Privacy Policy

We collect information you provide directly when creating an account and completing KYC/KYB verification: full legal name, date of birth, nationality, government-issued ID documents, selfie photographs, residential address, email address, phone number, and bank or mobile money account details.

We also collect wallet addresses you register, transaction data from your use of the platform (subscriptions, orders, redemptions), and technical data such as IP address, device type, and session tokens.

For KYC/KYB verification we use Sumsub, a third-party identity verification provider. Your identity documents are processed by Sumsub under their privacy policy.

Identity and KYC data is used solely to comply with applicable financial regulations (AML/KYC obligations under FICA, CMA, SEC, and similar laws), to verify your eligibility to participate in security token offerings, and to fulfil our obligations as a regulated platform.

Transaction and portfolio data is used to provide the platform, process payments, settle trades, and generate compliance reports required by regulators.

We do not sell, rent, or share personal data with third parties for marketing purposes.

KYC/KYB records, transaction history, and audit logs are retained for a minimum of 7 years from the date of the last transaction, as required by applicable AML/CFT regulations in our operating jurisdictions.

Wallet addresses and on-chain transaction data are publicly visible on the relevant blockchain and cannot be deleted from those networks by Token-x.

All data in transit is encrypted with TLS 1.2 or higher. Data at rest is encrypted at the database level. Signing keys are held in Fireblocks MPC custody — no private keys are stored in plaintext anywhere in our infrastructure.

Access to personal data is role-restricted. Compliance Officers can access KYC records. Investors can access their own records. No employee has unrestricted access to production personal data.

Depending on your jurisdiction, you may have the right to access, correct, or request deletion of your personal data. Note that some data cannot be deleted due to regulatory retention requirements.

To exercise your rights, contact compliance@token-x.finance with your account email and the specific request.

Token-x uses session cookies (JWT tokens stored in httpOnly cookies) for authentication only. We do not use advertising or analytics cookies. No third-party trackers are embedded in the platform.

We may update this policy to reflect regulatory changes or platform updates. Material changes will be notified by email to registered users at least 14 days before taking effect.