Effective date: 2 June 2026 · Version: 1.0
1. Introduction and scope
This Privacy Policy explains how BINIBIT S.A. (“Binibit”, “we”, “us”, “our”) collects, uses, shares and protects your personal data when you:
- create or hold a Binibit account;
- use our cryptocurrency exchange, trading, conversion and custodial wallet services and any related services we offer (together, the “Services”); or
- visit binibit.com, our mobile apps or APIs (the “Platform”).
“Personal data” means any information relating to an identified or identifiable individual. This Policy applies to customers, prospective customers, beneficial owners and authorised representatives of corporate customers, and visitors to the Platform. It does not apply to third-party services that have their own privacy policies.
This Policy is written to apply globally. Region-specific terms are in the Regional Addenda at the end. Where an Addendum conflicts with the main body, the Addendum prevails for residents of that region.
2. Who we are (data controller)
The data controller responsible for your personal data is:
BINIBIT S.A., a sociedad anónima incorporated in the Republic of Panama (Mercantile Folio No. 155781130), registered office at Global Bank Tower, 18th Floor, Suite 1801, 50th Street, Panama City, Republic of Panama.
- Data Protection Officer (DPO): dpo@binibit.com
- General privacy contact: privacy@binibit.com
- EEA and UK data subjects: you may direct GDPR / UK GDPR enquiries to our DPO at dpo@binibit.com.
3. Personal data we collect
We collect the following categories of personal data. The exact data depends on the Services you use and the legal requirements that apply to you.
a) Information you provide to us
| Category | Examples |
|---|---|
| Identity & KYC | Full name, date of birth, place of birth, gender, nationality, photograph, signature |
| Government identifiers | Passport, national ID, driver’s licence number, tax identification number |
| Contact | Residential address, email, phone number, proof of address (e.g. utility bill) |
| Verification media | Selfie / liveness video and government-ID image used for identity verification |
| Financial | Bank account / card details, source of funds, source of wealth, income, employment |
| Account | User ID, username, profile data, preferences, security questions |
| Wallet & transaction | Wallet addresses, transaction details, counterparty information, order activity |
| Corporate (institutional accounts) | Incorporation documents, beneficial owners, directors, authorised signatories |
| Communications | Support tickets, chat and call recordings, survey responses, correspondence |
| Compliance | PEP status, sanctions/watchlist screening results, due-diligence records |
b) Information we collect automatically
| Category | Examples |
|---|---|
| Device & technical | IP address, device ID/type, OS, browser, app version, network/carrier data |
| Usage & behavioural | Login timestamps, clickstream, pages/features used, diagnostics, error logs |
| Location | Approximate geolocation derived from IP or device settings |
| Cookies & identifiers | Cookie data and similar technologies (see Section 14 and the Cookie Notice) |
c) Information from third parties and public sources
- KYC/identity-verification and anti-fraud providers (including Sumsub — Sum and Substance Limited); credit-reference and background-check agencies.
- Sanctions, PEP and adverse-media databases (e.g. UN, OFAC/ITA consolidated lists) and public registers.
- Public blockchain data (e.g. wallet addresses, transaction IDs, amounts, timestamps) and blockchain-analytics providers.
- Payment and banking partners; Binibit affiliates and partners; and publicly available sources.
We generally do not collect special-category data other than biometric data used for identity verification (see Section 6).
4. How we collect your personal data
We collect personal data: (i) directly from you when you register, complete verification, transact or contact us; (ii) automatically through your use of the Platform (including cookies and similar technologies); and (iii) from third parties and public sources as described in Section 3(c).
5. Why we use your personal data and our legal bases
We process personal data for the purposes below. Where the EU/UK GDPR or a similar law applies, we rely on the legal bases indicated.
| Purpose | Legal basis (GDPR) |
|---|---|
| Create, operate and maintain your account; execute transactions and provide the Services | Performance of a contract |
| Identity verification (KYC), customer due diligence and enhanced due diligence | Legal obligation; performance of a contract |
| AML/CFT, sanctions and PEP screening, fraud prevention, Travel Rule compliance | Legal obligation; legitimate interests; substantial public interest |
| Platform security, integrity and prevention/investigation of prohibited activity | Legitimate interests; legal obligation |
| Customer support, dispute and complaint handling | Performance of a contract; legitimate interests |
| Tax, accounting, regulatory reporting and recordkeeping | Legal obligation |
| Service improvement, analytics, research and product development | Legitimate interests (or consent where required) |
| Marketing and personalised communications | Consent; legitimate interests (subject to opt-out) |
| Establishing, exercising or defending legal claims | Legitimate interests; legal claims |
Where we rely on consent, you may withdraw it at any time (without affecting prior lawful processing). Where we rely on legitimate interests, we balance those interests against your rights and you may object (see Section 16).
6. Special-category, biometric and criminal-offence data
To verify your identity and meet AML obligations, we may process biometric data — for example, comparing the facial geometry extracted from your selfie or liveness video against your government-ID photograph (this verification is performed through our processor Sumsub). Where required by applicable law, we do this on the basis of your explicit consent and/or substantial public interest; if you do not provide it, we may be unable to onboard you.
We may also process information relating to criminal convictions, offences and sanctions strictly for the prevention and detection of financial crime, fraud, money laundering and terrorist financing, where permitted by law. We maintain appropriate policy documentation for such processing.
7. Automated decision-making, profiling and AI
We use automated tools, profiling and AI to: verify identity (including OCR extraction from ID documents and detection of inconsistencies), assess customer eligibility at onboarding, screen against sanctions/PEP lists on an ongoing basis, detect fraud and suspicious activity, and personalise the Services.
- Where an automated decision produces legal or similarly significant effects (e.g. refusal to onboard), you have the right to request human review, to express your point of view and to contest the decision (see Section 16).
- Outputs of AI/OCR tools used for verification are reviewed by a human to confirm accuracy.
- We do not use your personal data to train or develop general-purpose AI models.
8. How we share your personal data
We share personal data only as needed, with the following categories of recipients:
- Binibit affiliates and group companies, for the purposes described in this Policy.
- Service providers / processors: identity-verification and KYC providers (including Sumsub — Sum and Substance Limited), cloud and IT infrastructure, AML/transaction-monitoring and blockchain-analytics providers, payment processors, customer-support and communications tools, security and fraud-prevention vendors, and professional advisers. They act on our instructions under data-processing agreements. A current list of our key sub-processors is available at binibit.com/legal/subprocessors or on request.
- Financial institutions and transaction counterparties, including under the FATF “Travel Rule”, which requires us to transmit originator/beneficiary information to other Virtual Asset Service Providers (VASPs) or financial institutions for qualifying transfers.
- Regulators, courts, law enforcement and government authorities, where required by law, legal process, court order, subpoena, or to protect rights, safety and property, or to investigate violations.
- Parties to a corporate transaction (merger, acquisition, financing, insolvency or asset sale), subject to confidentiality.
- Other parties with your consent or at your direction.
We do not sell your personal data. Where we share data with partners for advertising, we offer an opt-out (see Sections 15–16 and the Regional Addenda).
9. Blockchain and on-chain data (important)
When you transact in crypto-assets, transaction data (such as wallet addresses, amounts and timestamps) may be recorded on a public blockchain. Public blockchains are decentralised ledgers that we do not control. As a result:
- on-chain records are immutable and cannot be changed, erased or anonymised by us, even following a valid erasure request;
- on-chain data is publicly accessible and may be analysed (including by us and third-party analytics providers) and potentially linked back to you.
This is an inherent feature of blockchain technology. Please consider this before transacting.
10. International data transfers
Binibit operates from the Republic of Panama and works with service providers globally, so your personal data may be transferred to, stored in, or accessed from countries other than your own, including countries that may not provide the same level of data protection. Where we transfer personal data internationally, we rely on appropriate safeguards, such as:
- adequacy decisions of the European Commission, the UK government, or other competent authority;
- EU/UK Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA);
- the EU–US / UK / Swiss Data Privacy Framework where applicable; and
- other lawful transfer mechanisms and supplementary technical and organisational measures.
You may request a copy of the relevant safeguard by contacting dpo@binibit.com.
11. How long we keep your personal data
We retain personal data for as long as necessary for the purposes set out in this Policy and for the maximum period required or permitted under the applicable laws of the jurisdictions in which we operate. Where more than one statutory period could apply, we retain for the longest applicable period. Indicative minimums:
| Data | Retention |
|---|---|
| KYC/identity, transaction, financial and AML/CFT records | For the life of the account and at least 10 years after the end of the relationship — or longer where required by law |
| Account and profile data | Duration of the account, then per the longest applicable legal obligation |
| Communications and call recordings | At least 7 years |
| Cookie / analytics data | Up to 24 months (or longer where lawful) |
| Marketing contact data | Until you unsubscribe or object, then suppression-list only |
| Anonymised data | May be retained indefinitely |
On-chain data cannot be deleted (see Section 9). After expiry of all applicable retention periods, we securely delete or anonymise personal data.
12. Information security
We implement appropriate technical and organisational measures designed to protect personal data against loss, misuse and unauthorised access, alteration or disclosure — including encryption in transit and at rest, access controls on a need-to-know basis, network protection, monitoring, and staff training. No system is completely secure; you also play a role in protecting your account.
Your responsibilities: use a strong, unique password and two-factor authentication, keep credentials confidential, beware of phishing, and notify us immediately at support@binibit.com of any suspected unauthorised access.
13. Personal data breaches
We maintain procedures to detect, investigate and respond to personal-data breaches. Where a breach is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay (and, under the GDPR, within 72 hours where feasible). Where a breach is likely to result in a high risk to you, we will also inform you without undue delay, in each case as required by applicable law.
14. Cookies and similar technologies
We use cookies and similar technologies to operate the Platform, remember your preferences, provide security, measure performance, and (with consent where required) for analytics and marketing. You can manage non-essential cookies through our cookie banner / preferences manager. For details, see our separate Cookie Notice at binibit.com/legal/cookies. Where required, we honour recognised opt-out signals such as Global Privacy Control (GPC).
15. Marketing and communications
We may send you service communications (e.g. security, transaction and account notices) that you cannot opt out of while you hold an account. We send marketing communications only where permitted, and you can opt out at any time via the unsubscribe link or your account settings. We do not sell your personal data and offer an opt-out from sharing data with partners for targeted advertising.
16. Your privacy rights
Subject to applicable law, you may have the right to:
- access a copy of your personal data;
- rectify inaccurate or incomplete data;
- erase data (subject to our legal retention obligations and the on-chain limitation in Section 9);
- restrict or object to processing (including processing based on legitimate interests and direct marketing);
- data portability (receive your data in a structured, machine-readable format);
- withdraw consent at any time;
- not be subject to a solely automated decision with legal/significant effect, and to request human review; and
- lodge a complaint with your competent supervisory authority.
To exercise your rights, contact privacy@binibit.com or use the privacy tools in your account. We will respond within the timeframe required by law (generally one month under the GDPR). We may need to verify your identity before acting on a request.
17. Children
The Services are not directed to, and we do not knowingly collect personal data from, anyone under 18. If we learn that we hold data of a person under 18, we will close the account and delete the data, except where retention is required by law (e.g. to prevent re-registration).
18. Third-party services and links
The Platform may link to or integrate third-party services (e.g. payment providers, blockchain explorers). We are not responsible for their privacy practices; please review their policies.
19. Changes to this Policy
We may update this Policy from time to time. We will post the updated version at binibit.com with a new effective date and, where required, notify you of material changes. Your continued use of the Services after the effective date constitutes acceptance.
20. Languages
This Policy is provided in several languages. If there is any conflict, the English version prevails, except where local law requires the local-language version to govern.
21. How to contact us
- Data controller: BINIBIT S.A., Mercantile Folio No. 155781130, Global Bank Tower, 18th Floor, Suite 1801, 50th Street, Panama City, Republic of Panama
- DPO / privacy: dpo@binibit.com · privacy@binibit.com
- Support: support@binibit.com
Regional Addenda
These Addenda supplement the main Policy with rights and disclosures specific to certain regions and prevail over the main body for residents of the relevant region. They are written to cover the broadest reasonable set of jurisdictions; sections that do not apply to you may be disregarded.
A. Panama (home jurisdiction)
We process personal data in accordance with Law No. 81 of 26 March 2019 on the protection of personal data and its implementing Decree. You have the rights of access, rectification, cancellation, opposition and portability. The supervisory authority is the National Authority for Transparency and Access to Information (ANTAI). Requests: privacy@binibit.com.
B. European Economic Area (EEA) and United Kingdom
- Legal bases: as set out in Section 5; Article 9(2) (explicit consent / substantial public interest) for biometric data and Article 10 conditions for criminal-offence data.
- Your GDPR rights: access, rectification, erasure, restriction, objection, portability, withdrawal of consent, and rights regarding automated decision-making (Art. 22).
- Transfers into Panama and third countries rely on SCCs, the UK IDTA, adequacy decisions and the Data Privacy Framework (Section 10).
- EEA and UK enquiries: contact our DPO at dpo@binibit.com.
- Right to complain: to your national Data Protection Authority (EEA) or the UK Information Commissioner’s Office (ICO).
C. Switzerland
We comply with the Swiss Federal Act on Data Protection (FADP). Swiss residents have rights comparable to the GDPR and may complain to the Federal Data Protection and Information Commissioner (FDPIC). Transfers rely on the Swiss SCCs / Swiss–US Data Privacy Framework where applicable.
D. United States
California (CCPA/CPRA). California residents may: know/access the categories and specific pieces of personal information collected; delete; correct; opt out of the “sale” or “sharing” of personal information and of targeted advertising; and limit the use of sensitive personal information. We do not sell personal information for money, we honour Global Privacy Control (GPC) signals, and we do not discriminate against you for exercising your rights. To exercise these rights, use binibit.com/privacy or email privacy@binibit.com; authorised agents may submit requests with proof of authorisation. Categories collected/disclosed/“shared”: see Sections 3 and 8. Sensitive personal information (government IDs, financial account details, precise geolocation if any, biometric data) is used only for the purposes in Sections 5–6.
Other US state laws. Residents of states with comprehensive privacy laws (e.g. Virginia, Colorado, Connecticut, Texas, Utah, Oregon and others) have comparable rights to access, correct, delete, obtain a copy, and opt out of targeted advertising, sale and certain profiling. To appeal a decision, contact privacy@binibit.com.
US financial privacy (GLBA). If you use regulated financial products, a separate Gramm-Leach-Bliley Act notice may apply — see binibit.com/legal/financial-privacy.
E. Canada (PIPEDA)
We handle personal information under PIPEDA and applicable provincial laws. We obtain consent (express or implied) appropriate to the sensitivity of the information, limit collection to identified purposes, and allow access and correction. You may complain to the Office of the Privacy Commissioner of Canada (OPC) or the relevant provincial regulator.
F. Brazil (LGPD)
We process personal data under the Lei Geral de Proteção de Dados (Law No. 13.709/2018). You have rights of confirmation, access, correction, anonymisation, portability, deletion and information about sharing. The supervisory authority is the ANPD. Our DPO (Encarregado) is reachable at dpo@binibit.com.
G. United Arab Emirates
Where applicable, processing is subject to the UAE Federal PDPL (Federal Decree-Law No. 45 of 2021) and/or the ADGM Data Protection Regulations 2021 or DIFC Data Protection Law No. 5 of 2020. Data subjects have access, rectification, erasure, restriction, portability and objection rights comparable to the GDPR. Complaints: the UAE Data Office, the ADGM Office of Data Protection, or the DIFC Commissioner of Data Protection, as applicable.
H. Singapore (PDPA)
We comply with the Personal Data Protection Act 2012, collecting, using and disclosing personal data with consent (including deemed consent) or as permitted/required by law (including the legitimate-interests and business-improvement exceptions). You may request access and correction and withdraw consent. Our DPO: dpo@binibit.com. Complaints: the Personal Data Protection Commission (PDPC).
I. Hong Kong (PDPO)
We comply with the six Data Protection Principles of the Personal Data (Privacy) Ordinance, provide data-access and correction rights, and use personal data in direct marketing only with consent. Supervisory authority: the Privacy Commissioner for Personal Data (PCPD).
J. Thailand (PDPA)
We process personal data under the Personal Data Protection Act B.E. 2562 (2019) on a lawful basis (consent or a statutory exception), honour data-subject rights, and recognise the PDPC (Thailand) as the supervisory authority.
K. Indonesia (PDP Law)
We process personal data under Law No. 27 of 2022 on Personal Data Protection, support data-subject rights, and comply with applicable cross-border transfer and breach-notification rules.
L. Australia (Privacy Act / APPs)
We handle personal information in accordance with the Australian Privacy Principles under the Privacy Act 1988. You may access and correct your information and complain to the Office of the Australian Information Commissioner (OAIC).
M. All other jurisdictions
Where you reside in a jurisdiction with its own data-protection law not listed above, we process your personal data in accordance with that law to the extent it applies, you may exercise the rights it grants you by contacting privacy@binibit.com, and you may complain to your local supervisory authority.
© 2026 BINIBIT S.A. All rights reserved.