Privacy Policy

How we collect, process, store, and protect your personal and financial information on the Portal.

1. Introduction

Welcome to ApexAora. The financial products and core wallet infrastructure provided through www.apexaora.com (the “Portal”) are operated by ApexAora Innovations (the “Operator”, “we”, “us”, or “our”). The underlying technological infrastructure is provided by our affiliated technology partner, Apex Aora Innovations Limited (the “Technology Provider”).

As the data controller for your financial and personal data, the Operator is committed to safeguarding your information and maintaining the highest standards of privacy. This Privacy Policy describes our practices regarding the collection, processing, storage, and protection of your information.

By accessing the Portal and registering an account, you acknowledge that you have read, understood, and accepted the practices described in this Privacy Policy. If you do not agree with this Policy, please discontinue use of the Portal immediately.

2. Data Controller

The sole data controller responsible for all personal data processed under this Privacy Policy is the Operator:

ApexAora Innovations

For all privacy-related enquiries, data rights requests, or compliance matters, please contact us at:

3. Information We Collect

To provide secure, mathematically validated ledger services and comply with applicable regulatory standards, we collect the following categories of personal data:

  • Identity and Verification Data: Full name, date of birth, nationality, country of residence, government-issued identification documents (passport, national ID, or driver’s licence), and any other documentation required for Know Your Customer (KYC) compliance.
  • Contact Information: Email address, physical address, phone number, and preferred communication channel.
  • Financial and Transactional Data: Bank account details, cryptocurrency wallet addresses, deposit logs, withdrawal histories, transaction reference IDs, and records of account balances managed through our double-entry ledger.
  • Account and Security Data: Encrypted passwords (utilising bcrypt hashing), referral codes, OTP verification records, account preferences, and communication logs with our administrative team.
  • Technical and Usage Data: IP addresses, browser types, device identifiers, session tokens, and system audit logs that record every administrative or user action on the Portal in an immutable, append-only trail.

4. How We Collect Your Data

We gather your personal information through the following means:

  • Direct Submission: Information you provide when registering for a private account, submitting KYC documentation, initiating a deposit or withdrawal, or contacting our support team.
  • Automated Collection: Through the use of secure session tokens (JWT with httpOnly cookies) and system audit logs that track interactions with the Portal.
  • Administrative Imports: Through batch Excel pipeline uploads managed by authorised administrators for deposit reconciliation and balance adjustments, which may include your email address and transaction reference data.

5. How We Use Your Information

We process your personal data strictly for legitimate business and compliance purposes, including:

  • Service Delivery: Creating and managing your investor account, maintaining the double-entry ledger, processing withdrawal requests, and executing deposit reconciliations.
  • Security and Integrity: Preventing double-spend race conditions, securing your data with industry-grade encryption, and maintaining an immutable audit trail of all ledger activities.
  • Regulatory Compliance: Conducting internal KYC/AML verification, adhering to applicable financial regulations in the United Kingdom and the United Arab Emirates, and meeting any applicable tax reporting obligations.
  • Communication: Sending OTP codes for account registration, administrative notifications, investment performance updates, and responses to support enquiries.
  • Service Improvement: Analysing usage patterns to enhance Portal functionality and user experience.

6. Legal Basis for Processing

We process your personal data on the following legal grounds:

  • Performance of Contract: Account creation and service delivery.
  • Legal Obligation: KYC/AML verification, regulatory and tax compliance.
  • Legitimate Interests: Security, fraud prevention, and service improvement.
  • Consent: Marketing communications, where applicable and where you have provided explicit consent.

7. Data Sharing and Disclosure

We prioritise the confidentiality of your financial data. We do not sell, rent, or trade your personal information to third parties for their own commercial purposes. We may disclose your data only in the following limited circumstances:

  • Service Providers: To trusted technology infrastructure and security partners who assist in operating the Portal, subject to strict confidentiality and data processing agreements. Each provider receives only the data necessary for their specific function.
  • Legal Obligations: To regulatory authorities, law enforcement agencies, or courts when mandated by UAE law, or when necessary to protect our legal rights and the security of the Portal.
  • Internal Administration: Among authorised system administrators who require access to process deposits, approve accounts, and manage withdrawal pipelines.

8. International Data Transfers

The Operator is based in the United Arab Emirates. The Technology Provider is based in the United Kingdom. Where personal data is accessed by authorised staff or processed by service providers across these or other jurisdictions, we apply appropriate technical and organisational safeguards consistent with applicable data protection requirements to ensure your data remains protected.

9. Data Retention

We retain your personal and financial data only for as long as necessary to fulfil the purposes outlined in this Policy, or as required by applicable laws and regulations. The following retention periods apply:

  • Identity and Verification Data: 5 years from account closure.
  • Transaction and Investment Records: 5 years from account closure.
  • KYC/AML Documentation: 5 years from account closure.
  • Communications and Support Records: 3 years.
  • Technical and Audit Log Data: Retained indefinitely as part of our immutable ledger integrity commitment.

Where required by law, regulation, or ongoing legal proceedings, data may be retained for longer periods. Upon expiry, data is securely deleted or anonymised.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to operate the Portal, maintain secure sessions, and remember your preferences. The following types of cookies are used:

  • Strictly Necessary Cookies: Session authentication, security tokens, and language preferences.
  • Analytics Cookies (Consent Required): Used to understand how visitors interact with the Portal. These are only activated upon your consent.
  • Functionality Cookies: Theme and display preferences stored locally in your browser.

You may withdraw your consent to non-essential cookies at any time by clearing site data in your browser or contacting us at csd@apexaora.com.

11. Data Security Measures

ApexAora employs rigorous technical and organisational security measures to protect your personal data, including:

  • Industry-grade bcrypt hashing for all stored passwords.
  • Short-lived JWT access tokens with httpOnly cookie refreshes to prevent session hijacking.
  • An immutable, append-only system audit log for all database adjustments.
  • Optimistic concurrency controls to prevent race conditions during financial transactions.

While no digital system is entirely immune to threats, we continuously apply and update industry best practices to protect your data.

12. Your Privacy Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you.
  • Request corrections to inaccurate or incomplete information.
  • Request the deletion of your data, subject to our legal and regulatory retention obligations.
  • Restrict or object to certain data processing activities.
  • Withdraw consent where processing is based on consent.

To exercise any of these rights, please submit a written request to ceo@apexaora.com. We will respond within a reasonable timeframe in accordance with applicable law.

13. Automated Decision-Making

We may utilise automated processes for KYC/AML screening and fraud detection. Where such automated processing has a significant effect on you, you may request a human review of the decision by contacting us at csd@apexaora.com.

14. Children’s Privacy

Our Portal and services are not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that a minor has submitted personal data, we will take immediate steps to delete it.

15. Third-Party Links

The Portal may contain links to third-party websites or services. We are not responsible for the privacy practices or content of those external sites. We encourage you to review the privacy policies of any third-party sites you visit.

16. Updates to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our technological infrastructure, regulatory environment, or business practices. Material changes will be communicated via the Portal or email. The “Last Updated” date at the top of this document will reflect the most recent revision.

17. Contact Us

For any privacy-related enquiries, data rights requests, or compliance matters, please contact the Operator:

ApexAora Innovations

This Privacy Policy is governed by the laws of the United Arab Emirates.