1. Overview
This Privacy Policy explains how GADUIN Holdings Ltd. (the “Company”, “GADUIN”, “we”, “us”, “our”) collects, uses, shares and retains personal data when you visit our website, use the GADUIN platform (the “Platform”) or otherwise interact with us. It applies to all users worldwide.
We are the controller of your personal data for the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the equivalent regimes in the United Kingdom, Switzerland, Brazil and other jurisdictions with comparable protections.
2. Data We Collect
2.1 Account data
When you create an account we collect your email address, the timestamp of registration, an account identifier we generate for you, the locale and timezone of your client, the country you select during onboarding, and — for business accounts — the legal entity name and the company registration number you provide.
2.2 Identity and compliance data
Where required by law or our risk-based KYC programme, we may request additional information including legal name, date of birth, government-issued identification numbers, identity documents, source-of-funds information and proof of address. Identity documents are processed by a vetted third-party verification provider and we retain only the verification result and a redacted reference.
2.3 Trading and wallet data
We record every order, trade, deposit, withdrawal, market settlement and balance change associated with your account. For on-chain transactions we additionally record the blockchain network, transaction hash, source/destination address and the timestamp of confirmation.
2.4 Device and connection data
We log the IP address used to access the Platform, the user-agent string, the country and timezone derived from the IP, and the timestamp of each request. We also process a short-lived bot-protection challenge issued by our content delivery partner; the challenge does not identify you individually.
2.5 Cookies and similar technologies
We use a small number of cookies and equivalent storage mechanisms: a session cookie that keeps you signed in, a locale cookie that remembers your language choice, and an anonymised analytics identifier issued by PostHog. We do not use third-party advertising cookies and we do not load cross-site trackers.
3. Why We Process Your Data
We process your personal data for the following purposes:
- To provide the Platform — authenticate you, execute and settle your trades, custody your USDT balance, and pay out winnings (Art. 6(1)(b) GDPR — performance of a contract);
- To comply with our anti-money-laundering, counter-terrorist-financing, sanctions, tax-reporting and prudential obligations (Art. 6(1)(c) GDPR — legal obligation);
- To detect, investigate and prevent fraud, market abuse, security incidents and other unlawful activity (Art. 6(1)(f) GDPR — legitimate interest);
- To improve and secure the Platform — capacity planning, latency monitoring, aggregated product analytics (Art. 6(1)(f) GDPR — legitimate interest);
- To respond to your support enquiries and to send service communications (Art. 6(1)(b)/(f) GDPR).
5. International Transfers
Personal data may be transferred to, stored or processed in countries outside your country of residence, including jurisdictions that may not provide the same level of data protection as your home jurisdiction. Where we transfer personal data out of the European Economic Area or the United Kingdom we rely on Standard Contractual Clauses approved by the European Commission or the United Kingdom Information Commissioner’s Office, or another lawful transfer mechanism.
6. Retention
We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, to satisfy our legal and regulatory obligations, and to resolve disputes. Indicative retention periods are:
- Account, trading and wallet data — for the duration of the account plus seven (7) years after closure, in line with prevailing record-keeping obligations;
- Identity verification results — for the duration of the account plus five (5) years after closure;
- Connection and access logs — twelve (12) months;
- Support correspondence — twenty-four (24) months from the last interaction.
7. Your Rights
Depending on your jurisdiction, you may have the right to: access your personal data; have it rectified or erased; object to or restrict its processing; receive it in a portable format; and lodge a complaint with the supervisory authority in your country of habitual residence. We will respond to verified requests within one (1) month, extendable by two (2) further months for complex cases.
You may exercise any of these rights by emailing [email protected]. We may need to verify your identity before acting on the request.
8. Security
We take appropriate technical and organisational measures to protect your personal data, including transport-layer encryption, per-environment secrets management, role-based access controls, audited admin actions and periodic penetration testing. No system is impervious to attack; if we become aware of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the competent supervisory authority as required by law.
9. Children
The Platform is not directed at and may not be used by persons under the age of eighteen (18). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will take prompt steps to delete the information.
10. Changes to This Policy
We may amend this Privacy Policy from time to time. Material changes will be communicated to you by email or by a prominent notice on the Platform and reflected in the Last updated date above. The current version is always available at this URL.
11. Contact
Questions about this Privacy Policy or our data practices generally should be directed to [email protected].