# XPlace Privacy Policy

*Effective Date: May 20, 2026*

This Privacy Policy ("Policy") explains how Pontech Group L.L.C-FZ, operating as XPlace ("XPlace," "we," "us," or "our"), collects, uses, stores, shares, and protects your personal information when you access or use the XPlace mobile application, website, and related services (collectively, the "Platform"). This Policy also describes your rights regarding your personal data and how to exercise them.

This Policy applies to all users of the Platform globally. Additional jurisdiction-specific disclosures for users in the European Economic Area ("EEA"), United Kingdom, and California are set out in Sections 15, 16, and 17 respectively. Where those sections conflict with the general provisions of this Policy, the jurisdiction-specific section governs for users in that jurisdiction.

By accessing or using the Platform, you acknowledge that you have read and understood this Policy. If you do not agree, you must discontinue use of the Platform immediately.

***

### 1. KEY DEFINITIONS

As used in this Policy:

* "Biometric Data" means facial recognition data, liveness detection data, or other physiological identifiers collected during identity verification.
* "Blockchain Data" means wallet addresses, transaction hashes, and other information recorded on a public blockchain that is inherently public and immutable.
* "KYC Data" means identity documents, proof of address, selfies, Biometric Data, and other information collected for Know Your Customer and Anti-Money Laundering compliance purposes.
* "Personal Data" means any information relating to an identified or identifiable natural person, including name, email address, wallet address, IP address, KYC Data, and usage data.
* "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, transfer, or deletion.
* "Sensitive Personal Data" means data revealing racial or ethnic origin, political opinions, religious beliefs, health data, Biometric Data, or financial account details.
* "Third-Party Provider" means any external service provider, including our licensed Card Partner, KYC verification vendor (Sumsub), DeFi Protocol operators, cloud infrastructure providers, and analytics services.

***

### 2. DATA CONTROLLER

The data controller responsible for your Personal Data is:

**Pontech Group L.L.C-FZ**, Meydan Grandstand, 6th Floor, Meydan Road, Nad Al Sheba, Dubai, United Arab Emirates

Email: <privacy@x.place>

Where XPlace acts as a data processor on behalf of a Third-Party Provider (for example, transmitting KYC data to our Card Partner for card issuance purposes), the relevant Third-Party Provider acts as the data controller for that processing activity. Please refer to the applicable Third-Party Provider's privacy policy for details.

***

### 3. INFORMATION WE COLLECT

#### 3.1 Information You Provide Directly

We collect the following categories of information that you provide when registering for or using the Platform:

| Category                         | Examples                                                                                                                                 | Purpose                                        |
| -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------- |
| Identity & Registration Data     | Full legal name, date of birth, email address, username                                                                                  | Account creation, authentication               |
| KYC / Identity Verification Data | Government-issued ID (passport, national ID, driver's license), proof of address, selfie, liveness detection / Biometric Data            | AML/KYC compliance, Card Partner requirements  |
| Financial & Wallet Data          | Wallet address(es), transaction history, Collateral positions, Credit Mode balances, membership tier                                     | Service delivery, compliance, fraud prevention |
| Payment & Card Data              | Card-related information processed through our Card Partner's PCI-DSS compliant infrastructure. XPlace does not store full card numbers. | Card issuance and transaction processing       |
| Communications Data              | Support requests, feedback, complaints, correspondence with XPlace                                                                       | Customer support, dispute resolution           |
| Referral & Loyalty Data          | Referral codes, XP balances, membership status                                                                                           | Loyalty program administration                 |

#### 3.2 Information Collected Automatically

When you access or use the Platform, we automatically collect:

* Device information: device type, operating system, app version, device identifiers;
* Network information: IP address (truncated or anonymized where required by applicable law), approximate geolocation derived from IP address;
* Usage data: session activity, features accessed, clicks, page views, time spent on Platform, crash logs, and error reports;
* Analytics data: aggregated and anonymized behavioral analytics;
* Cookie and tracking data: as described in Section 8 below.

#### 3.3 Blockchain and On-Chain Data

When you interact with blockchain networks through the Platform, certain data is recorded on public blockchains and is outside XPlace's control:

* Wallet addresses associated with your account are publicly visible on the Solana blockchain and other blockchain networks you interact with;
* Transaction hashes, amounts, timestamps, and smart contract interactions are permanently and immutably recorded on-chain;
* XPlace cannot delete, alter, or restrict access to Blockchain Data. Your right to erasure does not extend to information recorded on a public blockchain.

#### 3.4 KYC and Biometric Data

XPlace collects Biometric Data as part of identity verification through Sumsub (Sumsub Identity Verification Service). This may include facial recognition data and liveness detection scans collected to verify your identity against government-issued identification documents.

Biometric Data is Sensitive Personal Data. It is collected solely for KYC/AML compliance purposes, processed by Sumsub under data processing agreements, and not used for any commercial, marketing, or unrelated analytical purpose. Biometric Data is retained only for the period required by applicable AML law and is then deleted or anonymized in accordance with Section 11.

#### 3.5 Information We Do Not Collect

XPlace does not collect:

* Private keys or seed phrases — these remain solely in your control;
* Card numbers, CVV codes, or sensitive card authentication data beyond what is processed by our Card Partner through PCI-DSS compliant infrastructure;
* Health data, political opinions, religious beliefs, or other Sensitive Personal Data beyond Biometric Data collected for KYC purposes;
* Personal data for targeted advertising or sale to third parties.

***

### 4. HOW WE USE YOUR INFORMATION

We process your Personal Data only for the purposes described below and only to the extent necessary for each purpose:

| Purpose                                                                 | Data Used                                     | Lawful Basis                                   |
| ----------------------------------------------------------------------- | --------------------------------------------- | ---------------------------------------------- |
| Account creation and authentication                                     | Identity data, email, wallet address          | Contract performance                           |
| KYC / AML compliance and identity verification                          | KYC Data, Biometric Data, wallet history      | Legal obligation                               |
| Delivering Platform services (Collateral, Credit Mode, XP, card access) | Financial data, wallet data, membership data  | Contract performance                           |
| Transaction monitoring and fraud prevention                             | Transaction data, IP address, behavioral data | Legal obligation; Legitimate interests         |
| Sanctions and geographic restriction screening                          | Identity data, IP address, KYC data           | Legal obligation                               |
| Customer support and dispute resolution                                 | Communications data, account data             | Contract performance; Legitimate interests     |
| Platform security and abuse prevention                                  | Device data, IP address, usage data           | Legitimate interests                           |
| Analytics and Platform improvement                                      | Aggregated / anonymized usage data            | Legitimate interests                           |
| Legal compliance and regulatory reporting                               | Any data required by law or regulator         | Legal obligation                               |
| Transactional and service communications                                | Email address, account activity               | Contract performance; Consent (where required) |
| Referral program and loyalty administration                             | Referral data, XP data, membership data       | Contract performance                           |

We do not use your Personal Data for targeted advertising, profiling for commercial purposes unrelated to the Platform, or sale to third parties.

***

### 5. LAWFUL BASIS FOR PROCESSING

We process your Personal Data under the following lawful bases, consistent with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL"), the EU General Data Protection Regulation ("GDPR") where applicable, and equivalent frameworks:

* **Contract Performance:** Processing necessary to provide you with the Platform services you have requested, including account management, card access, Collateral, and Credit Mode functionality.
* **Legal Obligation:** Processing required to comply with applicable law, including AML/CFT obligations, KYC requirements, sanctions screening, tax reporting, and regulatory record-keeping.
* **Legitimate Interests:** Processing necessary for our legitimate business interests, including Platform security, fraud prevention, abuse detection, and service improvement, provided those interests are not overridden by your rights and freedoms.
* **Consent:** Processing based on your freely given, specific, informed, and unambiguous consent, including for optional marketing communications where required by law. You may withdraw consent at any time without affecting the lawfulness of prior processing.

Where we process Biometric Data or other Sensitive Personal Data, we rely on explicit consent and/or legal obligation as the lawful basis, as required by applicable law.

***

### 6. DATA SHARING AND DISCLOSURE

We do not sell, rent, or trade your Personal Data. We share your Personal Data only in the following circumstances:

#### 6.1 Card Partner

We share KYC Data, identity verification results, and transaction-related data with our licensed Card Partner as required to: (a) issue and manage your XPlace Card; (b) conduct card authorization, clearing, and settlement; (c) comply with card network and regulatory requirements; and (d) perform fraud prevention and transaction monitoring. Our Card Partner acts as an independent data controller for card-related processing and is subject to its own privacy policy and applicable financial services regulations.

#### 6.2 KYC Verification Vendor — Sumsub

We share identity documents and Biometric Data with Sumsub (Sumsub Identity Verification Service) solely for the purpose of verifying your identity against applicable AML/KYC requirements. Sumsub acts as a data processor under a data processing agreement and is prohibited from using your data for any purpose beyond identity verification. For more information on Sumsub's data practices, please refer to Sumsub's privacy policy at sumsub.com.

#### 6.3 DeFi Protocol Operators

When you interact with Collateral or Credit Mode, transaction instructions and wallet addresses are transmitted to and processed by the applicable DeFi Protocol (currently Kamino Finance). Protocol operators receive only the on-chain data necessary to execute your requested transaction. As on-chain transactions are public and immutable, any data recorded on the blockchain is outside XPlace's control.

#### 6.4 Infrastructure and Technology Providers

We use third-party infrastructure providers including cloud hosting services, database providers, and application performance monitoring tools. These providers process Personal Data solely as data processors under our instructions and subject to data processing agreements, including for analytics, crash reporting, performance monitoring, and authentication services.

#### 6.5 Legal and Regulatory Disclosure

We may disclose Personal Data to government authorities, regulators, law enforcement agencies, or courts where required by applicable law, regulation, court order, or legal process. This includes disclosures required by UAE financial

