This Privacy Policy applies to personal data collected through:
This Privacy Policy applies to the following individuals:
The Company is committed to compliance with applicable data protection laws, including:
Where different legal requirements apply depending on the user's jurisdiction, the Company will apply the relevant protections accordingly.
By accessing or using the Platform, users acknowledge that they have read and understood this Privacy Policy. Where required by applicable law, explicit consent may be requested for specific data processing activities.
This Privacy Policy should be read together with:
In the event of any conflict regarding data processing matters, this Privacy Policy shall prevail.
The data controller responsible for the processing of personal data is:
The Company acts as the Data Controller for all personal data processed through the Platform.
For any questions or concerns regarding this Privacy Policy or the processing of personal data, users may contact the Company at: privacy@bao.io
The Company may designate a Data Protection Officer (DPO). If a DPO is designated, their contact information will be made available on the Platform. Otherwise, privacy matters are handled by the Company's compliance and legal team.
The Company may appoint an EEA representative where required under applicable data protection laws.
Users have the right to lodge complaints with the relevant supervisory authority:
Users are encouraged to contact the Company first to resolve any concerns before filing a complaint with a supervisory authority.
The categories of personal data collected depend on how users interact with the Platform.
This information is used for account registration and user identification.
Identity verification may be required before:
Payment processing is conducted through third-party payment service providers.
This data is used for security, fraud prevention, and Platform optimization.
This data helps detect suspicious activity, unauthorized access, and potential violations of Platform rules.
This data is used for evaluation, monitoring, and fraud detection purposes.
Communications may be recorded for quality assurance and compliance purposes.
Users may withdraw consent for marketing communications at any time.
The Company may collect information from publicly accessible databases or sanctions lists. This data is used for compliance, fraud prevention, and risk management purposes.
Personal data may be collected directly from users through:
Certain data is collected automatically through:
Cookies and similar technologies may collect:
These technologies are used for functionality, security, analytics, and remembering user preferences.
The Company may monitor the following for security purposes:
This monitoring is used for detecting suspicious activity and fraud prevention.
The Company may receive data from third-party identity verification providers, including:
Payment service providers may process:
The Company receives limited confirmation data from payment providers.
Third-party analytics providers may collect:
Analytics data is generally collected in aggregated form.
The Company may collect data from public sources, including:
This data is used for compliance, fraud prevention, and risk management.
The Company processes personal data only where there is a valid legal basis for doing so.
Processing is necessary for the performance of a contract, including:
Processing may be required to comply with:
The Company may process personal data based on legitimate business interests, including:
The Company processes data for fraud prevention and security purposes, including:
Marketing communications are sent only with user consent or where permitted by law for existing customers. Users can unsubscribe from marketing communications at any time.
Where consent is the legal basis, it applies to:
Users may withdraw consent at any time without affecting the lawfulness of processing based on consent prior to withdrawal.
The Company may process data for analytics and service improvement, including:
Data used for analytics may be aggregated or anonymized.
Processing may be necessary to:
The Company may require identity verification to:
Identity verification may involve the collection and processing of:
The Company may use third-party identity verification providers for:
These providers are contractually required to maintain appropriate security and confidentiality standards.
The Company may conduct:
The Company may screen users against sanctions lists maintained by:
Access to the Platform may be restricted if a user appears on any applicable sanctions list.
If a user refuses or fails to complete identity verification, the Company may:
Identity verification data is processed in accordance with applicable data protection laws. The Company applies reasonable safeguards, limits access to authorized personnel only, and does not use verification data for unrelated purposes.
The Platform uses cookies and similar technologies. Cookies are small data files placed on a user's device, which may be set by the Company or by third parties.
Essential Cookies: Required for authentication, session management, and security.
Security Cookies: Used to detect suspicious login attempts, automated abuse, and maintain Platform integrity.
Analytics Cookies: Collect information about pages visited, time spent on the Platform, navigation patterns, and feature interactions.
Preference Cookies: Store language settings, UI preferences, and login preferences.
Marketing Cookies: Used to deliver relevant promotional content and track marketing campaign effectiveness, where permitted by law.
In addition to cookies, the Company may use:
Users can manage cookie preferences through their browser settings, including the ability to:
Disabling certain cookies may affect the functionality of the Platform.
Third-party cookies may be set by analytics providers, security monitoring services, and infrastructure providers. The Company does not control the use of cookies by third parties.
Session cookies expire when the browser is closed. Persistent cookies remain on the user's device for a defined period or until manually deleted.
The Company does not sell personal data. Personal data may be shared with third parties only in accordance with applicable data protection laws.
The Company may share personal data with service providers who assist in operating the Platform, including:
Payment processing providers may receive:
Payment providers operate under their own privacy policies.
Identity verification providers may receive:
Infrastructure and cloud providers may process technical data necessary for the operation and maintenance of the Platform. These providers are required to maintain appropriate security standards.
Analytics providers may receive:
Analytics data is typically aggregated before sharing.
The Company may disclose personal data to:
In the event of a merger, acquisition, or restructuring, personal data may be transferred as part of the business assets. The Company will take reasonable steps to protect personal data during any such transfer.
Personal data may be shared to:
The Platform is operated from Hong Kong and serves users from various jurisdictions. Personal data may be transferred to, stored in, and processed in countries other than the user's country of residence.
Data may be transferred to service providers located in multiple jurisdictions for:
For transfers of personal data outside the European Economic Area, the Company relies on:
Service providers receiving personal data are required to:
Personal data may be shared with affiliates or related entities for operational and administrative purposes.
By using the Platform, users acknowledge and accept that their personal data may be transferred internationally as described in this section.
Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected. Retention periods may be longer where required by legal obligations, ongoing disputes, contractual agreements, or security requirements.
Account information is retained for the duration of the user's relationship with the Company. After account closure, data may be retained for up to five (5) years unless a longer retention period is required by law.
Identity verification data is retained for as long as necessary for security, eligibility verification, and fraud prevention purposes. This data may be retained after account closure.
Trading and platform activity data is retained for evaluation, security, performance analysis, and dispute resolution purposes.
Communication and support records are retained for dispute resolution, service quality monitoring, and documenting user interactions.
The Company retains security-related data including:
When personal data is no longer needed, the Company will delete or anonymize it. Anonymized data, which can no longer be associated with an individual, may be retained indefinitely.
Where required by applicable law, personal data will be retained for the duration specified by such legal requirements.
Users have certain rights regarding their personal data, depending on their jurisdiction. These may include the right to access, correct, delete, or restrict the processing of personal data.
Users may request information about the categories of personal data processed, the purposes of processing, recipients of data, and retention periods. The Company may require identity verification before fulfilling an access request.
Users may request correction of inaccurate or incomplete personal data. Users may also update their information through account settings where available.
Users may request deletion of their personal data where:
The Company may retain certain data where necessary for legal, security, or contractual reasons.
Users may request restriction of processing where:
Users may request their personal data in a structured, commonly used, and machine-readable format. Where technically feasible, the Company may transfer data directly to another service provider.
Users may object to the processing of their personal data, particularly where processing is based on legitimate interests. The Company will review and respond to such objections in accordance with applicable law.
California residents have additional rights under the CCPA/CPRA, including:
The Company does not sell personal information.
Users in Hong Kong have rights under the Personal Data (Privacy) Ordinance, including:
The Company may charge a reasonable administrative fee for processing access requests.
To exercise any of the above rights, users may submit a request using the contact information provided in this Privacy Policy. Identity verification may be required before processing any request. The Company will respond within the timeframes required by applicable law.
The Company implements appropriate technical and organizational measures to protect personal data against unauthorized access, accidental loss, unauthorized disclosure, alteration, or destruction.
Technical safeguards include:
Access to personal data is limited to authorized personnel only. The Company maintains internal policies, provides employee training, and restricts data access to those with legitimate business purposes.
Third-party service providers are required to maintain appropriate security safeguards in accordance with applicable laws and industry standards.
In the event of a data breach, the Company will investigate and take steps to mitigate the impact. Where required by applicable law, the Company will notify affected users and relevant regulatory authorities.
Users are responsible for:
The Company is not responsible for security breaches resulting from user failures to protect their credentials or devices.
No system can guarantee absolute security. Transmission of data over the internet carries inherent risks, and the Company cannot ensure or warrant the security of any information transmitted to the Platform.
The Platform is intended for individuals who are at least eighteen (18) years of age. The Company does not knowingly collect personal data from individuals under the age of 18.
The Company does not solicit personal data from minors. If it is discovered that personal data has been collected from an individual under 18, the Company will take steps to delete such data promptly.
If a parent or guardian believes that a minor has provided personal data to the Company without consent, they should contact the Company. The Company will investigate and take appropriate action.
If an underage user is identified, the Company may terminate their account and remove their personal data from the Platform.
The Company reserves the right to modify this Privacy Policy to reflect changes in Platform operations, legal requirements, or data processing practices.
Users will be notified of changes through:
Users are encouraged to review this Privacy Policy periodically.
Changes to this Privacy Policy are effective upon publication unless otherwise specified. Continued use of the Platform following publication constitutes acknowledgment of the updated Privacy Policy.
The Company may retain previous versions of this Privacy Policy. Users may request access to previous versions where required by applicable law.
For any questions, concerns, or requests regarding this Privacy Policy or the processing of personal data:
Users may submit requests regarding:
Identity verification may be required before processing any data protection request.
Users have the right to lodge complaints with the relevant supervisory authority:
Users are encouraged to contact the Company first to resolve any concerns.
The Company is committed to protecting user privacy and continually reviews its data processing practices to ensure transparency, accountability, and security.