Privacy Policy

Information We Collect

We collect information to provide, maintain, and improve our services. The categories of data we collect include:

Personal Identification Information

When you create an account, complete a transaction, or contact us, we may collect: full name, email address, phone number, postal address (including Chicago, IL area), date of birth, government-issued identification (for KYC/AML compliance), and proof of residence.

Financial and Transaction Data

To process trades and comply with financial regulations, we collect bank account details, cryptocurrency wallet addresses, transaction history, trading volumes, deposit/withdrawal records, and related financial information.

Technical Usage Data

We automatically collect: IP address, browser type and version, operating system, device identifiers, pages visited, time spent on pages, referring URLs, and similar technical data through cookies and analytics tools.

Communication Data

If you contact our support team via email at [email protected] or through our contact form, we retain records of those communications, including any attachments or screenshots you provide.

How We Use Your Information

We use the collected information for the following purposes:

• To verify your identity and comply with anti-money laundering (AML) and know-your-customer (KYC) regulations required by US federal and Illinois state law.
• To process your cryptocurrency trades, deposits, withdrawals, and account management requests.
• To communicate with you about your account, transactions, and platform updates.
• To detect, prevent, and address fraud, security incidents, and illegal activities.
• To improve our platform, develop new features, and personalize your experience.
• To send you relevant notifications, promotional materials (with your consent), and regulatory updates.
• To comply with legal obligations, court orders, and regulatory requests from US authorities.

Legal Basis for Processing (US & Illinois Compliance)

Under the California Consumer Privacy Act (CCPA), Illinois Personal Information Protection Act, and other applicable US privacy laws, we process your personal data based on the following lawful grounds:

• Contractual necessity: Processing required to execute trades, manage your account, and deliver the exchange services you requested.
• Legal obligation: Processing necessary to comply with federal securities laws, FinCEN regulations, Illinois money transmitter licensing requirements, and anti-money laundering statutes.
• Legitimate interests: Processing for fraud prevention, network security, platform improvement, and direct marketing (where you have not opted out).
• Consent: Processing for certain cookies, marketing communications, and sensitive data categories where you have given explicit consent.

Data Sharing and Third-Party Disclosures

We do not sell your personal information to third parties. However, we may share your data with the following categories of recipients under strict contractual agreements:

• Financial regulators: FinCEN, SEC, Illinois Department of Financial and Professional Regulation (IDFPR), and other authorities as required by law.
• Banking partners: US-based financial institutions that process fiat currency deposits and withdrawals (e.g., JPMorgan Chase, Bank of America).
• KYC/AML service providers: Third-party identity verification vendors such as Jumio and Onfido for compliance screening.
• Cloud infrastructure providers: Amazon Web Services (AWS) hosting our servers in US East (N. Virginia) region.
• Analytics and security tools: Cloudflare for CDN and DDoS protection, and Google Analytics (anonymized IP mode) for usage analysis.
• Legal and audit professionals: External law firms and auditors bound by confidentiality agreements.

All third parties are contractually prohibited from using your data for any purpose other than the specific services they provide to us, and they must maintain equivalent data protection standards.

Data Retention and Storage

We retain your personal information only as long as necessary to fulfill the purposes described in this policy, or as required by applicable law. Specific retention periods include:

• Account data: Retained for the duration of your account activity plus five (5) years after closure, as required by US anti-money laundering regulations.
• Transaction records: Retained for seven (7) years in compliance with IRS recordkeeping requirements and securities laws.
• Communication logs: Retained for three (3) years from the date of the last interaction.
• Technical logs: Retained for twelve (12) months, after which they are anonymized or deleted.

Your data is stored on encrypted servers located within the United States, primarily in AWS US East (N. Virginia) data centers. We implement physical, electronic, and procedural safeguards including AES-256 encryption at rest, TLS 1.3 in transit, and multi-factor access controls.

Your Rights Under US Privacy Laws

Depending on your state of residence, you may have the following rights regarding your personal information. We honor all applicable rights under the California Consumer Privacy Act (CCPA), the Illinois Personal Information Protection Act, and other state privacy laws.

Right to Access

You have the right to request a copy of the personal information we hold about you, including the categories of data collected, sources of collection, business purpose for collection, and categories of third parties with whom we share your data.

Right to Rectification

If your personal information is inaccurate or incomplete, you may request that we correct or update it. You can also update certain account information directly through your profile settings on our platform.

Right to Deletion

You may request that we delete your personal information, subject to certain exceptions such as compliance with legal obligations, fraud prevention, or completion of transactions. We will evaluate your request and notify you of any applicable exceptions.

Right to Opt-Out of Sale

We do not sell your personal information as defined by the CCPA. However, if our practices change in the future, we will provide you with a clear opt-out mechanism and update this policy accordingly.

Right to Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. This means we will not deny services, charge different prices, or provide a different level of service based on your privacy choices.

Right to Data Portability

Upon request, we will provide your personal information in a structured, commonly used, and machine-readable format (such as CSV or JSON) to facilitate transfer to another service provider.

How to Exercise Your Rights

To submit a privacy rights request, please contact our Data Protection Officer using one of the following methods:

• Email: Send your request to [email protected] with the subject line "Privacy Rights Request"
• Web form: Visit our Contact page and select "Privacy Request" from the subject dropdown
• Mail: Write to us at Andes Wave LLC, Attn: Privacy Officer, 233 S Wacker Dr Suite 3500, Chicago, IL 60606, USA

We will acknowledge receipt of your request within 5 business days and respond substantively within 45 days. If we need additional time, we will notify you in writing. You may designate an authorized agent to make a request on your behalf; we will require verification of the agent's authority.

Cookies and Tracking Technologies

Our website uses cookies, web beacons, and similar tracking technologies to enhance your experience, analyze traffic, and support our security operations. For detailed information about the types of cookies we use and how to manage your preferences, please see our separate Cookie Policy.

In summary, we use the following categories of cookies:

• Essential cookies: Required for platform functionality, including authentication, session management, and security features.
• Analytics cookies: Help us understand how users interact with our platform (Google Analytics with IP anonymization enabled).
• Functional cookies: Remember your preferences and settings for a personalized experience.
• Marketing cookies: Used only with your explicit consent to deliver relevant advertisements and measure campaign effectiveness.

You can manage cookie preferences through your browser settings or by using our cookie consent tool available on your first visit. Disabling certain cookies may affect platform functionality.

Children's Privacy

Our platform is not intended for individuals under the age of 18 (or the age of majority in Illinois, which is 18). We do not knowingly collect personal information from minors. If we become aware that a minor has provided us with personal data without verifiable parental consent, we will take steps to delete that information promptly.

Parents or guardians who believe their child has submitted personal data to us should contact us immediately at [email protected] so we can investigate and remove the data.

International Data Transfers

Loopring Exchange primarily stores and processes data within the United States. If you access our services from outside the US, your information may be transferred to, stored, and processed in the United States or other jurisdictions where our service providers operate.

We ensure that any international transfers comply with applicable data protection laws through appropriate safeguards, including Standard Contractual Clauses (SCCs) where required. By using our platform, you consent to the transfer of your data to the United States and other jurisdictions as described in this policy.

Security Measures

We implement comprehensive technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. Our security framework includes:

• Encryption: All data in transit is encrypted using TLS 1.3 protocols. Data at rest is encrypted using AES-256 encryption standards.
• Access controls: Strict role-based access controls (RBAC) and multi-factor authentication for all employees and contractors with access to personal data.
• Network security: Enterprise-grade firewalls, intrusion detection systems, and 24/7 monitoring through our security operations center.
• Regular audits: Annual third-party security audits, penetration testing, and SOC 2 Type II compliance assessments.
• Incident response: A documented incident response plan that includes notification to affected users and relevant authorities within 72 hours of confirmed breach, as required by Illinois law.
• Employee training: Mandatory annual privacy and security training for all staff handling personal information.

Despite these measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but will promptly notify you of any data breach that affects your personal information in accordance with applicable law.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. When we make material changes, we will notify you through one or more of the following methods:

• Posting the updated policy on this page with a revised "Last updated" date at the top
• Sending an email notification to the primary email address associated with your account
• Displaying a prominent notice on our platform at least 30 days before significant changes take effect

We encourage you to review this Privacy Policy periodically. Your continued use of our services after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree with a material change, you may close your account and discontinue use of our platform.

Contact Information

If you have any questions, concerns, or complaints regarding this Privacy Policy or our data handling practices, please contact us:

• Data Protection Officer: [email protected]
• General inquiries: [email protected]
• Phone: +1 312 847 6293 (Monday–Friday, 9:00 AM – 6:00 PM CST)
• Mail: Andes Wave LLC, Attn: Privacy Officer, 233 S Wacker Dr Suite 3500, Chicago, IL 60606, USA

You also have the right to lodge a complaint with the Illinois Attorney General's office or the Federal Trade Commission (FTC) if you believe your privacy rights have been violated. We encourage you to contact us first so we can address your concerns directly.

Data Breach Notification Policy

In compliance with Illinois Personal Information Protection Act (815 ILCS 530/) and other applicable US laws, Loopring Exchange maintains a comprehensive data breach response plan. In the event of a breach involving your personal information, we will:

• Notify affected individuals without unreasonable delay, and within 72 hours of confirmation of the breach.
• Provide a description of the nature of the breach, the types of data involved, and the approximate number of affected individuals.
• Inform you of measures we have taken or will take to mitigate the impact of the breach.
• Offer guidance on steps you can take to protect yourself from potential harm, such as monitoring your accounts or placing a fraud alert on your credit file.
• Report the breach to relevant state and federal authorities, including the Illinois Attorney General and, where applicable, the FTC.

Notifications will be delivered via email, through a notice on our website, or by other reasonable means depending on the urgency and available contact information.

Automated Decision-Making and Profiling

Loopring Exchange uses automated systems for certain operational decisions, including:

• Risk scoring: Automated assessment of transaction patterns to detect potential fraud or money laundering activity. This may result in temporary account restrictions pending manual review.
• KYC verification: Automated document verification and identity matching using third-party services. If automated verification fails, your application is routed for manual review by our compliance team.
• Trading limits: Algorithmic determination of withdrawal and trading limits based on account age, transaction history, and verification level.

You have the right to request human review of any automated decision that significantly affects you. To request a manual review, please contact our support team at [email protected] with the subject "Automated Decision Review." We will respond within 15 business days with the outcome of the review and any corrective actions taken.

Do Not Track Signals

Our platform does not currently respond to "Do Not Track" (DNT) signals sent by web browsers, as there is no consistent industry standard for interpreting such signals. However, we respect your privacy choices through other mechanisms, including our cookie consent tool and the privacy rights described in this policy. We will monitor developments in DNT standards and update our practices accordingly.

Third-Party Links and Services

Our website and platform may contain links to third-party websites, services, or applications that are not owned or controlled by Loopring Exchange. This includes links to blockchain explorers, wallet providers, and regulatory authorities. This Privacy Policy applies solely to information collected by us. We are not responsible for the privacy practices of third parties, and we encourage you to review their privacy policies before providing any personal information.

We may also integrate third-party APIs and widgets (such as live cryptocurrency price feeds) that may collect your IP address and browsing information. These third parties have their own privacy policies governing the use of your data, and we recommend reviewing them.

California Privacy Rights (CCPA)

If you are a resident of California, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information. This section describes those rights and how to exercise them.

Under the CCPA, you have the right to:

• Know what personal information we collect, use, share, and sell about you (we do not sell personal information).
• Request deletion of your personal information, subject to certain exceptions.
• Opt out of the sale of your personal information (we do not sell personal information).
• Non-discrimination for exercising your CCPA rights.
• Request a copy of the specific pieces of personal information we have collected about you in the preceding 12 months.

To exercise your CCPA rights, please submit a verifiable request using the contact methods listed in the "How to Exercise Your Rights" section above. We will confirm receipt within 10 business days and respond within 45 days. You may make up to two requests per 12-month period.

Illinois-Specific Privacy Rights

As a platform operating in Chicago, Illinois, we comply with the Illinois Personal Information Protection Act (PIPA) and the Illinois Biometric Information Privacy Act (BIPA). Under Illinois law, you have the following additional protections:

• Notification of breach: We will notify you in the most expedient time possible and without unreasonable delay if we discover a breach of your personal information, consistent with Illinois law requirements.
• Biometric data: We do not collect biometric information (such as fingerprints or facial recognition data) for authentication purposes. If we implement such measures in the future, we will obtain your written consent and comply fully with BIPA requirements, including data retention and destruction policies.
• Data security safeguards: We implement reasonable security measures to protect your personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure, as required by Illinois law.
• Disposal of records: When we dispose of records containing personal information, we do so by shredding, erasing, or otherwise modifying the data to make it unreadable or undecipherable, in compliance with Illinois record disposal requirements.

If you believe we have violated any Illinois privacy law, you may file a complaint with the Illinois Attorney General's office at www.illinoisattorneygeneral.gov or contact their Consumer Fraud Bureau at 1-800-386-5438.

Nevada Privacy Rights

If you are a resident of Nevada, you have the right to opt out of the sale of your personal information under Nevada Revised Statutes Chapter 603A. We do not sell your personal information as defined by Nevada law. If you wish to submit a request regarding the sale of your personal information, please contact us at [email protected] with the subject "Nevada Privacy Request."

Financial Privacy and Regulatory Disclosures

As a cryptocurrency exchange platform, Loopring Exchange is subject to federal and state financial privacy regulations, including the Gramm-Leach-Bliley Act (GLBA) and state money transmitter laws. Under these regulations:

• We collect personal information necessary to provide financial services and comply with regulatory requirements, including anti-money laundering (AML) and counter-terrorism financing (CTF) obligations.
• We do not disclose non-public personal information about our customers to non-affiliated third parties except as permitted by law, such as to process transactions, maintain accounts, or respond to legal process.
• We provide this Privacy Policy to you at the time of account establishment and annually thereafter, as required by GLBA privacy notice provisions.
• You have the right to opt out of certain information sharing with non-affiliated third parties. If our practices change to include such sharing, we will notify you and provide a reasonable opportunity to opt out before your information is shared.

Our platform is registered as a money services business (MSB) with the Financial Crimes Enforcement Network (FinCEN) and complies with all applicable Bank Secrecy Act (BSA) requirements. For more information about our regulatory compliance, please see our Legal Notice page.

Data Protection Officer

Loopring Exchange has appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and ensuring compliance with applicable privacy laws. Our DPO serves as the primary point of contact for privacy-related matters, including data subject requests, regulatory inquiries, and privacy impact assessments.

You can reach our DPO directly:

• Email: [email protected]
• Phone: +1 312 847 6293 (extension 221)
• Mail: Andes Wave LLC, Attn: Data Protection Officer, 233 S Wacker Dr Suite 3500, Chicago, IL 60606, USA

Our DPO reports directly to senior management and operates independently to ensure objective oversight of our data protection practices.

Data Subject Access Request Procedure

To ensure the security of your personal information, we require verification of your identity before processing any data subject access request (DSAR). Our verification process includes:

• Matching the information in your request against the data we have on file, including your name, email address, and account details.
• Requesting additional verification documents if the initial information is insufficient, such as a copy of your government-issued ID (with sensitive numbers redacted).
• Contacting you through the email address associated with your account to confirm the request's authenticity before processing.

We will process your DSAR within 45 days of receiving a verifiable request. If we cannot meet this timeline due to complexity or volume of requests, we will notify you in writing and provide an estimated completion date, which will not exceed an additional 45 days. All DSAR responses are provided free of charge, unless the request is manifestly unfounded or excessive, in which case a reasonable administrative fee may be charged.

Recordkeeping and Documentation

We maintain comprehensive records of our data processing activities as required by applicable law. Our documentation includes:

• Records of all personal data collected, including categories of data subjects, types of data, and purposes of processing.
• Logs of data access requests received and our responses, including timestamps and outcomes.
• Documentation of data breach incidents, including root cause analysis, remediation steps, and notifications sent.
• Contracts with data processors outlining processing instructions, security measures, and audit rights.
• Privacy impact assessments (PIAs) for new processing activities that involve high-risk data handling.

These records are retained for a minimum of five years and are made available to regulatory authorities upon request, as required by Illinois and federal law.

Marketing Communications and Opt-Out

With your consent, we may send you promotional communications about our services, new features, industry news, and special offers. You have the right to opt out of receiving marketing communications at any time. To unsubscribe, you can:

• Click the "Unsubscribe" link at the bottom of any marketing email we send.
• Adjust your communication preferences in your account settings under the "Notifications" section.
• Send an email to [email protected] with the subject "Marketing Opt-Out" and include your registered email address.

We will process your opt-out request within 10 business days. Please note that even after opting out of marketing communications, you will continue to receive transactional and service-related messages, such as trade confirmations, account updates, and security alerts, which are necessary for the operation of your account.

Social Media and Public Forums

Loopring Exchange maintains profiles on social media platforms including Twitter, LinkedIn, and YouTube. When you interact with us on these platforms, you do so subject to the privacy policies of those platforms. We may collect information you make publicly available, such as your username, comments, and likes, but we do not use this data for purposes beyond responding to your inquiries and improving our services.

If you choose to participate in our community forums or comment sections, please be aware that any information you disclose in these public areas becomes publicly visible. We recommend that you do not share sensitive personal information such as your account details, wallet addresses, or financial information in public forums. We are not responsible for the privacy of any information you choose to disclose publicly.

Data Retention Schedule Summary

The following table summarizes our standard data retention periods for different categories of personal information:

After the retention period expires, personal data is securely deleted or anonymized for analytical purposes. Anonymized data is retained indefinitely but cannot be linked back to any identifiable individual.

Training Data and Machine Learning

Loopring Exchange may use aggregated, anonymized data to train machine learning models for fraud detection, risk assessment, and platform optimization. We do not use your personal information for training purposes without first removing all direct and indirect identifiers. The anonymization process includes:

• Removal of names, email addresses, phone numbers, and account identifiers.
• Generalization of location data to city or regional level only.
• Aggregation of transaction data into statistical patterns that cannot be reverse-engineered to individual users.
• Differential privacy techniques to prevent re-identification through inference attacks.

If we develop new features or services that require processing your personal information beyond the purposes described in this policy, we will obtain your consent or provide a lawful basis before doing so. You may opt out of having your anonymized data used for model training by contacting our DPO, though this will not affect data already anonymized and incorporated into production models.

Dispute Resolution and Complaints

If you believe we have violated your privacy rights or failed to comply with applicable data protection laws, we encourage you to raise your concern with us directly. Our dispute resolution process includes the following steps:

1. Informal resolution: Contact our support team at [email protected] with a description of your concern. We will respond within 5 business days and attempt to resolve the issue informally.
2. Formal complaint: If informal resolution is unsuccessful, you may submit a formal written complaint to our Data Protection Officer at the address listed above. We will acknowledge receipt within 3 business days and provide a full written response within 30 days.
3. Regulatory escalation: If you are unsatisfied with our response, you may file a complaint with the Illinois Attorney General's Office (100 W Randolph St, Chicago, IL 60601, 1-800-386-5438) or the Federal Trade Commission (600 Pennsylvania Ave NW, Washington, DC 20580, 1-877-382-4357).

We commit to resolving all privacy complaints fairly and transparently. No adverse action will be taken against any user for filing a privacy complaint in good faith.

Special Provisions for Cryptocurrency Transactions

Due to the nature of blockchain technology, certain data related to cryptocurrency transactions is inherently public and immutable. Please be aware of the following:

• Blockchain transparency: Cryptocurrency transactions are recorded on public blockchains (e.g., Ethereum, Loopring L2). Wallet addresses, transaction amounts, and timestamps are visible to anyone. This is a fundamental property of decentralized networks and cannot be altered or deleted by Loopring Exchange.
• Off-chain data: We minimize the amount of personal information recorded on-chain. Where possible, we use layer-2 solutions and off-chain order books to protect your privacy.
• Wallet addresses: Your deposit and withdrawal wallet addresses are stored in our systems for compliance and operational purposes. These are treated as personal information under this policy.
• Smart contract interactions: When you interact with Loopring's smart contracts, your wallet address and transaction data become part of the public blockchain record. We recommend using separate wallets for trading and personal holdings to enhance privacy.

We cannot delete or modify data that has been recorded on public blockchains. If you have concerns about blockchain transparency, we encourage you to review our educational resources on privacy-preserving trading practices available on our Services page.

Glossary of Key Terms

For clarity, we define the following terms used throughout this Privacy Policy:

• Personal information: Any information that identifies, relates to, describes, or could reasonably be linked to a specific individual, including but not limited to name, email, address, IP address, and financial account details.
• Processing: Any operation performed on personal information, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, or deletion.
• Data controller: Loopring Exchange (Andes Wave LLC), which determines the purposes and means of processing personal information.
• Data processor: Third-party service providers that process personal information on our behalf under written instructions.
• Data subject: The individual to whom the personal information relates.
• Consent: Freely given, specific, informed, and unambiguous indication of the data subject's agreement to the processing of their personal information.
• De-identification: The process of removing or modifying personal identifiers so that the information cannot reasonably be used to identify an individual.

These definitions are consistent with their usage under the CCPA, Illinois PIPA, and other applicable US privacy laws.

Vulnerability Disclosure and Security Research

Loopring Exchange welcomes responsible security research and maintains a vulnerability disclosure program. If you discover a security vulnerability that could affect user data or platform integrity, we encourage you to report it to us confidentially. Our commitment to you:

• We will acknowledge receipt of your report within 48 hours and provide an initial assessment within 5 business days.
• We will investigate all legitimate reports and take appropriate remediation actions promptly.
• We will not pursue legal action against researchers who follow responsible disclosure practices, including avoiding data access beyond what is necessary for demonstration and not publicly disclosing vulnerabilities before we have had reasonable time to address them.
• We may recognize researchers in our security acknowledgments page (with permission) for significant contributions.

To report a security issue, please email our security team at [email protected] with the subject "Vulnerability Report." Please do not use public forums or social media to disclose vulnerabilities before we have resolved them.

Privacy Policy Updates and Version History

We maintain a version history of this Privacy Policy to ensure transparency about changes over time. Major updates are summarized below:

Archived versions of previous Privacy Policies are available upon request by contacting our DPO at [email protected]. We encourage you to review the current version each time you use our platform.

Jurisdiction and Governing Law

This Privacy Policy and any disputes arising from it shall be governed by and construed in accordance with the laws of the State of Illinois and applicable federal United States laws, without regard to conflict of law principles. Any legal action or proceeding relating to this Privacy Policy shall be brought exclusively in the federal or state courts located in Cook County, Illinois.

If you are accessing our platform from outside the United States, you do so on your own initiative and are responsible for compliance with local laws. We make no representation that our platform or this Privacy Policy complies with the laws of any country outside the United States. By using our services, you consent to the transfer and processing of your data in the United States as described in this policy.

This policy is written in English. Any translations are provided for convenience only. In the event of a conflict between the English version and a translated version, the English version shall prevail.

Acknowledgment and Acceptance

By creating an account on Loopring Exchange or using our services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. You explicitly consent to the collection, use, and disclosure of your personal information as described herein.

If you do not agree with any part of this Privacy Policy, you should not create an account or use our services. Continued use of our platform after the effective date of any policy updates constitutes your acceptance of those changes.

For questions or concerns about this Privacy Policy, please contact our Data Protection Officer at [email protected] or write to us at Andes Wave LLC, 233 S Wacker Dr Suite 3500, Chicago, IL 60606, USA.