PRIVACY POLICY – BITX, S.L.

1. Introduction

BITX, S.L. (“BITX”, “we”, or “us”) is committed to protecting the privacy of our Users. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you interact with BITX. It applies to all individuals and legal entities who use our Services or Website, including Users (both natural persons and representatives of legal entities), prospective Users, and Website visitors. By using BITX’s Services or Website, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.

2. Laws Incorporated in this Privacy Policy

This Privacy Policy is adapted to current European and Spanish legislation on the protection of personal data on the Internet. Specifically, it respects the following rules:

  • REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).
  • Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPD-GDD).
  • Royal Decree 1720/2007 of 21 December, approving the Regulation implementing Organic Law 15/1999 of 13 December on the Protection of Personal Data (RDLOPD).
  • Law 34/2002 of 11 July on Information Society Services and Electronic Commerce (LSSI-CE).

3. Data Controller and Scope

BITX is the data controller for the personal data processed under this Policy.

BITX is a Spanish company duly incorporated under the laws of Spain, registered with the Mercantile Registry of Barcelona, with registered office at Passeig de Gràcia 53, AT, 08007, Barcelona, Spain, and holding VAT number B06932297.

BITX is registered with the Bank of Spain under registration number D738 as a Virtual Asset Service Provider (VASP) authorized to provide services consisting of the exchange of virtual currencies for fiat currencies and vice versa, in accordance with Law 10/2010 of 28 April, on the prevention of money laundering and terrorist financing.

If you have any questions or requests regarding your personal data, you can contact us using the information provided in the “Contact Information” section of this Policy.

This Privacy Policy governs all personal data processing by BITX in connection with our cryptocurrency exchange and related Services. It covers data collected from Users and their personnel, potential Users during inquiries or onboarding, and visitors to our Website or online Services. We process personal data in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and Spanish data protection law.

4. Data Protection Officer (“DPO”)

In compliance with Articles 37 to 39 of Regulation (EU) 2016/679 (GDPR) and Article 34 of the Spanish Organic Law 3/2018 (LOPDGDD), BITX has appointed a Data Protection Officer (“DPO”) to oversee and ensure BITX’s compliance with applicable data protection laws, act as the primary contact point for data subjects, and liaise with the Spanish Data Protection Authority (AEPD).

The DPO operates as an independent supervisory entity, monitoring BITX’s processing activities, providing expert advice on data protection matters, and ensuring that all processing is carried out in accordance with the applicable legal framework. It is important to distinguish between the data controller and the DPO: while the data controller (BITX) determines the purposes and means of processing personal data, the DPO advises, supervises, and monitors compliance but does not make decisions on how personal data should be processed.

Data subjects may contact the DPO for any inquiries, requests, or to exercise their rights under Articles 15 to 22 of the GDPR through the following channels:

  • PROFESSIONAL GROUP CONVERSIA SLU
  • Email: info@conversia.es
  • Address: Avenida Mas Pins, 150, P.I. Polingesa, 17457, Riudellots de la Selva, Girona, Spain.

All communications to the DPO must clearly indicate “BITX Data Protection” in the subject line or on the envelope to ensure proper handling.

5. Personal Data We Collect

We collect various categories of personal data to fulfill the purposes described in this Policy. The types of personal data we may collect and process include:

  • Identification Data: Full name, date of birth, nationality, government-issued identification numbers (such as DNI/NIE or passport number), and copies of identity documents (e.g. passport, ID card, driver’s license). For corporate Users, we also collect company identification details and data on directors, legal representatives, and ultimate beneficial owners (including their names, identification information, and proof of authority).
  • Contact Details: Physical address (residential and/or business address), email address, phone number, and other contact information.
  • KYC/Due Diligence Data: Information gathered for “Know Your Customer” (KYC) and Anti-Money Laundering (AML) compliance. This can include identity verification materials (such as selfies or videos for facial recognition, liveness checks via our identity verification provider), nationality and residency details, occupation and employer, source of funds and source of wealth information, banking references, and results of background checks or screenings (e.g. sanctions lists, politically exposed person (PEP) status). We may also record responses you provide in compliance questionnaires or onboarding forms.
  • Financial and Transaction Data: Information necessary to provide our virtual asset Services, such as your cryptocurrency wallet addresses, transaction histories (amounts, timestamps, origin/destination of crypto or fiat funds), bank account details (IBAN, account holder name, etc.) for fiat deposits/withdrawals, payment transaction records, and account balance information. For corporate Users, this may include company bank details and transaction references.
  • Service Usage Data: Data about how you use our Website and Services. This includes login credentials (username, password) and security information (such as two-factor authentication details), account settings and preferences, logs of account activities (e.g. trades, transfers), and support tickets or inquiries. We may also keep records of communications with you (email correspondence, chat logs, or call recordings, where permitted) for service quality and compliance purposes.
  • Website Usage and Technical Data: When you visit our Website or use our online Services, we collect information through cookies and similar tracking technologies (see “Cookies and Tracking Technologies” below). This may include your IP address, browser type, device identifiers, pages viewed, date/time of visits, and referring site. We also collect data about interactions with our Website (such as clicks and page response times) and any information you submit through Website forms (for example, if you request information or subscribe to updates).
  • Marketing and Communication Data: If you subscribe to our newsletter or consent to receive marketing, we may collect data such as your email address and topics of interest. We also keep track of your communication preferences (e.g. opt-in or opt-out for marketing). Additionally, if you attend our events or webinars or participate in surveys, we might collect your feedback and any personal data you choose to provide in those contexts.

We collect most personal data directly from you (for instance, information you provide in onboarding forms, identification documents you upload, or data you enter on our Website). In some cases, we obtain data from third-party sources: for example, we may receive updated address or identity information from identity verification services, or risk indicators from blockchain analytics providers about crypto addresses you transact with. We will also generate certain data internally (such as an internally assigned User ID, or risk scores derived from your transaction patterns for AML purposes).

6. Purposes and Legal Bases for Processing

BITX uses your personal data for specific purposes, and only where we have a lawful basis to do so under data protection law. The purposes for which we process personal data, along with the corresponding legal bases, include:

  • Providing Our Services: We process personal data to set up and administer your account, provide our cryptocurrency exchange and payment Services, and handle transactions. This includes using your data to facilitate crypto-fiat conversions, execute your trade or transfer instructions, maintain your account ledger, and provide User support.
  • Legal Basis: Performance of a contract – this processing is necessary to deliver the Services you request under our Terms and Conditions. It may also involve steps taken at your request before entering into a contract (e.g. processing data of a prospective User who asks to open an account).
  • Compliance with KYC/AML and Legal Obligations: As a regulated VASP, we are legally required to verify User identities, understand the nature of our Users’ activities, monitor transactions, and report any suspicious activities. We use personal data to conduct KYC due diligence at onboarding and on an ongoing basis, to screen for fraud, money laundering or terrorist financing risks, to comply with sanctions and asset-freeze regulations, and to fulfill record-keeping obligations.
  • Legal Basis: Compliance with legal obligations – specifically, laws and regulations on anti-money laundering (such as Law 10/2010 in Spain) and counter-terrorist financing, as well as other financial and tax regulations. For example, BITX must retain certain identification and transaction records for up to 10 years as mandated by Spanish AML regulations. We also rely on the legal obligation basis to respond to lawful requests from authorities or court orders requiring disclosure of data.
  • Fraud Prevention and Security: We process personal data to protect our Services, our Users, and BITX from fraud, cyber-attacks, theft of funds, and other unlawful activities. This includes using data to authenticate User identity, enforce account security (e.g. multi-factor login), detect suspicious behavior or vulnerabilities, and implement fraud monitoring tools.
  • Legal Basis: Our legitimate interests in maintaining the security of our services and preventing fraud, and in certain cases compliance with legal obligations (for example, obligations to implement adequate security measures under GDPR or sectoral law). This processing is necessary to safeguard your assets and our business from harm.
  • Communications and User Service: We use contact information to communicate with you about your account and our Services. This includes sending service-related emails or messages such as transaction confirmations, notifications of important changes (e.g. updates to terms or policies), security alerts (like password changes or login attempts), and administrative messages. We also process data to respond to your inquiries, support requests, or complaints.
  • Legal Basis: Performance of contract (for communications that are necessary to provide our Services or respond to your requests) and our legitimate interests in ensuring quality User service and keeping you informed about your account.
  • Marketing and Promotional Communications: If you are an existing User, we may inform you about new products or Services, special offers, or industry updates that we believe could be of interest to you. For example, we might send a newsletter or promotional emails about BITX’s offerings or events.
  • Legal Basis: We rely on your consent for email marketing where required by law. In certain cases, we may use our legitimate interest to promote our Services to our User base, but we will always respect your choice and include an easy opt-out mechanism. You have the right to withdraw consent or object to marketing communications at any time, as described in the “Rights of Data Subjects” section. We will not spam you, and will only send marketing communications in accordance with applicable e-privacy laws.
  • Service Improvements and Analytics: We may analyze usage data, feedback, and trends in order to improve and personalize our Services and Website. This can involve reviewing how Users use our Services, which features are most popular, and where Users encounter issues, so we can enhance User experience and develop new features. We might also use analytics cookies or tools to understand Website traffic and the effectiveness of our communications.
  • Legal Basis: Legitimate interests – it is in our interest (and we believe the interest of our Users) to continually improve our Services’ functionality, security, and quality. We perform such analysis in a privacy-conscious manner, often using aggregated or anonymized data where possible. You can object to certain data analytics activities as described in “Rights of Data Subjects.”
  • Business and Legal Purposes: On occasion, we may need to process data for general business management and legal reasons. For example, this could include maintaining accounting records, conducting audits, handling billing and invoicing, performing internal analytics and reporting, or exercising and defending legal claims.
  • Legal Basis: Depending on the context, the legal basis may be compliance with a legal obligation (e.g. retaining invoices for tax law, or providing data to auditors under law), performance of contract (collecting payments as per our agreement with you), or our legitimate interests in effectively managing our business and defending our legal rights.

We will not use personal data for purposes that are incompatible with the above purposes without first obtaining your consent or unless required or permitted by law. If we need to process your personal data for a new purpose, we will update this Privacy Policy and notify you as required.

7. Compliance with Travel Rule Obligations

In accordance with Regulation (EU) 2015/847 on information accompanying transfers of funds, Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets, and Spanish Law 10/2010 on the prevention of money laundering and terrorist financing, BITX is legally obliged to collect, retain, and transmit specific personal data when executing transfers of crypto-assets involving other obliged entities.

This information may include, without limitation:

  • Full name, address, and account or wallet identifiers of the originator.
  • Full name and account or wallet identifiers of the beneficiary.

The processing of such data is carried out exclusively for compliance with applicable AML/CFT obligations and is based on Article 6(1)(c) GDPR (compliance with a legal obligation). These data will be retained for a minimum period of ten (10) years in accordance with Spanish Law 10/2010, after which they will be securely deleted unless further retention is required by law.

BITX ensures that any transmission of such information is conducted through secure channels and in accordance with industry standards, guaranteeing the confidentiality and integrity of the data during the entire process.

8. Disclosure of Personal Data

We treat your personal data with care and confidentiality. We do not sell or rent personal information to third parties. However, in certain circumstances we share personal data with third parties, as outlined below, for the purposes described in this Policy. All such data sharing is done in accordance with applicable law and, where appropriate, under data processing agreements ensuring your data remains protected. The main categories of recipients of personal data are:

  • Service Providers: We use trusted third-party companies to support our business operations and Services. These providers process personal data on our behalf and under our instructions. Key service providers include:
  • Identity Verification Services: NEOCHECK S.L., with registered address at Ronda de la Circunvalación 188, 12003, Castellón de la Plana, Spain, and VAT number B87974531, provides digital identity verification and biometric check services to BITX. We may share identification details and document images with NeoCheck to confirm user identity during onboarding.
  • Blockchain Analytics Services: BITRANK VERIFICATION SERVICES INC, operating as Blockchain Intelligence Group, with registered address at Suite 220 - 1130 W. Pender Street Vancouver, BC, V6E 4A4, registered in Canada, provides blockchain analytics tools, including BitRank Verified®, which are used to screen cryptocurrency addresses and transactions for risk indicators such as links to illicit activities or sanctioned entities. This process may involve sending hashed or truncated identifiers of blockchain addresses or transaction details to obtain risk scores or alerts for compliance purposes.
  • Banking and Payment Services: BITX partners with regulated financial institutions to facilitate fiat currency services:
  • BANCO BILBAO VIZCAYA ARGENTARIA, S.A. (BBVA), with registered address at Plaza de San Nicolás, 4, 48005 Bilbao, Spain, and VAT number A48265169.
  • EASY PAYMENT AND FINANCE, E.P., S.A., with registered address at Calle Leganitos 47, Planta 9ª, 28013 Madrid, Spain, and VAT number A85785905.
  • These entities receive necessary information, such as name, account number, and transaction details, in order to process euro deposits and withdrawals, execute wire transfers, maintain user segregated accounts, and comply with their own legal obligations, including AML/CFT checks.

  • Data Protection and GDPR Compliance Services: PROFESSIONAL GROUP CONVERSIA, S.L.U., with registered address at Avenida Mas Pins, 150, P.I. Polingesa, 17457, Riudellots de la Selva, Girona, Spain, and VAT number B17962655, assists BITX with regulatory compliance obligations. This may involve access to personal data solely for compliance-related purposes, such as conducting independent audits, providing training, or advising on AML program effectiveness. Such activities are carried out under strict confidentiality agreements and in accordance with applicable data protection laws.
  • External Audit Services: LINARES ABOGADOS, S.L.P., with registered address at Calle Alcalá, 75, 4º Dcha., 28009, Madrid, Spain, and VAT number B86809951, acts as BITX’s external auditor. This may require access to certain personal data strictly for audit purposes, including the assessment of AML/CFT controls and procedures. All such access is conducted under confidentiality obligations and in compliance with applicable law.
  • Technical Infrastructure Services: BITX uses trusted third-party providers to host and maintain its technical infrastructure, including cloud hosting services such as Amazon Web Services (AWS). These providers may host or transmit personal data as part of our IT systems and are contractually bound to protect your data and refrain from using it for any purpose other than providing the contracted Services.
  • Affiliated Entities: BITX may share personal data with its affiliates or subsidiaries, including entities established in other jurisdictions, as necessary to operate its Services. This may include the transfer of information to an affiliate that provides certain operational functions or supports the servicing of User accounts, always under strict privacy and security controls. All BITX group companies receiving personal data will apply protections consistent with this Policy.
  • Regulatory Authorities and Law Enforcement: BITX may disclose personal data to supervisory authorities, law enforcement agencies, governmental bodies, or courts when we are required to do so by law or legal process. As a regulated entity, BITX must share information with authorities such as the Bank of Spain, SEPBLAC (Spain’s Financial Intelligence Unit), or other regulators for inspections, audits, or reporting obligations. We may also respond to official requests (subpoenas, court orders, or similar legal directives) for information in investigations or proceedings. In each case, we will verify the request’s validity and only disclose the minimum data necessary to comply with our legal obligations.
  • Professional Advisors and Auditors: We may share personal data with our external auditors, legal counsel, accountants, or other professional advisors if that is necessary for auditing our financial statements, protecting our legal rights, or managing corporate affairs. Any such sharing is done only to the extent needed and under duties of confidentiality.
  • Business Transfers: If BITX undergoes a business transaction such as a merger, acquisition by another company, reorganization, or sale of all or part of our assets, personal data may be disclosed to the parties involved (e.g. to prospective purchasers and their advisors) as part of due diligence or transferred as an asset of the business. In such cases, we will ensure that appropriate safeguards are in place and that the receiving party agrees to protect personal data consistent with this Privacy Policy. We will inform you of any change in data controllers if your personal data will be handled by a different entity as a result of a business transaction.

Whenever we share your data with third-party service providers, we remain responsible for ensuring its protection. Our processors are bound by contractual agreements to implement adequate security measures, to process data only per our instructions, and to uphold the confidentiality of your information.

9. International Data Transfers

BITX is based in Spain and generally stores and processes personal data on servers located within the European Union (EU)/European Economic Area (EEA). However, some of our service providers and partners may be located in other jurisdictions. Similarly, if you request an international wire transfer or use our Services from outside the EU, your data might be transferred to or accessed from a location outside your country.

Whenever we transfer personal data outside of the EU/EEA, we will ensure that adequate safeguards are in place as required by GDPR. These safeguards may include:

  • Adequacy Decisions: If the destination country is one that the European Commission has recognized as providing an adequate level of data protection (for instance, transfers to certain countries or jurisdictions under adequacy decisions), your data may be transferred on that basis. (Note: Canada, for example, has an adequacy decision for commercial organizations, which may cover our Canadian analytics provider.)
  • Standard Contractual Clauses (SCCs): For transfers to countries without an adequacy decision, we will typically use the European Commission’s approved Standard Contractual Clauses, which contractually oblige the recipient to protect your data to EU standards. We will also assess on a case-by-case basis whether additional technical or organizational measures are needed to ensure your data’s security and privacy.
  • Other Lawful Transfer Mechanisms: In limited cases, we may rely on other transfer mechanisms permitted by law, such as explicit consent from you (if you are informed of the risks), or transfers necessary for the performance of a contract with you (e.g. when you initiate a transfer to a recipient in a third country).

You can request more information about international data transfers and obtain a copy of the relevant safeguards (such as SCCs) by contacting us. We remain committed to protecting your personal information regardless of where it is processed, and we will ensure any international transfers are done in compliance with applicable privacy laws.

10. Data Retention

We will retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or to comply with applicable legal, accounting, or reporting requirements. Because we are subject to strict financial regulations, some data must be retained for extended periods. Our retention practices are as follows:

  • Account and Transaction Data: For Users who use our Services, we keep your account information and transaction records while you have an active relationship with us. After your account is closed or you cease using BITX, we will generally retain relevant data for a certain period to satisfy legal obligations or our legitimate interests. For example, transaction records and account details may be kept for up to 10 years from the end of the business relationship, in line with Spain’s anti-money laundering laws (which require obliged entities to retain identification and transactional data for a decade). This extended retention is necessary to comply with AML record-keeping rules and to respond to any inquiries from regulators or law enforcement even after an account is closed.
  • KYC and Due Diligence Documentation: Copies of identification documents, verification information, and due diligence records are typically kept for at least the minimum period mandated by law (up to 10 years as noted above). In some cases, data may be kept longer if required by a competent authority or under an official order, or for the establishment, exercise or defense of legal claims. After the retention period, such data will be securely disposed of or anonymized.
  • Prospective User Data: If you provided personal data to us but did not ultimately become a User (for example, if you inquired about our Services or began an application but did not complete it), we will generally not retain your data longer than necessary. Such inquiry data may be kept for a short period (e.g. up to 12 months) to allow us to follow up on your request or maintain records of our communications. If we collected any identification data as part of a preliminary due diligence for a prospective User, and the person does not sign up, we may retain that information for a limited time to demonstrate compliance with our obligations and then delete it.
  • Marketing Data: If you have consented to receive marketing communications, we will retain the necessary contact details until you unsubscribe or withdraw your consent. Upon opt-out, we will stop using your data for marketing and will only retain the minimum information needed to respect your opt-out (for instance, your email address on a suppression list to ensure we do not send you further emails).
  • Website Data: Information collected through cookies and similar technologies is retained in accordance with the lifespans of the specific cookies (see our Cookie Policy for details). For example, analytics cookies may retain data for a few months, while essential cookies may have shorter durations. Web server logs containing IP addresses are generally kept for a short period (a few weeks) unless used for security analysis.
  • Legal and Business Records: We may retain certain data as required for other legal purposes. For instance, accounting and financial records (which may include personal data in invoices or transaction logs) are kept for the period required by Spanish commerce and tax laws (commonly 5–6 years or more, depending on the document). Also, if personal data is relevant to a legal dispute or required for our legitimate interests (e.g. records of consent, communications, or contracts), we will keep that data for as long as necessary to resolve the matter, within permitted limits.

After the applicable retention period expires, we will either delete your personal data or anonymize it so it can no longer be associated with you. We take care to ensure that deletion or destruction of personal data is done securely to prevent any further use or disclosure.

11. Rights of Data Subjects

As a data subject, you have certain rights regarding your personal data under GDPR and Spanish data protection laws. BITX is committed to honoring these rights. Your principal rights include:

  • Right of Access: You have the right to obtain confirmation as to whether we are processing your personal data, and if so, to request a copy of the data we hold about you. We will provide you with relevant information, including the categories of data, the purposes of processing, and any parties with whom it has been shared, subject to any legal limitations.
  • Right to Rectification: If any of your personal data is inaccurate or incomplete, you have the right to request that we correct or update it. We encourage you to keep your information up to date and will promptly make corrections based on your verified request.
  • Right to Erasure (Right to be Forgotten): You may request the deletion of your personal data in certain circumstances, for example if the data is no longer necessary for the purposes for which it was collected, if you withdraw consent and no other legal basis for processing exists, or if you believe the data is being unlawfully processed. We will review such requests and, if legitimate, erase the data. Please note that we cannot delete data that we are required to keep by law or that is necessary to establish, exercise, or defend legal claims. For instance, we generally cannot honor immediate deletion of data subject to AML retention requirements or active contractual necessity, but we will inform you of the retention obligations if they apply.
  • Right to Restriction of Processing: You have the right to request that we limit the processing of your data in certain situations. This could apply if you contest the accuracy of your data (while we verify it), if our processing is unlawful but you prefer restriction over deletion, if we no longer need the data but you need it for a legal claim, or if you have objected to processing and await verification of overriding grounds. When processing is restricted, we will store your data securely and only process it with your consent or for specific legal reasons.
  • Right to Data Portability: For data that you have provided to us and is processed by automated means on the legal basis of contract or consent, you have the right to receive that data in a structured, commonly used, machine-readable format. You also have the right to request that we transmit such data directly to another data controller where technically feasible. This right makes it easier for you to move your account data to other service providers if needed.
  • Right to Object: You have the right to object to our processing of your personal data when such processing is based on our legitimate interests or on public interest/exercise of official authority. If you object, we must stop processing the data unless we demonstrate compelling legitimate grounds that override your rights or if the processing is for the establishment, exercise, or defense of legal claims. You also have an absolute right to object at any time to processing of your personal data for direct marketing purposes. If you object to or opt out of marketing, we will cease using your data for that purpose immediately.
  • Right to Withdraw Consent: In cases where we rely on your consent (for example, for optional marketing communications), you have the right to withdraw your consent at any time. Withdrawing consent will not affect the lawfulness of processing that occurred before the withdrawal. If you withdraw consent for a particular purpose, we will stop the processing for that purpose and, if no other lawful basis applies, delete or anonymize the relevant data.
  • Right Not to be Subject to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing, including profiling, if such decision produces legal effects concerning you or similarly significantly affects you. In practice, BITX does not make solely automated decisions without human review that have legal or significant effects on individuals. For example, while we use automated tools to assess risks (such as fraud or AML risk scoring), any decision to refuse service or report an activity is reviewed by our compliance team. However, should we ever engage in purely automated decision-making that falls under Article 22 GDPR, you would have the right to request human intervention, to express your point of view, and to contest the decision.

Exercising Your Rights: You may exercise any of these rights by contacting us (see “Contact Information” below). Please be as specific as possible in your request to help us fulfill it effectively. We may need to verify your identity before executing certain requests, to ensure that we do not disclose data to an unauthorized person. Verification may include asking for information or documents to confirm your identity. Exercising your rights is free of charge; however, if a request is manifestly unfounded or excessive (for example, repetitive), we may charge a reasonable fee or refuse to act on it (as permitted by law). We will respond to valid requests as soon as possible and at the latest within one month, unless an extension is permitted by law (we will inform you if we require more time).

If you believe that our processing of your personal data infringes the law or your privacy rights, you also have the right to lodge a complaint with a supervisory authority. BITX is regulated in Spain, so our lead supervisory authority is the Spanish Data Protection Agency (AEPD – Agencia Española de Protección de Datos), http://www.agpd.es. You can contact the AEPD or your local EU data protection authority for further guidance or to file a complaint. Of course, we encourage you to contact us first so we can address your concerns directly.

12. Security Measures

We take the security of personal data very seriously at BITX. We have implemented a range of technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include, for example:

  • Encryption of data in transit and at rest wherever appropriate, to ensure that sensitive information (such as personal IDs or passwords) is protected during transfer and storage.
  • Secure network protocols and firewalls to safeguard our IT infrastructure, plus continuous network monitoring to detect and block suspicious activities.
  • Strict access controls within our organization: only employees or contractors with a need-to-know are authorized to access personal data, and they do so under confidentiality obligations. Access to sensitive data (like KYC documents or transaction records) is limited to personnel in compliance, finance, or support roles that require it.
  • Regular security assessments and penetration testing of our Services and Websites, to identify and address vulnerabilities. We also keep our systems updated with the latest security patches.
  • Authentication and Account Security: We enforce strong authentication practices (including multi-factor authentication) for access to systems containing personal data. Users are also encouraged to use two-factor authentication on their accounts. We securely hash and store account passwords, and never store them in plain text.
  • Employee training and policies on data protection: Our staff receive training on data privacy, cybersecurity, and how to handle personal data safely. We maintain internal policies and incident response plans to deal with any data security issues.
  • Measures to ensure data integrity and availability, such as regular backups of critical data, and business continuity/disaster recovery plans to prevent data loss or prolonged downtime in the event of an incident.

While we strive to use best-in-class security, please note that no system can be 100% secure. We continuously improve our security practices to adapt to evolving threats. In the unfortunate event of a data breach that poses a high risk to your rights, we will notify you and relevant authorities as required by law.

13. Cookies and Tracking Technologies

Our Website uses cookies and similar tracking technologies to provide and improve our online Services. Cookies are small text files that are stored on your device when you visit a website. We use cookies for various purposes, such as:

  • Essential Cookies: These are necessary for the Website to function properly (e.g. to remember your login session or preferences). Without these cookies, certain features of the site may not work.
  • Analytics Cookies: We use analytics or performance cookies to collect information about how visitors use our Website, which pages are popular, or if any errors occur. This helps us optimize the User experience and troubleshoot issues. The data collected is usually aggregated and does not directly identify individuals. For instance, we might use Google Analytics or similar tools to understand our web traffic patterns (in compliance with applicable consent requirements).
  • Functionality Cookies: These cookies allow the site to remember choices you make (such as language selection or region) and provide enhanced, more personalized features.
  • Advertising/Marketing Cookies: Currently, BITX does not serve third-party ads on our site, but if we ever do, such cookies would be used to tailor advertising to you on our site or others based on your interests. We will inform you and obtain consent if such cookies are in use.

When you first visit our Website, you will be presented with a cookie consent banner or pop-up that allows you to accept or reject non-essential cookies. You can manage your cookie preferences at any time via our Cookie Settings tool (if available) or through your browser settings. For more detailed information on the cookies we use and your choices, please see our separate Cookie Policy (available on our Website). The Cookie Policy forms part of this Privacy Policy and provides specifics on the types of cookies, their purposes, and retention periods.

Please note that if you disable certain categories of cookies (e.g. analytics or functionality cookies), some features of our Website may not function optimally. However, the site will remain usable with essential cookies alone. We do not collect sensitive personal data via cookies, and any third-party tools we use are configured to minimize data collection and to avoid directly identifying you.

14. Third-Party Links and Services

Our Website and communications may contain links to third-party websites, plug-ins, or services (for example, links to news articles, partner websites, or social media platforms). If you choose to click on those links or enable those connections, you may be visiting external services that are not operated by BITX. Please be aware that this Privacy Policy does not apply to the privacy practices of any third parties. We have no control over and are not responsible for the content, security, or privacy practices of third-party sites or services.

We encourage you to review the privacy policies of any third-party websites or services you interact with. For example, if our site links you to a banking partner or a social media page, please check their privacy policy to understand how they handle your data. BITX’s inclusion of a link does not imply our endorsement of the third party or their data practices. If you believe a linked third-party site is misusing your personal data, you should address your concerns to that third party.

15. Minors and Eligibility

Our Services are not intended for individuals under the age of 18. BITX does not knowingly solicit or collect personal data from children or minors. Because our offerings involve financial services and cryptocurrencies, which require entering into legal agreements and compliance with regulatory requirements, Users must be at least 18 years old (or the age of majority in your jurisdiction) to register an account or use BITX’s Services.

If we become aware that a person under 18 has provided us with personal data or has attempted to use our Services, we will take steps to remove that data and terminate any associated account. We reserve the right to ask for proof of age or identity verification at any stage to prevent underage usage.

Parents or guardians: if you suspect that your child who is under 18 may have submitted personal information to BITX, please contact us immediately so that we can take appropriate action to delete the information and (if applicable) close the account.

16. Changes to this Privacy Policy

We may update or revise this Privacy Policy from time to time in response to evolving legal, technical, or business developments. When we make changes, we will post the updated Policy on our Website and update the “Last Updated” date at the top or bottom of this Policy. If changes are substantial or require your consent (for example, if we plan to process your data for new purposes that you did not originally agree to), we will notify you prominently. This notification may be through the Website (e.g. a banner or pop-up notice) and/or via email or direct communication, especially if you are a registered User.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data. Your continued use of our Website or Services after any changes to the Policy constitutes your acknowledgment of the updated terms. If you do not agree with the changes, you should discontinue use of our Services and may exercise your rights as described (for example, to delete your account or data).

17. Governing Law and Jurisdiction

This Privacy Policy, and any dispute or claim arising out of or related to it or the handling of personal data by BITX, is governed by the laws of Spain. In particular, it is subject to the EU General Data Protection Regulation as implemented in Spain and other relevant Spanish laws. Any disputes that cannot be resolved amicably shall be subject to the exclusive jurisdiction of the courts of Barcelona, Spain. By using our Services, you agree that any legal action relating to your privacy or this Policy will be brought in the appropriate courts of Barcelona, and you consent to the jurisdiction of those courts.

Please note that if you are accessing our Services from outside of Spain, there may be mandatory laws of your country that apply for your benefit. This clause does not override any consumer rights or statutory protections that you have under the law of your habitual residence, insofar as those are applicable.

18. Language and Version

This Privacy Policy is provided in English for convenience and broad accessibility. BITX maintains an official version of the Privacy Policy in Spanish, which is the governing language for legal purposes. In case of any conflict or discrepancy between the English version and the Spanish version of this Policy, the Spanish version shall prevail and be deemed the binding version. Translations (including this English text) are for reference to aid understanding; the Spanish text will control in any dispute about the interpretation of this Policy.

Users have the right to request and review the Policy in Spanish (and may contact BITX if they require a copy).

19. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please do not hesitate to contact us. Our contact details for privacy-related matters are:

  • BITX, S.L.
  • Address: Passeig de Gràcia 53, Ático, 08007 Barcelona, Spain
  • Email: legal@bitx.es

When contacting us, please provide your name and contact information, and clearly state the nature of your request (for example, if you are requesting access to your data, or have a question about security). We will address your communication promptly and courteously.

Thank you for reading our Privacy Policy. We value your trust and are committed to safeguarding your personal data while providing you with high-quality, compliant crypto-financial services. Your privacy is integral to our business, and we will always handle your personal information in accordance with the principles and practices outlined above.

Last Update Date: 01 August 2025
