Never bother to read the privacy policy when signing up for a cryptocurrency exchange? Maybe you should.
For Privacy Week, CoinDesk reviewed the privacy policies and notices of 24 major crypto exchanges and lending services to see how much they know about users and how transparent they are about it. The two dozen companies represent a cross-section of popular consumer-facing platforms.
It turns out crypto platforms collect a wealth of their users’ personal data – ironic considering this asset class grew out of the privacy-championing cypherpunk movement and was originally conceived as anonymous digital cash.
All major crypto services these days are subject to laws and regulations obliging them to perform know-your-customer (KYC) checks on any new client. Crypto platforms are inherently online, so to make sure they are dealing with the same person who submitted ID documents, over the past few years they have adopted biometric verification, asking prospective users to provide a photo with their ID, a short video of themselves or both.
Given that many of these platforms are accepting fiat payments from bank accounts of their clients to let them buy crypto with their local currencies (acting as so-called fiat on-ramps), they also process users’ banking information, and in some cases tax IDs, too.
Such platforms collect their users’ home addresses, phone numbers, employment information, banking details, photos of their IDs and photos and/or videos of their faces. In addition, platforms can see the entire history of their users’ trades, cryptocurrency addresses they use to deposit and withdraw funds and any transactions related to them on public blockchains.
Platforms also routinely gather technical information about the devices users are logging in from, including operating systems, browser details, IP addresses and the location and time zone settings of computers and phones their clients use to trade.
This is a pretty typical set of data more or less any regulated crypto service would process and store. However, they differ in the amount of data they store, how they protect users’ privacy and how much they disclose about such practices.
The companies explain in their privacy policies that they use this data to provide quality service to their clients, prevent fraud and keep customers posted about relevant news and updates. However, this abundance of personal information makes the platforms huge data banks – and, in cases of security breaches, they may become sources of massive leaks.
It’s hard to verify how companies are actually handling their users’ data. But by reading the privacy policies these companies publish on their websites, we can see how explicit and forthright they are about it.
Here are some of the issues to be mindful of.
Financial data use and storage
Crypto platforms provide varying levels of disclosure about the data they receive and store related to users’ financials. (In this article, we don’t look at the financial information platforms collect about corporate users, only about individuals.)
Most of the privacy policies CoinDesk reviewed mentioned bank account numbers and (as one would expect) trading history on the platform. Crypto lending provider BlockFi stood out with the longest list of types of banking data it collects. Exchanges Binance, BitMEX, Poloniex, and OKEx did not mention what banking data they collect at all in their privacy policies.
Paxful mentions that financial information may be stored if users send it to their trading counterparties via the chat on the platform, as Paxful keeps the chat records.
“BitMEX doesn’t operate any fiat payment gateways for its users and so does not receive credit card or other banking information in respect of its users,” explained BitMEX Communications and Content Manager Jessica Lindeman. “Instead users are able to purchase XBT or USDT through Banxa,” a payments company.
Poloniex said via spokesperson Gabriel Wang that it too “does not deal with fiat directly, so no credit card/banking info is stored on our system.”
Richard Kay, OKEx’s senior public relations manager in the U.K. and Europe, said the exchange also does not store its users’ banking information. That’s taken care of by third-party payment providers, including Coinify, MoonPay, Okcoin, Banxa, Mercuryo, Simplex and Itez, he said.
Binance told CoinDesk via a spokesperson that it actually does process banking information. “We would only process credit card or banking information when users decide to share this information with Binance, for transactional purposes, as it is not mandatory information to open an account,” the company added.

| Platform | Financial data collected, according to privacy policy |
| --- | --- |
| Bakkt (last updated Oct. 28, 2020) | Bank account number, credit card number, debit card number, details of transactions on the platform |
| Binance (last updated Jan. 12, 2022) | Transaction history |
| Bitfinex (last updated May 27, 2021) | Bank statements, bank account number |
| BitMEX (last updated Aug. 28, 2020) | Payment details, including wallet address(es) |
| Bitstamp (last updated Nov. 5, 2020) | Bank account number, bank statement and trading information |
| Bittrex (last updated Dec. 31, 2019) | Bank account and payment details, transactions data, portfolio data |
| Blockchain.com (last updated Dec. 16, 2021) | Bank account information and/or credit card details, transactions history and account balances |
| BlockFi (last updated June 15, 2021) | “Transaction Data such as cryptocurrency wallet address(es), information relating to your BlockFi account and cryptocurrency trading transactions and related information for deposits or withdrawals, credit card information (last four digits of number, expiration date, card status), credit card payment information (amount, date, frequency, status, balance), information relating to credit card transactions; Financial Data such as bank name, bank account number, bank routing number, income type, annual income amount, monthly housing expenses, information that may be received from consumer reporting agencies (e.g., credit bureau reports).” |
| Celsius (last updated October 2021) | Bank account or other financial information; records of products or services purchased, obtained, or considered, or other purchasing histories or tendencies |
| Coinbase (last updated Oct. 8, 2021) | Bank account information, payment card primary account number (PAN), transaction history, trading data, and/or tax identification. |
| Crypto.com (last updated Sept. 30, 2021) | Bank account, payment card details, virtual currency accounts, stored value accounts, amounts associated with accounts, external account details, source of funds and related documentation. |
| Deribit (undated) | Bank account statement, the address of your wallet from which you deposit/withdraw cryptocurrency into/from your account; orders, trades, positions and balances. |
| eToro (last updated May 20, 2020) | Annual income, investment portfolio, total cash and liquid assets and other details; value and currency of any deposit, withdrawal, or transaction made and the payment method. |
| FTX (last updated Dec. 23, 2021) | Bank account information, routing number, transaction history, trading data and/or tax identification, transaction information, name of the recipient and the trading amount. |
| Gemini (last updated Dec. 8, 2021) | Bank account information, routing number, trading activity, order activity, deposits, withdrawals, account balances |
| Huobi (last updated April 27, 2021) | Debit card information and/or other account information, transactions record |
| Kraken (last updated Nov. 23, 2021) | Bank account information, credit card details, details about source of funds, assets and liabilities, Office of Foreign Assets Control (OFAC) information, trading account balances, trading activity |
| LocalBitcoins (last updated June 10, 2020) | Financial information may include information related to your income, wealth, bank account information and/or tax identification, bitcoin transaction information. |
| Nexo (undated) | Not specified |
| Okcoin (last updated Dec. 18, 2020) | Bank account information, transactions data |
| OKEx (last updated Dec. 3, 2020) | Not specified |
| Paxful (undated) | Social Security number or account balances, payment history or transaction history, credit history or credit scores, trade chat messages, “which may contain financial information if you provide it to sellers” |
| Poloniex (last updated May 4, 2020) | Transactional data including records for trades, deposits, and withdraws, other session data linked to account |
| SALT (last updated Jan. 6, 2021) | Loan requests, loan amounts, loan payment information, transaction history, cryptocurrency wallet information and financial data such as bank name and account number |

Third parties with access to data
Crypto services usually need multiple partners to maintain their websites and process trades, so they have to share users’ data with those partners. Various services provide different levels of openness about which companies they share users’ data with, and about their reasons for doing so.
Some companies merely mention they might share data with third parties, while others provide names and explanations, with varying degrees of detail.
Bitfinex and BitMEX provided the longest lists of counterparties they share data with. Bitfinex lists third parties at the end of its privacy policy and BitMEX has a special page dedicated to the list of its data partners.
Europe-based platforms normally mention, among other things, if they are transferring users’ data to any places outside the EU, and how they make sure such transfers are secure. These parts of the privacy policies look pretty similar across different platforms.
Many companies separately describe their approaches for EU citizens, whose personal data since 2018 has been protected by the General Data Protection Regulation (GDPR), or for Californians, under the California Consumer Privacy Act (CCPA). Some platforms also specify their treatment of residents of Vermont, which has its own local privacy laws.
We won’t delve into those sections in this article, as they’re largely relevant only to residents of these particular areas, but if you are one, check if your crypto service notes anything important for you.

| Crypto exchange | Third parties with access to data |
| --- | --- |
| Bakkt (last updated Oct. 28, 2020) | Service providers and/or data processors, counterparties in transactions, financial institutions and credit bureaus, other third parties |
| Binance (last updated Jan. 12, 2022) | Subsidiaries or affiliates, third-party service providers and others. |
| Bitfinex (last updated May 27, 2021) | Bitrefill, Chainalysis, Celsius Network, getResponse, happyCOINS, hCaptcha, Mercuryo, OWNR WALLET, WorldCheck, Twilio, Simplex, Zendesk. (This list does not include banks to which personal information is transferred for payment purposes in accordance with international banking practice.) |
| BitMEX (last updated Aug. 28, 2020) | Companies belonging to HDR Group (BitMEX parent company), Amazon Web Services, Google ReCAPTCHA, Yubikey, Jumio, Freshdesk, Segment.io, Sentry.io, Google Analytics, SendGrid, Pagerduty, Solarwinds, Intercom, Onfido. “Personal data may be shared with third party participants in our affiliate programme (or any other successor or parallel programme of a similar nature) who referred you to our site (so they can track successful referrals), and partners for promotions or service integrations. Information on historical trades may also be shared with other trading platforms and exchanges. Personal data may be shared with courts or public authorities if required as described above, mandated by law or regulation, or required for the legal protection of our or third party legitimate interests, in compliance with applicable laws and regulations, and relevant / competent public authorities’ requests.” |
| Bitstamp (last updated Nov. 5, 2020) | “May share information with credit reference agencies, anti-fraud databases, screening agencies and other partners we do business with.” “With respect to US residents, we also may share your information with other financial institutions, as authorized under Section 314(b) of the US Patriot Act, and with tax authorities, including the US Internal Revenue Service, pursuant to the Foreign Account Tax Compliance Act (“FATCA”), to the extent that this statute may be determined to apply to Bitstamp.” |
| Bittrex (last updated Dec. 31, 2019) | Suppliers and external agencies, subsidiaries, associates and agents, regulators, law enforcement agencies and other authorities, consultants, bankers, professional indemnity insurers, brokers and auditors; “other organizations where exchange of information is for the purpose of fraud protection or credit risk reduction,” debt recovery agencies. |
| Blockchain.com (last updated Dec. 16, 2021) | Affiliates, cloud service providers, fraud detection service, spam and abuse detection providers |
| BlockFi (last updated June 15, 2021) | Affiliates, BlockFi Rewards Visa Signature Card partners, service providers. |
| Celsius (last updated October 2021) | Subsidiaries, affiliated companies, subcontractors and other third-party service providers, business partners (such as GEM, Coinify, Simplex and Wyre), auditors or advisers, “any potential purchasers or third party acquirer(s) of all or any portion of our business or assets, or investors in the company.” |
| Coinbase (last updated Oct. 8, 2021) | Jumio, SolarisBank AG, Sift Science, Plaid, Paysafe, other financial institutions and service providers. |
| Crypto.com (last updated Sept. 30, 2021) | Service providers, agents, subcontractors and other associated organizations, affiliates |
| Deribit (undated) | Cloud service providers, software suppliers, affiliates |
| eToro (last updated May 20, 2020) | Affiliates, advisors, vendors, consultants and other service providers, such as payment service providers, IT hosting companies, banks, other financial institutions and credit reference agencies |
| FTX (last updated Dec. 23, 2021) | Service providers, business partners, NFT partners, affiliates, advertising partners |
| Gemini (last updated Dec. 8, 2021) | Service providers, affiliates, advisers |
| Huobi (last updated April 27, 2021) | Affiliates and partners |
| Kraken (last updated Nov. 23, 2021) | Affiliates, subsidiaries, service providers and business partners |
| LocalBitcoins (last updated June 10, 2020) | Onfido, Jumio, Google, Sentry.io, SendGrid Inc, Nexmo, Twilio, TM4B; auditors, lawyers, accountants, consultants and other professional advisors, external services or authorities |
| Nexo (undated) | “Hosting partners and other parties who assist us in operating our website, conducting our business, or serving our users, so long as those parties agree to keep this information confidential.” |
| Okcoin (last updated Dec. 18, 2020) | Affiliates, service providers and other third parties, “entities in connection with any financing, acquisition or dissolution proceedings.” |
| OKEx (last updated Dec. 3, 2020) | Not disclosed |
| Paxful (undated) | Service providers, data processors, other parties to transactions, such as sellers, financial institutions, affiliates |
| Poloniex (last updated May 4, 2020) | Affiliates, advertisement and other business partners, service providers. |
| SALT (last updated Jan. 6, 2021) | Subsidiaries and affiliates, contractors, service providers, including those providing ID verification, consulting, sales, client support operations, payment processing and technical support or services; financial institutions. |

Data gathered from third parties
To make sure they know enough about their users, platforms gather information about them from outside sources, meaning they might know much more about you than you yourself told them.
This might include companies affiliated with the platform via common owners; third-party providers of identity verification and other technology; banks; government organizations; social networks and other sources.
Out of the 24 platforms in our list, Gemini, founded by Cameron and Tyler Winklevoss, seems to have the most exhaustive list of outside sources of information it’s gathering about users.
Many companies mention they might look you up in anti-fraud databases, public court documents, sanctions lists, and also ask credit bureaus and various government bodies about you.

| Crypto exchange | Data gathered from third parties |
| --- | --- |
| Bakkt (last updated Oct. 28, 2020) | “We also collect information about you from third parties, such as money laundering and fraud prevention information providers, marketing agencies, identity and creditworthiness verification services, and analytics and information providers. We may combine information we collect about you with information from third parties.” |
| Binance (last updated Jan. 12, 2022) | “We may receive information about you from other sources such as credit history information from credit bureaus.” |
| Bitfinex (last updated May 27, 2021) | Not specified |
| BitMEX (last updated Aug. 28, 2020) | “We receive personal data from partners when they refer you to us (for example, we receive data about the service you used, and that referred you). We will receive confirmation from Yubico Cloud that you have successfully authenticated using a Yubikey registered with that service. Third parties may monitor the Web on our behalf, for example looking for stolen usernames and passwords. Our communications service provider may also enable us to learn more about your social media presence, in order for us to send you more personalised communications. Finally, some authorities or other persons seeking access to information about users may provide information about the circumstances of their request, and about the individuals of interest.” |
| Bitstamp (last updated Nov. 5, 2020) | “We may collect Personal Data from third-party partners and public sources, which include: Reputational information; Financial information; Business activities of corporate customers.” |
| Bittrex (last updated Dec. 31, 2019) | “Analytic providers such as Google Analytics; advertising networks; search information providers. Identity, Contact, AML / KYC Data from publicly available sources such as public court documents, the corporate registrars with the U.S. and other jurisdictions, and from electronic data searches, online KYC search tools (which may be subscription or license based), anti-fraud databases and other third party databases, sanctions lists, outsourced third-party KYC providers and from general searches carried out via online search engines (e.g. Google).” |
| Blockchain.com (last updated Dec. 16, 2021) | Affiliates, banks or payment processors, advertising or analytics providers. “Banks or payment processors that you use to transfer fiat currency may provide us with basic Personal Data, such as your name and address, as well as, your bank account information. Advertising or analytics providers may provide us with anonymised information about you, including but not limited to, how you found our website.” |
| BlockFi (last updated June 15, 2021) | “May include, but are not limited to, public databases, credit bureaus, identity verification partners, resellers and channel partners, joint marketing partners, advertising networks and analytics providers, social media platforms, and our BlockFi Rewards Visa Signature Card partner.” |
| Celsius (last updated October 2021) | “Our affiliates, our service providers, or our affiliates’ service providers; public websites or other publicly accessible directories and sources, including bankruptcy registers, tax authorities, governmental agencies and departments, and regulatory authorities; and/or from credit reporting agencies, sanctions screening databases, or from sources designed to detect and prevent fraud or financial crimes.” |
| Coinbase (last updated Oct. 8, 2021) | Companies affiliated with Coinbase, public databases, credit bureaus, ID verification partners, joint marketing partners and resellers, advertising networks and analytics providers, public blockchains. |
| Crypto.com (last updated Sept. 30, 2021) | “Fraud and crime prevention agencies, a customer referring you, public blockchain, publicly available information on the Internet (websites, articles etc.).” |
| Deribit (undated) | Not specified |
| eToro (last updated May 20, 2020) | “May include, for example, identity verification agencies, credit referencing agencies and similar bodies. We may also collect information about you from third parties, when you use or connect to eToro by or through a third party platform, such as Facebook or another site, you allow us to access and/or collect certain information from your Third Party Platform profile/account as permitted by the terms of the agreement and your privacy settings with the third party platform. We will share such information with the third party platform for their use.” |
| FTX (last updated Dec. 23, 2021) | “We may also use Google Analytics and other service providers to collect information regarding visitor behavior and visitor demographics on our Services… We may use Plaid Technologies, Inc. (‘Plaid’), as a vendor to collect information about you… if you access our Services through a third-party application, such as an app store, a third-party login service, or a social networking site, we may collect information about you from that third-party application that you have made public via your privacy settings. Information we collect through these services may include your name, your user identification number, your user name, location, gender, birth date, email, profile picture, and your contacts stored in that service.” |
| Gemini (last updated Dec. 8, 2021) | “Identification Information, such as name, email, phone number, postal address, government identification numbers (which may include Social Security Number or equivalent, driver’s license number, passport number); Financial Information, such as bank account information, routing number; Transaction Information, such as public blockchain data (bitcoin, ether, and other Digital Assets are not truly anonymous). Credit and Fraud Information, such as credit investigation, credit eligibility, identity or account verification, fraud detection, or as may otherwise be required by applicable law; and additional Information.” |
| Huobi (last updated April 27, 2021) | Not specified |
| Kraken (last updated Nov. 23, 2021) | Banks: name, address, bank account details. Users’ business partners: name, address, financial. Advertising networks, analytics providers, search information providers: anonymized or de-identified information on how you found website. “Credit agencies do not provide us with any personal information about you, but may be used to corroborate the information you have provided to us.” |
| LocalBitcoins (last updated June 10, 2020) | Not specified |
| Nexo (undated) | Not specified |
| Okcoin (last updated Dec. 18, 2020) | Not specified |
| OKEx (last updated Dec. 3, 2020) | Not specified |
| Paxful (undated) | Service providers and data processors, affiliates, “third-parties who may help us verify identity, prevent fraud, and protect the security of transactions,” “third-parties who may help us evaluate your creditworthiness or financial standing,” “third-parties who may help us analyze Personal Data, improve the Website or the Services or your experience on it, market products or services, or provide promotions and offers to you,” social media platforms |
| Poloniex (last updated May 4, 2020) | “We may obtain Personal Data about you from other sources, including through third party services such as sanctions screening services and other organizations to supplement information provided by you.” |
| SALT (last updated Jan. 6, 2021) | Google Analytics, Full Story. Public databases and ID verification partners, public blockchains: “Such information may include your name, address, job role, public employment profile, credit history, status on any sanctions lists maintained by public authorities, and other relevant data.” “We may analyze public blockchain data to ensure parties utilizing our services are not engaged in illegal or prohibited activity under our Terms, and to analyze transaction trends for research and development purposes.” |

Reasons to share data with government agencies
Major crypto exchanges these days are closely watched by regulators around the world and often asked to disclose information about their users when the authorities suspect wrongdoing, from tax evasion to money laundering.
“The companies that collect that information can – and often do – share that personal information with governments, even when the government has not gotten a warrant to collect that information,” said Marta Belcher, a cryptocurrency and civil liberties attorney.
A silver lining is that more and more companies are disclosing how many requests from authorities they get.
“What it really comes down to is whether companies are going to stand up for their users, and whether they are going to be transparent about the requests they receive from governments and whether they voluntarily turn that information over,” Belcher said.
The most famous (or infamous) precedent of a government body reaching for a trove of crypto exchange users’ data was the U.S. Internal Revenue Service (IRS) getting access to information on about 13,000 U.S. users of Coinbase in 2018. The move was preceded by a long court fight between the exchange and the IRS, which initially wanted data about 500,000 users.
The way a company describes its reasons for answering questions from governments matters, said Peter Van Valkenburg, director of research at Coin Center, an industry think tank.
“Do they need a warrant or subpoena, or they’re happy to answer even without the warrant from the judge?” Van Valkenburg said.
Out of 24 companies CoinDesk looked at, 13 mentioned subpoenas and court orders in their privacy policies among reasons to cooperate with the requests from government agencies and law enforcement. However, not all companies claim to require such a formal request before handing over customer information.
Blockchain.com, an exchange and crypto wallet provider, says it would insist that authorities present “a court order, or equivalent proof that they are statutorily authorised to access your data.” By contrast, eToro says it would provide information “to assist regulatory, cybercrime, data and information protection agencies and police with their enquiries and enforcement, even if not compelled to do so.”
Bitfinex dedicated a separate page on its website to explain how it approaches requests from law enforcement bodies.
Ultimately, it’s hard to predict how a particular platform would act in a real-life situation when a regulatory body is knocking on its door, or how evolving crypto regulation around the world could change the rules of the game in years to come. But the way platforms describe their approach might give some clues about what you can possibly expect.

| Crypto exchange | Reasons to share data with government agencies |
| --- | --- |
| Bakkt (last updated Oct. 28, 2020) | “Complying with our policies and obligations, including but not limited to, disclosures made in response to any requests from law enforcement authorities and/or regulators in accordance with any applicable law, rule, regulation, judicial or governmental order, regulatory authority of competent jurisdiction, discovery request, advice of counsel or similar legal process.” |
| Binance (last updated Jan. 12, 2022) | “When we believe release is appropriate to comply with the law or with our regulatory obligations; enforce or apply our Terms of Use and other agreements; or protect the rights, property or safety of Binance, our users or others.” |
| Bitfinex (last updated May 27, 2021) | “When such requests are received, Bitfinex requires that it be accompanied by appropriate legal process. This can vary from place to place. For example, production orders, search warrants, freezing orders, seizure orders and subpoenas, but also requests for voluntary disclosure of data may all amount to legal process. Bitfinex reviews each order and request for voluntary disclosure to determine that it has valid legal basis and that any response is narrowly tailored to ensure that only the data and/or remedy to which law enforcement is entitled is provided. In addition, in respect of requests relating to the freezing and/or seizing of assets, Bitfinex requires that the request (i) follows the relevant local jurisdiction’s legal process and (ii) contains all necessary instructions, including, where applicable, the duration of the freeze.” |
| BitMEX (last updated Aug. 28, 2020) | “Mandated by law or regulation, or required for the legal protection of our or third party legitimate interests, in compliance with applicable laws and regulations, and relevant / competent public authorities’ requests.” |
| Bitstamp (last updated Nov. 5, 2020) | “We may share your Personal Data with law enforcement, data protection authorities, government officials and other authorities when: Compelled by court order or other legal procedure; Disclosure is necessary to report suspected illegal activity; or Disclosure is necessary to investigate violations of this Privacy Policy or our Terms of Use.” |
| Bittrex (last updated Dec. 31, 2019) | “To comply with any legal obligation, judgment or under an order from a court, tribunal or authority.” |
| Blockchain.com (last updated Dec. 16, 2021) | “We shall require any third-party, including without limitation, any government or enforcement entity, seeking access to the data we hold to a court order, or equivalent proof that they are statutorily authorised to access your data and that their request is valid and within their statutory or regulatory power.” |
| BlockFi (last updated June 15, 2021) | “Comply, as necessary, with applicable laws and regulatory requirements; Respond to legal or governmental requests or demands for information (e.g., subpoena, court order, or other legal proceedings); and meet national security requirements.” |
| Celsius (last updated October 2021) | “To comply with any applicable law, regulation, legal process or governmental request.” |
| Coinbase (last updated Oct. 8, 2021) | “When we are compelled to do so by a subpoena, court order, or similar legal procedure, or when we believe in good faith that the disclosure of personal information is necessary to prevent physical harm or financial loss, to report suspected illegal activity, or to investigate violations of our User Agreement or any other applicable policies.” |
| Crypto.com (last updated Sept. 30, 2021) | “Where the law allows or requires us to do so.” |
| Deribit (undated) | “We may provide your personal data to competent authorities upon their request to the extent legally required or to the extent necessary to defend our rights in legal proceedings or investigations.” |
| eToro (last updated May 20, 2020) | “To comply with court orders, mandatory dispute resolution determinations and mandatory government authority or law enforcement orders or directions; to assist regulatory, cybercrime, data and information protection agencies and police with their enquiries and enforcement, even if not compelled to do so.” |
| FTX (last updated Dec. 23, 2021) | “To comply with law enforcement or national security requests and legal process, such as a court order or subpoena; protect your, our or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual illegal activity.” |
| Gemini (last updated Dec. 8, 2021) | “In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access your Personal Information.” |
| Huobi (last updated April 27, 2021) | “In compliance with laws, regulations, rules and regulations or orders from courts of law or other competent authorities.” |
| Kraken (last updated Nov. 23, 2021) | “To comply with any applicable laws and regulations, subpoenas, court orders or other judicial processes, or requirements of any applicable regulatory authority.” |
| LocalBitcoins (last updated June 10, 2020) | “When such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests and/or the vital interests of a third-party.” |
| Nexo (undated) | Not specified |
| Okcoin (last updated Dec. 18, 2020) | “To comply with any law, court order, subpoenas or government requests.” |
| OKEx (last updated Dec. 3, 2020) | “To comply with government agencies, including regulators, law enforcement and/or justice departments.” |
| Paxful (undated) | “In response to a request by a government agency, such as law enforcement authorities or a judicial order.” |
| Poloniex (last updated May 4, 2020) | “To comply with any law, subpoenas, court orders, or government request, defend against claims, investigate or bring legal action against illegal or suspected illegal activities, enforce our Terms, or to protect the rights, safety, and security of us, our users, or the public.” |
| SALT (last updated Jan. 6, 2021) | “To comply with any court order, law, regulatory requirement or legal process, including to respond to any government or regulatory request.” |

Data retention
Another thing to pay attention to is how long your data is stored on the exchange’s servers after you’re no longer a client. Such disclosures often are put under the title “data retention” in privacy policies.
In most cases, it would take platforms about five years to erase your data after you part ways, but most also note that due to some specific reasons, like an ongoing investigation, they can keep your data longer.
Among the 24 companies, Bittrex and Bitstamp mention the longest possible time for keeping users’ data, with each saying it might store information for up to 10 years after an account is deleted.
Bitstamp appeared to be the only company among the 24 that said it destroys biometric data as soon as account verification is complete.
Coinbase and LocalBitcoins provided the most detailed descriptions of how long they keep various kinds of data. LocalBitcoins also specified that the information of users who never actually used the platform to trade will be stored for a much shorter time than that of active users: up to 13 months compared to five years.
Crypto exchange: Data gets erased after…

Bakkt (last updated Oct. 28, 2020): Not specified

Binance (last updated Jan. 12, 2022): Not specified

Bitfinex (last updated May 27, 2021): Not specified

BitMEX (last updated Aug. 28, 2020): 6 years from the last interaction

Bitstamp (last updated Nov. 5, 2020): Biometric data destroyed immediately after completion of ID verification process.
Other information: stored at least 5 years after account deletion, “in some cases up to ten years, as required by applicable law.”

Bittrex (last updated Dec. 31, 2019): 7-10 years after account deletion

Blockchain.com (last updated Dec. 16, 2021): 5 years or longer after deletion

BlockFi (last updated June 15, 2021): Not specified

Celsius (last updated October 2021): Not specified

Coinbase (last updated Oct. 8, 2021): “Personal information collected to comply with our legal obligations under financial or anti-money laundering laws may be retained after account closure for as long as required under such laws.
Contact Information such as your name, email address and telephone number for marketing purposes is retained on an ongoing basis until you unsubscribe. Thereafter we will add your details to our suppression list to ensure we do not inadvertently market to you.
Content that you post on our website such as support desk comments, photographs, videos, blog posts, and other content may be kept after you close your account for audit and crime prevention purposes (e.g. to prevent a known fraudulent actor from opening a new account).
Recording of our telephone calls with you may be kept for a period of up to six years.
Information collected via technical means such as cookies, webpage counters and other analytics tools is kept for a period of up to one year from expiry of the cookie.”

Crypto.com (last updated Sept. 30, 2021): 5 years after account deletion.
“Email addresses and content, chats, letters will be kept up to 6 years following the end of our relationship, in accordance with the limitation period applicable in the Cayman Islands.”

Deribit (undated): 5 years or longer after account deletion

eToro (last updated May 20, 2020): Not specified

FTX (last updated Dec. 23, 2021): Not specified

Gemini (last updated Dec. 8, 2021): Not specified

Huobi (last updated April 27, 2021): Not specified

Kraken (last updated Nov. 23, 2021): 5 years or longer after account deletion

LocalBitcoins (last updated June 10, 2020): “For all users who have deleted their account:
Personally-identifiable analytics data is removed 14 days after account deletion.
Notification data is not generally stored by our processors but they may retain activity logs for a short period of time (this time varies depending on the processor in question but is not greater than 13 months).
For users who have not conducted or initiated any trades or bitcoin transactions to their wallet, we will delete all personal data 14 days after the approval of your account deletion request.
For users who have conducted or initiated any trades or sent or received any bitcoin transactions using their wallet and whose account deletion request has been approved by us, our data deletion policy is the following:
Your public profile and advertisements will be hidden 14 days after you delete your account.
Your personal identification information, formal identification information, company information, financial and employment information, trade information, technical information and communication information will be deleted 5 years after you delete your account.
Bitcoin transaction information from our internal systems will be removed 5 years after you delete your account, with the exception of publicly available information on the Bitcoin blockchain.”

Nexo (undated): Not specified

Okcoin (last updated Dec. 18, 2020): Not specified

OKEx (last updated Dec. 3, 2020): Not specified

Paxful (undated): Not specified

Poloniex (last updated May 4, 2020): Not specified

SALT (last updated Jan. 6, 2021): Not specified
Data protection
There is no universal standard for disclosing data security measures among crypto services: Some of them just say they take technological and organizational measures to ensure your information is safe, while others mention specific tech solutions, rules of access to their data centers and other steps.
Data security is a complex task, and to prevent attacks, companies in most cases refrain from fully disclosing the details and specifics of their data security systems, so as not to tip their hands to potential attackers.
In this sense, these disclosures serve not so much as attestations of platforms’ actual security level, but more as a demonstration of how straightforward and diligent they are in talking to users about privacy and security.
“If the company doesn’t outline how they protect user data, it is a red flag,” said Lili Rhodes, senior mining analyst at Compass Mining, a bitcoin mining firm in the U.S. “Users do not know how this company will safeguard their data in the event of a breach.”
Crypto exchange: Data protection measures

Bakkt (last updated Oct. 28, 2020): “Bakkt has implemented administrative, physical and technical safeguards designed to protect your Personal Information.”

Binance (last updated Jan. 12, 2022): “We work to protect the security of your personal information during transmission by using encryption protocols and software. We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of your personal information.”

Bitfinex (last updated May 27, 2021): “Internally, only people with a business need to know Personal Information, or whose duties reasonably require access to it, are granted access to customers’ Personal Information. Such individuals will only process your Personal Information on our instructions and are subject to a duty of confidentiality. We audit our personal compliance regularly.”
“The Site’s systems and data are reviewed periodically to ensure that you are getting a quality service and that leading security features are in place. We have put in place procedures to deal with any actual or suspected data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.”

BitMEX (last updated Aug. 28, 2020): Not specified

Bitstamp (last updated Nov. 5, 2020): “…security measures include, but are not limited to:
Password protected directories and databases; Secure Sockets Layered (SSL) technology to ensure that your information is fully encrypted and sent across the Internet securely; and PCI Scanning to actively protect our servers from hackers and other vulnerabilities.
All financially sensitive and/or credit information is transmitted via SSL technology and encrypted in our database. Only authorised Bitstamp personnel are permitted access to your Personal Data, and these personnel are required to treat the information as highly confidential.”

Bittrex (last updated Dec. 31, 2019): “We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.”

Blockchain.com (last updated Dec. 16, 2021): “We protect Personal Data with appropriate physical, technological and organisational safeguards and security measures. Your Personal Data comes to us via the internet which chooses its own routes and means, whereby information is conveyed from location to location. We audit our procedures and security measures regularly to ensure they are being properly administered and remain effective and appropriate. Every member of Blockchain is committed to our privacy policies and procedures to safeguard Personal Data. Our site has security measures in place to protect against the loss, misuse and unauthorised alteration of the information under our control. More specifically, our server uses TLS (Transport Layer Security) security protection by encrypting your Personal Data to prevent individuals from accessing such Personal Data as it travels over the internet.”

BlockFi (last updated June 15, 2021): “We seek to protect non-public Personal Information that is provided to BlockFi by third parties and you by implementing physical and electronic safeguards. Where we believe appropriate, we employ firewalls, intrusion prevention, encryption technology, user authentication systems (i.e. passwords and personal identification numbers) and access control mechanisms to control access to systems and data. We endeavor to engage service providers that have security and confidentiality policies, if such service providers have access to our client’s Personal Information. We instruct our employees to use strict standards of care in handling the personal financial information of clients. As a general policy, our staff will not discuss or disclose information regarding an account except with authorized personnel of our service providers, as required by applicable law and regulatory requirements law or, pursuant to a regulatory request and/or authority.
Despite our efforts to protect the security of your information, no security system is always effective and we cannot guarantee that our systems will be completely secure.”

Celsius (last updated October 2021): “We will take reasonable steps and use technical, administrative and physical security measures appropriate to the nature of the information and that comply with applicable laws to protect Personal Information against unauthorized access and exfiltration, acquisition, theft, or disclosure.”

Coinbase (last updated Oct. 8, 2021): “We work to protect the security of your personal information during transmission by using encryption protocols and software. We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of your personal information.
For example, we use computer safeguards such as firewalls and data encryption, we enforce physical access controls to our buildings and files, and we authorize access to personal information only for those employees who require it to fulfill their job responsibilities. Full credit card data is securely transferred and hosted off-site by payment vendors like Worldpay, (UK) Limited, Worldpay Limited, or Worldpay AP Limited (collectively ‘Worldpay’) in compliance with Payment Card Industry Data Security Standards (PCI DSS).”

Crypto.com (last updated Sept. 30, 2021): “- Organisational measures (including but not limited to staff training and policy development);
- Technical measures (including but not limited to physical protection of data, pseudonymization and encryption); and
- Securing ongoing availability, integrity, and accessibility (including but not limited to ensuring appropriate back-ups of personal data are held).”

Deribit (undated): “We will adopt appropriate technical and organisational measures to ensure that all the information is correct, current and complete and to prevent it from being accessed by unauthorised persons inside and outside our organisation. We use ‘best practices’ to secure your personal data. For instance, your personal data is encrypted with Secure Sockets Layered (SSL) technology and our directories and databases are password protected.”

eToro (last updated May 20, 2020): “We protect your personal information by using data security technology and using tools such as firewalls and data encryption. We also require that you use a personal username and password every time you access your account online. As set out in the relevant eToro Entity’s terms and conditions, terms of business and/or terms of use, you must not share your password with anyone else. We restrict access to personal information at our offices so that only officers and/or employees with a legitimate business purpose can access it.”

FTX (last updated Dec. 23, 2021): “We take steps to ensure that your information is treated securely and in accordance with this Privacy Policy.”

Gemini (last updated Dec. 8, 2021): “Measures we take may include encryption of the Gemini website communications with SSL; required two-factor authentication for all sessions; periodic review of our Personal Information collection, storage, and processing practices; and restricted access to your Personal Information on a need-to-know basis for our employees, contractors and agents who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.”

Huobi (last updated April 27, 2021): “(1) Physical measures: Records containing Your personal data will be stored in a properly locked place.
(2) Electronic measures: Computer data containing Your personal information will be stored in computer systems and storage media that are subject to strict log-in restriction.
(3) Management measures: We have set up an internal safety defense department to protect the users’ information, established relevant internal control systems, and adopted the principle of strict authorization for our employees who may come into contact with Your information; therefore, only properly authorized employees are permitted to come into contact with Your personal information and such employees must comply with our internal confidentiality rules for personal data. Furthermore, we provide sustained training to our staff on relevant laws and regulations, privacy and safety guidelines, enhance publicity and education on safety awareness, and organize our relevant internal personnel to carry out emergency response training and emergency drills on a regular basis, so as to enable them to fully understand their job duties and emergency response strategies and procedures.
(4) Technical Measures: encryption technology such as Secure Socket Layer Encryption may be adopted to transfer Your personal data.
(5) Security Measures: In order to ensure Your information security, we are committed to using various currently available general security technologies and supporting management systems to minimize the risks that Your information may be disclosed, damaged, misused, accessed without authorization, disclosed without authorization or altered. For example, the Secure Socket Layer (SSL) software is used for encrypted transmission, encrypted information storage and strict restriction of data center access. When transmitting and storing sensitive personal information (including personal biometric information), we will adopt security measures such as encryption, authority control, removal of identification marks, and de-sensitization, inter alia.
(6) Other measures: We regularly review our personal data collection, storage and processing procedures; furthermore, we limit the access of our employees and suppliers to Your data in accordance with the principle of “as necessary”, and our employees and suppliers must abide by strict contractual confidentiality obligations.”

Kraken (last updated Nov. 23, 2021): “We regularly train and raise awareness for all our employees to the importance of maintaining, safeguarding and respecting your personal information and privacy. We regard breaches of individuals’ privacy very seriously and will impose appropriate disciplinary measures, including dismissal from employment. We have also appointed a Group Data Protection Officer, to ensure that our Company manages and processes your personal information in compliance with the applicable privacy and data protection laws and regulations, and in accordance with this Privacy Notice…
Securely stored in a safe location, and only authorised personnel have access to it via a username and password. All personal information is transferred to the Company over a secure connection, and thus all reasonable measures are taken to prevent unauthorised parties from viewing any such information.”
“The Company uses encryption to protect your information and store decryption keys in separate systems.”

LocalBitcoins (last updated June 10, 2020): Not specified

Nexo (undated): “Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the information confidential. In addition, all sensitive/credit information you supply is encrypted via Secure Socket Layer (SSL) technology.”

Okcoin (last updated Dec. 18, 2020): “We take various measures to ensure information security, including encryption of the Okcoin communications with SSL; required two-factor authentication for all sessions; periodic review of our Personal Data collection, storage, and processing practices; and restricted access to your Personal Data on a need-to-know basis for our employees and vendors who are subject to strict contractual confidentiality obligations.”

OKEx (last updated Dec. 3, 2020): “We take various measures to ensure information security, including encryption of the OKEx communications with SSL; required two-factor authentication for all sessions; periodic review of our Personal Data collection, storage, and processing practices; and restricted access to your Personal Data on a need-to-know bases for our employees and vendors who are subject to strict contractual confidentiality obligations.”

Paxful (undated): “Paxful has implemented safeguards designed to protect your Personal Data, including measures designed to prevent Personal Data against loss, misuse, and unauthorized access and disclosure.”

Poloniex (last updated May 4, 2020): “We use industry-standard data encryption technology and have implemented restrictions related to the storage of and the ability to access your Personal Data. Our servers and business operations are entirely located in the United States.”

SALT (last updated Jan. 6, 2021): “All information you provide to us is stored on our secure servers behind firewalls. Any payment transactions will be encrypted.”
What about data breaches?
What if security measures fail and the platform where you’re trading is breached? We checked the privacy policies for indications of whether these companies pledge to disclose security breaches and data leaks to their users.
Note that the answer “No” in the table does not mean the platform won’t tell you if it gets hacked; it means it doesn’t explicitly promise to do so if that happens.
A spokesperson for Nasdaq-listed Coinbase noted that many jurisdictions have rules about disclosing breaches to customers, which the crypto exchange follows, and that disclosing everything the company does to comply with laws would make a privacy policy an unwieldy read.
Crypto exchange: Promise to notify about data breaches?
Bakkt (last updated Oct. 28, 2020): No
Binance (last updated Jan. 12, 2022): No
Bitfinex (last updated May 27, 2021): “Where we are legally required to do so”
BitMEX (last updated Aug. 28, 2020): No
Bitstamp (last updated Nov. 5, 2020): No
Bittrex (last updated Dec. 31, 2019): “Where we are legally required to do so.”
Blockchain.com (last updated Dec. 16, 2021): No
BlockFi (last updated June 15, 2021): No
Celsius (last updated October, 2021): No
Coinbase (last updated Oct. 8, 2021): No
Crypto.com (last updated Sept. 30, 2021): “Where we are legally required to do so”
Deribit (undated): No
eToro (last updated May 20, 2020): No
FTX (last updated Dec. 23, 2021): “We may attempt to notify you electronically by posting a notice on the Services, by mail or by sending an e-mail to you.”
Gemini (last updated Dec. 8, 2021): No
Huobi (last updated April 27, 2021): No
Kraken (last updated Nov. 23, 2021): No
LocalBitcoins (last updated June 10, 2020): No
Nexo (undated): No
Okcoin (last updated Dec. 18, 2020): No
OKEx (last updated Dec. 3, 2020): No
Paxful (undated): No
Poloniex (last updated May 4, 2020): No
SALT (last updated Jan. 6, 2021): No
Privacy policies are not the most exciting reads (no comparison to price charts and market analytics). But if you want to check them yourself and see how the platforms you use treat your sensitive information, below you’ll find links to all the privacy policy pages CoinDesk reviewed for this story.
As they say: don’t trust, verify.
Privacy policies reviewed by CoinDesk
Bakkt
Binance
Bitfinex
BitMEX
Bitstamp
Bittrex
Blockchain.com
BlockFi
Celsius
Coinbase
Crypto.com
Deribit
eToro
FTX
Gemini
Huobi
Kraken
LocalBitcoins
Nexo
Okcoin
OKEx
Paxful
Poloniex
SALT