Version: V1.0 | Effective Date: May 20, 2026 www.perpvia.com
Article 1 Overview and Commitment
1.1 Purpose of the Policy
PerpVia Exchange Ltd. (hereinafter referred to as "PerpVia," "we," or "the platform") recognizes the importance of users' personal data. This Privacy Policy aims to clearly explain how we collect, use, store, share, and protect your personal information, as well as the rights you have regarding your personal data.
1.2 Core Commitments
- We only collect the minimum amount of data necessary to provide our services;
- We do not sell users' personal data;
- We will not use user data for purposes not disclosed in this policy;
- We adopt industry-leading technical and management measures to protect user data security;
- We respect and effectively safeguard users' rights to be informed about and control their own data.
1.3 Scope of Application
This policy applies to all users who visit www.perpvia.com, use the platform’s mobile applications, or interact with the platform through API interfaces. Using the platform’s services indicates that you have read and agreed to this policy.
Article 2 Data Controller Information
| Item | Details |
|---|---|
| Data Controller | PerpVia Exchange Ltd. |
| Registered Address | (Platform Registered Address) |
| Data Protection Officer (DPO) | dpo@perpvia.com |
| Privacy Policy Inquiries | privacy@perpvia.com |
| Official Website | www.perpvia.com |
Article 3 Types of Data We Collect
3.1 Identification Data
- Name, date of birth, nationality;
- Scans or photos of government-issued identification documents (ID card, passport, driver’s license);
- Facial recognition data (used for liveness detection and KYC verification);
- Tax Identification Number (TIN) or Social Security Number (only when required by applicable laws).
3.2 Contact Data
- Email address;
- Mobile phone number;
- Residential address and postal code;
- Emergency contact information (for institutional accounts).
3.3 Account and Transaction Data
- Account username and encrypted password;
- Deposit, withdrawal, and transaction history;
- Wallet addresses;
- Account balances and position data;
- Order records (including filled, canceled, and expired orders);
- Funding rate settlement records.
3.4 Financial Due Diligence Data
- Statements and supporting documents of fund sources;
- Bank account information (only applicable when fiat deposit and withdrawal functions apply);
- Wealth source explanations (for high-net-worth or large transaction users);
- Anti-money laundering screening results.
3.5 Technical Data
- IP address and geolocation information;
- Device identifiers (device ID, MAC address);
- Browser type and version;
- Operating system information;
- Login timestamps and session records;
- API key access logs.
3.6 Behavioral and Preference Data
- Platform page browsing records;
- Search and filter preferences;
- Click paths and interaction behaviors;
- Customer service communication records (including online chat and email correspondence);
- User feedback and survey responses.
3.7 Cookie Data
See Article 13 "Cookie Policy" of this policy for details.
Article 4 Methods of Data Collection
4.1 Direct Provision You provide relevant data to us actively when registering an account, completing KYC verification, submitting transactions, contacting customer service, or participating in surveys.
4.2 Automatic Collection When you use the platform’s services, we automatically collect technical and behavioral data through cookies, web beacons, log files, and analytics tools.
4.3 Third-Party Sources
- KYC service providers (identity verification results);
- Blockchain public ledgers (on-chain transaction verification);
- Sanctions lists and PEP (Politically Exposed Persons) database screening results;
- Credit risk assessment agencies (only where applicable);
- Social login services (if users choose to use them).
Article 5 Purposes and Legal Bases for Data Use
| Purpose of Use | Legal Basis |
|---|---|
| Account registration and identity verification | Performance of contract |
| KYC/AML compliance review | Legal obligation |
| Order matching and transaction settlement | Performance of contract |
| Risk control and fraud detection | Legitimate interests |
| Customer support and complaint handling | Performance of contract |
| Reporting to regulatory authorities | Legal obligation |
| Platform security and technical maintenance | Legitimate interests |
| Product improvement and user experience optimization | Legitimate interests |
| Marketing and promotion (with user consent) | User consent |
| Legal dispute handling | Legitimate interests / Legal obligation |
Article 6 User Location Data Compliance Obligations
6.1 General Explanation of Applicable Laws
Due to differences and continuous evolution in personal data protection legislation across global jurisdictions, we commit to processing your personal data in collection, use, storage, sharing, and cross-border transfer in accordance with the personal data protection, data security, and cybersecurity laws applicable in your jurisdiction, and to apply protection measures not lower than the standards stated in this policy to the extent reasonably feasible.
6.2 User Compliance Obligations and Confirmation
Before accessing or using the platform’s services, users must understand and confirm the legal regulations of their country or region (including but not limited to nationality, tax residence, actual residence, and network access location) regarding digital asset-related business and personal data processing activities. By providing personal data to the platform, users confirm that their actions do not violate any binding laws or regulations applicable to them.
6.3 General Framework of User Data Rights
To the extent permitted by applicable laws, you have the following rights regarding your personal data: right of access, right to correction, right to deletion, right to restrict processing, right to data portability, and right to object. The specific methods of exercising these rights and response timelines are subject to Article 10 of this policy and the laws applicable in your jurisdiction. If applicable laws grant you additional rights or shorter response times, we will handle them according to the standards more favorable to you.
6.4 Regulatory Cooperation and Service Restrictions
If the platform determines based on its internal compliance policies, KYC information, IP identification, or other reasonable judgments that the user’s location is unsuitable for continued service provision, or local laws prohibit related business, the platform reserves the rights to: (1) refuse registration applications; (2) restrict or suspend all or part of the account functions; (3) require users to withdraw assets and close accounts; (4) cooperate with regulatory authorities to disclose necessary information and conduct data localization in accordance with local laws. Users who circumvent compliance review by VPN, proxy, false identity, or other means will have their data handled according to applicable laws and bear all resulting legal liabilities themselves.
Article 7 Data Sharing and Third-Party Disclosure
7.1 We do not sell users' personal data.
7.2 Under the following circumstances, we may share your data with specific third parties:
- Service providers: strictly selected KYC verification service providers, cloud storage providers, data analytics platforms, and customer service system providers, only processing data within the scope necessary to provide services for the platform and required to sign data processing agreements (DPA);
- Regulatory and law enforcement authorities: disclosing necessary information to financial regulators, tax authorities, law enforcement agencies, or courts as required by applicable laws;
- Anti-money laundering screening databases: submitting necessary data to sanctions list checks, PEP screening, and suspicious transaction report (STR) related organizations;
- Group affiliated companies: when sharing data within the group, adhering to data protection standards equivalent to this policy;
- Business restructuring: in the event of mergers, acquisitions, or asset sales involving the platform, user data may be transferred as business assets, and the platform will notify affected users in advance.
7.3 Aggregated Anonymous Data
The platform may use anonymized aggregated data that cannot identify specific individuals for market research, product improvement, or public reporting. Such data is not subject to the data sharing restrictions in this policy.
Article 8 Cross-Border Data Transfers
8.1 The platform operates globally, and user data may be transferred to the platform’s registration location or server location for processing.
8.2 When conducting cross-border data transfers, the platform takes the following protective measures:
- Signing data transfer agreements that comply with internationally recognized standards (such as Standard Contractual Clauses, SCCs) or equivalent levels of protection;
- Ensuring that the receiving country or region has adequate data protection levels;
- Encrypting data during transmission;
- Complying with specific data localization storage requirements of the user’s jurisdiction.
Article 9 Data Retention Periods
| Data Type | Retention Period | Basis |
|---|---|---|
| KYC identity verification data | At least 5 years after account cancellation | AML/CFT regulatory requirements |
| Transaction records | At least 5-7 years | Financial record retention requirements of various jurisdictions |
| Communication records (customer service) | 3 years | Evidence needs for contract disputes |
| Technical logs | 90-180 days | Security audit requirements |
| Marketing preference data | Until user withdraws consent | User consent |
| Sanctions screening records | At least 5 years | OFAC and international sanctions regulations |
After the data retention period expires, the platform will permanently delete or anonymize the relevant data securely.
Article 10 User Data Rights
10.1 General Rights
All users have the following data rights and may submit requests via privacy@perpvia.com:
| Right | Description | Response Time |
|---|---|---|
| Right to be Informed | Know how we collect and use data | Policy available at any time |
| Right of Access | Request a copy of your personal data we hold | Within 30 days |
| Right to Rectification | Request correction of inaccurate or incomplete data | Within 15 business days |
| Right to Erasure | Request deletion of your personal data ("right to be forgotten") | Within 30 days |
| Right to Restrict Processing | Request restriction of data processing in specific circumstances | Within 30 days |
| Right to Data Portability | Request your data in a structured, machine-readable format | Within 30 days |
| Right to Object | Object to data processing based on legitimate interests | Within 30 days |
| Right to Withdraw Consent | Withdraw data processing consent at any time | Effective immediately |
10.2 Limitations on Exercising Rights
Under the following circumstances, the platform may not be able to fully comply with requests for data deletion or access:
- Data retention is required by law (e.g., AML record retention requirements);
- Data processing is necessary to perform a contract;
- Data involves ongoing regulatory investigations or legal proceedings.
Article 11 Data Security Measures
11.1 Technical Measures
- Data in transit is encrypted using TLS 1.3 or higher protocols;
- Stored data is encrypted using AES-256 standards;
- Passwords are stored using salted hash algorithms and never in plaintext;
- Sensitive operations require mandatory two-factor authentication (2FA);
- Regular penetration testing and vulnerability scanning are conducted;
- Intrusion detection systems (IDS) and anomaly behavior monitoring are deployed;
- The principle of least privilege is implemented; internal staff access only data necessary for their job duties.
11.2 Organizational Measures
- Develop and regularly drill data breach emergency response plans;
- Provide regular data protection training to all employees who access user data;
- Engage independent third parties to conduct regular data security audits;
- Sign data processing agreements (DPA) with all data processing service providers.
11.3 Data Breach Notification
In the event of a security incident involving users’ personal data, the platform will:
- Assess the scope of impact within 72 hours of discovery;
- Report to relevant regulatory authorities as required by applicable laws;
- Notify affected users promptly, explaining the types of data leaked, potential impacts, and protective measures users can take;
- Publicly disclose incident reports (for major incidents).
Article 12 Protection of Minors' Data
12.1 The platform’s services are not intended for minors under 18 years old. The platform does not intentionally collect personal data of minors.
12.2 If the platform discovers that it has collected data of minors, it will immediately take the following measures:
- Immediately close the related accounts;
- Securely delete related data according to applicable laws;
- Notify relevant regulatory authorities if required by applicable laws.
12.3 If parents or guardians discover that the platform may have collected personal data of their minor children, please contact privacy@perpvia.com immediately.
Article 13 Cookie Policy
13.1 Types of Cookies
| Type | Purpose | Can be Disabled |
|---|---|---|
| Necessary Cookies | Ensure basic platform functions operate properly (login status, security verification) | No |
| Functional Cookies | Remember user preferences (language, time zone, interface layout) | Yes |
| Analytical Cookies | Collect platform visit statistics to improve user experience | Yes |
| Marketing Cookies | Display relevant advertising content to users | Yes |
13.2 Cookie Management
Users can manage non-essential cookies through browser settings or the platform’s cookie preference center. Disabling certain cookies may affect normal platform functionality.
13.3 Third-Party Cookies
Third-party analytics tools used by the platform (such as Google Analytics) may place cookies on user devices. Users can opt out of data collection through the official channels of these tools.
Article 14 Policy Updates
14.1 The platform will update this Privacy Policy from time to time to reflect business changes, legal requirements updates, or adjustments in data processing practices.
14.2 Major updates will be notified to users 30 days in advance through: official platform announcements, registered email notifications, and in-site message pushes.
14.3 Continued use of platform services after the update takes effect will be deemed acceptance of the updated privacy policy. If users do not agree with the updates, they may request account cancellation within the notification period.
14.4 Historical versions of this policy will be retained on the platform’s archive page and available for users to review at any time.
PerpVia Exchange Ltd. www.perpvia.com © 2026 PerpVia. All Rights Reserved.