1. Who We Are
Nexora Exchange (the "Exchange," "we," "us," or "our") is operated by Fermion, the data controller for all users worldwide:
| Entity | Applicable Region | Regulatory Framework |
|---|---|---|
| Fermion | Worldwide | FINTRAC (Financial Transactions and Reports Analysis Centre of Canada); applicable US state money-transmitter licences; Gibraltar Financial Services Commission (GFSC), Financial Services (Electronic Money) Regulations 2020, POCA 2015 |
Fermion trades publicly under the Nexora Exchange brand. References to "we" and "our" throughout this policy mean Fermion.
Our registered addresses and contact details are set out in Section 11.
2. Data We Collect
2.1 Identity & Verification Data
- Full legal name, date of birth, residential address, nationality
- Government-issued photo ID (passport, national identity card, driving licence)
- Selfie / biometric photograph for liveness checks and identity matching
- Tax identification number (TIN / SSN / equivalent)
- Politically Exposed Person (PEP) self-declaration
2.2 Financial & Compliance Data
- Source of funds and source of wealth declarations
- Bank account details used for deposits and withdrawals
- Crypto wallet addresses
- Full transaction history (deposits, withdrawals, trades, conversions)
- Sanctions and adverse-media screening results
- Ultimate Beneficial Owner (UBO) data and company documentation for business accounts
- Suspicious activity report (SAR) investigation records (where applicable)
2.3 Account & Authentication Data
- Email address and account credentials (password hash, not plaintext)
- Two-factor authentication (2FA) seed and SMS verification records
- Biometric authentication data where enabled on your device
- Login timestamps and session tokens
2.4 Technical & Device Data
- IP address and approximate geolocation (country / city level)
- Device type, operating system, browser or app version
- Cookie identifiers and similar tracking technologies (see Section 9)
- API access logs and WebSocket connection records
2.5 Communications Data
- In-app support chat transcripts
- Emails and messages you send us
- Complaint and dispute records
3. How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Customer Due Diligence (CDD) and Know Your Customer (KYC) checks | Legal obligation (AML/CTF regulations) |
| Sanctions screening and adverse-media screening | Legal obligation |
| Anti-money laundering (AML), counter-terrorist financing (CTF), and counter-proliferation financing (CPF) compliance | Legal obligation |
| Transaction monitoring for financial crime detection | Legal obligation |
| Suspicious activity reporting to the relevant financial intelligence unit | Legal obligation |
| Fraud prevention and detection | Legitimate interests (protecting you and the platform from fraud) |
| Anti-bribery and corruption checks | Legal obligation / legitimate interests |
| Safeguarding of customer e-money in a designated segregated account | Legal obligation (electronic money / payment services regulations) |
| Providing and operating the Exchange services (trading, staking, deposits, withdrawals) | Performance of contract |
| Account registration and authentication | Performance of contract |
| Customer support and complaint handling | Performance of contract / legal obligation |
| Tax-evasion checks and reporting to tax authorities | Legal obligation |
| Regulatory reporting and external audits | Legal obligation |
| Service and security notifications (system alerts, login notifications) | Legitimate interests |
| Marketing communications (where separately opted in) | Consent |
We will not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects without informing you separately and, where required, obtaining your consent.
4. Who We Share Your Data With
We share personal data only as necessary for compliance, operations, and legal obligations. We do not sell your personal data to third parties.
4.1 Regulatory & Law Enforcement Bodies
- Financial intelligence units — FINTRAC (Canada) and the equivalent unit in your jurisdiction, where we are required to file Suspicious Transaction Reports (STRs) or other regulatory reports
- Sanctions authorities — OFAC (US), OSFI (Canada), HM Treasury (UK), and equivalent EU bodies, for sanctions screening and compliance
- Tax authorities — where required by FATCA, CRS, or applicable domestic tax law
- Law enforcement agencies — in response to lawful requests, court orders, or to prevent serious crime
4.2 Service Providers & Partners
- Identity verification / KYC vendors — third-party providers that perform biometric matching and document verification on our behalf
- Sanctions & adverse-media screening vendors — providers of watchlist data and automated screening tools
- Credit institution holding our safeguarding account — the bank or regulated institution where your e-money funds are held in a segregated safeguarding account
- IT infrastructure and cloud providers — hosting, storage, and platform services
- Payment processors — card acquirers and bank transfer intermediaries for fiat deposits and withdrawals
- External auditors — firms engaged to audit our financial statements and compliance programmes
- Legal advisors — to the extent necessary to obtain legal advice or defend legal claims
All third-party processors are bound by data processing agreements and are permitted to use your data only for the specific purposes for which they are engaged.
5. Retention Periods
We keep your personal data only for as long as necessary to fulfil the purpose for which it was collected, satisfy our legal obligations, or as required by applicable AML/CTF regulations.
| Data Category | Retention Period | Basis |
|---|---|---|
| Customer Due Diligence (CDD) records — identity documents, KYC files | 5 years from the end of the business relationship | AML/CTF regulatory requirement (FINTRAC PCMLTFA; AMLD equivalent) |
| Transaction records | 6 years from the date of the transaction | AML/CTF regulatory requirement; tax obligation |
| Company / business account documentation (UBO, corporate records) | 6 years from relationship end | AML/CTF regulatory requirement |
| SAR / investigation records | Minimum 5 years; extended if subject to ongoing investigation | Legal obligation; POCA 2015 / equivalent |
| Communications & support records | 5 years from last contact | Legitimate interests; dispute resolution |
| Cookies & analytics data | Up to 13 months from collection | Legitimate interests (performance measurement) |
After the applicable retention period expires, personal data is securely deleted or anonymised. Our confidentiality obligations to you survive the end of the business relationship.
6. Your Rights
Depending on where you are located, you may have the following rights regarding your personal data. To exercise any of these rights, see Section 11.
Rights Under GDPR / UK DPA 2018 (EU & UK Users)
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — ask us to correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten") — request deletion of your personal data where there is no legitimate legal basis for retention (note: AML/CTF obligations may require us to retain data for the periods set out in Section 5 regardless of an erasure request)
- Right to data portability — receive your data in a structured, machine-readable format and transfer it to another controller, where technically feasible
- Right to object — object to processing based on our legitimate interests
- Right to restrict processing — ask us to pause processing while a dispute is resolved
- Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
- Right to lodge a complaint — with your national supervisory authority. For EU users: your national data protection authority (see the EDPB member list). For UK users: the Information Commissioner's Office (ICO).
Rights Under Canadian PIPEDA / Quebec Law 25 (Canadian Users)
- Access to, and correction of, personal information we hold about you
- Withdrawal of consent (subject to legal / contractual limitations)
- The right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC)
We will respond to verifiable requests within 30 days. We may ask you to verify your identity before fulfilling a request. We may be unable to fulfil a request where it would conflict with our AML/CTF, sanctions, or other legal obligations — in which case we will tell you why, to the extent the law permits.
7. Security
We implement technical and organisational measures appropriate to the risk, including:
- Segregated safeguarding account — customer e-money is held in a designated safeguarding account at a regulated credit institution, separate from our own corporate funds. No co-mingling of customer and operational funds takes place.
- Encryption in transit — all data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
- Encryption at rest — sensitive data fields are encrypted in our databases.
- Access controls — access to personal data is restricted to employees and contractors who need it to perform their job functions, and is governed by role-based access policies.
- Multi-factor authentication — required for all internal staff accessing production systems.
- Penetration testing and vulnerability management — regular security assessments of our platform infrastructure.
- Confidentiality obligations — all staff with access to customer data are bound by confidentiality agreements that survive the end of their engagement with us.
No security measure is 100% foolproof. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law.
8. International Transfers
Nexora Exchange operates across multiple jurisdictions. Your personal data may be transferred to and processed in countries outside your home jurisdiction, including countries that may not provide the same level of data protection as your home country.
Where we transfer personal data originating from the European Economic Area (EEA) or the UK to third countries, we ensure an appropriate safeguard is in place, including one or more of the following:
- An adequacy decision by the European Commission or UK Secretary of State
- Standard Contractual Clauses (SCCs) approved by the European Commission or the UK ICO
- Binding Corporate Rules (BCRs) where applicable
- Other approved transfer mechanisms under GDPR Chapter V / UK GDPR
You may request a copy of the specific safeguard we rely upon for any given transfer by contacting us at the address in Section 11.
9. Cookies & Analytics
9.1 What We Use
Our website and app use cookies and similar tracking technologies. We use the following categories:
| Category | Purpose | Can you opt out? |
|---|---|---|
| Strictly necessary | Session management, authentication, security (e.g. CSRF protection) | No — these are required for the platform to function |
| Functional | Remembering your language and UI preferences | Yes |
| Analytics | Understanding how users navigate the site to improve performance (aggregated, not targeted advertising) | Yes |
9.2 Managing Cookies
You can manage or disable cookies through your browser settings. Note that disabling strictly necessary cookies may prevent you from using core Exchange functionality. For analytics cookies, you may also opt out via our cookie preference centre (if implemented) or by using your browser's "Do Not Track" setting.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you by email (if we hold your email address) or via an in-app notification
- Where required by applicable law, seek your consent for the updated processing
We encourage you to review this policy periodically. Your continued use of the Exchange following notification of material changes constitutes your acknowledgement of the updated policy.
11. Contact & DPO
Data Controller — Fermion
Fermion
⚠ [PLACEHOLDER] — Insert registered address, country, company number, and privacy contact email
Data Protection Officer (DPO)
How to Exercise Your Rights
To submit a data subject rights request, raise a privacy complaint, or ask a question about this policy:
- Email: privacy@nexorapay.com (address to be confirmed)
- In-app chat: available 24/7 within the Nexora Exchange app
We will acknowledge your request within 5 business days and aim to respond fully within 30 calendar days. If we need more time, we will let you know.