Privacy Policy

We collect information you provide directly to us, information collected automatically through your use of our services, and information from third-party verification providers.

• Identity information: full name, date of birth, nationality, and government-issued ID documents for KYC/KYB verification
• Contact information: email address, phone number, and physical address
• Business information: company name, registration number, business type, financial statements, and ownership structure
• Wallet information: blockchain wallet addresses associated with your account
• Transaction data: history of trades, swaps, OTC orders, and on-chain interactions
• Device and usage data: IP address, browser type, operating system, and usage patterns
• Verification data: biometric data processed by third-party providers (Veriff, Sumsub) for identity verification

We use the information we collect to provide, maintain, and improve our services, comply with legal obligations, and protect against fraud.

• To verify your identity and comply with KYC/KYB and AML regulatory requirements
• To process transactions and provide access to our DeFi services
• To issue and manage NFT-based digital identity certificates (Convexo Passport, LP NFTs, E-Credit NFTs)
• To generate AI-powered credit scores for business clients
• To send service notifications, security alerts, and administrative messages
• To detect, investigate, and prevent fraudulent or illegal activity
• To comply with applicable laws in jurisdictions where we operate including the United States, Colombia, and Hong Kong
• To improve our platform and develop new features

We do not sell, trade, or otherwise transfer your personal information to outside parties except as described in this policy.

• Verification providers: Veriff (individual KYC) and Sumsub (business KYB) receive identity documents and biometric data solely for verification purposes
• Blockchain networks: wallet addresses and transaction data are inherently public on-chain (Base, Ethereum, UniChain)
• Legal compliance: we may disclose information when required by law, subpoena, or government authority
• Business transfers: in the event of a merger or acquisition, your information may be transferred as a business asset
• Consent: we may share information with your explicit consent for purposes not listed here

Our services operate on public blockchains. Certain information is permanently recorded on-chain and cannot be deleted or modified. You should be aware of the following when using our blockchain services.

• Wallet addresses, transaction amounts, and timestamps are publicly visible on Base, Ethereum, and UniChain
• NFT minting events and transfers are permanently recorded on-chain
• Zero-knowledge proofs used in zkPassport verification protect your underlying identity data while confirming verification status
• On-chain data is outside our control and cannot be erased upon request
• Smart contract interactions are immutable and cannot be reversed

We implement industry-standard security measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction.

• Encryption of sensitive data at rest and in transit using AES-256 and TLS 1.3
• Multi-signature wallet infrastructure for institutional asset custody
• JWT-based authentication with short-lived access tokens and secure refresh token rotation
• Redis-based token blacklisting for immediate session invalidation
• Regular security audits and penetration testing
• Strict access controls limiting employee access to personal data on a need-to-know basis

Depending on your jurisdiction, you may have certain rights regarding your personal information. We honor rights under GDPR, Colombian Law 1581 of 2012, and other applicable privacy regulations.

• Right of Access: request a copy of the personal data we hold about you
• Right of Rectification: request correction of inaccurate or incomplete data
• Right of Erasure: request deletion of your personal data where legally permissible (note: on-chain data cannot be deleted)
• Right to Restrict Processing: request limitation of how we process your data
• Right to Data Portability: receive your data in a structured, machine-readable format
• Right to Object: object to processing of your personal data for certain purposes
• Right to Withdraw Consent: withdraw consent where processing is based on consent
• To exercise any of these rights, contact us at legal@convexo.xyz

We use cookies and similar tracking technologies to enhance your experience on our platform and analyze usage patterns.

• Essential cookies: necessary for the platform to function, including session management and security
• Analytics cookies: help us understand how visitors interact with our platform (we use privacy-respecting analytics tools)
• Preference cookies: remember your language and display preferences
• You can control cookies through your browser settings; disabling essential cookies may affect platform functionality

We retain your personal information for as long as necessary to fulfill the purposes outlined in this policy and to comply with legal obligations.

• KYC/KYB verification records: minimum 5 years after account closure as required by AML regulations
• Transaction records: minimum 7 years for tax and regulatory compliance
• Account information: retained for the duration of your account and 3 years thereafter
• Communication records: 2 years from the date of communication
• On-chain data: permanently stored on the blockchain and cannot be deleted

Our platform integrates with third-party services that have their own privacy policies. We encourage you to review the privacy practices of these providers.

• Veriff — Individual identity verification: veriff.com/privacy-policy
• Sumsub — Business KYB verification: sumsub.com/privacy-notice
• Chainlink — Decentralized oracle data: chain.link/privacy-policy
• Uniswap — Decentralized exchange infrastructure: uniswap.org/privacy-policy
• Pinata — IPFS document storage: pinata.cloud/privacy
• Resend — Transactional email delivery

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of material changes by posting the new policy on our website and updating the 'Last Updated' date. For significant changes, we will provide additional notice via email or in-platform notification. Your continued use of our services after the effective date of any changes constitutes your acceptance of the updated policy.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Data Protection team.

• Email: legal@convexo.xyz
• Colombia: Calle 36 #128-321, Zona Franca Zonaamerica, Cali, Valle del Cauca
• United States: 159 North Wolcott Street, Suite 133, Casper, WY
• Hong Kong: Spaces, 8 Queens Road East, Hong Kong
• We will respond to all legitimate requests within 30 days