Disclosure

PRIVACY POLICY

EUNX MENA - FZE Virtual Assets Broker-Dealer is working to obtain a Dubai VARA license.

Effective Date: [May 2025]

Contents

1. INTRODUCTION

2. TYPES OF DATA COLLECTED

2.1 Personal Identification Data

2.2 Financial and Transactional Data

2.3 Technical and Usage Data

2.4 Communication Data

3. How We Collect Personal Data

4. LEGAL BASIS AND PURPOSE OF DATA PROCESSING

4.1 Legal Basis

4.2 Purpose of Processing

4.3 Consent

5. DATA SHARING AND DISCLOSURES

5.1 Regulatory and Government Authorities

5.2 Third-Party Service Providers

5.3 Cross-Border Data Transfers

6. DATA SECURITY MEASURES

7. DATA RETENTION PERIODS

8. YOUR RIGHTS UNDER UAE PDPL

8.1 Access

8.2 Rectification

8.3 Erasure

8.4 Objection

8.5 Data Portability

8.6 Complaints

9. CONTACT INFORMATION

1. INTRODUCTION

EUNX MENA - FZE (“we,” “our,” or “the Company”), a Virtual Assets Broker & Dealer licensed under the Dubai Virtual Assets Regulatory Authority (VARA), prioritizes the protection of personal and financial data as a cornerstone of our operational integrity. In the rapidly evolving virtual asset sector, where innovation intersects with regulatory rigor, this Privacy Policy serves as a comprehensive guide to our data practices.

This policy is designed to comply with:

  • VARA’s Technology and Information Rulebook (2023), which mandates robust cybersecurity and transparency standards.
  • UAE Federal Decree-Law No. 45/2021 on Personal Data Protection (PDPL), governing lawful data processing and user rights.
  • FATF Recommendations (2023), particularly those addressing cross-border data flows and AML/CFT obligations.

Scope: This policy applies to all interactions with EUNX MENA - FZE, including but not limited to:

  • Clients engaging in virtual asset trading, custody, or brokerage services.
  • Visitors to our websites, mobile applications, and trading platforms.
  • Third-party vendors, liquidity providers, and regulatory bodies.

By detailing our practices, we aim to foster trust, ensure compliance, and empower users with clarity about their data rights. Our commitments include transparent processing, strict data security, and giving you control over your data.

2. TYPES OF DATA COLLECTED

We collect personal data that is necessary to provide and improve our virtual asset services. “Personal Data” means any information relating to a natural person that can identify them directly or indirectly. This includes, without limitation, your identity and contact details (such as name, postal address, email, telephone number), demographic information, and government-issued identifiers (such as passport or national ID number). We also collect financial and transactional information, including your bank account or payment details, virtual asset wallet addresses, transaction history, trading activity and investment preferences.

In the course of providing our services, we may also process sensitive personal data and biometric data. UAE law defines “sensitive personal data” to include information such as a person’s biometric data, criminal history, health data, or other data revealing racial, religious, or philosophical beliefs. “Biometric data” is personal data obtained by specific technology related to the unique physical or behavioral characteristics of a person (e.g. facial images or fingerprints). For example, we may collect your facial image or fingerprint if you use biometric identity verification in our onboarding process. Any such sensitive information is collected only when explicitly required for legal or security purposes (for instance, to comply with know-your-customer (KYC) requirements) and is treated with enhanced safeguards.

We may also gather non-sensitive data to support our platform. This includes device and usage data collected automatically as you navigate our website or apps, such as IP address, browser type, operating system, location data, and activity logs. We use cookies and similar tracking technologies to personalize your experience, understand your usage patterns, and improve our services. Any data that cannot be linked back to you (de-identified or aggregated data) may also be collected for statistical or analytical purposes. In all cases, we restrict collection to what is required for the specified purpose and keep it accurate and up to date.

To fulfill regulatory obligations and deliver seamless services, we collect and process the following categories of data:

2.1 Personal Identification Data

  • Full Name, Nationality, and Date of Birth: Required for identity verification under VARA Rule III.E (Customer Due Diligence).
  • Government-Issued Identification: Scanned copies of Emirates IDs, passports, or residency visas to comply with AML/CFT Law Decree No. 20/2018.
  • Contact Details: Email addresses, phone numbers, and residential/business addresses to facilitate communication and transaction alerts.
  • KYC/CDD Documentation:
    • Source of Wealth: Bank statements, employment contracts, or tax returns to verify the legitimacy of funds (per VARA Rule III.F).
    • Proof of Address: Utility bills or bank statements dated within the last three months.
  • Biometric Data: Facial recognition scans for high-risk clients, stored securely in encrypted databases.
  • Example: A corporate client opening an institutional trading account must submit a board resolution authorizing VA activities and UBO disclosures.

2.2 Financial and Transactional Data

  • Account Information: Virtual asset wallet addresses (e.g., Bitcoin, Ethereum) and linked bank accounts for fiat conversions.
  • Transaction Records:
    • On-Chain Data: Blockchain hashes, timestamps, and transaction amounts.
    • Off-Chain Data: OTC trade tickets, settlement instructions, and counterparty details.
  • Risk Profiles: Behavioral analytics derived from trading patterns (e.g., frequency, volume, asset diversification) to detect anomalies.
  • Example: A client trading AED 500,000 daily may trigger enhanced monitoring under VARA Rule III.D.6 (Anonymity-Enhanced Transactions).

2.3 Technical and Usage Data

  • Device Information: IP addresses, device IDs (IMEI/MEID), browser types, and operating systems to prevent unauthorized access.
  • Cookies:
    • Essential Cookies: Session IDs for secure login and transaction authentication.
    • Analytics Cookies: Google Analytics to track page visits and user engagement (anonymized).
    • Advertising Cookies: Retargeting pixels (used only with explicit consent).
  • Geolocation: Approximate location data derived from IP addresses to flag suspicious login attempts (e.g., logins from high-risk jurisdictions).

2.4 Communication Data

  • Customer Support: Transcripts of live chats, emails, and call recordings for quality assurance and dispute resolution.
  • Marketing Preferences: Opt-in/opt-out status for newsletters, market insights, and promotional offers.

3. How We Collect Personal Data

We obtain your personal data in several ways, always with appropriate legal grounds or your consent. When you register for an account or use our platform, you may provide data directly: for instance, by filling out online forms, uploading identity documents, or communicating with our support team. We also collect data when you use our services, such as placing orders, making transactions, or engaging in virtual asset trading – every action you take on our platform is logged for security and regulatory compliance.

Some data is gathered through our technology: for example, analytics and security systems automatically record usage patterns, IP addresses, device IDs, cookies, and other technical identifiers. If you use cloud-based or mobile applications, we may collect metadata from those systems in accordance with your consent and the terms of service of those applications.

We also integrate with third-party service providers and partners. For identity verification and KYC purposes, we may engage specialized providers (such as digital identity verification or credit-check services) who collect identity documents or perform background checks on our behalf. We obtain your explicit consent before using such services, and we require these vendors to apply contractual data protection safeguards. Similarly, we may receive personal data from banks, payment processors, or affiliates in order to open accounts or process transactions, again under strict confidentiality. When law requires, we also obtain data from government or regulatory sources (for example, using UAE Pass or official registries to verify your identity).

In all cases of data collection, we follow the PDPL’s principle that personal data must be processed in a fair, transparent, and lawful manner. We inform you at the point of collection about what data is collected and the purpose of collection. Where appropriate, we ask for your consent in a clear and easily understandable form, and you have the right to withdraw consent at any time (except for data processed under other legal bases).

4. LEGAL BASIS AND PURPOSE OF DATA PROCESSING

We process your data under strict legal frameworks, ensuring alignment with regulatory mandates and ethical standards.

4.1 Legal Basis

  • Regulatory Compliance: Mandated by VARA Rule III.B.1 (Policies and Procedures) and PDPL Article 5 (Lawfulness of Processing).
  • Contractual Necessity: To execute client agreements, such as facilitating trades or providing custodial services.
  • Consent: For non-essential processing (e.g., marketing emails), obtained via explicit opt-in mechanisms.
  • Legitimate Interests: Fraud prevention, network security, and service optimization.

4.2 Purpose of Processing

KYC/AML Verification:

  • Cross-referencing client data against global sanctions lists (e.g., OFAC SDN List) using tools like Refinitiv World-Check.
  • Conducting PEP screenings for high-risk clients, requiring Senior Management approval under VARA Rule III.F.1.

Transaction Monitoring:

  • Real-time analysis of blockchain transactions via Chainalysis Reactor to detect mixing services or darknet linkages.
  • Filing Suspicious Activity Reports (SARs) with the UAE FIU within 48 hours of detection (VARA Rule III.F.4).

Service Delivery:

  • Enabling instant settlements through API integrations with banking partners.
  • Providing portfolio dashboards with real-time market data.
  • Legitimate Interests: We use data to pursue our legitimate business interests in a way that does not override your privacy rights. For example, we analyze your usage data to improve our platform’s performance, to prevent fraud and secure our network, and to market and develop new services. We ensure that these legitimate interests are balanced against your privacy, and where required by law, we inform you of such use.

Fraud Prevention:

  • Machine learning algorithms analyze login attempts, flagging IP addresses associated with VPNs or TOR networks.

Regulatory Reporting:

  • Submitting routine AML/CFT audits to VARA, including redacted transaction samples and risk assessments.

4.3 Consent

In certain situations, we rely on your explicit consent. For example, if we ask to use your data for direct marketing or promotional emails, or for any purpose not strictly necessary for our services or compliance obligations, we will obtain your clear permission first. Consent is always freely given, specific, informed and unambiguous. You have the right to withdraw your consent at any time by contacting our Data Protection Officer.

Each time we collect data, we process it only for the specific purposes for which it was collected. Typical purposes include: (a) opening and administering your account; (b) executing transactions and trades; (c) fulfilling our regulatory and legal obligations (such as KYC/AML compliance, tax reporting, and responding to legal requests); (d) communicating with you about your account or providing support; (e) improving and securing our services (including fraud prevention and system maintenance); (f) statistical analysis and service optimization; and (g) marketing and promotional activities where you have opted in. We do not use or retain your personal data for purposes incompatible with the original reason for collection.

5. DATA SHARING AND DISCLOSURES

EUNX MENA - FZE does not sell or lease your personal data to marketing companies or other third parties. We disclose data only under stringent protocols to ensure confidentiality and compliance.

5.1 Regulatory and Government Authorities

We share personal data with regulators, law enforcement agencies, and other government authorities when required or permitted by law. For example, as a licensed VASP, we must report certain transactions and suspicious activity to UAE authorities (such as the Financial Intelligence Unit or VARA) under AML/CFT laws. We also provide information to courts or enforcement agencies in response to lawful orders (e.g. subpoenas or search warrants). These disclosures are necessary to comply with legal obligations and protect public interests, which are recognized exceptions under the PDPL.

  • VARA: Submission of audited financial records, AML/CFT reporting, CDD files, and STRs during routine required regulatory reporting and examinations.
  • UAE Central Bank: Transaction data related to fiat conversions under Anti-Money Laundering Law Article 15.
  • Law Enforcement: Data shared in response to subpoenas or court orders, limited to legally mandated scope.

5.2 Third-Party Service Providers

  • Custodians: Partners and Ledger Vault that store virtual assets in offline, geographically distributed cold wallets.
  • Cloud Providers:
  • Analytics Providers:
  • Elliptic:
  • SWIFT: For cross-border fiat transactions, adhering to ISO 20022 standards.

5.3 Cross-Border Data Transfers

Safeguards:

  • Standard Contractual Clauses (SCCs): For transfers to non-PDPL adequacy countries (e.g., US-based analytics vendors).
  • Data Localization: Critical client data (e.g., KYC records) stored in UAE-based servers unless explicitly permitted.

6. DATA SECURITY MEASURES

We deploy a multi-layered security architecture to mitigate risks. This includes technical safeguards such as encryption, cold storage, and network security. We use encryption (both at rest and in transit) to protect sensitive data and authentication mechanisms (such as multi-factor authentication) to secure accounts. We deploy industry-standard firewalls, intrusion detection and prevention systems, and secure protocols (HTTPS/TLS) to guard against attacks. All access to personal data is logged and audited.

We also deploy organizational safeguards such as staff training, vendor management, and an incident response mechanism. Access to personal data within our organization is strictly limited to a need-to-know basis. Employees receive regular training on data privacy and security. We require third-party vendors and affiliates who process our data to adopt similar high standards and to contractually comply with our security policies.

We also conduct periodic security assessments, vulnerability scans, and penetration tests to identify and fix weaknesses in our systems. We also perform data backups and disaster recovery exercises to prevent data loss. Where feasible, we pseudonymize or anonymize personal data used for testing and analytics.

Incident Response

Breach Protocol:

  1. Containment: Immediate isolation of affected systems.
  2. Assessment: Forensic analysis by cybersecurity partners (e.g., Mandiant).
  3. Notification: Disclosure to VARA and affected users within 72 hours (PDPL Article 14).
  4. Remediation: System patching and post-incident reviews.

7. DATA RETENTION PERIODS

General Retention: 8 years post-account closure, as mandated by VARA Rule III.I (Recordkeeping) and AML Law Article 12.

Extended Retention:

  • Ongoing litigation or regulatory investigations (e.g., pending FIU inquiries).
  • Legacy data archived in write-once-read-many (WORM) systems to prevent tampering.

8. YOUR RIGHTS UNDER UAE PDPL

You may exercise the following rights by contacting our Data Protection Officer (DPO):

8.1 Access

  • Process: Submit a written request detailing the data sought.
  • Timeline: Fulfilled within 30 days, extendable for complex queries.
  • Format: Data provided in PDF or CSV formats.

8.2 Rectification

  • Scope: Correct outdated addresses, misspelled names, or erroneous transaction labels.
  • Verification: Updated data must be validated via secure channels (e.g., OTP verification).

8.3 Erasure

  • Limitations: Data essential for regulatory compliance (e.g., KYC records) cannot be deleted.
  • Non-Essential Data: Marketing preferences or unused account data may be erased.

8.4 Objection

  • Opt-Out: Withdraw consent for marketing communications via the Privacy Dashboard.
  • Legitimate Interests: Challenge data processing by demonstrating overriding privacy risks.

8.5 Data Portability

  • Delivery: Data exported in machine-readable formats (JSON, XML) for seamless transfer to competitors.

8.6 Complaints

  • Escalation: Unresolved grievances may be filed with the UAE Data Office within 30 days.

To exercise any of these rights, please contact our Data Protection Officer (see Contact Information below). We will respond to your requests as soon as possible and in line with the timeframes required by law. We may require proof of your identity before granting access or making changes to ensure the security of your data. We will also provide you with information about the outcome of your request and, where applicable, the reasons if a request is denied or limited.

If you have concerns or grievances about how your personal data is handled, we encourage you to contact us first. You may lodge a complaint with our Data Protection Officer (contact details below) describing the issue. We have internal procedures to investigate complaints and will endeavor to resolve them fairly and promptly, including taking corrective actions if a privacy violation occurred.

9. CONTACT INFORMATION

  • Data Protection Officer (DPO):
    • Name: [Insert Name]
    • Email: [Insert Email]
    • Phone: [+971 X XXX XXXX]
    • Address: [Insert Office Address, Dubai, UAE]

APPROVED BY:

[Name], Chairman of the Board

[Name], Chief Executive Officer

[Date]

* EUNX MENA - FZE reserves the right to update this Privacy Policy as laws change or our services evolve. Any substantial changes will be communicated to you (for example, by email or via a notice on our website) before they take effect. We encourage you to review this policy periodically. Your continued use of our services after changes are posted will constitute your acceptance of the revised policy.*