Privacy Policy

Rules Holdings BVI Ltd. is authorized and regulated by the Financial Services Commission of the British Virgin Islands as a Virtual Asset Service Provider (VASP) under license number VASP/24/007, permitted to provide virtual asset exchange and custody services for accepted virtual assets.

We are committed to protecting your privacy and handling your personal data responsibly and in compliance with applicable data protection laws, including:

• BVI Data Protection Act 2021
• Brazilian Lei Geral de Proteção de Dados (LGPD)
• EU General Data Protection Regulation (GDPR) where applicable
• UAE Personal Data Protection Law (PDPL) where applicable

Direct Collection: Information you provide when registering, verifying your identity, making transactions, or contacting support.

Third Parties: We may receive information from:

• Identity verification providers (e.g., Sumsub)
• Sanctions and compliance screening services
• Credit reference agencies
• Regulatory authorities and law enforcement
• Public records and databases

Automatic Collection: Our servers automatically collect technical data when you access our platform through cookies, server logs, and analytics tools.

We process your personal data for the following purposes:

• Service Provision: To create and manage your account, process transactions, and provide customer support
• Legal Compliance: To comply with KYC/AML regulations, tax reporting requirements, and respond to legal requests
• Security: To detect, prevent, and investigate fraud, unauthorized access, and other illegal activities
• Communication: To send transaction confirmations, security alerts, and service updates
• Improvement: To analyze usage patterns and improve our services
• Marketing: With your consent, to send promotional materials about our products and services

We process your personal data based on one or more of the following legal grounds:

• Contract Performance: Processing necessary to provide our services to you
• Legal Obligation: Processing required to comply with applicable laws and regulations
• Legitimate Interests: Processing necessary for our legitimate business interests (e.g., fraud prevention, platform security)
• Consent: Processing based on your explicit consent (e.g., marketing communications)
• Vital Interests: Processing necessary to protect your vital interests or those of another person

We may share your information with:

• Group Companies: Our affiliates, including Kinetic (Brazil) for fiat processing
• Service Providers: Third parties who assist us in providing services (identity verification, custody, banking)
• Regulatory Bodies: Financial regulators, tax authorities, and law enforcement when required by law
• Professional Advisors: Lawyers, auditors, and consultants under confidentiality obligations

International Transfers: Your data may be transferred to countries outside your residence. We ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by relevant data protection authorities.

We implement industry-standard security measures to protect your personal data, including:

• Encryption of data in transit (HTTPS/TLS) and at rest
• Multi-factor authentication for account access
• Regular security audits and penetration testing
• Access controls and employee training
• Secure cloud infrastructure with validated security controls
• 24/7 monitoring for security threats

While we take every reasonable precaution, no system can guarantee absolute security. You are responsible for safeguarding your credentials and enabling available security features.

We retain your personal data for as long as necessary to:

• Provide our services while your account is active
• Comply with legal, regulatory, and tax obligations (typically up to 7 years after account closure)
• Resolve disputes and enforce our agreements
• Maintain records for audit and compliance purposes

When data is no longer required, we will securely delete or anonymize it in accordance with our data retention policies.

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of the personal data we hold about you
• Rectification: Request correction of inaccurate or incomplete data
• Erasure: Request deletion of your data (subject to legal retention requirements)
• Restriction: Request that we limit processing of your data
• Portability: Request your data in a structured, machine-readable format
• Objection: Object to processing based on legitimate interests
• Automated Decisions: Not be subject to decisions based solely on automated processing

Note that some rights may be limited where we have overriding legitimate interests or legal obligations.

To exercise your privacy rights or ask questions about this policy:

You may withdraw consent for marketing communications at any time using the unsubscribe link in our emails or by contacting us directly.

We use cookies and similar technologies to:

• Keep you logged in and remember your preferences
• Understand how you use our platform
• Provide security features
• Analyze and improve our services

You can manage cookie preferences through your browser settings. Note that disabling certain cookies may affect the functionality of our platform.

In the event of a data breach that poses a risk to your rights and freedoms, we will:

• Notify relevant supervisory authorities within required timeframes
• Inform affected users without undue delay
• Describe the nature of the breach and data affected
• Explain the likely consequences and measures taken
• Provide recommendations for protecting yourself

We may update this Privacy Policy from time to time. Material changes will be communicated through:

• Notices on our website
• Email notifications to registered users
• In-app announcements

We encourage you to review this policy periodically. Your continued use of our services after changes are posted constitutes acceptance of the updated policy.