Privacy Policy
Last updated: 2026-04-18 · Version 1.0
This Privacy Policy describes how bayanX collects, uses, and protects information about you. It applies to all users of the Service. We aim for GDPR-level protections globally, regardless of your jurisdiction.
1. What we collect
Automatically collected
- Wallet address (pseudonymous identifier).
- IP address (hashed to /24 for rate limiting and anomaly detection; raw IP stored only in security logs for ≤ 90 days).
- User-agent string (hashed fingerprint for session binding).
- Trade and order history (necessary for the Service to function).
- Deposit / withdrawal transaction hashes (public on-chain data).
Provided by you
- Country of residence (optional, for regulatory compliance).
- Age range (optional, for analytics).
- Email address (optional; used for deposit / withdrawal notifications if enabled).
What we do NOT collect
- Your private keys or seed phrase. Ever.
- Your real name, address, phone number, or government ID (unless you opt into external KYC for a specific feature).
- Facial / biometric data.
2. How we use your data
- Service operation: matching orders, settling trades, crediting deposits.
- Security: JWT IP/UA binding, anomaly detection (wash trading, Sybil clusters, order spam).
- Compliance: geofencing of restricted jurisdictions, sanctions screening.
- Customer support: processing your inquiries.
- Product analytics: aggregate metrics (DAU, volume, retention). Individual behaviour is NOT sold to third parties.
3. Cookies & local storage
We use local storage (not cookies) for session tokens, user preferences (language, notification settings), and dismissal states of banners and prompts. No third-party advertising cookies are set.
4. Third parties
We share data with the following service providers, under strict contractual limits:
- Infrastructure: AWS, Cloudflare (hosting, DDoS mitigation, CDN).
- Error tracking: Sentry (scrubbed of PII before ingestion).
- Price feeds: Binance, Coinbase, Chainlink (public data only; no user data shared).
- Blockchain: Arbitrum RPC providers (public transaction data only).
We do not sell, rent, or trade your personal information with advertisers or data brokers.
5. Data retention
- Trade / order history: kept indefinitely (regulatory requirement).
- Security / anomaly logs: 90 days.
- Raw IP addresses in login logs: 90 days.
- Desktop notification preferences: stored locally on your device; deleted when you clear browser data.
6. Your rights
- Access: Request a copy of all data we hold about your account. We will deliver it within 30 days.
- Correction: Update inaccurate optional fields via the settings page.
- Deletion: Request erasure of optional fields (country, age, email). Trade history cannot be deleted without also closing the account permanently, because it is part of the ledger and subject to regulatory retention.
- Portability: Export your trade history as CSV from the Portfolio page at any time.
- Objection: Opt out of analytics (non-security) by disabling telemetry in Settings → Notifications.
7. Security measures
- DB ↔ on-chain Vault reconciliation every 60 seconds.
- JWTs bound to your IP network (/24) and browser fingerprint.
- Hardware-key (FIDO2 / WebAuthn) support for admin accounts.
- Per-API-key sliding-window rate limit for external integrations.
- TLS 1.3 for all traffic; HSTS preload.
8. International transfers
Your data may be processed in any country where bayanX or its infrastructure providers operate, including those outside your country of residence. We use appropriate safeguards (standard contractual clauses) for cross-border transfers.
9. Children
The Service is not intended for anyone under 18. We do not knowingly collect data from minors.
10. Changes
We may update this Policy. Material changes are announced via the Notice CMS and at your next login.
11. Contact
Privacy questions or rights requests: privacy@bayanx.com
Data Protection Officer: dpo@bayanx.com