Skip to main content
Earn
Log InGet Started

Legal

Terms of ServicePrivacy PolicyCookie PolicyRisk DisclosureAML/KYC PolicyRWA DisclosureProhibited UseE-Sign ConsentLaw EnforcementBug BountyAPI TermsLegal Shield Terms

Privacy Policy

Last updated: February 10, 2026

This Privacy Policy ("Policy") describes how 3-102-954669 S.R.L., a sociedad de responsabilidad limitada organized under the laws of the Republic of Costa Rica (operating as "XEX"), and its subsidiaries, affiliates, and related entities (collectively, "XEX," "we," "us," or "our") collect, use, share, and protect personal information obtained from users ("you" or "User") of the XEX cryptocurrency exchange platform, including the website located at xex.to, the XEX mobile applications, the XEX API, and all related services (collectively, the "Platform"). By accessing or using the Platform, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with the practices described herein, you must immediately discontinue your use of the Platform.

This Policy applies to all Users worldwide, regardless of jurisdiction, and supplements (but does not replace) any jurisdiction-specific disclosures or notices we may provide. Where local law mandates additional protections or disclosures, those requirements shall be addressed in supplementary notices made available to affected Users.

1. Information We Collect

We collect a broad range of information to operate, maintain, and improve the Platform, to comply with our legal and regulatory obligations, and to protect the security and integrity of our services. The categories of information we collect include, but are not limited to, the following:

1.1 Personal Information

When you create an account, complete identity verification, or otherwise interact with the Platform, we may collect personal information that directly identifies you, including:

  • Full legal name (including any prior names, aliases, or name variations)
  • Email address (primary and any secondary addresses associated with your account)
  • Phone number (including mobile, landline, and any numbers used for two-factor authentication)
  • Date of birth and place of birth
  • Social Security Number (SSN), Tax Identification Number (TIN), or equivalent national identification number as required by applicable tax reporting and anti-money laundering regulations
  • Government-issued identification documents such as passports, national identity cards, driver's licenses, and residence permits, including photographs or scans of such documents
  • Residential address and proof of address documentation (such as utility bills, bank statements, or government correspondence)
  • Nationality and citizenship status, including dual or multiple citizenships
  • Facial biometric data collected through selfie verification or liveness checks conducted during the identity verification process
  • Employment and professional information, including occupation, employer name, and source of income

1.2 Financial Information

In order to facilitate transactions, comply with financial regulations, and monitor for suspicious activity, we collect and process financial information, including:

  • Bank account details, including account numbers, routing numbers, IBAN, SWIFT/BIC codes, and the name of the financial institution
  • Payment card information (where applicable), processed securely through PCI-DSS compliant payment processors
  • Cryptocurrency wallet addresses associated with deposits, withdrawals, and transfers
  • Complete transaction history, including all trades, deposits, withdrawals, conversions, transfers, staking activities, and any other financial operations conducted on the Platform
  • Source of funds and source of wealth documentation, including bank statements, pay stubs, tax returns, inheritance records, or other evidence of the legitimate origin of assets
  • Account balances and portfolio composition across all asset types held on the Platform
  • Fiat currency and cryptocurrency deposit/withdrawal amounts, frequencies, and counterparty information

1.3 Device and Technical Information

When you access the Platform, we automatically collect technical information from your device, including:

  • IP address (both IPv4 and IPv6), including geolocation data derived from your IP address
  • Browser type and version, including browser language, plugin, and extension information
  • Operating system and version (e.g., Windows, macOS, Linux, iOS, Android)
  • Device identifiers, including device ID, advertising ID, hardware model, and unique device fingerprints
  • Screen resolution, time zone, and locale settings
  • Network information, including connection type (Wi-Fi, cellular), carrier name, and signal strength
  • Referral URLs and exit pages

1.4 Usage Information

We collect detailed information about how you interact with the Platform, including:

  • Pages visited, including the sequence and duration of page views
  • Features accessed and used, including trading interfaces, wallet functionality, API endpoints, and staking or lending products
  • Trading patterns and behaviors, including order types, frequency, timing, size, and execution characteristics
  • Search queries entered on the Platform
  • Click patterns, scroll depth, and interaction events
  • Session duration, login frequency, and time-of-day usage patterns
  • Error logs and crash reports
  • Communications with our support team, including chat transcripts, email correspondence, and phone call recordings (where permitted by law)

1.5 Blockchain Information

Due to the inherent transparency of blockchain technology, we collect and analyze publicly available blockchain data, including:

  • Public wallet addresses associated with your account or linked to your transactions
  • Transaction hashes for all on-chain transactions involving the Platform
  • On-chain activity and transaction patterns, including interactions with decentralized applications, smart contracts, DeFi protocols, and other blockchain-based services
  • Token balances and holdings visible on public blockchains
  • Blockchain analytics data obtained from third-party analytics providers, including risk scores, cluster analyses, and exposure assessments for sanctioned entities, darknet markets, mixing services, and other high-risk categories

2. How We Use Your Information

We use the information we collect for the following purposes, and we reserve the right to use such information for any lawful purpose consistent with this Policy:

  • Providing and maintaining our services: To operate the Platform, process transactions, execute trades, manage your account, facilitate deposits and withdrawals, and deliver customer support
  • Identity verification and KYC/AML compliance: To verify your identity, conduct Know Your Customer (KYC) and Anti-Money Laundering (AML) checks, screen against sanctions lists and politically exposed persons (PEP) databases, and fulfill our obligations under the Bank Secrecy Act, EU Anti-Money Laundering Directives, the Financial Action Task Force (FATF) recommendations, and all other applicable regulatory frameworks
  • Regulatory compliance and reporting: To comply with tax reporting requirements (including IRS Form 1099, FATCA, CRS, and DAC8), file Suspicious Activity Reports (SARs), Currency Transaction Reports (CTRs), and respond to lawful requests from regulatory authorities and law enforcement agencies worldwide
  • Fraud prevention and security: To detect, prevent, and investigate fraud, unauthorized access, market manipulation, wash trading, and other prohibited activities; to enforce our Terms of Service; and to protect the rights, property, and safety of XEX, our Users, and the public
  • Platform improvement and analytics: To analyze usage trends, monitor the performance and reliability of the Platform, develop new features and products, conduct A/B testing, and improve the overall user experience
  • Communications: To send service-related notifications, security alerts, account updates, transaction confirmations, and regulatory notices. These communications are essential to the operation of your account and cannot be opted out of
  • Marketing (with consent where required): To send promotional materials, newsletters, market updates, and information about new products or features. Where required by applicable law, we will obtain your prior consent before sending marketing communications. You may withdraw your consent at any time by following the unsubscribe instructions in any marketing communication or by contacting us directly
  • Risk management: To assess and manage credit risk, counterparty risk, market risk, and operational risk associated with our services
  • Legal proceedings: To establish, exercise, or defend legal claims, and to comply with court orders, subpoenas, or other legal processes

3. Legal Basis for Processing (GDPR)

For Users located in the European Economic Area (EEA), the United Kingdom, and Switzerland, we process personal data on the following legal bases as provided under the General Data Protection Regulation (GDPR) and equivalent local legislation:

  • Contractual necessity (Article 6(1)(b) GDPR): Processing is necessary for the performance of the contract between you and XEX (i.e., our Terms of Service), including account creation, identity verification, transaction processing, and the provision of customer support. Without such processing, we would be unable to provide the Platform's services to you.
  • Legal obligation (Article 6(1)(c) GDPR): Processing is necessary for compliance with legal obligations to which XEX is subject, including AML/KYC regulations, tax reporting requirements, sanctions screening obligations, and data retention mandates imposed by financial regulators in any jurisdiction where we operate or are licensed.
  • Legitimate interests (Article 6(1)(f) GDPR): Processing is necessary for the purposes of the legitimate interests pursued by XEX or a third party, except where such interests are overridden by your fundamental rights and freedoms. Our legitimate interests include: fraud prevention and detection; network and information security; platform improvement and analytics; enforcement of our Terms of Service; marketing of our products and services to existing customers; and the establishment, exercise, or defense of legal claims. We have conducted a balancing test for each of these interests and have determined that the processing is proportionate and does not unduly impact your rights.
  • Consent (Article 6(1)(a) GDPR): Where none of the above bases apply, we process your personal data on the basis of your freely given, specific, informed, and unambiguous consent. This includes, where applicable, the processing of special categories of data (such as biometric data for identity verification) and the sending of direct marketing communications. You have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

4. Information Sharing and Disclosure

We may share your personal information with the following categories of recipients. You acknowledge and agree that such sharing is necessary for the operation of the Platform and compliance with our legal obligations:

4.1 Service Providers

We engage trusted third-party service providers to perform functions on our behalf, including but not limited to: cloud hosting and data storage providers; identity verification and KYC/AML service providers; payment processors and banking partners; customer support platforms; email and communications service providers; analytics and business intelligence tools; and cybersecurity and fraud prevention services. All service providers are bound by contractual obligations to process your data only in accordance with our instructions and to implement appropriate technical and organizational security measures.

4.2 Regulatory and Tax Authorities

We disclose personal information to regulatory authorities, tax agencies, and governmental bodies as required by applicable law. This includes, without limitation, reporting to financial intelligence units (FIUs), securities regulators, tax authorities (including the IRS, HMRC, and equivalent agencies in other jurisdictions), and any other governmental body with jurisdiction over our operations. Such disclosures may occur without prior notice to you where prohibited by law.

4.3 Law Enforcement

We cooperate fully with law enforcement agencies and may disclose your personal information in response to lawful requests, including subpoenas, court orders, search warrants, national security letters, and other legal process. We reserve the right to disclose information we believe in good faith is necessary to prevent imminent harm, investigate potential violations of law, or protect the rights, property, or safety of XEX, our Users, or others. We are under no obligation to notify you of such disclosures unless required by applicable law.

4.4 Blockchain Analytics Firms

We share transaction data, wallet addresses, and related information with blockchain analytics and compliance firms (such as Chainalysis, Elliptic, and similar providers) for the purposes of transaction monitoring, risk scoring, sanctions screening, and compliance with the Travel Rule and other regulatory requirements. The data shared with these providers may be retained by them in accordance with their own data retention policies.

4.5 Corporate Transactions

In the event of a merger, acquisition, reorganization, bankruptcy, asset sale, or other corporate transaction involving XEX, your personal information may be transferred to the acquiring entity or successor organization. We will endeavor to provide notice of such transfer, but you acknowledge that such notice may not always be possible or required by law.

4.6 With Your Consent

We may share your personal information with third parties for purposes not described in this Policy when we have obtained your explicit consent to do so. You may withdraw such consent at any time, but withdrawal will not affect the lawfulness of sharing that occurred prior to withdrawal.

4.7 Aggregated and De-identified Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you with any third party for any purpose, including research, analytics, marketing, and business development. Such data is not subject to the restrictions of this Policy.

5. International Data Transfers

XEX operates globally, and your personal information may be transferred to, stored in, and processed in countries other than the country in which it was collected, including countries that may not provide the same level of data protection as your home jurisdiction. By using the Platform, you explicitly consent to such transfers.

Where we transfer personal data from the EEA, UK, or Switzerland to countries not recognized as providing an adequate level of data protection, we implement appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (as amended or replaced from time to time) as the primary mechanism for transferring personal data to countries without an adequacy decision. Copies of the relevant SCCs are available upon request.
  • Adequacy decisions: Where the European Commission or the UK Secretary of State has determined that a country provides an adequate level of data protection, we rely on such adequacy decisions to facilitate transfers to those countries.
  • Binding Corporate Rules (BCRs): For intra-group transfers, we may rely on binding corporate rules approved by the relevant supervisory authority to ensure consistent protection of personal data across our corporate group.
  • Supplementary measures: Where required by applicable law or guidance from supervisory authorities, we implement additional technical, organizational, or contractual measures to supplement the safeguards described above, including encryption of data in transit and at rest, pseudonymization, and access controls.

Notwithstanding the foregoing, certain transfers may be necessary for the performance of our contract with you, for the establishment, exercise, or defense of legal claims, or for important reasons of public interest, in which case we may rely on the applicable derogations under Article 49 of the GDPR or equivalent provisions under local law.

6. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, to comply with our legal and regulatory obligations, and to protect our legitimate interests. Specific retention periods are as follows:

  • Active account data: We retain your personal information for the duration of your account's existence and active use of the Platform.
  • Post-account closure: Following account closure or termination, we retain your personal information for a minimum of five (5) years and up to seven (7) years (or longer where required by applicable law) to comply with AML/KYC regulations, tax reporting requirements, and other legal obligations. In certain jurisdictions, retention periods may extend to ten (10) years or more.
  • Transaction records: Records of all transactions conducted on the Platform are retained for a minimum of seven (7) years from the date of the transaction, or longer if required by applicable financial regulations.
  • Blockchain data: Information recorded on public blockchains is permanent and immutable by nature. XEX has no ability to delete, modify, or control data that has been recorded on a blockchain. You acknowledge and accept that on-chain data, including transaction hashes, wallet addresses, and transaction amounts, will persist indefinitely and is publicly accessible.
  • Dispute and litigation holds: Where we reasonably anticipate litigation, regulatory investigation, or dispute, we may retain relevant personal information beyond the standard retention period for as long as necessary to resolve such matters.
  • Aggregated data: Aggregated or de-identified data that cannot reasonably be used to identify you may be retained indefinitely for analytics, research, and business purposes.

7. Data Security Measures

We implement comprehensive technical and organizational measures designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction. While no system can guarantee absolute security, our measures include:

  • Encryption: All personal data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption or equivalent standards. Cryptographic keys are managed using hardware security modules (HSMs) in accordance with industry best practices.
  • Access controls: Access to personal data is restricted to authorized personnel on a strict need-to-know basis. We enforce role-based access controls (RBAC), multi-factor authentication (MFA) for all internal systems, and regular access reviews to ensure compliance with the principle of least privilege.
  • Regular security audits: We conduct regular internal and third-party security audits, penetration testing, and vulnerability assessments to identify and remediate potential security weaknesses. Our security program is aligned with industry-recognized frameworks, including SOC 2 Type II and ISO 27001.
  • Incident response: We maintain a formal incident response plan that includes procedures for the detection, containment, investigation, and notification of data breaches. In the event of a breach that affects your personal information, we will notify you and the relevant supervisory authorities in accordance with applicable law. However, we reserve the right to delay notification where doing so is necessary for law enforcement purposes or to prevent further harm.
  • Employee training: All employees and contractors with access to personal data undergo mandatory security awareness and data protection training upon onboarding and at regular intervals thereafter.
  • Physical security: Our data centers and office facilities are protected by physical access controls, including biometric authentication, surveillance systems, and 24/7 security monitoring.

Notwithstanding the foregoing, you acknowledge and agree that no method of transmission over the Internet or method of electronic storage is 100% secure, and XEX cannot guarantee the absolute security of your personal information. You are responsible for maintaining the confidentiality of your account credentials and for all activity that occurs under your account.

8. Your Rights Under the GDPR

If you are located in the EEA, UK, or Switzerland, you have the following rights with respect to your personal data under the GDPR and equivalent local legislation. These rights are not absolute and may be subject to limitations and exceptions as permitted by applicable law:

  • Right of access (Article 15): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to request a copy of the personal data undergoing processing. We may charge a reasonable administrative fee for manifestly unfounded or excessive requests, or where additional copies are requested.
  • Right to rectification (Article 16): You have the right to request the correction of inaccurate personal data and the completion of incomplete personal data. We will make reasonable efforts to rectify data promptly, subject to verification of the corrected information.
  • Right to erasure (Article 17): You have the right to request the deletion of your personal data in certain circumstances. However, this right is subject to significant limitations. We may refuse erasure requests where processing is necessary for compliance with a legal obligation (including AML/KYC retention requirements), for the establishment, exercise, or defense of legal claims, or for reasons of public interest. Given our regulatory obligations, we are unlikely to be able to comply with erasure requests for KYC data, transaction records, or other information subject to mandatory retention periods.
  • Right to restriction of processing (Article 18): You have the right to request the restriction of processing of your personal data where you contest the accuracy of the data, the processing is unlawful, we no longer need the data but you require it for legal claims, or you have objected to processing pending verification of our legitimate grounds.
  • Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where technically feasible and where processing is based on consent or contractual necessity and carried out by automated means.
  • Right to object (Article 21): You have the right to object to the processing of your personal data based on our legitimate interests. Upon receiving an objection, we will cease processing unless we demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims. You have an absolute right to object to processing for direct marketing purposes.
  • Rights related to automated decision-making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where such decision is necessary for the performance of a contract, authorized by law, or based on your explicit consent. See Section 11 below for further details.

To exercise any of these rights, please contact our Data Protection Officer at dpo@xex.to. We will respond to your request within thirty (30) days or such longer period as permitted by applicable law. We may require you to verify your identity before processing your request.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"). These rights are subject to certain exceptions and limitations set forth in the CCPA:

  • Right to know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, the business or commercial purpose for collecting it, the categories of third parties with whom we shared it, and the categories of personal information we sold or disclosed for a business purpose in the preceding twelve (12) months. You may make such a request up to twice in any twelve-month period.
  • Right to delete: You have the right to request that we delete personal information we have collected from you. This right is subject to extensive exceptions, including where retention is necessary to complete a transaction, comply with a legal obligation, detect security incidents, or exercise or defend legal claims. Given the regulatory requirements applicable to cryptocurrency exchanges, we may be unable to honor deletion requests for most categories of personal information.
  • Right to correct: You have the right to request that we correct inaccurate personal information we maintain about you.
  • Right to opt out of sale or sharing: You have the right to opt out of the "sale" or "sharing" of your personal information as those terms are defined under the CCPA. XEX does not sell personal information in the traditional sense. However, to the extent that certain data sharing activities (such as sharing data with analytics or advertising partners) constitute a "sale" or "sharing" under the CCPA, you may exercise your right to opt out by contacting us at privacy@xex.to.
  • Right to limit use of sensitive personal information: You have the right to limit our use of sensitive personal information (such as SSN, financial account information, and precise geolocation) to uses that are necessary to provide the services you requested. However, substantially all of our uses of sensitive personal information fall within the permissible use exceptions under the CCPA.
  • Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights. However, if you exercise certain rights (such as deletion) that prevent us from providing services to you, we may be unable to continue to maintain your account.
  • Authorized agent: You may designate an authorized agent to submit requests on your behalf. We may require proof of the agent's authorization, such as a signed written authorization or a power of attorney, and we may require you to verify your own identity directly.

To submit a verifiable consumer request under the CCPA, please contact us at privacy@xex.to or through the contact details provided in Section 15 below.

10. Cookies and Tracking Technologies

We use cookies, web beacons, pixel tags, local storage, and similar tracking technologies to collect information about your interactions with the Platform. These technologies serve various purposes, including ensuring the proper functioning of the Platform, remembering your preferences, analyzing usage patterns, and delivering targeted advertising.

For detailed information about the types of cookies we use, the purposes for which we use them, and how you can manage your cookie preferences, please refer to our Cookie Policy.

We use the following categories of tracking technologies:

  • Essential cookies: These are strictly necessary for the operation of the Platform and cannot be disabled. They include session cookies, security tokens, CSRF protection tokens, and load balancing cookies.
  • Analytics cookies: We use analytics tools, including Google Analytics, to collect aggregated information about how Users interact with the Platform. This data helps us understand usage patterns, identify performance issues, and improve our services.
  • Marketing and advertising cookies: We may use cookies from advertising networks and social media platforms to deliver targeted advertisements, measure ad effectiveness, and retarget Users who have visited the Platform. You can opt out of marketing cookies through your browser settings or our cookie consent mechanism.

11. Automated Decision-Making and Profiling

We employ automated decision-making and profiling technologies as part of our compliance, risk management, and fraud prevention processes. These systems process personal information to make decisions without human intervention in certain circumstances:

  • Risk scoring: We assign risk scores to Users and transactions based on a variety of factors, including geographic location, transaction patterns, counterparty analysis, and blockchain analytics data. Risk scores are used to determine the level of enhanced due diligence required, to flag transactions for manual review, and to restrict or terminate accounts that exceed acceptable risk thresholds.
  • Fraud detection: Our automated systems monitor transactions, login attempts, and account activity in real time to detect and prevent fraudulent activity, unauthorized access, and account takeover. Automated decisions may result in the temporary suspension of transactions, the freezing of account funds, or the restriction of account functionality pending manual review.
  • Trading pattern analysis: We analyze trading patterns to detect market manipulation, wash trading, spoofing, layering, and other prohibited trading activities. Automated detection of such patterns may result in trade cancellations, account restrictions, or referral to regulatory authorities.
  • AML/KYC screening: Automated screening is performed against sanctions lists, PEP databases, adverse media databases, and other compliance data sources. Positive matches may result in the suspension of onboarding, the restriction of services, or the filing of regulatory reports.

Right to human review: Where an automated decision produces legal effects concerning you or similarly significantly affects you, you have the right to request human review of that decision, to express your point of view, and to contest the decision. To request human review, please contact us at dpo@xex.to. We will respond to such requests within a reasonable timeframe, but you acknowledge that human review may not always result in a different outcome.

12. Children's Privacy

The Platform is not intended for use by individuals under the age of eighteen (18). We do not knowingly collect, solicit, or maintain personal information from anyone under the age of 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take reasonable steps to delete such information from our records as promptly as practicable, subject to our regulatory retention obligations. If you believe that a child under 18 has provided personal information to us, please contact us immediately at dpo@xex.to.

In jurisdictions where the minimum age for processing personal data is higher than 18, or where parental consent is required for the processing of personal data of minors, we will comply with such local requirements. However, under no circumstances will we provide access to trading or financial services to any individual under the age of 18.

13. Third-Party Links and Services

The Platform may contain links to third-party websites, applications, services, or resources that are not operated or controlled by XEX, including but not limited to blockchain explorers, decentralized applications, external wallet providers, news outlets, and social media platforms. This Policy does not apply to those third-party services, and we are not responsible for the privacy practices, security measures, or content of any third party.

We strongly encourage you to review the privacy policies and terms of service of any third-party service before providing personal information to them. XEX shall not be liable for any loss, damage, or harm arising from your interactions with third-party services, including any unauthorized collection, use, or disclosure of your personal information by such third parties.

14. Changes to This Policy

We reserve the right to modify, amend, or replace this Privacy Policy at any time, in our sole discretion, without prior notice to you except as required by applicable law. Any changes to this Policy will be effective immediately upon posting the revised Policy on the Platform, with an updated "Last updated" date at the top of this page.

We may, but are not obligated to, notify you of material changes through one or more of the following methods: posting a prominent notice on the Platform; sending an email to the address associated with your account; displaying an in-app notification or banner; or requiring you to acknowledge and accept the updated Policy before continuing to use the Platform.

Your continued use of the Platform after the posting of any changes to this Policy constitutes your acceptance of and agreement to those changes. If you do not agree with any modification, your sole and exclusive remedy is to discontinue your use of the Platform and close your account.

15. Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and ensuring compliance with applicable data protection laws. If you have any questions, concerns, or requests regarding this Policy or our data protection practices, you may contact our DPO as follows:

  • Email: dpo@xex.to
  • Subject line: "Privacy Inquiry" or "Data Subject Request"
  • Postal address: XEX (3-102-954669 S.R.L.), Attn: Data Protection Officer, Calle 37, Avenida Tercera, Oficina 101, Barrio Dent, San Pedro, Montes de Oca, San José, Costa Rica

We will acknowledge receipt of your inquiry within five (5) business days and will endeavor to respond substantively within thirty (30) days. For complex requests, we may extend the response period by an additional sixty (60) days, in which case we will notify you of the extension and the reasons for it.

For general privacy-related inquiries that do not require the attention of the DPO, you may also contact us at privacy@xex.to.

16. Complaint Rights

If you believe that our processing of your personal information violates applicable data protection law, you have the right to lodge a complaint with the competent supervisory authority in your jurisdiction. Without limiting your right to contact any supervisory authority, below is a non-exhaustive list of relevant bodies:

  • European Economic Area: You may lodge a complaint with the data protection authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement. A list of EU data protection authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
  • United Kingdom: You may lodge a complaint with the Information Commissioner's Office (ICO) at https://ico.org.uk.
  • Switzerland: You may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) at https://www.edoeb.admin.ch.
  • Other jurisdictions: If you are located outside the EEA, UK, or Switzerland, you may have the right to lodge a complaint with the relevant data protection authority in your jurisdiction. Please contact us at dpo@xex.to if you require assistance identifying the appropriate authority.

We encourage you to contact us first at dpo@xex.to so that we may attempt to resolve your concern before you escalate the matter to a supervisory authority. However, lodging a complaint with a supervisory authority is your right and does not require that you first contact us.

Products

  • Spot Trading
  • Futures
  • Options
  • Margin
  • Convert
  • Earn

Real World Assets

  • Overview
  • Treasuries
  • Bonds
  • Commodities
  • Real Estate
  • Equities
  • RWA Analytics

Services

  • P2P Trading
  • Copy Trading
  • Trading Bots
  • Fiat Gateway
  • Referral Program
  • Download Apps

Company

  • About
  • Security
  • Legal Shield
  • Compliance
  • Fees
  • Careers
  • Press
  • Contact

Resources

  • Learn & Earn
  • Help Center
  • Blog
  • API Docs

Legal

  • Terms of Service
  • Privacy Policy
  • Cookie Policy
  • Risk Disclosure
  • AML/KYC Policy
  • RWA Disclosure
  • Prohibited Use
  • Legal Shield Terms
Execute. Exchange. Excel.

Cryptocurrency trading involves significant risk. Digital asset values can fluctuate substantially and you may lose your entire investment. Past performance does not guarantee future results. This is not investment, financial, or legal advice. Full Risk Disclosure

© 2026 3-102-954669 S.R.L. (XEX). All rights reserved.

Services may not be available in all jurisdictions. Please check local regulations.