1. General Provisions
1.1. This Policy defines the procedure for processing, storing and protecting personal data of users of the website cashalot.one.
1.2. Personal Data Operator: CASHALOT.
1.3. The User provides active consent to this Policy by means of a mandatory checkbox when creating an Order.
1.4. The following definitions are used in this Policy:
1.4.1. Personal data – any information relating to a directly or indirectly identifiable individual (user).
1.4.2. Processing – any action (operation) or set of actions performed with personal data, including collection, recording, systematization, accumulation, storage, clarification, use, transfer (provision, access), blocking and deletion.
1.4.3. Operator – a person organizing and/or performing the processing of personal data.
1.4.4. User – an individual using the Operator's services.
2. Categories of Processed Data
2.1. Contact data: e-mail, Telegram ID, and other contacts provided by the User.
2.2. Order data: amounts, payment details (within the data entered by the User), TxID, cryptocurrency wallet addresses, communication with support.
2.3. Technical data: IP, user-agent, cookies, date/time of antifraud metrics; type of action performed on the Website (click, cursor hover, etc.); last visit and activity; screen resolution; type of the User's device; User location; User language; operating system language, device language and browser language; information about device theme (day/night mode); HTML element class that receives the click.
2.4. KYC/SoF data: identity verification documents of the User, the User’s photograph as biometric personal data; address confirmation; User's card details; statements/receipts/explanations and other confirmations of the source of funds.
3. Purposes of Personal Data Processing
3.1. Providing website functionality and execution of Orders.
3.2. AML/KYC/SoF control, fraud prevention, ensuring security of Users and transactions.
3.3. User support, consideration of claims and dispute resolution.
3.4. Compliance with lawful requests from authorized authorities where legal grounds exist.
4. Legal Basis for Personal Data Processing
4.1. User consent.
4.2. Execution of the User Agreement (public offer) and provision of services.
4.3. Legitimate interests of the Operator in ensuring security, preventing fraud and complying with AML procedures.
5. Transfer of Personal Data to Third Parties
5.1. The Operator may transfer personal data to third parties only to the extent necessary for the purposes specified in this Policy, including:
5.1.1. upon lawful request of competent authorities;
5.1.2. processors under contract (hosting providers, email/chat providers, infrastructure contractors) strictly to the extent necessary for operation;
5.1.3. AML analyzers – to the extent of addresses/TxID/technical parameters required for verification.
5.2. The Operator does not provide paid access to Users’ personal data and does not disclose such data to third parties except in cases specified in clause 5.1 of this Policy.
6. Personal Data Retention Periods
6.1. Order data and logs: 36 months.
6.2. KYC/SoF materials: 5 years.
6.3. In case of a claim/dispute, storage may be extended until the dispute is resolved.
6.4. Upon expiration of the retention period, personal data shall be destroyed.
7. Secure Collection and Protection of Data
7.1. Data transfer is performed through secure channels (HTTPS/TLS).
7.2. KYC/SoF materials are accepted only through secure channels/forms/personal accounts (if available), and access to them is restricted.
7.3. The Operator’s employees are granted role-based access to data under the “need to know” principle, only to the extent necessary for the proper performance of their duties.
7.4. Access to KYC/SoF materials and key operations is logged.
7.5. Data storage protection measures are applied (including encryption/backup control where applicable) as well as data minimization (only necessary data is requested).
7.6. The User is responsible for ensuring the security of their devices and accounts.
8. User Rights
8.1. The User has the right to request information about the processing of their data, as well as its correction, updating, clarification and deletion (if there are no legal grounds for retention).
8.2. Consent may be withdrawn by contacting support; however, use of the service may be restricted if processing is necessary for AML/security/Order execution.
9. Operator Contact Information
9.1. For questions regarding personal data processing, the User may contact the Operator at: support@cashalot.one