital processes Personal Data only in accordance with applicable Privacy Laws and this Privacy Policy. Apex Digital collects and processes your Personal Data in a legitimate and transparent manner under the Privacy Laws, and namely:

  • for the purpose of concluding and/or implementing a contract with you;
  • to fulfil our obligations under the applicable legislation;
  • for the purposes of our legitimate interests, except when your interests and rights take precedence over Apex Digital's legitimate interests; or
  • based on your consent, where necessary - in the event your consent is required, Personal Data Processing shall commence only after receipt of such consent.

The table below sets out the processing purposes, their legal justification, and the categories of Personal Data involved.

Why we process your personal data Legal justification Categories of personal data
Identification & Verification - to process onboarding applications, verify identity (including the level of due diligence) through onboarding checks, and evidence identity authentication. Performance of Contract; Legal Obligations. Identification information; Biometric data.
Provision of New Services - to deliver the Apex Digital Services as described in the Apex Digital General Terms. Performance of Contract. Identification information; Contact and communication information; Financial information.
Service Functionality & Improvements - to maintain and enhance the Apex Digital Platform, ensure quality and security, analyse performance, debug, and conduct research, audits, and reporting. Legitimate Interests (service improvement and security). Technical/usage data.
Personalisation - to tailor the Client experience, content, and service offerings. Legitimate Interests; Consent (where applicable). Contact and communication information; Financial information.
Legal & Regulatory Compliance - to meet obligations under Privacy Laws, AML, sanctions, tax, anti-terrorism financing, and other applicable laws. Legal Obligations. Identification information; Contact and communication information; Financial information.
Fraud & Security Monitoring - to detect, investigate, and prevent fraud, money laundering, terrorism financing, and other criminal or malicious activity. Legal Obligations; Legitimate Interests. Identification information; Financial information; Contact and communication information.
Communications - to contact you about your Apex Digital Account, the Apex Digital Platform, updates to the Apex Digital Services, or changes to our contractual relationship. Performance of Contract; Legitimate Interests. Contact and communication information.
Marketing - to provide information on Apex Digital products and Apex Digital Services via permitted communication channels (with opt-out options). Consent. Contact and communication information; Technical/usage data.
Consent-based Purposes - for specific activities explicitly agreed to by individuals, with the right to withdraw at any time. Consent. Categories depend on the consent obtained.
Other Compatible Uses - for purposes reasonably aligned with the above, or where required or permitted by Privacy Laws. Legal Obligations; Legitimate Interests. Categories depend on the related purpose.

V. AUTOMATED DECISION MAKING AND PROFILING

Automated decision-making refers to decisions made solely by technological means without human involvement, including profiling. Apex Digital may rely on automated decision-making in certain processes because it:

  • enhances consistency and fairness by reducing the potential for human error or bias;
  • enables faster and more efficient decision-making, thereby improving service delivery;
  • supports fraud prevention and responsible lending by reducing the risk of Clients failing to meet loan obligations;
  • facilitates customer interaction through innovative Digital Agent technologies.

Automated decision-making may occur in:

  • Identity verification: automated checks on identification documents and biometric data during onboarding.
  • Account opening: automated approval or rejection of applications, subject to compliance checks.
  • Fraud and AML monitoring: automated detection of unusual patterns of activity, sanctions screening, and other security checks.
  • Crypto credit decisions: automated assessment of LTV ratios or other risk indicators relevant to Apex Digital's lending services.
  • Service personalization: automated recommendations based on usage data and transaction history.

Automated decisions may be based on:

  • Client-provided information (e.g., identification data, financial data);
  • Data observed during use of the Apex Digital Platform (e.g., transactional or location data);
  • Inferred or derived data (e.g., LTV ratios).

VI. SHARING PERSONAL DATA WITH THIRD PARTIES

Apex Digital may disclose Personal Data to carefully selected third parties outside of Apex Digital, but only where such disclosure is lawful, limited to the necessary scope, and subject to appropriate safeguards. Any such disclosure is made in accordance with applicable Privacy Laws, this Privacy Policy, and the Apex Digital General Terms.

Apex Digital may share Personal Data with the following categories of external third parties:

  • Banking and payment partners: to enable the topping up of funds, execution of payments, and withdrawals. These include banks, card providers, acquirers, account information service providers, and alternative payment processors.
  • Compliance and risk management providers: to perform identity verification, (KYC) checks, anti-money laundering AML screening, sanctions monitoring, and fraud detection.
  • Card-issuing partners: to provide payment card services. Such partners may act as independent controllers for their own regulatory obligations (e.g., fraud prevention, AML checks).
  • Third-party providers of AI technology: to provide the Chat Service, in line with Chat Terms of Service;
  • Auditors, consultants, and advisors: including legal, tax, compliance, and accounting professionals, subject to strict confidentiality obligations.
  • Marketing and advertising platforms: for lawful marketing purposes, including online campaigns, subject to your consent or applicable legal bases. No Personal Data will be shared with third parties for their independent marketing or promotional purposes.
  • Regulators, courts, and law enforcement authorities: where required by Privacy Laws or other applicable regulation, including but not limited to financial supervisory authorities, tax agencies, police, and judicial authorities.

In certain cases, third parties to whom Apex Digital discloses Personal Data may act as independent data controllers for specific processing activities (e.g., card-issuing partners, banks, or governmental authorities). In such cases, those third parties are responsible for their own compliance with applicable Privacy Laws.

The Apex Digital Platform may contain links to third-party websites, plug-ins, or applications. Clicking on such links may allow third parties to collect or share Personal Data. Apex Digital does not control these third-party websites and is not responsible for their processing of Personal Data. We encourage you to review the privacy notices of each third-party website you visit.

VII. TRANSFERS

When transferring Personal Data, we are committed to ensuring that the data importer maintains materially similar security measures for storage and Processing of Personal Data as we do. Your Personal Data may be processed, stored and transferred to third parties in the manner and amount as provided in this Privacy Policy, the contract(s) concluded between you and us, and consents you give to us from time to time.

Locations outside your home jurisdiction may be used for processing (including storing) the data we collect about you. The information we transfer may be shared with our service providers. It may include such processes as processing a payment, data analysis (including fraud, risk and compliance checks), collecting data on the use of our websites and services, for advertising purposes (including behavioural advertising), or offering support for your service or product needs. We take all reasonable action to ensure the safety of your Personal Data in agreement with this Privacy Policy and applicable local and international legislation. The legal basis for international data transfers depends on your home jurisdiction. If Personal Data of individuals located in the European Economic Area (EEA) or the United Kingdom (UK) is transferred to a country that does not provide a level of data protection equivalent to that of the EU/EEA or the UK, Apex Digital will ensure that the data is appropriately protected by using contractual arrangements with strict data protection safeguards or other lawful transfer mechanisms recognised under applicable Privacy Laws. For more information, you can contact Apex Digital's Data Protection Officer (DPO) at dpo@Apex Digital.com.

VIII. DIRECT MARKETING

Subject to applicable Privacy Laws, Apex Digital may from time to time send direct marketing communications about the Apex Digital Services and related offerings to existing Clients, or to individuals who have subscribed to receive updates. Such communications may be sent by email, push notifications, or other electronic means, in accordance with applicable Privacy Laws.

You may opt out of receiving marketing communications at any time:

  • by using the unsubscribe link included in each communication; or
  • by contacting Apex Digital's Data Protection Officer (DPO) at dpo@Apex Digital.com.

If you opt out, Apex Digital will retain your contact details on a suppression list to ensure that you do not receive further marketing communications, except where you have expressly opted back in.

IX. DATA SECURITY

Personal Data collected by Apex Digital through the Apex Digital Platform or otherwise is stored on secure servers, hosted in a cloud environment in the European Union (EU). Apex Digital is certified under ISO/IEC 27001 and SOC 2 Type 2 and implements appropriate technical and organisational measures designed to protect Personal Data against accidental loss, unauthorised access, alteration, or disclosure. These measures include, among others, network safeguards such as firewalls and encryption, regular malware scanning, and continuous monitoring of systems.

Access to Personal Data is strictly limited to employees, contractors, and authorised third parties who require such access to perform their duties or comply with legal obligations. All such individuals are subject to confidentiality obligations and receive regular training on data protection and information security. Access rights are carefully screened, granted on a need-to-know basis, and periodically reviewed.

In the event of a personal data breach resulting in the destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data, Apex Digital will, where required under applicable Privacy Laws, notify the competent data protection authority and affected individuals without undue delay. Such notification will include sufficient information to enable affected individuals to take protective measures. For additional details about Apex Digital's security practices, please visit the security panel on the Apex Digital Website.

To help maintain security, Clients are responsible for keeping their Apex Digital Account credentials confidential. Apex Digital employees will never ask for passwords or authentication codes. Clients should also exercise caution when accessing their Apex Digital Account from shared or unsecured devices.

X. STORAGE AND RETENTION

Apex Digital retains Personal Data only for as long as necessary to fulfil the purposes for which it was collected, or to comply with legal, regulatory, or contractual obligations. When Personal Data is no longer required, Apex Digital will securely delete it or anonymise it so that individuals can no longer be identified.

Depending on the context, Personal Data may be retained for different reasons, including:

  • Marketing suppression: If you opt out of receiving marketing communications, Apex Digital will retain your contact details on a suppression list to ensure you do not receive further communications, unless you later choose to opt back in.
  • Contractual and operational purposes: Account and transaction information may be retained for the duration of your relationship with Apex Digital and for a reasonable period afterwards, in line with industry standards, contractual obligations, or legitimate interests (such as preventing abuse or resolving disputes).
  • Legitimate business interests: Some Personal Data may be retained to support fraud prevention, product and service improvement, record-keeping, handling complaints, or enforcing legal rights.
  • Legal and regulatory compliance: Apex Digital is subject to AML and other regulations that may require retention of certain Personal Data for at least five (5) years after the end of the Client relationship or the date of a specific transaction. This period may be extended if required by Applicable Law.
  • Third-party processing: Where Personal Data is processed on Apex Digital's behalf by third-party providers, they are contractually required to retain and protect it in line with this Privacy Policy and applicable Privacy Laws.

In some cases, Apex Digital may need to retain Personal Data beyond the periods outlined above, for example where deletion is not possible for legal, regulatory, or technical reasons. In such cases, Apex Digital will continue to ensure that the Personal Data is appropriately safeguarded.

XI. YOUR RIGHTS

Apex Digital will respond to any request to exercise your rights as a Data Subject without undue delay, and in any case within the timeframes required by applicable Privacy Laws (normally within one month, extendable by two further months where necessary). You may exercise the following rights to the extent permitted by applicable Privacy Laws:

  • Access: You have the right to obtain confirmation as to whether Apex Digital processes Personal Data concerning you, and, if so, to request access to a copy of that data together with details of how it is processed.
  • Rectification: You have the right to request correction of any inaccurate Personal Data and to have incomplete data completed. If Apex Digital has disclosed the data to third parties, those parties will be informed where possible.
  • Erasure: You have the right to request deletion of your Personal Data in certain circumstances. This right may be limited by Apex Digital's legal or regulatory obligations (for example, under AML laws). Where feasible, Apex Digital will inform third parties to whom your data has been disclosed of your request.
  • Restriction of processing: You have the right to request the restriction of processing of your Personal Data, for example where you contest its accuracy or object to its processing. Apex Digital may continue to store the data but will not process it further without your consent, except as permitted by Privacy Laws.
  • Portability: You have the right to receive Personal Data you have provided to Apex Digital in a structured, commonly used, and machine-readable format, and to transmit that data to another Controller, where technically feasible.
  • Objection: You have the right to object at any time to the processing of your Personal Data:
    • for direct marketing purposes (in which case the data will no longer be processed for such purposes); or
    • where processing is based on Apex Digital's legitimate interests, unless Apex Digital can demonstrate that the processing is based on a legal obligation or is necessary for the performance of a contract.
  • Automated decision-making and profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects for you, except where the decision is necessary for a contract with Apex Digital, authorised by law, or based on your explicit consent. In such cases, you may contest the decision, express your point of view, and request human intervention.
  • Withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time. This will not affect the lawfulness of processing carried out before the withdrawal.
  • Complaint: You have the right to lodge a complaint with a competent data protection authority if you believe that your rights have been infringed. Where possible, Apex Digital encourages you to first contact Apex Digital's DPO so that concerns can be addressed directly.

To protect your privacy, Apex Digital may need to verify your identity before responding to your request. We will make reasonable attempts to promptly investigate, comply with, or otherwise respond to your requests as may be required by applicable Privacy Laws. Depending upon the circumstances and the nature of the request, Apex Digital may not be permitted to provide access to certain Personal Data or may be unable to fully comply; for example, producing your information may reveal the identity of another individual.

You will not have to pay a fee to exercise the rights listed above. However, requests that are manifestly unfounded or excessive may be refused or subject to a reasonable fee, in accordance with applicable Privacy Laws. Please note that any request concerning Personal Data which is publicly available should be submitted directly to the third-party supplier of that information.

XII. CONTACT US

Apex Digital values your privacy. If you have any comments or questions about this Privacy Policy, Apex Digital's handling of your Personal Data, a possible Personal Data Breach, or if you wish to exercise your rights, please contact Apex Digital's DPO at dpo@Apex Digital.com.

When submitting a request, please include the following information to help Apex Digital process it efficiently:

  • your full name;
  • your preferred communication channel (if none is specified, email will be used by default);
  • your country of residence;
  • if applicable, the type of right you wish to exercise;
  • a detailed description of your request.

Apex Digital treats all requests and complaints with confidentiality and will make reasonable efforts to respond in line with applicable Privacy Laws.

If you believe that Apex Digital has not adequately addressed your concern, you have the right to lodge a complaint with your local data protection authority. For individuals located in the EEA, a list of supervisory authorities is available on the website of the European Data Protection Board (EDPB).

XIII. MISCELLANEOUS

Apex Digital Services are not directed to individuals under the age of 18 or under the legal age required to enter into a binding contract with Apex Digital, whichever is higher ("Children"). Apex Digital does not knowingly collect or process the Personal Data of Children.

If Apex Digital becomes aware that it has inadvertently collected Personal Data from a Child, Apex Digital will take legally permissible steps to delete that data and close the associated account.

If you are a parent or guardian and believe that a Child has provided Personal Data to Apex Digital, please contact Apex Digital's DPO at dpo@Apex Digital.com.