Last updated: 12/01/2026

KuCoin EU Privacy Policy

1. Introduction

This Privacy Policy (this “Policy”) applies to the processing of personal data in connection with all services provided by KuCoin EU Exchange GmbH, legal entity code FN 641084x, a company registered at Am Grüner Prater 2/3. Stock, 1020 Vienna, Austria (“KuCoin EU,” “we,” “us” or “our”). KuCoin EU services and products are offered via a trading platform (including any related mobile applications and websites used to access the same) (collectively the “Platform”).

This Policy describes how KuCoin EU collects, uses, and discloses personal data processed during the provision of its services. This includes, but is not limited to:

  • Account creation and management;
  • Identity verification (KYC);
  • Execution of trades;
  • Customer support;
  • Promotional campaigns;
  • And any interaction with the Platform (“Services”).

This Policy supplements the other policies and is not intended to override them. Terms used within it shall have the meaning(s) given in the Regulation (EU) 2016/679 (General Data Protection Regulation (GDPR)) and the Austrian Data Protection Act (Datenschutzgesetz (DSG)), as applicable.

2. Definitions

The following definitions are particularly relevant:

  • “Personal Data” refers to any information relating to an identified or identifiable natural person.
  • “Processing” refers to any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • “Controller” refers to the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • “Supervisory Authority” refers to the Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Vienna (T +43 1 52 152-0, M dsb@dsb.gv.at).
  • “Data Subject” means an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly, or indirectly, by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

3. Your Controller

KuCoin EU acts as the Controller of your Personal Data in connection with the Services we provide. This means we are responsible for ensuring the lawful and secure Processing of your Personal Data and for complying with applicable data protection laws and regulatory requirements.

By registering for and using the Platform, you acknowledge that your Personal Data will be processed in accordance with this Policy and the Terms and Conditions applicable to the Platform.

To help us meet these obligations, we have appointed an internal Data Protection Officer (DPO) who oversees our data protection compliance and serves as the main point of contact for both Supervisory Authorities and Data Subjects on all matters relating to privacy.

If you have any questions or concerns about how your Personal Data is being processed, you can contact our DPO at privacy@kucoin.eu. For certain requests, we require further identification data from you (e.g. passport, ID card, etc.), in order to ensure that your Personal Data is only shared with you.

4. How we collect your Personal Data

We are committed to Processing only Personal Data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed, in accordance with the data minimization principle set out in Article 5(1)(c) of the GDPR.

We collect your Personal Data in a variety of ways depending on how you interact with us and our Services, including: 

  • When you register for an account or use our Platform;
  • During the Know-Your-Customer (KYC) or account opening process;
  • When you complete forms or upload documents on the Platform;
  • When you subscribe to news and updates from us;
  • When you contact our support or other employees via email or other communication channels;
  • When you submit support requests, participate in dispute resolution, or request assistance;
  • When you participate in events, fairs, interviews;
  • When you visit our offices in person.
  • Affiliates and partners who enable or support your access to our Services;
  • Service providers for identity verification, background screening, PEP and sanctions checks, and fraud prevention;
  • Credit reference agencies and financial service providers;
  • Publicly accessible sources (e.g., commercial registers or government databases within the EU);
  • Licensed data brokers or aggregators, where legally permissible.
  • Through your use of our Services and Platform via technical logs, usage tracking, or cookies.

5. What Personal Data we collect

In operating our Platform and providing our Services, we may process the following categories of Personal Data:

  • Identification data: full name, date and place of birth, nationality, identification number, passport/ID documents.
  • Contact details: residential address, email address, phone number.
  • Financial and transactional data: source of funds and wealth, bank account information, payment method details (e.g. credit card number, expiration date, security code), tax identification number, employment status, income.
  • Verification data: identity documents, certifications (e.g. employment or inheritance documentation), results of PEP/sanctions screening.
  • Employment-related data: professional background, education history, employer references (where applicable).
  • Platform usage data: login timestamps, device type, interaction history, user preferences.
  • Device and technical data: device model, operating system, browser type, crash logs, unique device identifiers.
  • Log data: IP address, access location, timestamps, user activity.
  • Account and transaction data: wallet addresses, account balances, trading history, deposit records, verification history.
  • Marketing Data: data collected through cookies and other marketing technologies to personalize communications.
  • Multimedia Data: photos, videos, and audio recordings.
  • On-site visit data: video and image recordings captured during visits to our office premises.
  • Other data: any additional information you provide when contacting our support or staff.

Please note: Certain Personal Data may be screened against risk profiles and regulatory watchlists in order to comply with our legal obligations under anti-money laundering (AML) laws and our internal KYC/AML policies. This may include checks against databases of politically exposed persons (PEPs), international sanctions lists, and fraud prevention agencies, including the involvement of credit reference providers where appropriate.

6. Why we process your Personal Data

We process your Personal Data in compliance with all applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the E-Privacy Directive, and relevant national legislation (such as the Austrian Data Protection Act). Your Personal Data is processed solely for the purposes described below, and always based on the legal grounds set forth in Article 6(1) of the GDPR.

6.1 Contractual necessity (Article 6(1)(b) GDPR)

We process your Personal Data where it is necessary to enter into or perform our contractual relationship with you, including:

  • Providing and managing access to our Services and your user account;
  • Processing transactions and executing your instructions;
  • Verifying your identity and authenticating your access;
  • Providing customer service and technical support;
  • Sending important service-related updates and notifications.

6.2 Compliance with legal obligations (Article 6(1)(c) GDPR)

Personal data processing may be necessary to fulfill various legal requirements, such as those set out in the 5th Anti-Money Laundering Directive (AMLD), the Austrian Money Laundering Act (FM-GwG), the Payment Services Act (ZaDiG 2018), the Trade Regulations Act (GewO 1994), FATF Travel Rule, and others. Examples of processing under these obligations include:

  • Ensuring compliance and mitigating risks;
  • Conducting Know-Your-Customer (KYC) procedures, including identity verification and proof of funds;
  • Managing contracts, invoicing, and accounting;
  • Monitoring to prevent fraud, illicit use, money laundering, and terrorist financing;
  • Disclosing information to fiscal or criminal authorities as legally required;
  • Checking creditworthiness through credit agencies;
  • Performing appropriateness assessments;
  • Processing transaction details (e.g., sender and recipient information) to comply with FATF Travel Rule;
  • Recording telephone and electronic communications when mandated.

6.3 Legitimate interests (Article 6(1)(f) GDPR)

We may process your Personal Data to pursue our legitimate interests, provided these interests are not overridden by your rights and freedoms. This includes:

  • Ensuring the security, integrity, and availability of our systems and infrastructure (e.g. IT security, fraud detection, disaster recovery);
  • Operating and maintaining our Platform, websites, and applications (e.g. error diagnostics, user interface optimization, device compatibility);
  • Analysing and improving the Platform's quality and the general user experience (e.g. performance tracking on the Platform);
  • Providing marketing communications and promotions to you for KuCoin EU's own similar products or services;
  • Conducting internal audits and investigations;
  • Responding to requests from authorities, lawyers, or collection agencies during legal proceedings;
  • Managing and reducing risks by checking credit agencies, debtor lists, or business analysts;
  • Engaging with you via social media and community channels including responding to user inquiries, moderating content, and maintaining a safe and engaging environment on our official communication channels;
  • Performing video surveillance at our premises to protect property and ensure the safety of staff, clients, and visitors (subject to Sections 12 and 13 DSG).

6.4 Based on your consent (Article 6(1)(a) GDPR)

Where required by law or where we rely on your voluntary agreement, we process your Personal Data based on your consent, including:

  • Sending newsletters, promotional communications, or marketing offers (in line with Section 174 of the Austrian Telecommunications Act 2021 (TKG 2021));
  • Using optional cookies and tracking technologies for analytics and advertising;
  • Certain uses of audio, video and photo data for marketing and other representational purposes;
  • Carrying out video surveillance in areas where consent is legally required or appropriate;
  • Offering optional features on the Platform that require your express participation.

You may withdraw your consent at any time with effect for the future.

We will only process your Personal Data to the extent necessary for the purposes for which it was collected, and in accordance with the principles of data minimisation and purpose limitation set out in the GDPR.

Please note: If you choose not to provide certain Personal Data that is required by law or necessary for the conclusion or performance of a contract, we may not be able to provide you with the related Services.

7. How and why we share your Personal Data

We may share your Personal Data with the following categories of recipients, in accordance with Article 13(1)(e) and 14(1)(e) GDPR:

  • KuCoin Group Companies and Affiliates - To the extent necessary to respond to your requests, process transactions, secure our platform, or otherwise perform our Services;
  • IT Service Providers - For hosting, system maintenance, and cybersecurity support;
  • Card Provider - To issue and maintain card services;
  • Analytics Providers - To understand how you use our Services;
  • Payment and Financial Service Providers - To facilitate financial transactions and fund movements;
  • Customer Support and Communication Vendors - For managing customer inquiries through communication platforms, call centers, or ticketing systems;
  • Marketing and Promotions Providers - To promote our Services;
  • Identity Verification and Compliance Providers - For KYC/AML processes, sanction and PEP screenings, and fraud prevention;
  • Legal Advisors and Auditors - Where required for legal compliance, risk management, or the establishment, exercise or defense of legal claims;
  • Supervisory and Public Authorities - Where disclosure is required by law or based on lawful requests (e.g. tax authorities, regulators, law enforcement);
  • Cloud and Data Storage Providers - For secure data hosting and storage services;
  • External Tax Advisors - Where necessary for fulfilling our tax compliance obligations;
  • Potential Acquirers or Investors - In the context of mergers, acquisitions, or other corporate transactions, subject to strict confidentiality obligations.

Where we engage third parties to process your Personal Data on our behalf, we do so under a data processing agreement (DPA) in accordance with Article 28 GDPR. These processors are contractually obliged to:

  • Act only on our documented instructions,
  • Implement appropriate technical and organizational security measures, and
  • Refrain from disclosing your data to other third parties unless legally required.

Please note that not all recipients qualify as data processors. In some cases, parties process your Personal Data as independent Controllers under Article 4(7) GDPR. This applies, for instance, to financial institutions (e.g., fiat on-ramp providers) that are independently required to retain certain information for compliance with financial or anti-money laundering laws. In such cases, Processing is carried out based on their own legal grounds under Article 6 GDPR, and no processing agreement under Article 28 GDPR is required.

In specific situations, data may be processed under a joint controllership arrangement pursuant to Article 26 GDPR, where two or more parties jointly determine the purposes and means of Processing. In such cases, we enter into a binding agreement which transparently allocates the respective responsibilities - especially concerning the exercise of Data Subject rights and information obligations under Article 13 and 14 GDPR. The essence of this agreement is available upon request.

Disclosures to public authorities, courts or regulators are strictly based on a legal obligation under Article 6(1)(c) GDPR. Such entities act as independent Controllers.

In the context of corporate transactions (e.g. mergers or acquisitions), potential acquirers may process Personal Data as separate Controllers, depending on the stage and structure of the transaction.

8. Is Personal Data transferred to third countries or international organizations?

Our business operates internationally, with partners and service providers located in various countries. This means your Personal Data may be transferred outside your country of residence or, for European customers, outside the European Economic Area (EEA). Such transfers occur only when necessary to fulfill your requests, process transactions, or provide our Services.

Your personal information may be processed in countries where data protection laws differ from those in your home country. However, we are committed to protecting your data with the same standards and principles as apply where we first collected it.

To ensure your personal data receives a consistent level of protection, we rely on several legal mechanisms for international data transfers, including:

  • Transfers to countries recognized by the European Commission as having adequate data protection standards.
  • Use of European Commission-approved Standard Contractual Clauses (SCCs) for transfers to countries not deemed adequate, including intra-group transfers and transfers to service providers.
  • Where applicable, other lawful transfer bases such as your consent, compliance with legal requirements, performance of contracts, or important public interest justifications.

We will not transfer your personal data outside your country or, for Europeans, outside the EEA unless one of these legal safeguards or grounds applies.

For more details or to receive a copy of the safeguards we use, please contact our Data Protection Officer at privacy@kucoin.eu.

9. How long do we process (store) your Personal Data?

We retain your Personal Data only for as long as necessary to fulfil the purposes for which it was collected, including complying with legal, accounting, regulatory requirements or defending legal claims.

The specific retention periods vary depending on the legal basis and purpose of processing. In particular, statutory retention periods applicable to KuCoin EU include, but are not limited to, the following:

  • Personal Data processed to perform a contract is generally stored for the duration of the contractual relationship and until the expiry of applicable statutory limitation periods. Under Austrian civil law (Section 1486 of the General Civil Code (ABGB)), this period is typically three years. In certain cases, such as pending legal disputes or where the extended limitation period under Section 1487 ABGB applies, data may be retained for up to 15 years, based on practical experience with the enforcement of claims.
  • Tax-relevant data is retained for at least seven years following the end of the relevant calendar year, in line with Section 132 BAO and Section 212 UGB.
  • Where Processing is based on your consent, Personal Data is retained until consent is withdrawn or the data is no longer necessary for the original purpose. Retention beyond this only occurs where required by law (e.g., tax or civil law retention obligations or retention periods as described above, Section 1486 and 1487 ABGB).
  • Where Personal Data must be retained by law or to establish, exercise or defend legal claims, retention periods may extend beyond standard durations. For example, transaction data collected under anti-money laundering laws (such as under the FM-GwG) must be retained for 10 years after termination of the business relationship.

Once a retention period expires and no further legitimate purpose for retaining the Personal Data exists, we will securely delete or irreversibly anonymise your Personal Data, in line with applicable data protection laws.

10. Your rights regarding your Personal Data

You have the following rights under the GDPR in relation to your Personal Data:

  • Right of Access (Article 15 GDPR): You have the right to obtain confirmation as to whether we process Personal Data concerning you, and, where that is the case, to access such data and related information, including the purposes of Processing, categories of Personal Data, recipients, and retention periods.
  • Right to Rectification (Article 16 GDPR): You have the right to request the correction of inaccurate Personal Data and the completion of incomplete Personal Data concerning you.
  • Right to Erasure (“Right to be Forgotten”, Article 17 GDPR): You may request the deletion of your Personal Data where, for example, the data is no longer necessary for the purposes for which it was collected, or where you have withdrawn your consent and no other legal basis for Processing applies.
  • Right to Restriction of Processing (Article 18 GDPR): You may request that we restrict the Processing of your Personal Data in certain cases, e.g. if the accuracy of the data is contested, or if the Processing is unlawful but you oppose erasure.
  • Right to Data Portability (Article 20 GDPR): Where the Processing is based on your consent or a contract and carried out by automated means, you have the right to receive the Personal Data you provided in a structured, commonly used and machine-readable format and to transmit it to another Controller.
  • Right to Object (Article 21 GDPR): Where Processing is based on our legitimate interests (Article 6(1)(f) GDPR), you have the right to object on grounds relating to your particular situation. In that case, we will stop Processing your Personal Data unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or if the Processing is necessary for the establishment, exercise, or defence of legal claims.
  • Right to Withdraw Consent (Article 7(3) GDPR): Where Processing is based on your consent (Article 6(1)(a) or Article 9(2)(a) GDPR), you may withdraw your consent at any time. This does not affect the lawfulness of Processing based on consent before its withdrawal.
  • Right not to be subject to Automated Decision-Making (Article 22 GDPR): You have the right not to be subject to a decision based solely on automated Processing, including profiling, which produces legal effects or similarly significantly affects you, unless one of the exemptions under Article 22(2) GDPR applies.
  • Right to Lodge a Complaint (Article 77 GDPR): You may lodge a complaint with the competent data protection authority. In Austria, this is the Datenschutzbehörde (DSB), Barichgasse 40–42, 1030 Vienna (www.dsb.gv.at).
  • Right to Compensation (Article 82 GDPR): If you suffer material or non-material damage due to a breach of the GDPR, you may be entitled to compensation from the responsible Controller or processor. This does not affect any other legal remedies available to you.

10.1 How to exercise your rights

You may exercise these rights free of charge. However, if your requests are manifestly unfounded or excessive (e.g. due to their repetitive nature), we may:

  • Charge a reasonable fee based on administrative costs; or
  • Refuse to act on the request.

We will respond to your request without undue delay and in any case within one month of receipt, in accordance with Article 12(3) GDPR. This period may be extended by up to two additional months where necessary due to the complexity or number of requests. In such cases, we will notify you of the extension and provide the reasons. If we are unable to act on your request, we will inform you without delay, and in any case within one month of receipt of the request and provide reasons for not taking action.

Where we have reasonable doubts about your identity, we may request additional information to verify it (Article 12(6) GDPR). This ensures that your Personal Data is not disclosed to unauthorised individuals.

To exercise your data protection rights, please contact our DPO at privacy@kucoin.eu.

10.2 Restrictions to your rights

In some cases, we may not be able to fully fulfill your request because:

  • We are legally required to keep certain Personal Data under laws like anti-money laundering (Section 21 FM-GwG), tax law (Section 132(1) BAO), or commercial law (Sections 190, 212 UGB).
  • We must retain data to respond to official requests by authorities, including investigations, subpoenas, or other legal actions.
  • We need to keep data to protect our legal rights when there is an ongoing or expected legal case (but not for hypothetical or unplanned cases).
  • Your request would reveal confidential or legally protected information. We will provide what is possible without violating these protections.

11. Cookies and tracking

Cookies are small files stored on your device when you visit our website. We use them to ensure a secure, user-friendly, and optimised browsing experience when you visit our website.

Cookies help us to:

  • Maintain user sessions across page requests,
  • Remember your preferences,
  • Improve the usability and performance of our website,
  • Facilitate navigation, and
  • Support essential features such as login functionality and shopping carts.

Cookies essential for these functions are processed based on our legitimate interest in maintaining site operation (Article 6(1)(f) GDPR).

For all other cookies, including those for analytics, marketing, or personalization, we obtain your clear, informed consent beforehand (Section 165(3) TKG 2021, Article 6(1)(a) GDPR). You can revoke this consent anytime for the future.

Types of Cookies we use:

  • Session cookies: These are temporary and are automatically deleted once you close your browser.
  • Persistent cookies: These remain stored on your device until they expire or are manually deleted in your browser settings.

You control cookie use via your browser settings, where you can:

  • Block all cookies,
  • Be notified before a cookie is saved,
  • Accept cookies only in specific cases, or
  • Delete all cookies automatically when closing the browser.

For example:

  • Microsoft Edge: Settings > Cookies and site permissions
  • Mozilla Firefox: Preferences > Privacy & Security > Cookies and Site Data
  • Google Chrome: Settings > Privacy and security > Cookies and other site data

Please note: Disabling certain cookies may limit the functionality of some parts of our website.

12. Protecting your personal data

We take the security of your Personal Data very seriously and employ a wide range of measures to keep it safe. Our security framework combines administrative, technical, and physical controls designed to prevent unauthorized access, loss, alteration, or misuse of your information.

Some of the key protections we use include:

  • Encryption technologies to secure data transfers and storage;
  • Two-factor authentication (2FA) to add an extra layer of account protection;
  • Regular security assessments and audits to ensure our safeguards remain effective;
  • Strict access controls limiting personal data access to authorized personnel only;
  • Data minimization methods such as pseudonymization where applicable;
  • Procedures for quick recovery of data availability in case of technical failures;
  • Ongoing staff training and clear IT security policies;
  • Incident response plans to promptly handle any security breaches.

We encourage you to enable two-factor authentication and keep your account credentials confidential to further enhance your security. Protecting your data is a continuous commitment, and we regularly update our security practices to stay ahead of emerging threats and comply with international standards.

13. No automated decisions and profiling

We do not use your Personal Data for automated decision-making, including profiling, within the meaning of Article 22(1) and (4) GDPR. This means that you are not subject to any decision based solely on automated Processing which produces legal effects concerning you or similarly significantly affects you.

14. Age restriction

Our platform is intended exclusively for users who are 18 years of age or older. We do not offer our services to minors, and therefore, we do not knowingly collect personal information from anyone under 18. If you are under 18, please do not use our services or submit any personal data to us.

15. Do I have to provide my data?

In principle, you are not legally required to provide us with your Personal Data. However, the provision of certain Personal Data is necessary to access and use our Platform, to comply with statutory obligations (e.g. under anti-money laundering and counter-terrorism financing laws), or to enter into and perform a contract with us.

In particular, we are legally obliged to collect and process specific categories of Personal Data (such as identification documents and proof of address) before entering into a business relationship, and on an ongoing basis, in accordance with applicable Know-Your-Customer (KYC) and Anti-Money Laundering (AML) requirements.

Without this information, we cannot provide you with access to our Services or might not be able to establish or continue a business relationship with you, or to provide certain features of our Platform.

16. Updates to this Policy

This Policy is current as of the “Last Updated” date indicated above. We may update or amend this Policy from time to time to reflect changes in legal requirements, our data Processing practices, or the features of our Services. Therefore, we encourage you to review this Policy periodically to stay informed about how we process your Personal Data.

17. How to contact us?

If you have any further questions about the processing of your personal data, please contact our DPO: privacy@kucoin.eu.