This Privacy Policy (“Privacy Policy”) governs the collection, use, and disclosure of Personal Data and other information when you use Pitex, and regulates the legal relationship between you and Pitex (collectively referred to as “we”, “our”, “the Company”) in the field of personal data protection.
We respect and value the privacy of everyone who visits our Website or uses our Services, and we collect and use information only in ways that will be beneficial to you and in accordance with your rights under the applicable Data Protection Laws and our obligations under those laws.
This Privacy Policy forms part of our Terms of Use. Unless otherwise defined in this Privacy Policy, the terms used here shall have the same meaning as in our Terms of Use. If you do not agree with this Privacy Policy, you may not use Pitex. By using Pitex, you acknowledge that you have read, understood, and agreed to this Privacy Policy and our Terms of Use. By providing us with your personal information, you also consent to the collection, storage, processing, use, and disclosure of your Personal Data in accordance with this Privacy Policy.
1.1 Data Controller - Means a person or entity who determines the purposes for which and the manner in which any personal information is, or is to be, processed. For the purposes of this Privacy Policy, Pitex is the Data Controller of your Personal Data in accordance with the Dubai Data Protection Law No. 5 of 2020 and the VARA Rulebook on Data Protection and Confidentiality. If you have any questions regarding your data, you can contact us at: [email protected].
1.2. Data Subject (or “You”) - Means any living individual — including clients, prospective clients, and visitors — who uses Pitex services and is the subject of Personal Data.
1.3. Personal Data - Means any information relating to an identified or identifiable living individual, including but not limited to identification details, contact information, identity verification data, KYC/AML documentation, financial transaction data, and any other sensitive personal information as defined under applicable laws.
1.4. Processing - Means any operation or set of operations performed on Personal Data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction, in compliance with applicable UAE laws and VARA regulatory requirements.
1.5. Third Party - Means any natural or legal person, public authority, agency, or body other than the Data Subject, Data Controller, or Data Processor, and persons who, under the direct authority of the Data Controller or Data Processor, are authorized to process Personal Data. Where Personal Data is transferred to a Third Party, such transfer shall be conducted in accordance with UAE cross-border data transfer requirements and under appropriate contractual safeguards.
1.6. Website - Means the official Pitex website operated by the Company and available at: https://pitex.com.
In accordance with the General Data Protection Regulation (GDPR), the Dubai Data Protection Law No. 5 of 2020, and the VARA Rulebook on Data Protection and Confidentiality, Pitex processes your Personal Data on the following legal bases:
2.1. Contractual Necessity – GDPR Article 6(1)(b) & VARA Requirements Processing of your Personal Data is necessary for the performance of a contract between you and Pitex, as a user of our Website and Services. This includes, but is not limited to, account creation, transaction execution, and the provision of customer support services, in compliance with the applicable requirements of the Virtual Assets Regulatory Authority (VARA), including the VARA Rulebook – Part II: Personal Data Protection and the operational and record-keeping obligations applicable to licensed Virtual Asset Service Providers in Dubai.
2.2. Legal Obligation – GDPR Article 6(1)(c) & VARA Requirements Processing of your Personal Data is necessary for compliance with legal and regulatory obligations applicable to Pitex, including:
2.3. Legitimate Interests – GDPR Article 6(1)(f) & VARA Requirements Processing of your Personal Data is necessary for the legitimate interests of both Pitex and you as the Data Subject, provided that such interests are not overridden by your fundamental rights and freedoms. Such legitimate interests are recognized under:
Specifically, legitimate interests pursued by Pitex include:
2.3.1. Ensuring the ongoing security, stability, and resilience of Pitex’s systems, infrastructure, and services, in compliance with VARA’s Information Security and Cybersecurity Standards.
2.3.2. Monitoring performance, detecting errors, preventing fraud, and enabling incident response in accordance with VARA’s Operational Risk and Incident Reporting Requirements.
2.3.3. Improving the performance, functionality, and user experience of the Pitex platform, consistent with VARA’s requirements for maintaining accurate, reliable, and user-oriented service delivery.
2.3.4. Protecting Pitex’s business operations, assets, and legal rights, including exercising or defending legal claims, in line with VARA’s governance and accountability obligations.
In accordance with the VARA Rulebook – Part II: Personal Data Protection, the Dubai Data Protection Law No. 5 of 2020, the Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, and the General Data Protection Regulation (GDPR), Pitex collects and processes your Personal Data for the following purposes:
3.1. Service Provision & Platform Operation Maintaining and providing you with access to the Pitex platform, our Website, and our Services, including swap, crypto-to-fiat, and custody solutions, in compliance with VARA’s operational and licensing requirements.
3.2. Service Improvement & Development Providing, maintaining, enhancing, and delivering our Website and Pitex services through our software infrastructure, while meeting VARA’s obligations for system integrity, operational resilience, and user protection.
3.3. Service Expansion Making additional Pitex services available to you, where lawful, appropriate, and in line with VARA’s licensing scope and activity-specific approvals.
3.4. Legal & Regulatory Compliance Fulfilling our legal and regulatory obligations, including compliance with our internal policies and obligations under VARA regulations, UAE Federal AML/CFT laws, and data protection requirements. This includes disclosures and timely responses to lawful requests from law enforcement authorities and/or regulators such as VARA and the Central Bank of the UAE (CBUAE), in accordance with applicable laws, rules, regulations, and judicial or governmental orders.
3.5. Communication & User Support Providing you with the information, updates, or services that you have requested. Communicating with you regarding your account, transactions, and our services, including service notifications, platform updates, and information on products or features —ensuring such communications comply with consent and marketing rules under VARA and GDPR.
3.6. Consent-Based Processing Carrying out any actions for which we have obtained your explicit consent, as well as any other purposes consistent with the original reason for which the information was collected, provided such processing remains in compliance with applicable UAE and VARA data protection requirements.
“BU KISIMA RAKİPLERİMİZDEN OLAN TRUSTEE PLUSTA
OLDUĞU GİBİ BİR TABLO EKLEMEMİZ GEREKLİ”
In accordance with the VARA Rulebook – Part II: Personal Data Protection, the Dubai Data Protection Law No. 5 of 2020, the Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), and the General Data Protection Regulation (GDPR), Pitex handles the disclosure of Personal Data as follows:
4.1. General Principle We collect and process Personal Data primarily to facilitate, operate, and improve our Services, or for other purposes set out in this Privacy Policy. Any disclosure of Personal Data is strictly limited to what is necessary, proportionate, and lawful under applicable laws and VARA regulations.
4.2. Data Protection Safeguards We apply appropriate physical, technological, and organizational safeguards to protect Personal Data. Access to Personal Data is restricted to authorized personnel only, with role-based access controls in line with VARA’s Information Security and Cybersecurity Standards.
4.3. No Sale of Personal Data We do not sell your Personal Data to any Third Parties. All personal information collected is used solely for the purposes outlined in this Privacy Policy and in compliance with GDPR, PDPL, and VARA requirements.
4.4. Lawful Disclosure We may disclose Personal Data to Third Parties only where expressly permitted by applicable law, regulatory requirements, or this Privacy Policy.
4.5. Qualified Service Providers We engage qualified Third-Party providers (e.g., KYC/AML verification services, payment processors, cloud hosting providers) under written agreements to ensure secure, lawful, and compliant collection, processing, and storage of Personal Data, in line with VARA’s Third-Party Risk Management Provisions.
4.6. Consent-Based Transfers Where the transfer of Personal Data to Third Parties is not based on legal or contractual necessity, it will only occur with your explicit consent. By using Pitex, you consent to the transfer of such data to Third-Party service providers as specified in our agreements. If you do not provide such consent, you may be unable to access certain Pitex services.
4.7. Categories of Third Parties We may share your Personal Data with:
4.8. Confidentiality & Contractual Safeguards When we disclose your Personal Data to any Third Party, we take all reasonable steps to ensure they are bound by confidentiality and privacy obligations. Such disclosures are conducted in compliance with applicable legal requirements and data processing agreements, ensuring that:
4.9. No Unauthorized Sharing Your information, whether public or private, will not be exchanged, transferred, or given to any other company for any reason whatsoever, without your consent, except as necessary to deliver the requested services, improve our services, or meet legal obligations.
In accordance with the VARA Rulebook – Part II: Personal Data Protection, the Dubai Data Protection Law No. 5 of 2020, the Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), and the General Data Protection Regulation (GDPR), Pitex handles the storage, retention, and deletion of Personal Data as follows:
5.1. Retention Period We retain your Personal Data only for as long as it is necessary to fulfil the purposes for which it was collected, or as required by applicable laws and regulatory obligations, including VARA’s record-keeping requirements for licensed Virtual Asset Service Providers. Once Personal Data is no longer needed, we follow documented procedures to securely destroy, delete, erase, or anonymize it.
5.2. User-Initiated Deletion You have the right to request the deletion of your Personal Data at any time by contacting us at [email protected]. You may also withdraw your consent to processing where applicable.
5.3. Legal Retention Requirements We may store and process Personal Data for periods exceeding the original purpose of collection if retention is required by applicable laws, regulatory requirements, or for the establishment, exercise, or defense of legal claims.
5.4. Effect of Withdrawal or Deletion Withdrawal of consent and/or deletion of your Personal Data may result in your inability to continue using Pitex services, where the processing of such data is essential for service delivery or compliance with VARA licensing requirements.
5.5. Grounds for Erasure Without Undue Delay We will erase your Personal Data without undue delay where one of the following applies:
VARA regulations, or other applicable legislation.
5.6. Legal and Regulatory Retention We may retain your Personal Data where such retention is necessary to comply with a legal or regulatory obligation to which we are subject, in accordance with GDPR Article 6(1)(c), PDPL requirements, and VARA Rulebook record-keeping provisions.
In accordance with the VARA Rulebook – Part II: Personal Data Protection, the VARA Information Security and Cybersecurity Standards, the Dubai Data Protection Law No. 5 of 2020, the Federal Decree-Law No. 45 of 2021 (PDPL), the General Data Protection Regulation (GDPR), and ISO/IEC 27001 Information Security Management Standards, Pitex implements robust technical, physical, and organizational measures to safeguard Personal Data collected through our Website, mobile application, and services.
6.1. Data Security Commitment Data security is of critical importance to Pitex. To protect your Personal Data, we maintain appropriate physical, electronic, and managerial procedures designed to ensure the confidentiality, integrity, availability, and resilience of our systems and services.
6.2. Security Measures Implemented Steps we take to secure and protect your data include, but are not limited to:
6.3. User Responsibility for Security If you suspect that your Personal Data or User Account has been compromised, especially account and/or password information, please immediately lock your account and contact us at [email protected] or through our in-platform support channels.
6.4. Continuous Compliance Pitex regularly reviews, updates, and tests its security measures to ensure ongoing compliance with VARA Information Security Requirements, ISO 27001 Information Security Management Systems, UAE federal data protection laws, and international best practices.
7.1. UAE Data Residency (Default). Pitex stores and processes Personal Data exclusively within the United Arab Emirates (UAE). Primary and backup storage (including disaster‑recovery replicas) are maintained in UAE data centers. Remote access to production Personal Data from outside the UAE is prohibited.
7.2. Limited Exceptions A cross‑border transfer (including remote access from outside the UAE) will occur only if:
(a) required to comply with applicable UAE law or a binding order of a competent authority; or
(b) expressly permitted or required under Pitex’s VARA licence conditions or a written directive from VARA.
Where such an exception applies, Pitex will implement a lawful transfer mechanism and appropriate safeguards ensuring a level of protection not less than that required under PDPL, GDPR (where applicable), and the VARA Rulebooks (e.g., Standard Contractual Clauses, Binding Corporate Rules, additional technical/organizational controls).
7.3. Third‑Party Processing Constraints. Third‑party service providers engaged by Pitex must process and store Personal Data in the UAE and are contractually prohibited from onward transfers outside the UAE, unless an exception under 7.2. applies and all safeguards are in place.
7.4. Technical & Contractual Safeguards (If an Exception Applies). For any permitted cross‑border transfer, Pitex will apply encryption in transit, strict access controls, data‑minimisation, audit rights, incident reporting, and onward‑transfer restrictions, and will ensure the recipient is bound by a data processing agreement consistent with VARA, PDPL, and GDPR standards.
7.5. User Notice/Consent. Where required by law, Pitex will notify you in advance and, if necessary, obtain your explicit consent before effecting a transfer under 7.2.
In accordance with the VARA Rulebook – Part II: Personal Data Protection, the Dubai Data Protection Law No. 5 of 2020, the Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), and the General Data Protection Regulation (GDPR) (where applicable), you have the following rights in relation to your Personal Data:
8.1. Right to Access You have the right to obtain confirmation as to whether or not Pitex processes your Personal Data, and, where we do, to access such Personal Data. Upon request, we will provide you with a copy of your Personal Data, in compliance with applicable data protection laws.
8.2. Right to Rectification You have the right to modify or correct your Personal Data at any time. You are responsible for ensuring the accuracy of your Personal Data, and we will update our records upon your request.
8.3. Right to Restriction of Processing You may request that we restrict the processing of your Personal Data where retention is not required by law, regulation, or VARA’s record-keeping obligations.
8.4. Right to Object & Withdraw Consent You have the right to object to the processing of your Personal Data at any time, and/or to withdraw your consent without affecting the lawfulness of processing carried out prior to such withdrawal.
8.5. Right to Erasure (“Right to be Forgotten”) You have the right to request the erasure of your Personal Data in the circumstances outlined under GDPR, PDPL, and VARA rules, including where the data is no longer necessary for the purposes collected, or where processing was unlawful.
8.6. Applicable Legal Basis For residents of the European Economic Area (EEA), our processing of your Personal Data is based on the legal grounds set out in GDPR Articles 6 and 9, and we take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data.
8.7. How to Exercise Your Rights You can exercise any of your rights by contacting us at [email protected]. If you wish to know what Personal Data we hold about you, or if you want it removed from our systems (subject to legal retention requirements), please send your request to this email address.
8.8. Right to Lodge a Complaint You have the right to lodge a complaint with the relevant Data Protection Authority.
9.1. Pitex may amend, update, delete, or add to this Privacy Policy at any time, to reflect changes in our services, operational practices, regulatory requirements, or applicable data protection laws, including any new or updated rules issued by the Virtual Assets Regulatory Authority (VARA).
9.2. Any such changes will become effective upon being posted on our Website or mobile application. The “Last Updated” date at the top of this Privacy Policy indicates the latest version in force.
9.3. Where required by applicable laws, including VARA regulations and the Dubai Data Protection Law, we will notify you in advance of any material changes and, if necessary, seek your renewed consent for the processing of your Personal Data.
9.4. Your continued use of the Pitex platform, Website, and/or mobile application after the effective date of any changes constitutes your acceptance of the revised Privacy Policy and your consent to the processing of Personal Data according to the latest version. If you do not agree with any such changes, you must discontinue use of Pitex’s services.
English