INTRODUCTION
This Privacy Policy (hereinafter referred to as the “Policy”) provides a clear and comprehensive explanation of how Axis Protocol Inc., a company incorporated under the laws of Canada under company number 2027786017, having its legal and business address at 700-602 12 AVE SW, Calgary, Alberta, T2R1J3, Canada, represented by its Director Roman Moroz (hereinafter referred to as the “Company”, “We”, or “Us”), as the data controller, processes personal data in the context of providing OTC services, meaning the direct over-the-counter trading of virtual assets with Our Customers on a principal-to-principal basis (hereinafter referred to as the “OTC”).
The Company is currently registered in Canada under company number 2027786017, which permits it to offer services involving virtual assets in accordance with applicable regulatory requirements, and is in the process of preparing to obtain a Money Services Business (hereinafter referred to as the “MSB”) authorization under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (hereinafter referred to as the “PCMLTFA”). We process personal data in strict compliance with Canadian and European data protection frameworks. This includes:
- Personal Information Protection Act (hereinafter referred to as “PIPA”);
- Personal Information Protection and Electronic Documents Act (hereinafter referred to as “PIPEDA”);
- Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter referred to as the “GDPR”);
- Directive 2002/58/EC of the European Parliament and of the Council (hereinafter referred to as the “ePrivacy Directive”).
This Policy outlines the Company’s procedures for collection, processing, storage, transfer, and security of personal data obtained in the course of delivering OTC (over-the-counter) cryptocurrency-fiat exchange Services.
We are committed to data processing practices that are transparent, proportionate, secure and which uphold Your rights at every step.
By accessing or using the Platform and/or Services, you confirm that you have read, understood, and agreed to be legally bound by this Policy, as well as by Our Terms of Use, Anti-Money Laundering and Counter-Terrorist Financing (AML/CFT) Policy, and any other applicable guidelines, policies, or documents referenced herein or communicated to you during onboarding or in the course of Your use of the Services.
If you do not agree with this Policy or any of the provisions contained within it, kindly exit this Platform and refrain from using Our Services.
If you have any questions about this Policy, please contact Us by email at officialaxisprotocol@gmail.com.
1. DEFINITIONS
1.1. “Client(s)”, or “You” – shall mean an individual with full civil capacity, or a legal entity that uses our Platform or Service and agrees to be bound by the Terms of Use.
1.2. “Data controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
1.3. “Platform” – dashboards or interfaces (if applicable), communication tools such as Telegram bots or chats, and any other means by which the Company interacts with Clients and through which Services are provided.
1.4. “Personal data” means any information relating to an identified or identifiable natural person.
1.5. “Data processing” – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.6. “Restriction of processing” is the marking of stored personal data with the aim of limiting their processing in the future.
1.7. “Data subject” means an identified or identifiable natural person. At the same time, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.8. “Service(s)” – all and any Services provided by the Company through the Platform.
1.9. “Third party” – a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
1.10. “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
1.11. “Parties” means the Company and the Client(s).
1.12. “Privacy Policy” – rules of personal data collection, storage, and use, developed following the applicable law.
1.14. “Politically exposed persons” or “PEP” – natural persons who are or who have been entrusted with prominent public functions as well as their family members or close associates of such persons.
These and other terms are used in the meanings as defined by the legislation of Canada.
2. CATEGORIES OF PERSONAL DATA WE PROCESS
2.1. To provide Our Services effectively, securely, and in full compliance with applicable data protection laws, We collect and process specific categories of personal data. These categories are tailored to the nature of Our OTC operations and aligned with legal requirements for identity verification, transaction processing, regulatory reporting, and risk management.
2.2. Identification Data
2.2.1. Used to verify Your identity and fulfill legal due diligence requirements:
- Full name, including title and any middle names;
- Citizenship;
- Date of birth and place of birth;
- Passport or other valid government-issued identity document;
- Government-issued identification (passport, national ID card);
- Personal identification number (where required).
2.3. Contact Data
2.3.1. Used for secure communication and account-related correspondence:
- Residential address details;
- Proof of residential address (e.g., recent utility bill not older than 3 months);
- Telephone number and email address.
2.4. Verification and Compliance Data
2.4.1. Obtained during onboarding and periodically throughout Our business relationship to ensure adherence to regulatory obligations:
- Proof of residential address (e.g., recent utility bill not older than 3 months);
- Declarations on the source of funds and wealth;
- Confirmation that the person does not have a Politically Exposed Person (PEP) status and has no relationship to PEPs;
- Liveness check (biometric verification).
2.5. Financial and Payment Information
2.5.1. Required to initiate, route, and complete fiat and crypto-asset transactions:
- Bank account details (e.g., IBAN, SWIFT);
- Virtual asset wallet addresses (public keys only);
- Payment instructions and references;
- Confirmation of incoming/outgoing settlements.
2.6. Details of company data:
- Full legal name;
- Organizational form;
- Email address;
- Business address and registered office address (if different);
- Tax Identification Number (TIN) or equivalent;
- Description of the primary business activity and principal place of operations;
- Legal Entity Identifier (if available);
- Official website (if available);
- The AML policies, if applicable;
- Detailed ownership and control structure, including both direct and indirect ownership;
- Register of Directors or equivalent documentation;
- Register of Shareholders or equivalent records;
- Incorporation documents (proof of the legal existence of the legal entity):
– Certificate of Incorporation; or
– Articles of Association; or
– Memorandum of Association; or
– Extract from the register.
- Proof of the legal entity’s registered address and office: A recent utility bill (e.g., electricity, water, phone), dated within the last 3 months.
2.7. Our data processing practices follow the principles of purpose limitation, data minimization, accuracy, and storage limitation, ensuring that Your information is handled with the highest level of confidentiality and care.
3. PURPOSES AND LEGAL BASIS FOR PROCESSING
3.1. We collect, use and process personal information only for purposes that are reasonable, in full compliance with Part 2 of the Personal Information Protection Act, Schedule 1 of the Personal Information Protection and Electronic Documents Act and Article 6 of the GDPR.
3.2. The primary purposes for which We process personal data, together with the corresponding legal bases are:
3.2.1. Provision of OTC Services and Contractual Performance
We use Your data to create and manage Your User account, process fiat and crypto-asset transactions, and deliver Our Services in line with the contractual relationship.
3.2.2. Protection of the vital interests of the data subjects
Our Company may process personal data to secure the protection of the vital interests of the data subject or any other natural person.
3.2.3. Fraud Prevention, Security Monitoring, and Risk Management
As a licensed and regulated Company, We process personal data to fulfill obligations arising under Article 6 (1) (c) of the GDPR and in compliance with the provisions of PIPA and PIPEDA.
3.2.4. Ensuring the security, efficiency, and lawful operation of Our Services
We may process personal data when it is necessary to support the Company’s operational, commercial, and security interests – such as preventing fraud, securing transactions, optimizing internal processes – provided such use does not infringe upon the fundamental rights and freedoms of the Client.
3.2.5. Consent-Based Processing
In certain cases — such as marketing communications, third-party integrations, and non-essential cookies — We will request Your explicit consent before processing Your data. You have the right to withdraw this consent at any time without affecting the lawfulness of prior processing.
3.3. We do not process special categories of personal data unless legally required and supported by explicit consent or another permitted exemption. Where such processing becomes necessary, We will inform you in advance and implement heightened safeguards.
3.4. All processing activities are continuously reviewed for compliance, and records are maintained in accordance with data protection accountability standards.
4. DATA RETENTION
4.1. Personal data is retained only for as long as it is necessary to fulfill the specific purposes for which it was collected, or as long as retention is legally required.
4.2. Retention periods are determined based on the nature of the data, the context in which it is processed, applicable legal or regulatory obligations, and the legitimate interests of Our Company. These interests include:
4.2.1. Ensuring the smooth delivery of OTC Services, including technical operation, transaction processing, and internal reporting;
4.2.2. Maintaining records for regulatory audits, supervisory inspections, and financial controls;
4.2.3. Responding to requests from supervisory authorities to demonstrate compliance with PIPA, PIPEDA, GDPR and other legal acts that form the worldwide and Canadian data protection frameworks;
4.2.4. Optimizing internal systems and workflows for better service quality and User experience.
4.3. Upon the conclusion of the retention period, data is securely destroyed under management oversight, unless legal obligations require further preservation.
4.4. Retention periods are regularly reviewed to ensure compliance with the principles of storage limitation, data minimization, and accountability.
5. DATA SHARING AND TRANSFER
5.1. Our Company ensures that personal data is shared and transferred only where there is a clear legal basis, a defined purpose, and appropriate safeguards in place. Data sharing practices are governed by the principles of lawfulness, transparency, necessity, and data minimization.
5.2. All disclosures are assessed in light of the data subject’s fundamental rights and are subject to strict controls to prevent unauthorized access, misuse, or excessive exposure.
5.3. Recipients of Personal Data
5.3.1. Personal data may be disclosed to specific categories of recipients, as outlined below:
- Internal personnel, including authorized employees, legal representatives, compliance officers, and risk managers, on a strict need-to-know basis;
- Service providers, such as:
– Identity verification platforms (e.g., KYC/KYB/AML tools);
– Payment institutions and banking partners involved in transaction processing;
– Cloud service providers and IT infrastructure suppliers;
– Analytics or blockchain forensics partners (when justified by risk assessment)
- Public authorities and regulatory bodies, including law enforcement agencies, financial intelligence units, tax authorities, courts, and privacy regulators, where such disclosure is required or permitted by applicable laws, including PIPA and PIPEDA.
5.3.2. All third-party service providers are bound by data processing agreements (DPAs) that ensure their compliance with applicable data protection obligations and security standards.
5.4. No Commercial Disclosure
5.4.1. Under no circumstances is personal data sold, rented, licensed, or commercially shared with unauthorized third parties. Data disclosure is limited strictly to what is required for legitimate operational or legal purposes, as described in this Policy.
6. DATA SECURITY MEASURES
6.1. We are committed to maintaining the highest standards of data security across all layers of Our operations. Recognizing the sensitivity of the data processed in the course of providing regulated OTC and virtual asset Services, the Company implements a comprehensive set of technical and organizational controls to ensure confidentiality, integrity, and availability of personal data at all times.
6.2. All security measures are designed in accordance with applicable legal frameworks and best industry standards and are continuously assessed and refined in light of emerging threats, evolving regulatory requirements, and business risks.
6.3. Organizational and Procedural Controls
6.3.1. Beyond technical hardening, the Company enforces strict organizational policies designed to control access and maintain accountability:
- Role-based access control (RBAC) – Access to personal data is limited to authorized personnel based on defined roles, following the principle of least privilege, with all access logged and subject to audit.
- Employee training and obligations – Personnel involved in data processing receive regular security and privacy training and are bound by contractual confidentiality obligations.
- Vendor and third-party assurance – External processors and service providers are engaged only after due diligence and are governed by legally binding data protection agreements.
- Incident response and breach notification – A structured data breach response framework is maintained to ensure timely detection, containment, legally required notification, and remediation of security incidents.
- Documentation and accountability – Security measures are underpinned by documented procedures, internal audit records, and established governance oversight.
Continuous Improvement and Oversight
6.3.2. We maintain a proactive security posture by:
- Performing ongoing risk assessments and threat modeling;
- Monitoring the effectiveness of security measures;
- Implementing improvements in response to operational reviews, audit findings, or legal developments;
- Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
6.3.3. Where applicable, security practices may be certified or externally verified in accordance with relevant international standards such as ISO/IEC 27001 or SOC 2, and Clients or partners may request information on current attestations during onboarding or due diligence.
7. DATA SUBJECT RIGHTS
7.1. The Company is fully committed to protecting the rights of individuals whose personal data it processes. In accordance with PIPA, PIPEDA and GDPR, data subjects are entitled to exercise specific rights concerning their personal information. These rights may be exercised at any time and without charge, unless otherwise permitted by law, and are handled in a timely and transparent manner.
7.2. Requests may be submitted to the Company’s designated contact point for data protection matters and will be responded to within one month of receipt, or within an extended period where permitted by law, with clear reasoning provided.
7.3. Right of Access to Records and Provision of Information
7.3.1. Data subjects may request that the Company provide access to their personal information or disclose information regarding how that personal information has been used or shared.
7.4. Right to Request Correction
7.4.1. Data subjects may challenge the accuracy and completeness of their personal information and request that inaccuracies or omissions be corrected or annotated, as appropriate.
7.5. Right to Rectification
7.5.1. Processing may be restricted under certain conditions, such as when the accuracy of the data is contested, the processing is unlawful and the data subject opposes deletion, or pending verification of an objection request.
7.6. Right to Withdraw Consent
7.6.1. Data subjects may withdraw their consent at any time, subject to legal or contractual restrictions and reasonable notice.
7.7. Right to Lodge a Complaint
7.7.1. Data subjects have the right to raise concerns or complaints regarding the handling of their personal information and, where appropriate, escalate such complaints to the Office of the Privacy Commissioner of Canada.
7.8. Right of Access to Personal Data
7.8.1. Data subjects have the right to request confirmation as to whether their personal data is being processed by Our Company.
7.8.2. Where processing is confirmed, they are entitled to access that data and receive relevant information, including:
- the purposes of processing,
- the categories of data involved,
- the recipients (including international transfers, where applicable),
- the intended retention period,
- their rights regarding rectification, erasure, objection, or restriction,
- the right to lodge a complaint with a supervisory authority,
- the source of the data (if not obtained directly from the individual),
- the existence of any automated decision-making, including profiling, along with its significance and potential consequences.
8. AUTOMATED DECISION-MAKING
8.1. We do not make decisions based solely on automated processing, including profiling, that would produce legal effects concerning individuals or similarly significantly affect them.
8.2. All decisions with potential legal or material impact on Clients, such as account approval, transaction authorization, or risk categorization, involve meaningful human assessment and oversight.
8.3. Should automated decision-making be introduced in the future in any specific context (e.g., automated fraud scoring, transaction pattern flagging), affected individuals will be:
8.3.1. Clearly informed in advance;
8.3.2. Provided with meaningful information about the logic and significance of such processing;
8.3.3. Offered the right to request human intervention, express their point of view, and contest the decision.
8.4. Automated tools, where used, are implemented exclusively to support decision-making processes, improve service responsiveness, or enhance risk management and do not replace human review in any legally or financially binding case.
9. AMENDMENTS AND NOTICES
9.1. The Company reserves the right to revise, update, or modify this Policy at any time, either partially or in full, to accommodate changes in applicable legislation, technological advancements, business operations, or other circumstances.
9.2. Material changes to the Policy will be announced by publication on the Platform and/or through official communication channels such as email, Telegram or other methods specified by the Company. Unless otherwise specified, such changes will take effect immediately upon publication on the Platform, and such publication shall be deemed sufficient notice to Clients of the changes.
9.3. By continuing to access or use the Services following the implementation of the updated Policy, the Client affirms their acceptance and agreement to be legally bound by the revised Policy. If the Client disagrees with any modifications, they must discontinue use of the Services without delay and may request deactivation of their User ID and associated access rights.
9.4. All official notifications from the Company shall be considered effectively delivered when sent to the most recent contact information provided by the Client, whether during initial onboarding or via later updates. Clients are solely responsible for maintaining the accuracy and completeness of their contact details at all times.
9.5. The Company shall not be held accountable for any failure to deliver notices resulting from outdated or incorrect contact information.
All notices and communications under this Policy shall be conducted in English, unless expressly agreed otherwise by both Parties.
