Privacy Policy

Last updated: June 8, 2026

1. Introduction

Herald Exchange ("Herald", "we", "us", or "our") is committed to protecting your personal information. This Privacy Policy explains what information we collect, how we use it, with whom we share it, and the rights you have regarding your personal data.

This Policy applies to your use of the Herald Exchange website, mobile applications, APIs, and related services (collectively, the "Services"). It supplements any other notices we may provide. If you are located in the European Economic Area (EEA), the United Kingdom, California, or any other jurisdiction with specific data protection laws, additional rights and obligations may apply as described below.

2. Information We Collect

2.1 Identity & Contact Information

When you register an account, we collect your full name, email address, phone number, username, date of birth, nationality, and residential address. We may also collect supplementary information you provide, such as occupation and source of funds.

2.2 KYC / Verification Documents

To comply with anti-money-laundering and know-your-customer obligations, we collect government-issued identification documents (passport, national ID, or driving licence), proof of address (utility bill or bank statement), selfie or liveness-check biometric data, tax identification numbers where required, and supporting documentation for enhanced due-diligence checks.

2.3 Financial & Transactional Information

We collect details about your deposits, withdrawals, trading activity, wallet and bank-account information, and on-chain blockchain transaction data related to your account.

2.4 Device & Technical Information

We automatically collect information about the devices you use to access the Services, including IP address, device type and model, operating system, browser type, language settings, unique device identifiers, and approximate geolocation derived from IP.

2.5 Usage Data

We collect information about how you interact with the Services, including pages visited, features used, actions taken, timestamps, referring URLs, session duration, and error logs.

2.6 Cookies & Similar Technologies

We use cookies, local storage, pixels, and similar technologies to operate the Services, remember preferences, and analyze traffic. Please see our Cookie Policy for details and your choices.

3. How We Use Your Information

We process personal information for the following purposes:

  • Providing, operating, and maintaining the Services;
  • Registering and authenticating users, including identity verification and fraud prevention;
  • Processing deposits, withdrawals, trades, and other transactions;
  • Complying with legal, regulatory, and tax obligations, including AML, CTF, KYC, sanctions screening, and transaction reporting;
  • Detecting, investigating, and preventing fraudulent, unauthorized, or illegal activity;
  • Responding to support requests and communicating with you about the Services;
  • Sending service announcements, security alerts, and policy updates;
  • Measuring performance, analyzing usage trends, and improving the Services;
  • With your consent, sending marketing communications about products, features, or promotions.

4. Legal Basis for Processing (GDPR)

If you are located in the EEA or United Kingdom, we rely on the following legal bases under the General Data Protection Regulation (GDPR) and UK GDPR:

  • Contract: to perform our agreement with you and provide the Services you request;
  • Legal obligation: to comply with AML, KYC, tax, sanctions, and other applicable laws;
  • Legitimate interests: to secure the Services, prevent fraud, improve our products, and conduct business operations, in a manner that does not override your fundamental rights;
  • Consent: for optional activities such as marketing and certain cookies; you may withdraw consent at any time.

5. How We Share Information

We do not sell your personal information. We may share it with:

  • Service providers: vendors that host our infrastructure, perform identity verification, monitor transactions, deliver email, provide analytics, or assist with customer support, under contractual confidentiality and data-protection obligations;
  • Regulators and authorities: financial regulators, tax authorities, and other government bodies where required by law, regulation, or legal process;
  • Law enforcement: in response to lawful requests, subpoenas, court orders, or to protect our rights, property, and safety, or that of our users or the public;
  • Professional advisers: auditors, lawyers, and insurers bound by confidentiality;
  • Corporate transactions: in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate safeguards;
  • With your consent: for any other purpose disclosed to you at the time.

6. International Data Transfers

Herald operates globally and may transfer your personal information to countries outside your home jurisdiction, including countries whose laws do not provide the same level of data protection. Where we transfer personal data from the EEA, United Kingdom, or Switzerland to a country not recognized as providing adequate protection, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses or other lawful transfer mechanisms.

You may request a copy of the safeguards we use by contacting us at [email protected].

7. Data Retention

We retain personal information for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. KYC records, transaction histories, and AML data are generally retained for at least five (5) years after an account is closed, or longer if required by law. Marketing preferences are retained until you opt out. Support correspondence and fraud-investigation records are kept for the period needed to demonstrate the outcome of any investigation and to defend against future claims.

When information is no longer required, we will delete or anonymize it in a secure manner. In some cases we may retain limited metadata (such as the fact that an account existed, or the date of an AML filing) because it is required for regulatory recordkeeping even after we no longer hold the underlying identifiers.

8. Your Rights

Subject to applicable law and verification of your identity, you have the following rights in respect of your personal information:

  • Access: obtain a copy of the personal data we hold about you;
  • Rectification: correct inaccurate or incomplete data;
  • Erasure: request deletion where there is no legal basis to keep the data (note: many records must be retained to comply with AML and other laws);
  • Portability: receive your data in a structured, machine-readable format and transmit it to another controller;
  • Restriction: limit how we process your data in certain circumstances;
  • Objection: object to processing based on legitimate interests or for direct marketing;
  • Withdraw consent: at any time, without affecting the lawfulness of prior processing;
  • Complain: lodge a complaint with your local data-protection authority.

California residents (CCPA/CPRA) have additional rights to know the categories and specific pieces of personal information collected, the categories of sources, the business or commercial purpose, and the categories of third parties with whom information is shared. California residents also have the right to opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under California law.

To exercise any of these rights, please contact [email protected]. We will respond within the timeframes required by applicable law.

9. Security

We implement technical and organizational measures designed to protect personal information from unauthorized access, disclosure, alteration, and destruction. These include encryption in transit and at rest, network segmentation, access controls, multi-factor authentication, continuous monitoring, regular penetration testing, and employee training.

We require our staff and contractors to handle personal information only when necessary for their role and under written confidentiality obligations. Access to production systems is logged, reviewed, and limited by the principle of least privilege. We maintain incident-response procedures to contain, investigate, and remediate any suspected security incident and to notify affected users and relevant authorities where required by law.

No security system is impenetrable. You are responsible for safeguarding your credentials, enabling 2FA, using a strong and unique password, keeping your recovery codes offline, reviewing devices signed in to your account, and notifying us immediately of any suspected compromise.

9a. Automated Decision-Making

Herald uses automated tools to screen transactions, detect fraud, and comply with sanctions obligations. In limited circumstances, these tools may block a transaction or restrict account features without human intervention. Where an automated decision produces legal or similarly significant effects for you, you have the right to request human review, to express your point of view, and to contest the decision, subject to our regulatory obligations.

9b. California Residents (CCPA/CPRA)

In the preceding 12 months, we have collected the categories of personal information described in Section 2 (identifiers, commercial information, internet/network activity, geolocation data, professional information, and inferences drawn from the above). We collect this information from the sources described in Section 2 and use it for the purposes described in Section 3. We disclose personal information for a business purpose to the categories of recipients described in Section 5.

California residents may also designate an authorized agent to submit requests on their behalf. We will verify the agent's authority before acting. We do not discriminate against residents for exercising their rights.

10. Children

The Services are not directed to, and we do not knowingly collect personal information from, children under the age of 18. If you believe we have inadvertently collected personal information from a child, please contact us and we will take appropriate steps to delete it.

10a. Marketing Communications

From time to time, we may send you product updates, newsletters, or promotional material about Herald features that we think may interest you. We will only do so where we have a lawful basis, and in the EEA and United Kingdom we will rely on either your consent or the soft opt-in for existing customers. You can opt out of marketing at any time by clicking the unsubscribe link in any marketing email or by updating your communication preferences in your account settings.

Operational messages related to your account, transactions, security, or compliance obligations are not marketing communications. You cannot opt out of these while your account remains active, since they are required for us to provide the Services.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or the Services. Material changes will be communicated through the Services or by email to the address associated with your account. The "Last updated" date above reflects the most recent revision.

Your continued use of the Services after the updated Policy becomes effective constitutes acceptance of the changes. Where applicable law requires renewed consent for a change (for example, a new processing purpose not covered by your original consent), we will ask you to provide that consent before the change takes effect for you.

12. Contact Us

If you have questions, concerns, or requests regarding this Policy or our privacy practices, please contact our Data Protection Officer: