In This Article:
Never bother to read the privacy policy when signing up for a cryptocurrency exchange? Maybe you should.
For Privacy Week, CoinDesk reviewed the privacy policies and notices of 24 major crypto exchanges and lending services to see how much they know about users and how transparent they are about it. The two dozen companies represent a cross-section of popular consumer-facing platforms.
It turns out crypto platforms collect a wealth of their users’ personal data – ironic considering this asset class grew out of the privacy-championing cypherpunk movement and was originally conceived as anonymous digital cash.
All major crypto services these days are subject to laws and regulations obliging them to perform know-your-customer (KYC) checks on any new client. Crypto platforms are inherently online so to make sure they are dealing with the same person who submitted ID documents, over the past few years they adopted biometric verification, asking prospective users to provide a photo with their ID, a short video of themselves or both.
Given that many of these platforms are accepting fiat payments from bank accounts of their clients to let them buy crypto with their local currencies (acting as so-called fiat on-ramps), they also process users’ banking information, and in some cases tax IDs, too.
Such platforms collect their users' home addresses, phone numbers, employment information, banking details, photos of their IDs and photos and/or videos of their faces. In addition, platforms can see the entire history of their users' trades, cryptocurrency addresses they use to deposit and withdraw funds and any transactions related to them on public blockchains.
Platforms also routinely gather technical information about the devices users are logging in from, including operating systems, browser details, IP addresses and the location and time zone settings of computers and phones their clients use to trade.
This is a pretty typical set of data more or less any regulated crypto service would process and store. However, they differ in the amount of data they store, how they protect users' privacy and how much they disclose about such practices.
The companies explain in their privacy policies that they use this data to provide quality service to their clients, prevent fraud and keep customers posted about relevant news and updates. However, this abundance of personal information makes the platforms huge data banks – and, in cases of security breaches, they may become sources of massive leaks.
It's hard to verify how companies are actually handling their users’ data. But by reading the privacy policies these companies publish on their websites, we can see how explicit and forthright they are about it.
Here are some of the issues to be mindful of.
Financial data use and storage
Crypto platforms provide varying levels of disclosure about the data they receive and store related to users' financials. (In this article, we don't look at the financial information platforms collect about corporate users, only about individuals.)
Most of the privacy policies CoinDesk reviewed mentioned bank account numbers and (as one would expect) trading history on the platform. Crypto lending provider BlockFi stood out with the longest list of types of banking data it collects. Exchanges Binance, BitMEX, Poloniex, and OKEx did not mention what banking data they collect at all in their privacy policies.
Paxful mentions that financial information may be stored if users send it to their trading counterparties via the chat on the platform, as Paxful keeps the chat records.
"BitMEX doesn’t operate any fiat payment gateways for its users and so does not receive credit card or other banking information in respect of its users,” explained BitMEX Communications and Content Manager Jessica Lindeman. “Instead users are able to purchase XBT or USDT through Banxa,” a payments company.
Poloniex said via spokesperson Gabriel Wang that it too "does not deal with fiat directly, so no credit card/banking info is stored on our system."
Richard Kay, OKEx’s senior public relations manager in the U.K. and Europe, said the exchange also does not store its users’ banking information. That's taken care of by third-party payment providers, including Coinify, MoonPay, Okcoin, Banxa, Mercuryo, Simplex and Itez, he said.
Binance told CoinDesk via spokesperson that it actually does process banking information. "We would would only process credit card or banking information when users decide to share this information with Binance, for transactional purposes, as it is not mandatory information to open an account," the company added.
| Platform | Financial data collected, according to privacy policy |
|---|---|
| Bakkt (last updated Oct. 28, 2020) | Bank account number, credit card number, debit card number, details of transactions on the platform |
| Binance (last updated Jan. 12, 2022) | Transaction history |
| Bitfinex (last updated May 27, 2021) | Bank statements, bank account number |
| BitMEX (last updated Aug. 28, 2020) | Payment details, including wallet address(es) |
| Bitstamp (last updated Nov. 5, 2020) | Bank account number, bank statement and trading information |
| Bittrex (last updated Dec. 31, 2019) | Bank account and payment details, transactions data, portfolio data |
| Blockchain.com (last updated Dec. 16, 2021) | Bank account information and/or credit card details, transactions history and account balances |
| BlockFi (last updated June 15, 2021) | "Transaction Data such as cryptocurrency wallet address(es), information relating to your BlockFi account and cryptocurrency trading transactions and related information for deposits or withdrawals, credit card information (last four digits of number, expiration date, card status), credit card payment information (amount, date, frequency, status, balance), information relating to credit card transactions; |
| Celsius (last updated October, 2021) | Bank account or other financial information; records of products or services purchased, obtained, or considered, or other purchasing histories or tendencies |
| Coinbase (last updated Oct. 8, 2021) | Bank account information, payment card primary account number (PAN), transaction history, trading data, and/or tax identification. |
| Crypto.com (last updated Sept. 30, 2021) | Bank account, payment card details, virtual currency accounts, stored value accounts, amounts associated with accounts, external account details, source of funds and related documentation. |
| Deribit (undated) | Bank account statement, the address of your wallet from which you deposit/withdraw cryptocurrency into/from your account; orders, trades, positions and balances. |
| eToro (last updated May 20, 2020) | Annual income, investment portfolio, total cash and liquid assets and other details; value and currency of any deposit, withdrawal, or transaction made and the payment method. |
| FTX (last updated Dec. 23, 2021) | Bank account information, routing number, transaction history, trading data and/or tax identification, transaction information, name of the recipient and the trading amount. |
| Gemini (last updated Dec. 8, 2021) | Bank account information, routing number, trading activity, order activity, deposits, withdrawals, account balances |
| Huobi (last updated April 27, 2021) | Debit card information and/or other account information, transactions record |
| Kraken (last updated Nov. 23, 2021) | Bank account information, credit card details, details about source of funds, assets and liabilities, Office of Foreign Assets Control (OFAC) information, trading account balances, trading activity |
| LocalBitcoins (last updated June 10, 2020) | Financial information may include information related to your income, wealth, bank account information and/or tax identification, bitcoin transaction information. |
| Nexo (undated) | Not specified |
| Okcoin (last updated Dec. 18, 2020) | Bank account information, transactions data |
| OKEx (last updated Dec. 3, 2020) | Not specified |
| Paxful (undated) | Social Security number or account balances, payment history or transaction history, credit history or credit scores, trade chat messages, "which may contain financial information if you provide it to sellers" |
| Poloniex (last updated May 4, 2020) | Transactional data including records for trades, deposits, and withdraws, other session data linked to account |
| SALT (last updated Jan. 6, 2021) | Loan requests, loan amounts, loan payment information, transaction history, cryptocurrency wallet information and financial data such as bank name and account number |
Third parties with access to data
Crypto services usually need multiple partners to maintain their websites and process trades, so they have to share users’ data with those partners. Various services provide different levels of openness about which companies they share users' data with, and about their reasons for doing so.
Some companies merely mention they might share data with third parties, while others provide names and explanations, with varying degrees of detail.
Bitfinex and BitMEX provided the longest lists of counterparties they share data with. Bitfinex lists third parties at the end of its privacy policy and BitMEX has a special page dedicated to the list of its data partners.
Europe-based platforms normally mention, among other things, if they are transferring users' data to any places outside the EU, and how they make sure such transfers are secure. These parts of the privacy policies look pretty similar across different platforms.
Many companies separately describe their approaches for EU citizens, whose personal data since 2018 has been protected by the General Data Protection Regulation (GDPR), or for Californians, under the California Consumer Privacy Act (CCPA). Some platforms also specify their treatment of residents of Vermont, which has its own local privacy laws.
We won’t delve into those sections in this article, as they’re largely relevant only to residents of these particular areas, but if you are one, check if your crypto service notes anything important for you.
| Crypto exchange | Third parties with access to data |
|---|---|
| Bakkt (last updated Oct. 28, 2020) | Service providers and/or data processors, counterparties in transactions, financial institutions and credit bureaus, other third parties |
| Binance (last updated Jan. 12, 2022) | Subsidiaries or affiliates, third-party service providers and others. |
| Bitfinex (last updated May 27, 2021) | Bitrefill, Chainalysis, Celsius Network, getResponse, happyCOINS, hCaptcha, Mercuryo, OWNR WALLET, WorldCheck, Twilio, Simplex, Zendesk. (This list does not include banks to which personal information is transferred for payment purposes in accordance with international banking practice.) |
| BitMEX (last updated Aug. 28, 2020) | Companies belonging to HDR Group (BitMEX parent company), Amazon Web Services, Google ReCAPTCHA, Yubikey, Jumio, Freshdesk, Segment.io, Sentry.io, Google Analytics, SendGrid, Pagerduty, Solarwinds, Intercom, Onfido. |
| Bitstamp (last updated Nov. 5, 2020) | "May share information with credit reference agencies, anti-fraud databases, screening agencies and other partners we do business with." |
| Bittrex (last updated Dec. 31, 2019) | Suppliers and external agencies, subsidiaries, associates and agents, regulators, law enforcement agencies and other authorities, consultants, bankers, professional indemnity insurers, brokers and auditors; "other organizations where exchange of information is for the purpose of fraud protection or credit risk reduction," debt recovery agencies. |
| Blockchain.com (last updated Dec. 16, 2021) | Affiliates, cloud service providers, fraud detection service, spam and abuse detection providers |
| BlockFi (last updated June 15, 2021) | Affiliates, BlockFi Rewards Visa Signature Card partners, service providers. |
| Celsius (last updated October 2021) | Subsidiaries, affiliated companies, subcontractors and other third-party service providers, business partners (such as GEM, Coinify, Simplex and Wyre), auditors or advisers, "any potential purchasers or third party acquirer(s) of all or any portion of our business or assets, or investors in the company." |
| Coinbase (last updated Oct. 8, 2021) | Jumio, SolarisBank AG, Sift Science, Plaid, Paysafe, other financial institutions and service providers. |
| Crypto.com (last updated Sept. 30, 2021) | Service providers, agents, subcontractors and other associated organizations, affiliates |
| Deribit (undated) | Cloud service providers, software suppliers, affiliates |
| eToro (last updated May 20, 2020) | Affiliates, advisors, vendors, consultants and other service providers, such as payment service providers, IT hosting companies, banks, other financial institutions and credit reference agencies |
| FTX (last updated Dec. 23, 2021) | Service providers, business partners, NFT partners, affiliates, advertising partners |
| Gemini (last updated Dec. 8, 2021) | Service providers, affiliates, advisers |
| Huobi (last updated April 27, 2021) | Affiliates and partners |
| Kraken (last updated Nov. 23, 2021) | Affiliates, subsidiaries, service providers and business partners |
| LocalBitcoins (last updated June 10, 2020) | Onfido, Jumio, Google, Sentry.io, SendGrid Inc, Nexmo, Twilio, TM4B; |
| Nexo (undated) | "Hosting partners and other parties who assist us in operating our website, conducting our business, or serving our users, so long as those parties agree to keep this information confidential." |
| Okcoin (last updated Dec. 18, 2020) | Affiliates, service providers and other third parties, "entities in connection with any financing, acquisition or dissolution proceedings." |
| OKEx (last updated Dec. 3, 2020) | Not disclosed |
| Paxful (undated) | Service providers, data processors, other parties to transactions, such as sellers, financial institutions, affiliates |
| Poloniex (last updated May 4, 2020) | Affiliates, advertisement and other business partners, service providers. |
| SALT (last updated Jan. 6, 2021) | Subsidiaries and affiliates, contractors, service providers, including those providing ID verification, consulting, sales, client support operations, payment processing and technical support or services; financial institutions. |
Data gathered from third parties
To make sure they know enough about their users, platforms gather information about them from outside sources, meaning they might know much more about you than you yourself told them.
This might include companies affiliated with the platform via common owners; third-party providers of identity verification and other technology; banks; government organizations; social networks and other sources.
Out of the 24 platforms in our list, Gemini, founded by Cameron and Tyler Winklevoss, seems to have the most exhaustive list of outside sources of information it’s gathering about users
Many companies mention they might look you up in anti-fraud databases, public court documents, sanctions lists, and also ask credit bureaus and various government bodies about you.
| Crypto exchange | Data gathered from third parties |
|---|---|
| Bakkt (last updated Oct. 28, 2020) | "We also collect information about you from third parties, such as money laundering and fraud prevention information providers, marketing agencies, identity and creditworthiness verification services, and analytics and information providers. We may combine information we collect about you with information from third parties." |
| Binance (last updated Jan. 12, 2022) | "We may receive information about you from other sources such as credit history information from credit bureaus." |
| Bitfinex (last updated May 27, 2021) | Not specified |
| BitMEX (last updated Aug. 28, 2020) | "We receive personal data from partners when they refer you to us (for example, we receive data about the service you used, and that referred you). We will receive confirmation from Yubico Cloud that you have successfully authenticated using a Yubikey registered with that service. Third parties may monitor the Web on our behalf, for example looking for stolen usernames and passwords. Our communications service provider may also enable us to learn more about your social media presence, in order for us to send you more personalised communications. Finally, some authorities or other persons seeking access to information about users may provide information about the circumstances of their request, and about the individuals of interest." |
| Bitstamp (last updated Nov. 5, 2020) | "We may collect Personal Data from third-party partners and public sources, which include: |
| Bittrex (last updated Dec. 31, 2019) | "Analytic providers such as Google Analytics; advertising networks; search information providers. |
| Blockchain.com (last updated Dec. 16, 2021) | Affiliates, banks or payment processors, advertising or analytics providers. |
| BlockFi (last updated June 15, 2021) | "May include, but are not limited to, public databases, credit bureaus, identity verification partners, resellers and channel partners, joint marketing partners, advertising networks and analytics providers, social media platforms, and our BlockFi Rewards Visa Signature Card partner." |
| Celsius (last updated October 2021) | "Our affiliates, our service providers, or our affiliates’ service providers; public websites or other publicly accessible directories and sources, including bankruptcy registers, tax authorities, governmental agencies and departments, and regulatory authorities; and/or from credit reporting agencies, sanctions screening databases, or from sources designed to detect and prevent fraud or financial crimes." |
| Coinbase (last updated Oct. 8, 2021) | Companies affiliated with Coinbase, public databases, credit bureaus, ID verification partners, joint marketing partners and resellers, advertising networks and analytics providers, public blockchains. |
| Crypto.com (last updated Sept. 30, 2021) | "- Fraud and crime prevention agencies, |
| Deribit (undated) | Not specified |
| eToro (last updated May 20, 2020) | "May include, for example, identity verification agencies, credit referencing agencies and similar bodies. We may also collect information about you from third parties, when you use or connect to eToro by or through a third party platform, such as Facebook or another site, you allow us to access and/or collect certain information from your Third Party Platform profile/account as permitted by the terms of the agreement and your privacy settings with the third party platform. We will share such information with the third party platform for their use." |
| FTX (last updated Dec. 23, 2021) | "We may also use Google Analytics and other service providers to collect information regarding visitor behavior and visitor demographics on our Services... We may use Plaid Technologies, Inc. ('Plaid'), as a vendor to collect information about you... |
| Gemini (last updated Dec. 8, 2021) | "Identification Information, such as name, email, phone number, postal address, government identification numbers (which may include Social Security Number or equivalent, driver’s license number, passport number); |
| Huobi (last updated April 27, 2021) | Not specified |
| Kraken (last updated Nov. 23, 2021) | Banks: name, address, bank account details. |
| LocalBitcoins (last updated June 10, 2020) | Not specified |
| Nexo (undated) | Not specified |
| Okcoin (last updated Dec. 18, 2020) | Not specified |
| OKEx (last updated Dec. 3, 2020) | Not specified |
| Paxful (undated) | Service providers and data processors, affiliates, "third-parties who may help us verify identity, prevent fraud, and protect the security of transactions," "third-parties who may help us evaluate your creditworthiness or financial standing," "third-parties who may help us analyze Personal Data, improve the Website or the Services or your experience on it, market products or services, or provide promotions and offers to you," social media platforms |
| Poloniex (last updated May 4, 2020) | "We may obtain Personal Data about you from other sources, including through third party services such as sanctions screening services and other organizations to supplement information provided by you." |
| SALT (last updated Jan. 6, 2021) | Google Analytics, Full Story. |
Reasons to share data with government agencies
Major crypto exchanges these days are closely watched by regulators around the world and often asked to disclose information about their users when the authorities suspect wrongdoing, from tax evasion to money laundering.
"The companies that collect that information can – and often do – share that personal information with governments, even when the government has not gotten a warrant to collect that information," said Marta Belcher, a cryptocurrency and civil liberties attorney.
A silver lining is that more and more companies are disclosing how many requests from authorities they get.
"What it really comes down to is whether companies are going to stand up for their users, and whether they are going to be transparent about the requests they receive from governments and whether they voluntarily turn that information over," Belcher said.
The most famous (or infamous) precedent of a government body reaching for a trove of crypto exchange users' data was the U.S. International Revenue Service (IRS) getting access to information on about 13,000 U.S. users of Coinbase in 2018. The move was preceded by a long court fight between the exchange and the IRS, which initially wanted data about 500,000 users.
The way a company describes its reasons for answering questions from governments matters, said Peter Van Valkenburg, director of research at Coin Center, an industry think tank.
"Do they need a warrant or subpoena, or they’re happy to answer even without the warrant from the judge?" Van Valkenburg said.
Out of 24 companies CoinDesk looked at, 13 mentioned subpoenas and court orders in their privacy policies among reasons to cooperate with the requests from government agencies and law enforcement. However, not all companies claim to require such a formal request before handing over customer information.
Blockchain.com, an exchange and crypto wallet provider, says it would insist that authorities present "a court order, or equivalent proof that they are statutorily authorised to access your data." By contrast, eToro says it would provide information "to assist regulatory, cybercrime, data and information protection agencies and police with their enquiries and enforcement, even if not compelled to do so."
Bitfinex dedicated a separate page on its website to explain how it approaches requests from law enforcement bodies.
Ultimately, it's hard to predict how a particular platform would act in a real-life situation when a regulatory body is knocking on its door, or how evolving crypto regulation around the world could change the rules of the game in years to come. But the way platforms describe their approach might give some clues about what you can possibly expect.
| Crypto exchange | Reasons to share data with government agencies |
|---|---|
| Bakkt (last updated Oct. 28, 2020) | "Complying with our policies and obligations, including but not limited to, disclosures made in response to any requests from law enforcement authorities and/or regulators in accordance with any applicable law, rule, regulation, judicial or governmental order, regulatory authority of competent jurisdiction, discovery request, advice of counsel or similar legal process." |
| Binance (last updated Jan. 12, 2022) | "When we believe release is appropriate to comply with the law or with our regulatory obligations; enforce or apply our Terms of Use and other agreements; or protect the rights, property or safety of Binance, our users or others." |
| Bitfinex (last updated May 27, 2021) | "When such requests are received, Bitfinex requires that it be accompanied by appropriate legal process. This can vary from place to place. For example, production orders, search warrants, freezing orders, seizure orders and subpoenas, but also requests for voluntary disclosure of data may all amount to legal process. Bitfinex reviews each order and request for voluntary disclosure to determine that it has valid legal basis and that any response is narrowly tailored to ensure that only the data and/or remedy to which law enforcement is entitled is provided. In addition, in respect of requests relating to the freezing and/or seizing of assets, Bitfinex requires that the request (i) follows the relevant local jurisdiction’s legal process and (ii) contains all necessary instructions, including, where applicable, the duration of the freeze." |
| BitMEX (last updated Aug. 28, 2020) | "Mandated by law or regulation, or required for the legal protection of our or third party legitimate interests, in compliance with applicable laws and regulations, and relevant / competent public authorities’ requests." |
| Bitstamp (last updated Nov. 5, 2020) | "We may share your Personal Data with law enforcement, data protection authorities, government officials and other authorities when: |
| Bittrex (last updated Dec. 31, 2019) | "To comply with any legal obligation, judgment or under an order from a court, tribunal or authority." |
| Blockchain.com (last updated Dec. 16, 2021) | "We shall require any third-party, including without limitation, any government or enforcement entity, seeking access to the data we hold to a court order, or equivalent proof that they are statutorily authorised to access your data and that their request is valid and within their statutory or regulatory power." |
| BlockFi (last updated June 15, 2021) | "Comply, as necessary, with applicable laws and regulatory requirements; |
| Celsius (last updated October, 2021) | "To comply with any applicable law, regulation, legal process or governmental request." |
| Coinbase (last updated Oct. 8, 2021) | "When we are compelled to do so by a subpoena, court order, or similar legal procedure, or when we believe in good faith that the disclosure of personal information is necessary to prevent physical harm or financial loss, to report suspected illegal activity, or to investigate violations of our User Agreement or any other applicable policies." |
| Crypto.com (last updated Sept. 30, 2021) | "Where the law allows or requires us to do so." |
| Deribit (undated) | "We may provide your personal data to competent authorities upon their request to the extent legally required or to the extent necessary to defend our rights in legal proceedings or investigations." |
| eToro (last updated May 20, 2020) | "To comply with court orders, mandatory dispute resolution determinations and mandatory government authority or law enforcement orders or directions; |
| FTX (last updated Dec. 23, 2021) | "To comply with law enforcement or national security requests and legal process, such as a court order or subpoena; protect your, our or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual illegal activity." |
| Gemini (last updated Dec. 8, 2021) | "In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access your Personal Information." |
| Huobi (last updated April 27, 2021) | "In compliance with laws, regulations, rules and regulations or orders from courts of law or other competent authorities." |
| Kraken (last updated Nov. 23, 2021) | "To comply with any applicable laws and regulations, subpoenas, court orders or other judicial processes, or requirements of any applicable regulatory authority." |
| LocalBitcoins (last updated June 10, 2020) | "When such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests and/or the vital interests of a third-party." |
| Nexo (undated) | Not specified |
| Okcoin (last updated Dec. 18, 2020) | "To comply with any law, court order, subpoenas or government requests." |
| OKEx (last updated Dec. 3, 2020) | "To comply with government agencies, including regulators, law enforcement and/or justice departments." |
| Paxful (undated) | "In response to a request by a government agency, such as law enforcement authorities or a judicial order." |
| Poloniex (last updated May 4, 2020) | "To comply with any law, subpoenas, court orders, or government request, defend against claims, investigate or bring legal action against illegal or suspected illegal activities, enforce our Terms, or to protect the rights, safety, and security of us, our users, or the public." |
| SALT (last updated Jan. 6, 2021) | "To comply with any court order, law, regulatory requirement or legal process, including to respond to any government or regulatory request." |
Data retention
Another thing to pay attention to is how long your data is stored on the exchange's servers after you're no longer a client. Such disclosures often are put under the title "data retention" in privacy policies.
In most cases, it would take platforms about five years to erase your data after you part ways, but most also note that due to some specific reasons, like an ongoing investigation, they can keep your data longer.
Among the 24 companies, Bittrex and Bistamp mention the longest possible time for keeping users' data, with each saying it might store information for up to 10 years after an account is deleted.
Bitstamp appeared to be the only company among the 24 that said it destroys biometric data as soon as account verification is complete.
Coinbase and LocalBitcoins provided the most detailed descriptions of how long they keep various kinds of data. LocalBitcoins also specified that the information of users who never actually used the platform to trade will be stored for a much shorter time than that of active users: up to 13 months compared to five years.
| Crypto exchange | Data gets erased after... |
|---|---|
| Bakkt (last updated Oct. 28, 2020) | Not specified |
| Binance (last updated Jan. 12, 2022) | Not specified |
| Bitfinex (last updated May 27, 2021) | Not specified |
| BitMEX (last updated Aug. 28, 2020) | 6 years from the last interaction |
| Bitstamp (last updated Nov. 5, 2020) | Biometric data destroyed immediately after completion of ID verification process. |
| Bittrex (last updated Dec. 31, 2019) | 7-10 years after account deletion |
| Blockchain.com (last updated Dec. 16, 2021) | 5 years or longer after deletion |
| BlockFi (last updated June 15, 2021) | Not specified |
| Celsius (last updated October 2021) | Not specified |
| Coinbase (last updated Oct. 8, 2021) | "Personal information collected to comply with our legal obligations under financial or anti-money laundering laws may be retained after account closure for as long as required under such laws. |
| Crypto.com (last updated Sept. 30, 2021) | 5 years after account deletion. |
| Deribit (undated) | 5 years or longer after account deletion |
| eToro (last updated May 20, 2020) | Not specified |
| FTX (last updated Dec. 23, 2021) | Not specified |
| Gemini (last updated Dec. 8, 2021) | Not specified |
| Huobi (last updated April 27, 2021) | Not specified |
| Kraken (last updated Nov. 23, 2021) | 5 years or longer after account deletion |
| LocalBitcoins (last updated June 10, 2020) | "For all users who have deleted their account: |
| Nexo (undated) | Not specified |
| Okcoin (last updated Dec. 18, 2020) | Not specified |
| OKEx (last updated Dec. 3, 2020) | Not specified |
| Paxful (undated) | Not specified |
| Poloniex (last updated May 4, 2020) | Not specified |
| SALT (last updated Jan. 6, 2021) | Not specified |
Data protection
There is no universal standard for disclosing data security measures among crypto services: Some of them just say they take technological and organizational measures to ensure your information is safe, while others mention specific tech solutions, rules of access to their data centers and other steps.
Data security is a complex task, and to prevent attacks, companies in most cases refrain from fully disclosing the details and specifics of their data security systems, so as not to tip their hands to potential attackers.
In this sense, these disclosures serve not so much as attestations of platforms' actual security level, but more as a demonstration of how straightforward and diligent they are in talking to users about privacy and security.
"If the company doesn’t outline how they protect user data, it is a red flag,” said Lili Rhodes, senior mining analyst at Compass Mining, a bitcoin mining firm in the U.S. “Users do not know how this company will safeguard their data in the event of a breach."
| Crypto exchange | Data protection measures |
|---|---|
| Bakkt (last updated Oct. 28, 2020) | "Bakkt has implemented administrative, physical and technical safeguards designed to protect your Personal Information." |
| Binance (last updated Jan. 12, 2022) | "We work to protect the security of your personal information during transmission by using encryption protocols and software. We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of your personal information." |
| Bitfinex (last updated May 27, 2021) | "Internally, only people with a business need to know Personal Information, or whose duties reasonably require access to it, are granted access to customers' Personal Information. Such individuals will only process your Personal Information on our instructions and are subject to a duty of confidentiality. We audit our personal compliance regularly." |
| BitMEX (last updated Aug. 28, 2020) | Not specified |
| Bitstamp (last updated Nov. 5, 2020) | "...security measures include, but are not limited to: |
| Bittrex (last updated Dec. 31, 2019) | "We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality." |
| Blockchain.com (last updated Dec. 16, 2021) | "We protect Personal Data with appropriate physical, technological and organisational safeguards and security measures. Your Personal Data comes to us via the internet which chooses its own routes and means, whereby information is conveyed from location to location. We audit our procedures and security measures regularly to ensure they are being properly administered and remain effective and appropriate. Every member of Blockchain is committed to our privacy policies and procedures to safeguard Personal Data. Our site has security measures in place to protect against the loss, misuse and unauthorised alteration of the information under our control. More specifically, our server uses TLS (Transport Layer Security) security protection by encrypting your Personal Data to prevent individuals from accessing such Personal Data as it travels over the internet." |
| BlockFi (last updated June 15, 2021) | "We seek to protect non-public Personal Information that is provided to BlockFi by third parties and you by implementing physical and electronic safeguards. Where we believe appropriate, we employ firewalls, intrusion prevention, encryption technology, user authentication systems (i.e. passwords and personal identification numbers) and access control mechanisms to control access to systems and data. We endeavor to engage service providers that have security and confidentiality policies, if such service providers have access to our client’s Personal Information. We instruct our employees to use strict standards of care in handling the personal financial information of clients. As a general policy, our staff will not discuss or disclose information regarding an account except with authorized personnel of our service providers, as required by applicable law and regulatory requirements law or, pursuant to a regulatory request and/or authority. |
| Celsius (last updated October 2021) | "We will take reasonable steps and use technical, administrative and physical security measures appropriate to the nature of the information and that comply with applicable laws to protect Personal Information against unauthorized access and exfiltration, acquisition, theft, or disclosure." |
| Coinbase (last updated Oct. 8, 2021) | "We work to protect the security of your personal information during transmission by using encryption protocols and software. We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of your personal information. |
| Crypto.com (last updated Sept. 30, 2021) | "- Organisational measures (including but not limited to staff training and policy development); |
| Deribit (undated) | "We will adopt appropriate technical and organisational measures to ensure that all the information is correct, current and complete and to prevent it from being accessed by unauthorised persons inside and outside our organisation. We use ‘best practices’ to secure your personal data. For instance, your personal data is encrypted with Secure Sockets Layered (SSL) technology and our directories and databases are password protected." |
| eToro (last updated May 20, 2020) | "We protect your personal information by using data security technology and using tools such as firewalls and data encryption. We also require that you use a personal username and password every time you access your account online. As set out in the relevant eToro Entity’s terms and conditions, terms of business and/or terms of use, you must not share your password with anyone else. We restrict access to personal information at our offices so that only officers and/or |
| FTX (last updated Dec. 23, 2021) | "We take steps to ensure that your information is treated securely and in accordance with this Privacy Policy." |
| Gemini (last updated Dec. 8, 2021) | "Measures we take may include encryption of the Gemini website communications with SSL; required two-factor authentication for all sessions; periodic review of our Personal Information collection, storage, and processing practices; and restricted access to your Personal Information on a need-to-know basis for our employees, contractors and agents who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations." |
| Huobi (last updated April 27, 2021) | "(1) Physical measures: Records containing Your personal data will be stored in a properly locked place. |
| Kraken (last updated Nov. 23, 2021) | "We regularly train and raise awareness for all our employees to the importance of maintaining, safeguarding and respecting your personal information and privacy. We regard breaches of individuals’ privacy very seriously and will impose appropriate disciplinary measures, including dismissal from employment. We have also appointed a Group Data Protection Officer, to ensure that our Company manages and processes your personal information in compliance with the applicable privacy and data protection laws and regulations, and in accordance with this Privacy Notice... |
| LocalBitcoins (last updated June 10, 2020) | Not specified |
| Nexo (undated) | "Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the information confidential. In addition, all sensitive/credit information you supply is encrypted via Secure Socket Layer (SSL) technology." |
| Okcoin (last updated Dec. 18, 2020) | "We take various measures to ensure information security, including encryption of the Okcoin communications with SSL; required two-factor authentication for all sessions; periodic review of our Personal Data collection, storage, and processing practices; and restricted access to your Personal Data on a need-to-know basis for our employees and vendors who are subject to strict contractual confidentiality obligations." |
| OKEx (last updated Dec. 3, 2020) | "We take various measures to ensure information security, including encryption of the OKEx communications with SSL; required two-factor authentication for all sessions; periodic review of our Personal Data collection, storage, and processing practices; and restricted access to your Personal Data on a need-to-know bases for our employees and vendors who are subject to strict contractual confidentiality obligations." |
| Paxful (undated) | "Paxful has implemented safeguards designed to protect your Personal Data, including measures designed to prevent Personal Data against loss, misuse, and unauthorized access and disclosure." |
| Poloniex (last updated May 4, 2020) | "We use industry-standard data encryption technology and have implemented restrictions related to the storage of and the ability to access your Personal Data. Our servers and business operations are entirely located in the United States." |
| SALT (last updated Jan. 6, 2021) | "All information you provide to us is stored on our secure servers behind firewalls. Any payment transactions will be encrypted." |
What about data breaches?
What if security measures fail and the platform where you're trading is breached? We checked the privacy policies for indications if these companies pledge to disclose security breaches and data leaks to their users.
Note that the answer "No" in the table does not mean the platform won't tell you if it gets hacked; it means it doesn't explicitly promise to do so if that happens.
A spokesperson for Nasdaq-listed Coinbase noted that many jurisdictions have rules about disclosing breaches to customers, which the crypto exchange follows, and that disclosing everything the company does to comply with laws would make a privacy policy an unwieldy read.
| Crypto exchange | Promise to notify about data breaches? |
|---|---|
| Bakkt (last updated Oct. 28, 2020) | No |
| Binance (last updated Jan. 12, 2022) | No |
| Bitfinex (last updated May 27, 2021) | "Where we are legally required to do so" |
| BitMEX (last updated Aug. 28, 2020) | No |
| Bitstamp (last updated Nov. 5, 2020) | No |
| Bittrex (last updated Dec. 31, 2019) | "Where we are legally required to do so." |
| Blockchain.com (last updated Dec. 16, 2021) | No |
| BlockFi (last updated June 15, 2021) | No |
| Celsius (last updated October, 2021) | No |
| Coinbase (last updated Oct. 8, 2021) | No |
| Crypto.com (last updated Sept. 30, 2021) | "Where we are legally required to do so" |
| Deribit (undated) | No |
| eToro (last updated May 20, 2020) | No |
| FTX (last updated Dec. 23, 2021) | "We may attempt to notify you electronically by posting a notice on the Services, by mail or by sending an e-mail to you." |
| Gemini (last updated Dec. 8, 2021) | No |
| Huobi (last updated April 27, 2021) | No |
| Kraken (last updated Nov. 23, 2021) | No |
| LocalBitcoins (last updated June 10, 2020) | No |
| Nexo (undated) | No |
| Okcoin (last updated Dec. 18, 2020) | No |
| OKEx (last updated Dec. 3, 2020) | No |
| Paxful (undated) | No |
| Poloniex (last updated May 4, 2020) | No |
| SALT (last updated Jan. 6, 2021) | No |
Privacy policies are not the most exciting reads (no comparison to price charts and market analytics). But if you want to check them yourself and see how the platforms you use treat your sensitive information, below you’ll find links to all the privacy policy pages CoinDesk reviewed for this story.
As they say: don't trust, verify.