Scope
This Privacy Policy covers personal data we collect, process, and store when you use Cooud Exchange — including the website at cooud.exchange, the public and authenticated APIs, the trader and operator dashboards, and any product surface we operate under the Cooud name.
It does not cover third parties we link to or that you choose to connect. That includes RPC node providers, market-data sources (such as the Binance proxy we use for public-page price feeds), block explorers, and any external wallet, DeFi protocol, or fiat ramp you interact with through self-custody features. Their privacy practices are governed by their own policies.
What we collect
Account information
- Email address (required for account creation);
- Full legal name;
- Password — stored only as an argon2id hash, never in plain text;
- TOTP secret (encrypted at rest, used for withdrawal 2FA).
Identity verification (KYC)
- Phone number — collected at KYC level 1 and above;
- Government-issued identity document — collected at KYC level 2;
- Selfie / liveness check — collected at KYC level 2;
- Proof of address and source of funds — collected at KYC level 2 enhanced.
Device and session signals
- Device fingerprint via Fingerprint Pro — visitorId and IP address;
- User agent, browser, operating system, language;
- Session traces via OpenTelemetry — anonymised at the application layer.
Transactional records
- Deposit, trade, conversion, and withdrawal history;
- On-chain transaction hashes and counterparty addresses (these are public on-chain regardless);
- Order history including price, quantity, side, and fill state.
What we don't collect
For clarity, we never collect or store:
- Passwords in plain text — only argon2id hashes;
- Raw private keys, mnemonic seed phrases, or HD master seeds — custodial seeds live in HSM-backed Vault and never enter application logs;
- Self-custody passkeys — these are generated on, and never leave, your device;
- Social security numbers or national identification numbers in plain text — when required by KYC vendors, we store a one-way hash plus the last four digits;
- Behavioural data for advertising — we do not build advertising profiles.
How we use it
We process your data for the following purposes:
- Authentication and account security — login, session management, withdrawal challenges, fraud detection;
- Regulatory compliance — KYC, AML, sanctions screening, transaction monitoring, suspicious-activity reporting;
- Service operation — routing trades to the matching engine, settling deposits and withdrawals, reconciling balances;
- Customer support — diagnosing and resolving issues you raise;
- Product improvement — aggregated, de-identified analytics on feature performance and error rates;
- Legal obligations — responding to lawful requests from regulators, courts, and law enforcement.
Retention
We retain personal data for as long as it is needed to provide the service and as long as required by applicable law.
- Account data: while the account is active, plus 7 years after closure (financial-regulatory minimum);
- Transaction records: 10 years from the date of the transaction (AML record-keeping);
- KYC documents: 7 years from collection or last update;
- Device fingerprint and IP logs: 90 days;
- Application and audit logs: 30 days hot, then summarised and retained for 1 year;
- Support ticket history: 3 years from resolution.
After the applicable period, data is either deleted or irreversibly anonymised.
Your rights
Depending on your jurisdiction, you may have the following rights with respect to your personal data:
- Access — request a copy of the personal data we hold about you;
- Correction — ask us to update inaccurate data;
- Deletion — ask us to delete your data, subject to regulatory retention obligations;
- Portability — receive your data in a structured, machine-readable format;
- Restriction and objection — limit or object to certain types of processing;
- Withdraw consent — where processing is based on consent, withdraw it at any time;
- Complain — lodge a complaint with your local data-protection authority.
Residents of the European Economic Area, the United Kingdom, and California have specific statutory rights (GDPR, UK GDPR, CCPA / CPRA). These do not limit any broader rights available under local law.
To exercise any of these rights, contact us at privacy@cooud.exchange. We will respond within 30 days.
Security
Security is engineered into the platform end-to-end. The principal controls are:
- Passwords hashed with argon2id (memory-hard, side-channel resistant);
- HSM-backed signing for custodial withdrawals in production;
- TLS 1.3 for all data in transit; HSTS enforced on public surfaces;
- AES-256-GCM for at-rest secrets, with keys rotated on a defined cadence;
- SAML SSO with hardware-key MFA for staff access to internal tooling;
- Least-privilege access controls and audited break-glass procedures;
- SHA-256 hash-chained audit log for every privileged action;
- Hourly automated reconciliation of off-chain balances against on-chain state.
No system is impregnable. If we discover a security incident affecting your data, we will notify you and the relevant regulators within the timeframes required by law.
International transfers
Personal data is stored primarily in data centres in the United States and the European Union, with replication and backup in other adequate jurisdictions for disaster recovery.
Transfers outside the European Economic Area or the United Kingdom are made under appropriate safeguards — including Standard Contractual Clauses, adequacy decisions, or other lawful transfer mechanisms.
Children
The Platform is not intended for, and may not be used by, anyone under the age of 18 (or the age of majority in their jurisdiction). We do not knowingly collect personal data from minors.
If we become aware that we have collected personal data from a minor, we will delete it and close the account.
Changes
We may update this Privacy Policy from time to time. We will announce material changes by email to the address on file and via an in-product banner at least 30 days before the effective date.
The “Last updated” date at the top of this page reflects the most recent version. Continued use after the effective date constitutes acceptance.
Contact
For privacy enquiries, data-rights requests, or breach reports:
Privacy team
privacy@cooud.exchange
Responses within 30 days.
EU data protection officer
dpo@cooud.exchange
For EEA / UK residents under GDPR.

