Privacy Policy
1. Scope and Purpose
1.1. This Policy explains how personal data are processed in connection with the website and interfaces of buycoin.online (the “Platform”).
1.2. It applies to visitors, registered users, and verified clients of the Platform.
1.3. The Platform provides a front-end/marketplace interface to create orders and interact with independent exchange/payment operators/providers. Personal data processing related to the provision of such services is carried out in accordance with this Policy.
2. Data Controller and Contact Details
2.1. Platform Controller: X AURA LTD (HE448105), 15A Dimostheni Severi Avenue, 1080 Agioi Omologites, Nicosia, Cyprus. E-mail (privacy matters): info@buycoin.online.
3. Roles in Processing
3.1. X AURA LTD acts as controller for account management, Platform navigation, order routing, security, logging, communications, and governance compliance.
3.2. Exchange/payment operators, payment service providers, banks, and other contractors are engaged under contracts; their role (independent controller/processor) is determined by law and contract.
4. Categories of Personal Data
Depending on your use of the Platform and chosen services, we may process:
- Identification and contact data: first/last name, date of birth, nationality, residential/registration address, e-mail, phone.
- KYC/AML data: copies of identity documents (passport, identity card, driver’s licence, residence permit), proof of address, selfie/video-selfie and liveness check results, source-of-funds/wealth information, sanctions/PEP/adverse-media screening results, transaction-monitoring and risk-assessment outputs, data required for the Travel Rule.
- Operational data: order types and parameters, amounts, currencies/assets, payment instrument details, wallet addresses (including network and memo/tag), statuses and timestamps, activity logs.
- Technical data: IP address, device/browser identifiers, interface language, cookies and similar identifiers, event logs.
- Communications: support correspondence, complaints/requests and their outcomes.
- Marketing preferences: opt-ins/opt-outs (where applicable).
5. Sources of Data
We obtain data:
- directly from you;
- from affiliated/independent providers involved in fulfilling your order;
- from KYC/AML and blockchain-analytics providers;
- from public registers and sanctions lists.
6. Purposes and Legal Bases (Art. 6 GDPR)
Processing is necessary for:
- Contract performance and pre-contract steps (Art. 6(1)(b)): account creation/management; KYC for transactional access; processing and execution of orders; customer support; billing and notifications.
- Legal obligations (Art. 6(1)(c)): AML/CFT measures, sanctions compliance, Travel Rule, accounting/tax requirements, responses to lawful authority requests.
- Legitimate interests (Art. 6(1)(f)): Platform security and integrity; fraud/abuse prevention; risk management; internal analytics and service improvement; protection of rights and claims. You may object to processing based on legitimate interests.
- Consent (Art. 6(1)(a)), where required: marketing communications; analytical/marketing cookies; certain biometric presenter-verification elements if mandated by local law. You may withdraw consent at any time (without affecting processing prior to withdrawal).
7. Necessity of Providing Data
Data required for KYC/AML and for executing orders are contractual and/or legal requirements. If you do not provide them, we cannot deliver services (your account/transactions may be limited or unavailable).
8. Categories of Recipients
Disclosures are limited to what is necessary:
- exchange/liquidity and payment operators; payment providers and banks;
- KYC/AML/sanctions screening, Travel Rule, and blockchain-analytics providers;
- IT vendors (hosting, cloud, service desk, e-mail, security monitoring);
- auditors, legal advisers, insurers (where relevant).
Each recipient’s role (controller/processor) is determined by law and by contract.
9. International Data Transfers
Where data are transferred outside the EEA/Switzerland/UK, appropriate safeguards are applied, including:
- EU Standard Contractual Clauses (SCCs) with supplementary measures where necessary; and/or
- adequacy decisions, where applicable.
Details and key transfer recipients are available upon request.
10. Retention Periods
Retention depends on data category and legal requirements:
- KYC/AML and transaction data: at least 5 years after the end of the relationship/transaction, and where required longer (e.g., up to 10 years) under law/limitation periods/tax rules or while inquiries/disputes remain open.
- Contractual/financial records: as required by accounting and tax law.
- Technical logs: for a reasonable period for security and audit.
- Marketing: until consent is withdrawn or objection is raised.
- When retention expires, data are deleted or anonymised unless a lawful basis requires longer storage.
11. Automated Decisions and Profiling
To comply with AML/sanctions obligations and to prevent fraud, automated checks and risk-scoring may be used, which can affect access to services (e.g., manual review, suspension/refusal). You have the right to request human intervention, express your view, and contest a decision—see the contacts in Section 18.
12. Cookies and Similar Technologies
We use strictly necessary cookies for the Platform to function and, with your consent, analytical/marketing cookies. Details and preference controls are set out in the Cookie Policy.
13. Data Security
We implement organisational and technical measures commensurate with risk: need-to-know access controls; encryption in transit and at rest; access logging; anomaly/fraud monitoring; vulnerability management and testing; and contractual safeguards with vendors. No system can be absolutely secure, but we maintain protection appropriate to the risks.
14. Age Restrictions
The Platform’s services are intended solely for individuals aged 18 or over. If you are under 18, please do not use the Platform or submit personal data.
15. Your Rights (GDPR)
You have the rights of access, rectification, erasure, restriction, portability, objection (including to processing based on legitimate interests), and to withdraw consent. Requests are handled without undue delay and typically within 1 month (extendable by up to 2 months for complex/multiple requests with notice).
16. Complaints to a Supervisory Authority
You may lodge a complaint with your local data-protection authority or with the Office of the Commissioner for Personal Data Protection (Cyprus). We would appreciate the opportunity to address your concerns first—please contact us.
17. Updates to this Policy
We may update this Policy periodically. The current version is published on the Platform. For material changes, we may post a notice and/or communicate through available channels where appropriate.