Privacy Policy
1. General Provisions
We, XBase Virtual Assets Broker & Dealer Services LLC (“XBase Digital”), a company incorporated in Dubai, United Arab Emirates, with its registered office at Office suite #1804, The Exchange tower, Business Bay, P. O. BOX: 120663, Dubai, U. A. E. and email dpo@xbase.digital (hereinafter — “We”), are committed to protecting the privacy and personal data of our clients in compliance with the UAE Federal Decree-Law No. (45) of 2021 (PDPL), the VARA regulations, and other applicable UAE laws.
This Privacy Policy explains how we protect Clients’ privacy and helps Clients understand how their personal data is processed and what our and Clients’ rights and responsibilities are in the course of processing their data.
In processing personal data, we observe the UAE Personal Data Protection Law (PDPL), as well as other laws, regulations, and binding instructions applicable within the United Arab Emirates.
This Privacy Policy applies to our relations with Clients, including any existing Client, buyer, applicant, or any other person using or wishing to use any of our services, or addressing us with any request or claim, submitting any kind of document, visiting our home page, or contacting us through remote means of communication, including post, e-mail, or phone (all together hereinafter – the Client).
We have created this Privacy Policy to be as simple as possible; however, if there are unknown terms such as “anonymised data”, “personal data”, etc., please first become acquainted with the following concepts used in this Privacy Policy:
- Personal data — any information related to an identified or identifiable natural person (data subject), for example, given name, surname, contact details, etc.
- Anonymised data — information that is not personal data and no longer applies to a natural person since all personal identification elements are excluded from the information set.
- Processing — any operation or set of operations performed on personal data, whether or not by automated means, such as collection, organisation, structuring, storage, etc.
2. How Do We Obtain Personal Data and What Is the Basis for Data Processing?
We can receive personal data in different ways, including as follows:
- The Client has provided us with his or her personal data, i.e., when the Client or a person authorized by the Client contacts or cooperates with us or our authorized persons, for example, submits its data during the process of purchase or uses our services or requests any information or submits an application for examination of a particular issue or request, or contacts us through the specified information channels.
- Personal data created using our service, e.g., by visiting or using our website.
- Personal data received from legal entities, i.e., a legal entity submits an application that includes personal data of its employees and beneficiaries.
- Personal data collected from various databases and registers in the course of the provision of services, i.e., data received from databases and third parties in the course of analysing the Client’s submitted application and implementing anti-money laundering (AML), counter-terrorist financing (CFT), and sanctions compliance requirements in accordance with UAE regulatory obligations.
Data subjects have the right to refuse to provide their personal data to us, but in this case, it is possible that we will not be able to provide the services requested by the Client, and the provision of the services will be refused. We are not able to provide our services without processing personal data requested in our application forms and other documents.
We perform personal data processing only on specific applicable bases of data processing. We process personal data, which is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract. Furthermore, we process personal data, which is necessary for compliance with applicable legal obligations, including AML/CFT laws in the UAE, as well as for the legitimate interests pursued, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data.
3. What Personal Data Do We Collect?
Types of personal data may differ depending on the method of collaboration. Generally, types of personal data can be subdivided into the following categories:
- Personal data of a Client who is a natural person: First name, last name, contact details, citizenship, address, employment status, signature, trade expectations, source of funds, tax identification number, tax residency, information on politically exposed person (PEP) status, and relevant banking details.
- Personal data of Directors and Owners of a legal person: First name, last name, date of birth, citizenship, tax residency, tax identification number (TIN), residential address, PEP status, and control structure.
- Personal data of Ultimate Beneficial Owners (UBOs) of a legal person: First name, last name, date of birth, PEP status, control structure documents, and ownership details.
- Personal data of Employees of a legal person: Name, surname, contact details, position, signature, and content of communication.
- Personal data related to service provision: Transaction details, currency exchange data, application forms, compliance screening results, communications with the Client, and any additional data required under AML, sanctions compliance, and regulatory obligations in the UAE.
We do not deliberately collect and process personally identifiable information from persons younger than the age limit set in regulatory enactments, which gives the right to act independently. We respect the rights of such persons; if service is necessary, we invite the parents or guardians of such persons to contact us.
4. Usage of Personal Data
We process personal data to provide our services, comply with legal obligations, cooperate, and perform other activities that are important for our operations and Clients.
We process personal data only for specified, explicit, and legitimate purposes:
- Conclusion and execution of the contract/provision of our services and ensuring the execution of the transaction: This aim refers to offering services on our website, including related services in any application form. We process data to ensure the concluded contracts (transactions) and performance of the related services. We process personal data in communication with clients; for example, we send service-related notifications to inform clients about the result of an application or provide other important information to the Client. Likewise, we may need to contact the Client in order to clarify, for instance, information on the submitted application or to find out other additional information that promotes the progress of execution of the transaction. We conduct processing on the basis of regulatory enactments (laws) and contracts (transactions). Personal data is collected through the registration forms or during the purchasing process.
- Resolution of the submitted questions, including examination and resolution of various submitted queries or complaints: We conduct processing based on regulatory enactments (laws), contracts, and legitimate interest.
- Fulfilment of binding regulatory enactments: We process personal data to fulfil the duties specified in regulatory enactments, for example, compliance with anti-money laundering and terrorist financing prevention, also to ensure the availability of data to competent institutions, including to provide answers to the requests of institutions and courts received within the framework of regulatory enactments, as well as to enforce the rights provided for Clients within the framework of regulatory enactments and the obligations imposed upon us. We conduct processing based on regulatory enactments (laws).
- Provision of offers: We respect the right of each Client to give, revoke, or change the possibilities of receiving information. In cases when the Client has expressed a wish to receive information or to provide an opinion on particular services, personal data may be processed to ensure the provision of information necessary for the Client. In such cases, the Client’s consent is always required. In addition, under applicable laws, we have the right to provide information about our services to existing clients if our Clients do not object to such processing when submitting their personal data to us. In case of such objections, we always ask our Clients to inform us. We conduct processing based on legitimate interests and consent provided by the Client.
- Accounting/financial and tax management: The aim refers to accounting records, tax payments, settlements, etc. We conduct processing based on regulatory enactments (laws) and contracts (transactions).
- Administration of settlements: The aim refers to the activities carried out within the framework of settlements with persons. We conduct processing based on regulatory enactments (laws) and contracts (transactions).
- Statistics and analysis of services, processes, and information systems in order to develop and improve them: The aim refers to the processing of personal data at our disposal in order to assess the results of the provision of the service for the purpose of developing and improving our services, processes, systems, and determining the goals and development directions of our Company. We can process data for statistical purposes and the collection and analysis of business information to allow us to make informed decisions on the improvement and protection of operations, as well as to prepare reports on the results of our business activities. We conduct processing based on legitimate interests.
- Organisational management (including record keeping, accounting of processes, services, information systems, and persons): The aim refers to measures for integrated management of the Company, according to national and internationally recognised corporate management principles, ensuring the traceability, control, and improvement of internal processes. We conduct processing based on regulatory enactments (laws) and legitimate interests.
In all cases, we process personal data only to the extent necessary for the purpose, taking into account the privacy of any person.
6. Confidentiality and Staff Compliance
6.1 Confidentiality and Client Information
XBase Digital takes all reasonable and appropriate steps to ensure the ongoing confidentiality of all information related to its clients, their property, and associated records.
We apply a layered approach to confidentiality, incorporating legal, technical, and procedural safeguards to protect all client information, whether disclosed through formal agreements (e.g., NDAs or terms of service) or the ordinary course of business. This includes, but is not limited to:
- Encrypted communication channels for data transmission;
- Segregation of client environments and access controls;
- Secure data storage using encryption and pseudonymisation techniques;
- Internal classification and labelling of confidential materials;
- Role-based access to confidential records.
6.2 Internal Policies and Staff Training
XBase Digital enforces its internal policies to ensure that all employees and contractors understand and uphold their responsibilities in managing client information securely and ethically. These policies reflect the requirements of the Federal Data Protection Law No. (45) of 2021, particularly under Article 7 (Obligation of the Controller to Protect Data), and obligations under VARA’s Technology and Information Rulebook.
Our internal program includes:
- Mandatory onboarding training for all new staff on data privacy, confidentiality, and information security obligations;
- Annual refresher training and regulatory awareness modules to ensure ongoing understanding of legal updates and policy changes;
- Policy acknowledgement and certification, where all employees and contractors formally attest to their understanding and compliance with XBase Digital’s confidentiality and data protection procedures;
- Role-based policy briefings for staff in high-risk or sensitive data-handling positions;
- Incident response simulations involving confidentiality breaches to train staff on real-world scenarios and appropriate escalation protocols.
Our Human Resources and Compliance teams track participation, certification, and completion of training modules and report non-compliance to the Data Protection Officer and senior leadership.
6.3 Restrictions on Sharing Confidential Information
XBase Digital enforces a strict “need-to-know” access principle. Internal sharing of confidential or personal data is limited to only those employees or departments whose functions directly require access to execute their responsibilities within the framework of virtual asset activities.
Accordingly:
- Staff must not disclose or distribute client information, internally or externally, unless the disclosure is explicitly required to fulfil a regulated business function.
- No information shall be shared informally (e.g., via messaging apps or personal email accounts) — all communication involving confidential data must occur through secure, approved channels.
- System-based access logs must be maintained and periodically reviewed to identify and investigate inappropriate or unauthorised access to client records.
- Third-party access (e.g., vendors, legal counsel, cloud service providers) is governed by Data Processing Agreements (DPAs) and is subject to audits and technical assessments.
Violating this policy may result in disciplinary action, revocation of system access, and referral to regulatory authorities as appropriate.
6.4 Prohibition on the Use of Confidential Information for Trading
To uphold the integrity of the virtual asset ecosystem and comply with anti-market abuse provisions, XBase Digital strictly prohibits the use of confidential or insider information for trading purposes by any employee, contractor, or affiliated third party.
Specifically:
- Staff are expressly forbidden from using client data, transaction histories, or strategic insights gained through their roles to trade virtual assets, whether on behalf of themselves or third parties.
- Virtual Asset trades by Staff in sensitive positions must receive pre-clearance before executing a trade, and reporting such activities is mandatory.
- The Data Protection Officer, Compliance Officer, and Internal Audit team conduct random and risk-based reviews of staff activity and system logs to detect anomalies or conflicts of interest.
- Employees are required to disclose any external relationships or financial interests that could pose a risk of misuse of confidential information.
This prohibition is enforced in alignment with UAE anti-fraud and anti-manipulation laws and the VARA regulatory framework. Breaches may result in criminal liability under applicable laws and immediate termination of employment or engagement.
7. Sharing of Personal Data
Personal data exchange may be necessary in some cases when it has a specific intended purpose, for example, it may be necessary to provide personal data to the following categories of data recipients:
- Cooperation partners, including cooperation partners for the provision of services, as well as partners that ensure certain delivery services, personal, facilities, and information protection and security services, financial, accounting and courier services, and other similar services. Such cooperation partners may only use personal data for the purposes for which we and our partners have agreed. We exercise due diligence to ensure that such cooperation partners act in accordance with this Privacy Policy and safety requirements provided for Clients in the laws and regulations.
- Supervisory and governmental authorities. To comply with the requirements laid down in laws and regulations, we may need to provide personal data to market surveillance and law enforcement authorities, including for the protection of our lawful rights, for example, by pursuing a claim in court, in accordance with the provisions laid down in laws and regulations.
- Databases and registers. While checking information about our Clients in databases and registers, we submit name, surname, date of birth, and personal identification number.
- Other service providers. Data may be transferred to attorneys, lawyers, or consultants who provide services to our Company.
In addition to the above, there may be cases where we can transfer personal data to another person in relation to the transfer of companies, any merger, acquisition, sale of our assets, or transfer of provision of services to another merchant.
We ensure the confidentiality of personal data by taking security measures in accordance with the requirements of regulatory enactments.
We can also process anonymised data. Such data that do not allow the identification of a person may be used for other purposes and transferred to other persons.
8. Storage of Personal Data
We store personal data only for such period as is necessary to achieve the goals set forth in this Privacy Policy unless longer storage thereof is determined or permitted by applicable laws and regulations in the UAE, including the UAE PDPL and other relevant regulatory requirements.
To determine the period of data storage, we use criteria that comply with the obligations laid down in laws and regulations, including taking into account the rights provided for Clients, for example, determining the storage of data for the period during which claims related to the transaction may be applied, if any. If the Client has made a purchase of our services, we store such data for eight (8) years in compliance with financial, anti-money laundering (AML), and other regulatory requirements applicable in the UAE.
No limitations shall be applied for storing anonymized data, but we store them only to the necessary extent and duration.
Our aim is to ensure that information about the Client is correct and up-to-date. Therefore, we invite the Client to keep us informed about any changes in the information provided by the Client.
Likewise, in accordance with the procedures laid down in UAE regulatory enactments, we can implement the protection of our legal interests (including, to submit objections and complaints or bring an action to the court until the limitation period for the fulfilment of obligations has set in) while any of the parties has a legal obligation to store data (for example, to store invoices for ten (10) years). After these circumstances cease (or upon the expiry of the deadline), the data shall be deleted.
9. Client’s Rights
Clients have the following rights regarding their personal data:
- To submit an application and receive information on data that we collect and store about the Client, unless applicable regulatory enactments mandate otherwise.
- To request access to his/her data, rectification, or deletion thereof, if necessary, supplementing or restriction of processing.
- To exercise the right to object to processing, including to object to data processing carried out on the basis of legitimate interests, insofar as it is provided for in laws and regulations.
- To exercise the right to data portability, Clients can request the transfer of their personal data in a structured, commonly used, and machine-readable format.
- To revoke the consent given by the Client at any time – Giving or revocation of consent shall be the Client’s free choice and shall not impose mandatory additional duties. However, if the Client decides to withdraw any consent, it must be taken into account that the withdrawal does not affect processing carried out before the withdrawal, and processing of data related to consent will no longer be ensured, and the Client may not have access to possibilities in the previous extent.
- To contact us and lodge a complaint with the UAE Data Office or other relevant UAE data protection authority regarding data processing issues. If support for wider receipt of information on this Privacy Policy, aspects of data processing, or applicable data protection laws and regulations is necessary, we hereby request that you contact us so that we can carefully review the matter and provide an answer.
To ensure compliance and protect personal data, Clients are expected to:
- Inform us about changes in the information and data provided. It is important for us to have true and up-to-date information on the Client.
- Provide the necessary information to enable us to identify the Client in relation to the Client’s request and to be sure that the communication or cooperation is performed directly with the particular Client. It is necessary for the protection of the personal data of the Client and other persons so that we might be certain that the Client is a data subject of the personal data and that information disclosed within the framework of communication and/or cooperation on the Client is provided only to the Client without prejudice to the rights of other persons.
- Prior to commencing cooperation with us, become acquainted with this Privacy Policy and introduce it to any person related to the Client whose interests may be affected in the process of processing the Client’s data. We expect the Client to use the data we provide in good faith and without affecting the legal interests of other persons. In cases where data directly refers to another person (in case of change of data subjects), the Client shall be liable to inform them without delay. Until full identification of persons, data shall be attributed to the Client as a data subject.
10. Updates to the Privacy Policy
We constantly improve and develop our operations by modifying and supplementing this Privacy Policy from time to time. Therefore, we invite Clients to regularly become acquainted with the current version of the Privacy Policy on our website and other communication channels. Once we make changes to this Privacy Policy, we will inform our Clients by notice on our website.
If the changes are significant, we will notify Clients directly, where legally required, through email notifications, website announcements, or other appropriate communication channels.
11. Incident Reporting & Notification
XBase Digital is committed to maintaining the security and integrity of personal data. In the event of a data breach or security incident affecting personal data, we ensure prompt action and compliance with regulatory requirements.
In such cases, we will:
- Notify VARA as soon as possible and, in any event, within 24 hours of reporting the incident to a data regulator in the UAE or a Data Subject.
- Provide VARA with a summary report detailing the nature of the incident, potential impact, and actions taken. Where applicable, we will also submit a copy of the report to the relevant UAE data regulator, unless legally restricted from doing so.
- Implement remediation measures to mitigate risks, prevent recurrence, and strengthen security controls to protect personal data.
We ensure that Clients are informed of any incident that may affect their personal data and provide clear guidance on protective measures they may need to take.
12. How to Contact Us
In case of any questions or uncertainties in relation to this Privacy Policy or Personal Data Processing, please contact us by using the contact details provided below:
- Company Name: XBase Virtual Assets Broker & Dealer Services LLC (“XBase Digital”)
- Registered Address: Office suite #1804, The Exchange tower, Business Bay, P. O. BOX: 120663, Dubai, U. A. E.
- Email: dpo@xbase.digital
- Phone: TBC
- Data Protection Officer (DPO): Mate Ballabas
- DPO Contact Email: Mate@xbase.digital
The Data Protection Officer (DPO) is responsible for overseeing data protection compliance, handling inquiries related to personal data processing, and addressing any concerns regarding data privacy rights. Clients may contact the DPO directly for any privacy-related matters or to exercise their data protection rights.