AML/KYC CUSTOMER CLAIMS PORTAL PRIVACY NOTICE

Effective Date: July 13, 2024

Last Updated: January 22, 2025

SCOPE AND OVERVIEW

We at FTX Trading Ltd. and the FTX Recovery Trust (and any of their respective successors), together with our non-debtor affiliates that determine, whether alone or jointly with another, the purposes and means of the processing of personal data under applicable laws (collectively, "FTX," "we," "us" or "our") have created this AML/KYC Customer Claims Portal ("Portal") Privacy Notice (this "Privacy Notice") to explain how your personal data is used and shared.

This Privacy Notice applies to all personal data, including sensitive personal data that is collected from FTX customers who submit information to FTX for (i) Know-Your-Customer ('KYC") and Anti-Money Laundering ("AML") customer identification and fraud prevention purposes, (ii) tax purposes and (iii) administration purposes through the Customer Claims Portal in order to enable customer claims and distributions to be processed and monitored.

COLLECTION AND PURPOSE OF PROCESSING PERSONAL DATA

In connection with the processing and monitoring of claims and distributions, FTX or its third-party vendors may collect certain categories of personal data (i) for administrative or tax purposes, (ii) to prevent fraud and money laundering or (iii) to verify your identity. We collect data that you provide to us directly, when you use our Portal and services, and from other sources such as third-party services and organizations, as described below. We will also use your personal data for assessing and calculating what, if any, rebate you might be entitled to from your account holdings.

A. Information You Provide to Us Directly

We may collect the following personal data that you provide to us.

  • Identification information: First and last name, date and place of birth, gender, phone number, email, address and proof of address, government identification number (including Social Security number, driver's license number and passport number), nationality, citizenship, and any other information necessary to verify your identity to comply with our regulatory obligations under financial crime prevention or anti-money laundering laws;
  • Institutional information: If you are an institutional customer, we may collect your institution's legal name, Employer Identification number (or comparable number issued by a government), and identification information for all material beneficial owners;
  • Financial information: Bank account information, transaction history, trading data and/or tax identification, source of funds/wealth;
  • Biometric Data: photos of a face (including selfie images) and photo or scan of a facial image on the identification document and, in some cases, any video footage;
  • Transaction information: Information about the transactions you make using our services, holdings, transaction amounts and, where applicable, the name of any transaction recipients;
  • Employment information: Your job title, office location, source of income, whether you are a politically exposed person (PEP);
  • Tax information: Information that you provide in connection with the completion of the Internal Revenue Service Forms W-8 and W-9; and
  • Correspondence: Information you provide to our customer support teams.

B. Information Collected Automatically (Use of Cookies)

We may collect personal data automatically when you use our Portal:

Automatic Data Collection. We may collect certain information automatically when you use our Portal, such as your Internet Protocol (IP) address, Media Access Control (MAC) address, cookie identifiers, mobile carrier, and other unique identifiers, browser or device information, location information (including approximate location derived from IP address), and Internet service provider.

We use different types of cookies which allows us to improve our Portal and helps it to run effectively (please refer to our Cookie Policy on this site). We may also automatically collect information regarding your use of our services, such as pages that you visit before, during and after using our services, information about the links you click, the types of content you interact with, the frequency and duration of your activities, and other information about how you use our services.

Please note, however, that without cookies some features may not function correctly and/or you may not be able to use all of the features of our Portal.

The Portal is not designed to respond to "do not track" signals received from browsers.

C. Information Collected from Other Sources

We may obtain information about you from other sources, including through third-party services and organizations. For example, personal data may be checked in multiple databases, including international politically exposed persons, individuals subject to economic sanctions, country-specific sanctions lists (e.g., OFAC, European Union, HM Treasury), criminal lists, and financial lists. In addition, your information may be screened against other media and news sources. The personal data you provide, we collect from you, or we receive from third parties will be used to prevent fraud and money laundering, and to verify your identity.

COLLECTION AND PURPOSE OF PROCESSING SENSITIVE PERSONAL DATA, INCLUDING BIOMETRIC DATA

FTX or its third-party vendors may collect certain information, including a photo or video of a face or a photo or scan of a face on an identification card that is used to analyze numerical facial features and create a scan of facial geometry ("Biometric Data") along with technical data, such as software and hardware attributes of the camera used to take the photo or video; a unique identifier, such as an Applicant ID; and geolocation data, such as IP addresses and general geographic location (e.g., city, country) from a device. Processing Biometric Data for the purpose of uniquely identifying a natural person is considered Sensitive Personal Data under applicable laws. Depending on the jurisdiction where you are located, additional categories of personal data may be treated as Sensitive Personal Data, such as government-issued identification documents, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, among others.

FTX collects Biometric Data to authenticate an individual's identity as part of FTX's KYC and AML customer identification and fraud prevention processes. This may include automated processing of Biometric Data to verify your identity by checking and comparing the Biometric Data with information previously collected from other sources.

LEGAL BASIS FOR PROCESSING PERSONAL DATA

FTX may process personal data to comply with various legal and regulatory KYC, AML or tax obligations. In addition, FTX may process personal data in accordance with the legitimate interest of safeguarding FTX against inadvertently dealing with the proceeds of criminal activities or assisting in any other unlawful or fraudulent activities (for example, terrorism financing). FTX may also use your personal data to fulfil our legitimate interests to respond to your communications, inquiries and requests. Furthermore, FTX may process personal data for substantial public interest reasons, such as to prevent, detect and report fraud, money laundering and other offences.

FTX may also process Sensitive Personal Data, including Biometric Data, as described in the Consent form below. In addition to processing Sensitive Personal Data pursuant to the Consent clause, FTX may also process Sensitive Personal Data to comply with various legal and regulatory KYC and AML obligations. Furthermore, FTX may process Sensitive Personal Data for substantial public interest reasons, such as to prevent, detect and report fraud, money laundering and other offences.

PERSONAL DATA SHARING

FTX will not sell or share any personal data, including Sensitive Personal Data, and will not disclose or disseminate any personal data, including Sensitive Personal Data, to anyone other than (i) distribution agents that are appointed by FTX for the purposes of processing distributions in connection with your claim, (ii) third party vendors who are not authorized by FTX to use or disclose the information except as necessary to perform services on FTX's behalf or comply with legal requirements, (iii) as required by law or pursuant to a valid warrant or subpoena, (iv) to exercise or defend FTX's legal rights, (v) as necessary or appropriate to prevent physical harm or suspected or illegal activity or (vi) in the event FTX sells or transfers all or a portion of FTX's business or assets (including, without limitation, in the event of a merger, acquisition, joint venture, reorganization, divestiture, dissolution or liquidation) to the successor of such business or assets.

INTERNATIONAL TRANSFERS

Personal data, including Sensitive Personal Data, will be stored on servers in the United States. In certain circumstances, FTX may transfer personal data, including Sensitive Personal Data to another jurisdiction that is different from the jurisdiction in which it may have been originally collected.

Where applicable, FTX will implement appropriate technical and contractual safeguards commensurate with the requirements of the jurisdiction from which the personal data is exported to ensure the adequate protection of personal data, including Sensitive Personal Data. This which may include, depending on the applicable jurisdiction, the use of standard contractual clauses or reliance on a derogation applicable to the specific scenario of the data transfer.

DATA SECURITY

FTX uses commercially reasonable procedures and measures to protect the personal data, including Sensitive Personal Data it collects from accidental or unauthorized loss, misuse, damage, modification, access or disclosure. These measures include physical, technical, and administrative safeguards to ensure the confidentiality and integrity of your personal data. FTX will securely dispose of any personal data, including Sensitive Personal Data that is no longer necessary to be retained as permitted or required by applicable law or as necessary for FTX to meet its operational obligations.

DATA RETENTION

FTX retains personal data, including Sensitive Personal Data collected pursuant to this Privacy Notice until the initial purpose of obtaining such personal data, including Sensitive Personal Data has been satisfied after which time FTX will securely destroy the personal data, including Sensitive Personal Data. FTX retains Biometric Data collected pursuant to this Privacy Notice until the initial purpose of obtaining such Biometric Data been satisfied or within 3 years of the last interaction with FTX, whichever comes first.

In some circumstances, FTX may be required to store your personal data, including Sensitive Personal Data for longer periods of time, for instance where FTX is required to do so in accordance with legal, regulatory, tax or accounting requirements, as well as to resolve disputes, enforce our agreements, prevent fraud or for other legitimate purposes. In that case, FTX will follow the retention periods required by law after which time FTX will securely destroy the personal data, including Sensitive Personal Data.

CHILDREN'S INFORMATION

This Portal is intended for a general audience, is not directed to children under 13 years of age and FTX does not knowingly collect personal data, including Sensitive Personal Data from children under the age of 13. If FTX becomes aware that it has collected personal data, including Sensitive Personal Data from a child under the age of 13, it will promptly delete the information, unless legally obligated to retain such information. If you believe a child under the age of 13 may have provided personal data, including Sensitive Personal Data, please contact us as specified below in this Privacy Notice.

LINKS TO OTHER WEBSITES

The Portal may contain links to other external, third party websites. We are not responsible for the privacy or other practices of any third parties or the content of other websites. We recommend that you review the privacy and other practices of these third parties and websites.

INDIVIDUAL RIGHTS AND HOW TO EXERCISE THEM

Depending on the applicable data protection laws or regulations, individuals may have the following rights with respect to personal data, including Sensitive Personal Data:

  • To request access to personal data, and be provided with it in permanent form.
  • To request correction of personal data that is inaccurate or incomplete.
  • To request deletion of personal data to the extent permitted by law.
  • To request the restriction of the processing of personal data.
  • To object to the processing of personal data based on legitimate interests or for direct marketing purposes.
  • To request that FTX return the personal data or, where technically feasible, have it transferred to a third party.
  • To request that we disclose to you:
    • the categories of personal data we have collected about you,
    • the categories of sources from which the personal data is collected,
    • the business or commercial purpose for collecting or selling the personal data,
    • the categories of third parties with whom we have shared the personal data, and
    • the specific pieces of personal data we have collected about you.
  • To not be subject to a decision based solely on automated processing based on profiling or otherwise that has a legal or significant effect.
  • To not receive discriminatory treatment for the exercise of any of the foregoing rights.

For further information, or to exercise the rights listed above, please contact FTX at dataprivacy@ftx.com.

You may designate an authorized agent to make a request on your behalf pursuant to this Privacy Notice or applicable law. Prior to completing a request made by such an authorized agent, we require that you provide your authorized agent with written permission to submit such a request and require that you or your authorized agent provide us with a copy of such written permission. In addition to the rights above, individuals may also be entitled to appeal our decisions with regard to their requests by contacting us at dataprivacy@ftx.com or lodge a complaint with the competent supervisory authority in the appropriate jurisdiction.

General Data Protection Regulation (GDPR) – European Representative

Pursuant to Article 27 of the General Data Protection Regulation (GDPR), FTX has appointed European Data Protection Office (EDPO) as its GDPR Representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR:

  • by sending an email to EDPO at EDPO@ftx.com. Please note that the information that you provide in this email will be transferred to a country outside of the European Economic Area (EEA) for purposes related to the handling of your request to exercise your rights under the GDPR. This country may not have equivalent data protection laws to the EEA or benefit from an adequacy decision by the EU Commission. By submitting your personal data, you are agreeing to this transfer and processing.
  • by writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium

    • UK General Data Protection Regulation (GDPR) - UK Representative

    Pursuant to Article 27 of the UK GDPR, FTX has appointed EDPO UK Ltd as its UK GDPR representative in the UK. You can contact EDPO UK regarding matters pertaining to the UK GDPR:

  • by sending an email to EDPO UK at EDPO@ftx.com. Please note that the information that you provide in this email will be transferred to a country outside of the United Kingdom (UK) for purposes related to the handling of your request to exercise your rights under the GDPR. This country may not have equivalent data protection laws to the UK or benefit from an adequacy decision. By submitting your personal data, you are agreeing to this transfer and processing.
  • by writing to EDPO UK at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom

    • FADP Article 14 Representative

    Pursuant to Article 14 of the Federal Act on Data Protection (the "FADP"), FTX Trading Ltd has appointed EDPO Switzerland as its Representative in Switzerland. You can contact EDPO Switzerland regarding matters pertaining to the FADP:

  • by sending an email to EDPO Switzerland at EDPO@ftx.com. Please note that the information that you provide in this email will be transferred to a country outside of Switzerland for purposes related to the handling of your request to exercise your rights under the FADP. This country may not have equivalent data protection laws to Switzerland or benefit from an adequacy decision. By submitting your personal data, you are agreeing to this transfer and processing.
  • by writing to EDPO Switzerland at Rue de Lausanne 37, 1201 Geneva, Switzerland

    • You may designate an authorized agent to make a request on your behalf pursuant to this Privacy Notice or applicable law. Prior to completing a request made by such an authorized agent, we require that you provide your authorized agent with written permission to submit such a request and require that you or your authorized agent provide us with a copy of such written permission. In addition to the rights above, individuals may also be entitled to appeal our decisions with regard to their requests by contacting us at dataprivacy@ftx.com or lodge a complaint with the competent supervisory authority in the appropriate jurisdiction.

    CALIFORNIA RESIDENTS

    In the past twelve months we have collected, and in the future we will continue to collect, the categories of personal information listed in the section above entitled "COLLECTION AND PURPOSE OF PROCESSING PERSONAL DATA " from the sources described in that section. This includes the following categories of personal information set out in the CCPA: identifiers, personal information described in Section 1798.80 of the California Civil Code, Biometric Information, Internet or other electronic network activity information, geolocation data, professional or employment-related information and sensitive personal information.

    We use your personal data for a number of "business purposes" as defined in the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. and its implementing regulations (the "CCPA"), as modified by the California Privacy Rights Act (the "CPRA"). These business purposes include, without limitation:

    • Performing services, including, without limitation, maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing advertising or marketing services, providing analytics services, or providing similar services;
    • Auditing related to a current interaction with the consumer;
    • Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity;
    • Debugging to identify and repair errors that impair existing intended functionality;
    • Short-term, transient use;
    • Undertaking internal research for technological development and demonstration; and
    • Undertaking activities to verify or maintain the quality or safety of a service and to improve, upgrade, or enhance the service.

    We do not sell (as defined in the CCPA) personal data and have not done so in the past twelve (12) months. We do not share personal data for cross-contextual behavioral advertising purposes.

    You may exercise your rights under the CCPA with respect to your personal information as set forth in the "INDIVIDUAL RIGHTS AND HOW TO EXERCISE THEM" section of this Privacy Notice. We will not discriminate or retaliate against you if you choose to exercise any of your rights under the CCPA. We are permitted, however, to charge you a reasonable fee to comply with your request.

    CONSEQUENCES OF FAILURE TO PROVIDE PERSONAL DATA

    Where FTX asks you to provide personal data on a mandatory basis, FTX will inform you of this at the time of collection. Providing the necessary personal data during the KYC and AML process is essential for FTX to fulfil its legal and regulatory obligations. Failure to provide the required personal data may result in certain consequences, including (i) inability to process your claim through FTX's AML/KYC Customer Claims Portal; and (ii) you could be deemed in non-compliance with legal requirements.

    CHANGES TO THE PRIVACY NOTICE

    FTX may update this Privacy Notice from time to time to reflect changes in its practices or applicable laws and regulations. The updated version will be made available on our Portal and website, and we encourage you to review it periodically.

    CONTACT DETAILS

    If you have any questions concerning this Privacy Notice, please contact FTX at dataprivacy@ftx.com or by writing to:

    FTX Trading LTD.
    125 Broad Street
    New York, New York 10004-2498
    Attention: FTX Mail Room