Cookie Policy
How Nortyx collects, uses, shares and protects personal data across onboarding, exchange and support \u2014 aligned with GDPR, Finnish law and crypto-asset regulatory requirements.
1. About This Privacy Notice
This Privacy Notice explains how Nortyx (“Nortyx”, “we”, “our”, or “us”) processes personal data in connection with our website, crypto-asset exchange platform, client portal, onboarding processes, transaction services, customer-support channels and related online services.
For the purposes of this Privacy Notice, “personal data” means any information relating to an identified or identifiable natural person. This may include information that directly identifies a person, such as a name or identification document, as well as information that may identify a person indirectly, such as transaction data, wallet information, device information, online identifiers, security signals or compliance records.
Nortyx processes personal data in a lawful, fair, transparent and secure manner. This Privacy Notice is intended to describe our data-processing practices in accordance with applicable data-protection requirements, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), applicable Finnish data-protection legislation, anti-money laundering and counter-terrorist financing requirements, sanctions obligations, fraud-prevention obligations, crypto-asset regulatory requirements and other applicable legal or regulatory obligations.
Nortyx is the controller of personal data processed for the purposes described in this Privacy Notice, unless otherwise stated. Additional legal entity details, registered address, contact details and, where applicable, data protection officer or representative details should be inserted once available.
2. When This Notice Applies
This Privacy Notice applies when you visit our website, create or use a user account, apply for onboarding or verification, submit information to Nortyx, use our crypto-asset exchange services, make fiat or crypto- asset transactions, communicate with our customer-support or compliance teams, interact with our platform, or otherwise use the services provided by Nortyx.
This Privacy Notice also applies to prospective clients, verified clients, rejected applicants, former clients, business clients, representatives of corporate clients, beneficial owners, authorised persons, payers, payees, transaction counterparties and other individuals whose personal data may be processed in connection with the services.
Certain services, products or jurisdictions may be subject to additional privacy notices, contractual terms or regulatory disclosures. If there is any inconsistency between this Privacy Notice and a more specific notice, the more specific notice will apply to the relevant processing activity.
3. Personal Data We May Process
Nortyx may process different categories of personal data depending on how you interact with the services, the type of account you apply for, the transactions you perform, the jurisdiction involved and the level of due diligence required.
We may process identification and contact information, including full legal name, date of birth, nationality, citizenship, country of residence, email address, telephone number, account username and similar contact or account details.
We may process verification and due-diligence information, including government-issued identity document details, copies or images of identity documents, proof of address, selfie photographs, liveness checks, facial-verification results, document-authentication results and information required to verify identity, eligibility or account ownership.
Where required for onboarding, enhanced due diligence, transaction review, sanctions screening, fraud prevention or legal compliance, we may process information about occupation, employer, business activity, source of funds, source of wealth, expected account activity, purpose of transactions, tax residency, corporate role, beneficial ownership, control structure or other risk-related information.
We may process financial and transaction information, including fiat payment details, bank account ownership information, crypto-asset transaction records, exchange instructions, order history, blockchain transaction identifiers, external wallet addresses, payment status, transaction amounts, transaction dates, fees, refunds, chargeback information and related operational records.
We may process technical, device and usage information, including IP address, approximate location derived from IP address, device type, browser type, operating system, session identifiers, login timestamps, authentication status, pages visited, referral source, platform activity, cookies, local storage, log files, error reports, security events and fraud-prevention signals.
We may process communication records, including messages sent to or from Nortyx, customer-support requests, compliance questionnaires, uploaded documents, call notes, complaints, disputes, requests, feedback and other information voluntarily provided through the services.
For business clients, we may process information relating to directors, officers, shareholders, beneficial owners, authorised representatives, account operators, contact persons and other individuals connected with the business relationship.
4. Sources of Personal Data
Nortyx may collect personal data directly from you when you provide information through our website, platform, forms, onboarding flows, account settings, verification procedures, transaction instructions, customer-support channels or other communications.
Nortyx may also collect personal data automatically when you access or use the services. This may include technical information, session information, device information, usage information, security logs, authentication records and cookie-related information.
In addition, Nortyx may receive personal data or verification results from third parties where necessary for the services, risk management or legal compliance. These may include identity verification providers, document-authentication providers, liveness-detection providers, sanctions and watchlist screening providers, politically exposed person and adverse media databases, blockchain analytics providers, transaction monitoring systems, payment service providers, banking partners, fraud-prevention providers, cybersecurity providers, public registers, corporate registries, business-information databases and other compliance or operational service providers.
Nortyx may also derive or generate personal data internally, including risk scores, compliance alerts, transaction monitoring results, fraud indicators, account status records, security flags, internal notes, case- management records and audit-trail information.
5. Why We Process Personal Data
Nortyx processes personal data for purposes connected with operating, securing, improving and complying with the requirements applicable to a crypto-asset exchange and related services.
We process personal data to provide and administer the services. This includes creating and maintaining accounts, verifying user credentials, enabling platform access, processing exchange instructions, facilitating fiat and crypto-asset transactions, delivering crypto-assets to wallet addresses provided by users, maintaining transaction records, providing customer support and communicating service-related information.
We process personal data to comply with legal and regulatory obligations. This may include customer identification, know-your-customer checks, know-your-business checks, beneficial ownership verification, sanctions screening, anti-money laundering controls, counter-terrorist financing controls, transaction monitoring, travel rule-related information processing, fraud prevention, recordkeeping, auditability, regulatory reporting and responses to lawful requests from competent authorities.
We process personal data to protect the security and integrity of the services. This includes detecting suspicious logins, preventing unauthorised account access, monitoring fraud risks, investigating misuse, protecting users and third parties, enforcing platform rules, maintaining operational resilience and responding to technical or security incidents.
We process personal data to assess and manage transaction risk. This may include reviewing wallet addresses, blockchain transaction identifiers, transaction patterns, geographic indicators, device-risk signals, payment information, sanctions exposure, adverse media indicators and other financial crime risk factors.
We process personal data to communicate with users. This includes service notices, account messages, security alerts, verification requests, compliance requests, transaction-related communications, operational updates, legal notices and responses to customer-support enquiries.
We may process personal data for analytics, platform improvement and business operations. This may include understanding how users interact with the website and platform, improving usability, identifying technical issues, testing functionality, developing internal reporting, maintaining business continuity and improving service reliability. Where required by law, non-essential analytics or similar technologies will only be used with consent.
We may process personal data for marketing or optional communications only where permitted by applicable law and subject to any required consent or opt-out rights.
6. Legal Bases for Processing
We may process personal data where necessary to perform a contract with you or to take steps at your request before entering into a contract. This includes account creation, onboarding, provision of services, transaction processing, customer support and service administration.
We may process personal data based on consent where consent is required or appropriate. This may include certain cookies, optional analytics, optional marketing communications or other processing activities that require consent under applicable law. You may withdraw consent at any time, but withdrawal does not affect processing carried out before withdrawal and may be subject to legal or regulatory limitations.
7. Crypto-Asset Compliance, Wallet Screening and Transaction Monitoring
Because Nortyx operates in the crypto-asset sector, certain processing activities are necessary to identify clients, prevent misuse of the platform, monitor transactions and comply with financial crime prevention obligations.
Nortyx may use blockchain analytics, wallet screening, transaction monitoring, sanctions screening, fraud- detection tools and compliance case-management systems to assess whether transactions, wallet addresses or users present elevated risk. These tools may identify potential exposure to sanctioned persons, sanctioned jurisdictions, darknet markets, ransomware, scams, stolen funds, mixers, obfuscation services, high-risk wallet clusters, suspicious transaction patterns or other financial crime indicators.
Nortyx may also review transaction information manually or through semi-automated systems. This may result in requests for additional information, delayed processing, transaction rejection, account restrictions, account closure, reporting to competent authorities or other actions required or permitted by law.
Some compliance-related processing is mandatory. Nortyx may be unable to provide services if required information is not provided or if verification, screening or transaction monitoring cannot be completed.
8. Who We May Share Personal Data With
Nortyx does not sell personal data. We may share personal data where reasonably necessary for the purposes described in this Privacy Notice.
We may share personal data with service providers that support our operations. These may include identity verification providers, KYC providers, document authentication providers, liveness and fraud-prevention providers, blockchain analytics providers, transaction monitoring providers, sanctions and watchlist screening providers, payment processors, banking or financial infrastructure providers, cloud hosting providers, cybersecurity providers, analytics providers, communication tools, customer-support systems, professional advisers and technical platform providers.
We may share personal data with regulators, supervisory authorities, financial intelligence units, law enforcement, courts, public authorities or other competent bodies where required or permitted by law. This may include disclosures connected with AML, sanctions, fraud investigations, regulatory examinations, suspicious activity reporting, legal proceedings or formal information requests.
We may share personal data with banks, payment service providers, crypto-asset service providers, wallet infrastructure providers or transaction counterparties where necessary to process payments, crypto-asset transfers, refunds, disputes, chargebacks, compliance checks or transaction-related obligations.
We may disclose personal data to professional advisers, auditors, insurers, legal counsel or consultants where necessary for legal advice, audits, risk management, insurance, dispute resolution, internal governance or protection of legal rights.
If Nortyx undergoes a merger, acquisition, restructuring, financing, sale of assets, insolvency process or similar transaction, personal data may be disclosed or transferred as part of that transaction, subject to appropriate confidentiality and security safeguards.
9. International Transfers
Nortyx may use service providers, technology systems, compliance tools and infrastructure partners located in different countries. As a result, personal data may be transferred to, stored in or accessed from jurisdictions outside Finland, the European Economic Area or the user’s country of residence.
Where personal data is transferred outside the European Economic Area, Nortyx will seek to implement appropriate safeguards where required by applicable law. These may include adequacy decisions, standard contractual clauses, contractual protections, technical safeguards, organisational safeguards or other lawful transfer mechanisms.
Personal data processed in another jurisdiction may be subject to the laws of that jurisdiction, including lawful access by courts, regulators, law-enforcement bodies or governmental authorities.
10. Data Retention
Nortyx retains personal data only for as long as reasonably necessary for the purposes described in this Privacy Notice or as required or permitted by applicable law.
Retention periods may depend on the type of data, the nature of the relationship, the status of the account, legal obligations, AML/KYC requirements, sanctions obligations, tax and accounting requirements, transaction history, dispute risk, fraud-prevention needs, security requirements and regulatory recordkeeping duties.
Certain records, including identity verification records, due-diligence information, transaction records, compliance files, audit trails and AML-related records, may need to be retained after account closure or after the end of the business relationship where required or permitted by law.
Technical logs, security records and fraud-prevention records may be retained for periods necessary to protect the platform, investigate suspicious activity, maintain security, resolve disputes and comply with legal or regulatory requirements.
When personal data is no longer required, Nortyx will seek to delete, anonymise, archive or otherwise dispose of it in accordance with applicable requirements and internal retention procedures.
11. Security of Personal Data
Nortyx uses technical, organisational and administrative measures designed to protect personal data against unauthorised access, loss, misuse, alteration, disclosure or destruction.
These measures may include access controls, authentication measures, encryption where appropriate, secure hosting environments, monitoring systems, logging and audit trails, internal access restrictions, confidentiality obligations, staff controls, vendor due diligence, incident-response procedures and security reviews.
Although Nortyx takes steps to protect personal data, no online service, platform, communication channel or transmission method can be guaranteed to be completely secure. Users are responsible for maintaining the confidentiality of their login credentials, authentication methods, devices, email accounts, external wallets and communications with Nortyx.
12. Cookies and Similar Technologies
Nortyx may use cookies, local storage, session tokens, pixels, log files, device identifiers, analytics tags and similar technologies in connection with the website and platform.
These technologies may be used to operate the services, maintain secure sessions, authenticate users, remember preferences, monitor performance, detect fraud, support security controls, analyse website usage and improve user experience.
Some cookies are strictly necessary for the operation, security and availability of the services. Other cookies, such as analytics or optional functional cookies, may require consent under applicable law. Additional information is provided in Nortyx’s Cookie Policy.
13. Automated Tools and Human Review
Nortyx may use automated or semi-automated tools to support identity verification, sanctions screening, fraud prevention, transaction monitoring, blockchain analytics, device-risk assessment, compliance reviews and platform security.
These tools may generate alerts, risk indicators, matches, recommendations or scores that assist Nortyx in reviewing accounts, documents, transactions, wallet addresses or platform activity. Nortyx may use these outputs to support decisions relating to onboarding, verification, transaction review, account restrictions, enhanced due diligence, reporting or fraud prevention.
Where required by applicable law, Nortyx will provide appropriate safeguards, including human review, where automated processing may produce legal effects or similarly significant effects for an individual. Certain information about compliance models, fraud rules, sanctions screening or security controls may be limited where disclosure would undermine legal compliance, fraud prevention, security or confidential risk controls.
14. Privacy Rights and Choices
Depending on applicable law and your jurisdiction, you may have rights in relation to your personal data. These may include the right to request access to your personal data, the right to request correction of inaccurate or incomplete data, the right to request deletion, the right to restrict processing, the right to object to certain processing, the right to data portability, the right to withdraw consent and the right to lodge a complaint with a supervisory authority.
These rights are not absolute. Nortyx may be required or permitted to refuse, limit or delay a request where necessary to comply with AML/KYC obligations, sanctions requirements, regulatory recordkeeping, fraud prevention, security, legal claims, dispute resolution, confidentiality obligations, transaction integrity or other legal and operational requirements.
Nortyx may request reasonable identity verification before responding to a privacy request. This is necessary to protect personal data and ensure that requests are made by the relevant individual or an authorised representative.
If you are located in Finland or the European Economic Area, you may have the right to contact or lodge a complaint with the competent data-protection supervisory authority, including the Finnish Data Protection Ombudsman where applicable.
15. Communications, Marketing and Service Notices
Nortyx may send service-related communications, including account notices, transaction messages, verification requests, compliance requests, security alerts, legal notices, regulatory notices and operational updates. These communications are generally necessary for the services and may not be optional.
Where Nortyx sends optional marketing communications, users may opt out at any time by using the unsubscribe mechanism in the communication or by contacting Nortyx. Opting out of marketing communications does not affect service-related, legal, security, compliance or transaction-related communications.
16. Minors
The services are not intended for children or individuals who are under the minimum age required to use the services under applicable law or Nortyx’s terms. Nortyx does not knowingly provide services to minors.
If Nortyx becomes aware that it has collected personal data from a minor in circumstances where this is not permitted, Nortyx will take appropriate steps to address the issue, which may include deletion of the relevant data, account restriction or termination of the account.
17. External Services and Third-Party Links
The website or platform may contain links to third-party websites, applications, payment providers, wallet services, blockchain tools, financial institutions, social media platforms or other external services.
Nortyx is not responsible for the privacy practices, security measures, content or terms of third-party services. Users should review the privacy policies and terms of any third-party services before using them.
18. Changes to This Privacy Notice
Nortyx may update this Privacy Notice from time to time to reflect changes in the services, legal requirements, regulatory expectations, technical systems, compliance controls, business operations or data- processing practices.
The “Last updated” date at the top of this Privacy Notice indicates when it was last revised. Updated versions will be published on the website and will become effective upon publication unless otherwise stated.