Privacy Policy

01

What we collect#

The data we collect falls into four categories:

• Account and authentication data: email address (via your chosen authentication provider), wallet address (derived deterministically from your sign-in), session tokens, account-creation timestamp, and account preferences.
• Transaction and trading data: deposit, withdrawal, order, and fill records (all of which are also recorded on-chain and therefore public).
• Technical and device data: IP address (used at the edge for geographic routing and abuse detection), browser and operating-system identifiers, device type, screen size, timezone, and language preference.
• Compliance data: jurisdiction signal derived from your IP and self-declared country, sanctions-list screening results, and any KYC artifacts collected from you when our compliance posture requires it (typically passport or government-ID image, proof of address, source-of-funds declaration).

02

How we collect#

We collect data when you create an account, when you interact with the platform (browsing, depositing, trading, withdrawing), when our edge layer processes your network requests, and when our compliance providers screen your account.

On-chain activity is collected by the public Base network and is outside Kyron's control. Anyone can observe blockchain transactions from your wallet address.

03

How we use it#

We use your data for:

• Operating the platform (authenticating you, displaying your portfolio, routing your trades, processing deposits and withdrawals).
• Enforcing the External Communication Policy and Terms (geographic restrictions, sanctions screening, fraud prevention, account-security checks).
• Customer support (responding to your messages and resolving issues you report).
• Service-quality monitoring (uptime, error tracking, performance, abuse detection — using aggregated and de-identified data where possible).
• Legal and regulatory compliance (responding to lawful information requests, mandatory reporting where applicable, tax-reporting cooperation if required by regulation).
• Product improvement (analysing usage patterns to improve UX — never tied to identifying you specifically when it can be avoided).

We do not use your data for advertising, profiling beyond compliance purposes, or sale to third parties.

04

Who we share with#

We share data with:

• Authentication provider: Magic Labs Inc. receives the data necessary to authenticate you (email address, session tokens, wallet derivation) per their privacy policy.
• Sanctions and KYC providers: we use third-party providers (named in your account compliance settings when applicable) to screen against sanctions lists and to perform identity verification when required. They receive only the data necessary for screening.
• Hosting and infrastructure providers: our hosting, CDN, monitoring, and error-tracking vendors receive data necessary to operate the platform. We choose providers with appropriate data-processing agreements in place.
• Regulators and law enforcement: when required by valid legal process, we may disclose data. We do not proactively report user activity to authorities except where specifically mandated by regulation.
• Successor entities: in the event of a merger, acquisition, or asset transfer, your data may transfer to the successor entity, subject to the same protections described here.

We do not share data with execution-side third-party venues beyond what is technically necessary to route an order, and even then only the minimal pricing and quantity information required for the trade.

05

How long we keep it#

We keep data for as long as your account is active and for a period afterward as required by applicable financial-services and anti-money-laundering regulations (typically five to seven years from the date of the last transaction or account closure, whichever is later, in most jurisdictions).

Technical logs (IP, device, session) are retained for shorter periods (typically 30 to 180 days) for security and abuse-detection purposes, then aggregated or deleted.

On-chain transaction records cannot be deleted — they are permanently recorded on the public blockchain. This is inherent to the technology.

06

Cookies and tracking#

We use cookies and similar technologies for essential functions (session management, locale preference, security), service-quality monitoring (uptime, error tracking), and analytics (aggregated usage patterns).

On your first visit you can configure your cookie preferences via the consent banner. You can change them at any time from Settings → Privacy. Essential cookies cannot be disabled because the platform cannot function without them.

07

Third-party services#

Third-party services that receive your data, in addition to those named in §4:

• Authentication and wallet provisioning (Magic Labs Inc.).
• Edge networking and DDoS protection (named in your account compliance settings).
• Error tracking and uptime monitoring (named in your account compliance settings).
• Email delivery for transactional notifications.

We review third-party providers periodically. We will update this policy if we add or change a provider that receives your data.

08

International data transfers#

Kyron operates globally. Your data may be processed in jurisdictions other than the one you reside in, including the United States, the European Union, the United Kingdom, Singapore, and other locations where our service providers operate. We use standard contractual clauses, intra-group transfer agreements, and equivalent safeguards where applicable to ensure adequate protection during cross-border transfers.

09

Your rights#

Depending on your jurisdiction, you have the following rights:

• Access: request a copy of the personal data we hold about you.
• Correction: ask us to correct inaccurate or incomplete data.
• Deletion: ask us to delete your data, subject to retention obligations under applicable law (financial-services and anti-money-laundering regulations typically prevent immediate full deletion).
• Portability: receive your data in a structured, machine-readable format and transmit it to another service.
• Restriction and objection: ask us to restrict processing or object to specific uses of your data.
• Withdraw consent: withdraw consent for processing based on consent (this does not affect lawfulness of prior processing).
• Complaint: lodge a complaint with your local data-protection authority.

To exercise any of these rights, email privacy@kyron.exchange. We will respond within the time required by applicable law (typically 30 days under GDPR and CCPA).

10

Security#

We protect your data with industry-standard controls: encryption in transit (TLS 1.2 or higher) and at rest, network segmentation, least-privilege access controls, audit logging, multi-factor authentication for administrative access, and continuous security monitoring.

No security is perfect. In the event of a personal-data breach that is likely to result in a risk to your rights, we will notify affected users and applicable regulators within the timeframes required by law (typically 72 hours under GDPR).

11

Children#

Kyron is not directed to anyone under the age of 18 (or the age of majority in your jurisdiction, if higher). We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us at privacy@kyron.exchange and we will delete it promptly.

12

Changes to this policy#

We may update this policy from time to time. Material changes will be announced via in-app notification at least seven (7) days before they take effect, except where shorter notice is required by law. The current effective date is shown in the header.

13

Contact and Data Protection Officer#

For privacy-related questions, requests to exercise your rights, or to report a privacy concern, contact privacy@kyron.exchange.

Where required by applicable law, our Data Protection Officer can be reached at the same address.