Privacy Policy (GDPR Compliant)
1. Introduction and Data Controller
This Privacy Policy outlines how Universal Valuables Inc., operating as ExchEngine (the "Service", "We", "Us"), collects, uses, and protects your personal data. We are committed to safeguarding your privacy while ensuring strict compliance with the General Data Protection Regulation (GDPR) and international Anti-Money Laundering (AML) directives.
For the purposes of the GDPR, Universal Valuables Inc. is the Data Controller of the personal information collected through our platform.
2. Data We Collect
To provide our non-custodial "Self-to-Self" (S2S) exchange services and comply with global financial standards, we collect the following categories of data:
- Identity Data: Government-issued ID (passport, national ID), full legal name, date of birth, and biometric liveness data (facial verification) for identity confirmation.
- Financial & Transactional Data: Bank account details (IBAN, SWIFT), fiat transaction metadata (Payment Purpose/Reference), stablecoin wallet addresses, and proof of Source of Funds/Wealth (SoF) when required.
- Technical & Geolocation Data: IP addresses, VPN/Proxy usage status, browser and system type and settings, and device identifiers used to assess jurisdictional eligibility and network security.
3. Legal Basis and Purpose of Processing
We do not collect data for marketing or advertising purposes. Your data is processed strictly under the following legal bases (Article 6 of the GDPR):
- Legal Obligation: To comply with the FATF Recommendations, EU 5AMLD/6AMLD directives, and international AML/CTF laws.
- Performance of a Contract: To execute the fiat-to-stablecoin exchange requested by you under our Terms of Service.
- Legitimate Interest: To prevent fraud, ensure the technical integrity of our platform, and protect against cyber-attacks.
4. Data Sharing and Disclosure
We treat your data with the highest level of confidentiality. We only share personal data with authorized third parties on a strict "need-to-know" basis:
- Verification Partners: Certified KYC/AML providers who process identity and biometric checks on our behalf.
- Banking Partners: Financial institutions processing your fiat wire transfers, who require end-to-end traceability details.
- Regulatory Authorities: Financial Intelligence Units (FIUs) or law enforcement, but only when compelled by a valid, legally binding request or Suspicious Activity Report (SAR) obligations.
5. Data Retention
In accordance with international AML/CTF regulations, the Service is legally mandated to retain all KYC records, transaction metadata, and technical logs for a minimum period of five (5) years after the termination of the business relationship or the last transaction. Once this statutory period expires, your data will be securely deleted or irreversibly anonymized.
6. Your GDPR Rights and AML Limitations
Under the GDPR, you possess rights regarding your personal data, including the right to access, rectification, and data portability.
Important Limitation on the "Right to be Forgotten": Please note that your right to erasure (Article 17 GDPR) is superseded by our legal obligations under AML/CTF laws. We cannot delete your KYC or transaction records before the statutory 5-year retention period has elapsed. This is necessary to prevent the platform from being used for illicit financial activities.
7. Contact Information
If you have any questions about this Privacy Policy or wish to exercise your data rights (subject to the limitations outlined above), please contact our Data Protection Officer (DPO) at: compliance[at]exchengine.com