AX Coin

Privacy Notice

As of 1st June 2026

1. Scope

This Product Privacy Notice (this "Notice") applies to personal data and related business information processed in connection with product-side activities, including onboarding, KYB and KYC, sanctions and PEP screening, wallet screening (KYA), transaction monitoring (KYT), Travel Rule compliance, minting, burning, redemption, distributor or conversion arrangements, customer support, and complaints handling. It supplements (and does not replace) the broader AX Coin website Privacy Policy.

2. Controller

For the purposes of this Notice, the controller of personal data is AX Coin Bahrain BSC(c). Where personal data is processed jointly with a group entity, distributor, banking partner, or third-party service provider, the relevant controller / processor allocation is set out in the underlying arrangement and reflected in the Issuer's records of processing activities.

3. Categories of Data

  • Identity and verification data: full name, date and place of birth, nationality, identification documents, photographs, signatures, contact details.
  • Corporate and onboarding data: corporate registry information, beneficial ownership and control structure, controllers, authorised signatories, source of funds and source of wealth, expected activity, FATCA / CRS classification, sanctions and PEP self-certifications.
  • Banking and transaction data: bank account details, payment records, fiat remittance evidence, wallet addresses, on-chain transaction history, screening results, Travel Rule data, holdings information.
  • Communications and support data: correspondence, complaints records, customer-support tickets, recordings of telephone calls (where lawfully recorded), relationship-management notes.
  • Technical and security data: device identifiers, IP addresses, access logs, audit trails, cyber-security telemetry, and other records generated through the Issuer's product systems.

4. Sources of Data

  • Directly from Customers, Holders, authorised representatives, and complainants.
  • From the Issuer's service providers, including KYC/KYB providers, screening and transaction-monitoring providers, Travel Rule providers, blockchain-analytics providers, wallet and key-management providers, hosting and communications providers, and security providers.
  • From distributors, conversion providers, banking partners, custodians, regulators, law-enforcement authorities, and counterparties, where lawfully relevant.
  • From public sources, including registries, sanctions lists, adverse-media databases, and publicly available blockchain data.

5. Purposes and Lawful Bases

The Issuer processes personal data for the following purposes:

  • Onboarding, ongoing due diligence, and reverification of Customers and Holders.
  • Screening for sanctions, PEP exposure, adverse media, and other risk factors.
  • AML/CFT compliance, including transaction monitoring, suspicious-activity reporting, and Travel Rule compliance.
  • Processing Subscription Orders, Redemption Requests, settlement, wallet designation, and related instructions.
  • Customer support, dispute handling, and complaints handling.
  • Audit, incident response, recordkeeping, and compliance with legal and regulatory obligations.
  • Risk management and protection of the Issuer, its customers, and its service providers from fraud, security incidents, and abuse.

The Issuer relies on the following lawful bases for processing, as applicable: performance of a contract; compliance with a legal obligation (including AML/CFT and CBB obligations); the legitimate interests of the Issuer and third parties (subject to a balancing assessment); and, where required, the data subject's consent.

6. Disclosures

The Issuer may disclose personal data to:

  • Affiliates within AX Coin, where necessary for the purposes set out in Section 5.
  • KYC / KYB, screening, transaction-monitoring, Travel Rule, and blockchain-analytics providers.
  • Wallet, key-management, hosting, communications, and security providers.
  • Reserve-side service providers, banking partners, and custodians.
  • Distributors and authorised conversion providers, in respect of customers introduced by them.
  • Professional advisers (legal, audit, tax, compliance) bound by professional duties of confidentiality.
  • Regulators, supervisory authorities, and law-enforcement authorities, where required or permitted by law.

7. International Transfers

Because the Issuer's services are supported by service providers and group participants in more than one jurisdiction, personal data may be transferred outside the Kingdom of Bahrain. Where this occurs, the Issuer applies the safeguards required by applicable law (including the Bahrain Personal Data Protection Law) and the CBB SIO framework, including, as appropriate, contractual protections, adequacy assessments, and transfer authorisations.

8. Retention

The Issuer retains personal data for as long as necessary for the purposes set out in Section 5, including:

  • AML/CFT records: at least 5 years after the end of the relationship or the date of the relevant transaction, in accordance with AML-2.
  • Complaint records: 5 years from the date of receipt of the complaint, in accordance with SIO-5.7.14.
  • Onboarding, KYC/KYB, and ongoing-due-diligence records: for the duration of the relationship and for the longer of any retention period required by law and any period reasonably necessary for legal-defence or regulatory purposes.
  • Other records: for the period reasonably necessary for legitimate business purposes, subject to any stricter law or regulatory requirement.

9. Security

The Issuer applies technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction, including access controls, encryption, segregation of duties, monitoring, and incident response procedures aligned with the Issuer's information-security framework and the CBB SIO Module on technology governance and cyber security.

10. Rights of Individuals

Subject to the Issuer's legal and regulatory obligations, individuals may have the right to:

  • Request access to their personal data.
  • Request correction of inaccurate or incomplete personal data.
  • Request deletion of personal data, subject to retention requirements set out in Section 8.
  • Object to or request restriction of certain processing.
  • Withdraw consent, where consent is the lawful basis for the relevant processing.
  • Lodge a complaint with the Bahrain Personal Data Protection Authority (and, separately, with the Issuer through the Complaints Notice).

The Issuer may verify the identity of any individual making a request before responding, and may decline a request to the extent permitted by law (for example, where compliance would conflict with an AML/CFT recordkeeping obligation).

11. Complaints and Contact

Privacy enquiries and data-subject requests are handled separately from product complaints. Privacy enquiries should be sent to the data-protection contact specified in the AX Coin website Privacy Policy. Product complaints (including complaints relating to the handling of a Subscription Order, Redemption Request, or onboarding outcome) are submitted through the Complaints Route in the Complaints Notice.

12. Updates to this Notice

The Issuer may update this Notice from time to time. The current version is published on the Issuer's website. Where an update materially affects the rights of data subjects, the Issuer will provide a reasonable form of additional notice.