Personal Data Processing Policy

1. General Provisions

  • This Policy defines the procedure for processing personal data and the measures for its protection implemented by the operator, and is subject to public availability on the Internet.
  • The purpose of this Policy is to ensure the protection of the rights and freedoms of individuals during the processing of their personal data, including the protection of the right to privacy, personal and family secrets.
  • The provisions of this Policy are mandatory for all employees of the operator who have access to personal data.
  • Confirmation of consent to the Policy (by clicking a button or checking a checkbox) constitutes the user's full and unconditional acceptance of its terms.

2. Key Definitions

  • personal data — any information relating to a directly or indirectly identified individual (personal data subject), including financial, payment, technical and other information that allows the user to be identified;
  • personal data permitted by the subject for dissemination — data to which access has been granted to an unlimited number of persons with the subject's consent;
  • operator — a person who organizes the processing of personal data and determines the purposes and methods of such processing;
  • processing of personal data — any actions with data (collection, recording, storage, use, transfer, deletion and other operations);
  • automated processing — processing using computing technology;
  • dissemination of personal data — disclosure of data to an unspecified number of persons;
  • provision of personal data — transfer of data to a specific person or group of persons;
  • blocking of personal data — temporary suspension of data processing;
  • destruction of personal data — actions as a result of which the restoration of data becomes impossible;
  • anonymization of personal data — actions as a result of which it is impossible to determine the data's belonging to a specific subject;
  • personal data information system — a set of databases and technical means of processing;
  • cross-border transfer of personal data — transfer of data beyond the borders of a state;
  • mobile application — software for accessing the service from a mobile device;
  • personal account — a protected user section, access to which is provided using a login and password;
  • login and password — unique data for accessing the user's account;
  • user — a legally capable individual who has reached the age of 18;
  • website — the BuySell internet resource containing the software and informational content of the service.

3. Processing of Personal Data on the Website

The operator processes the following categories of data:

  • email address;
  • transaction and order history;
  • account identifiers;
  • payment details;
  • verification status data;
  • full name;
  • phone number;
  • passport data (including photo/scan);
  • support correspondence;
  • technical data (IP, browser and device).

Processing is carried out for the purposes of:

  • user registration;
  • execution of exchange operations;
  • providing service functionality;
  • conducting AML/KYC procedures;
  • providing technical support;
  • informing the user.

Verification may be carried out using third-party services. The operator receives only the verification result without access to the full data.

Processing of biometric data is not carried out, except in cases provided for by identification procedures.


4. Website Identifiers and Technologies

4.1. Data collection is carried out in two ways: provided by the user and automatic collection.

4.2. Data is provided through website forms, the personal account, and email.

4.3. Information about user actions on the website is automatically collected, including pages visited and behavior.

4.4. Technologies used include: cookies, web beacons, analytical tools, and server logs.

4.5. Cookies are files that allow the user's browser to be identified and settings to be saved.

4.6. The user may disable cookies, however this may affect the operation of the website.

4.7. Automatic data collection is not carried out without the user's participation in providing personal information.


5. Rights and Obligations of the Parties

The operator is obliged to:

  • ensure the protection of personal data;
  • not disclose data without legal grounds;
  • comply with the requirements of applicable law.

The user has the right to:

  • receive information about their data;
  • request its modification or deletion;
  • restrict processing;
  • withdraw consent;
  • appeal the operator's actions.

The operator has the right to:

  • request additional information;
  • restrict access to the service;
  • suspend operations in the presence of risks.

Processing of data for marketing purposes is permitted only with the user's consent.


6. Updating, Correcting, and Deleting Data

The user has the right to request clarification, blocking, or deletion of their data.

The operator is obliged to:

  • make changes upon confirmation of data inaccuracy;
  • cease processing upon identification of violations.

Data is subject to destruction:

  • upon achievement of the processing purposes;
  • upon withdrawal of consent;
  • in other cases provided for by law.

The deadline for making changes or deletion is up to 7 business days.


7. Handling of Requests from Users and Authorities

The user has the right to obtain:

  • confirmation of data processing;
  • purposes and grounds for processing;
  • list of data;
  • sources of its collection;
  • storage periods;
  • information about transfers to third parties.

The operator has the right to refuse to provide information if:

  • this is provided for by applicable law;
  • the data affects the interests of third parties;
  • the processing is related to AML/CFT checks.

A response is provided within 10 business days, with the possibility of extension to 15 days.

The request must contain document details and identity confirmation.

The request may be submitted in electronic form.

A repeat request is permitted no earlier than 30 days after the previous one.

The operator is obliged to provide access to the data or a reasoned refusal.

Upon request from government authorities, information is provided in the manner established by law.


8. Protection of Personal Data

The operator takes necessary measures to protect data:

  • access restrictions;
  • encryption;
  • monitoring of employee actions;
  • prevention of unauthorized access;
  • data backup.

Regular security threat assessments are conducted.

Modern information security tools are used.


9. Final Provisions

9.1. The Policy is an official document of the operator.

9.2. The operator has the right to amend the Policy without prior notice.

9.3. The new version takes effect from the moment of publication on the website.