Privacy Policy
| Entity | Archway Finance JSC, incorporated in Bulgaria under company number 207778041 |
|---|---|
| Publication URL | https://archway.finance/privacy-policy |
| Version status | Version 1.3, 18 June 2026 |
| Related Terms | Terms of Service approved by legal for publication at https://archway.finance/terms-of-service |
1. Who we are and what this Privacy Policy covers
This Privacy Policy explains how Archway Finance JSC (Archway, we, us or our) collects, uses, shares and protects personal data when you visit our website, use our online services, apply to become a client, use our principal crypto-asset exchange services, contact us, or otherwise interact with us.
Archway is the controller of the personal data described in this Privacy Policy, unless we tell you otherwise in a specific notice. This means that we decide why and how that personal data is processed.
This Privacy Policy applies to website visitors, prospective clients, Retail Clients, Business Clients, authorised users, directors, beneficial owners, representatives, Business Partner Payers involved in approved Business Client flows, support contacts, complainants and other individuals whose personal data we process in connection with our services.
Capitalised terms used in this Privacy Policy may have the meaning given to them in our Terms of Service where the context relates to the Services.
2. Other Archway legal notices
You should read this Privacy Policy together with the legal notices that apply to the relevant service or interaction.
| Legal notice | URL |
|---|---|
| Terms of Service | https://archway.finance/terms-of-service |
| Cookie Notice | https://archway.finance/cookie-policy |
| Regulatory Information | https://archway.finance/legal/regulatory-info |
| Complaints | https://archway.finance/legal/complaints |
| Contact | https://archway.finance/legal/contact |
| Whistleblowing | https://archway.finance/legal/whistleblowing |
3. Personal data we collect
The personal data we collect depends on who you are, the service you request, your client type, your jurisdiction, the transaction flow, the checks required by law and the controls that apply to the relevant activity. We do not ask for more personal data than we reasonably need for the relevant purpose.
| Category | Examples | Typical source |
|---|---|---|
| Account, contact and access data | Name, email address, phone number, account identifiers, authentication details, authorised-user details, IP address and records of account access. | You, your authorised users, our systems and service providers. |
| Identity verification and KYC/KYB data | Date of birth, nationality, residential address, identity document data, photograph, selfie or liveness data where used, proof of address, signature, company registration details, business address, constitutional documents, directors, authorised representatives, ownership charts, beneficial owners and controller information. | You, Business Clients, authorised representatives, reliable public or official registers, identity verification providers and screening providers. |
| Financial-crime, sanctions and risk data | Sanctions, PEP and adverse-media screening results, source-of-funds and source-of-wealth information, risk ratings, transaction purpose, expected activity, jurisdiction, fraud/scam indicators, alert outcomes and compliance case notes. | You, screening and analytics providers, public sources, counterparties, banks, CASPs/VASPs, payment providers and our compliance teams. |
| Order, transaction and settlement data | Quotes, Orders, assets, amounts, fees, spreads, timestamps, transaction identifiers, bank account identifiers, wallet addresses, blockchain transaction hashes, settlement status, reconciliation information, invoices, contracts and accounting records. | You, your bank/payment provider, blockchain networks, CASPs/VASPs, Business Partner Payers where approved, Archway systems and service providers. |
| Business Client and Business Partner Payer data | Information about the Business Client, the disclosed Business Partner Payer, the commercial relationship, payer jurisdiction, source wallet or sending CASP/VASP, invoice, contract, order or equivalent commercial rationale and information required for AML/CFT, sanctions, KYT, Travel Rule, fraud and risk controls. | Business Clients, Business Partner Payers, counterparties, CASPs/VASPs, blockchain networks and screening or analytics providers. |
| Travel Rule and wallet information | Originator and beneficiary information, wallet ownership or control evidence, source wallet information, destination wallet information, CASP/VASP information and blockchain analytics outputs where required or available. | You, Business Clients, Business Partner Payers, CASPs/VASPs, blockchain networks and analytics providers. |
| Communications, support and complaints | Emails, messages, chat transcripts, support tickets, complaint details, call or video recordings where used, survey responses and records of our responses. | You, support channels, complaint channels and service providers. |
| Website, device, cookie and usage data | IP address, device and browser information, cookie identifiers, local storage and session storage data, consent choices, page views, clickstream data, referrer data, campaign parameters and similar online identifiers. | Your browser/device, our website/app, cookie tools, analytics providers and marketing providers where enabled and consented to where required. |
| Marketing preferences | Communication preferences, consent or opt-out records, campaign interaction metrics and information about the source of a sign-up or enquiry. | You, our website/app, marketing tools and communication providers. |
| Security, audit and legal records | Security logs, access logs, audit trails, incident records, legal-hold records, regulatory correspondence, dispute records and evidence needed to demonstrate compliance. | Archway systems, staff, service providers, auditors, advisers, regulators, courts or law-enforcement authorities. |
4. How we collect personal data
We collect personal data:
- directly from you when you apply, onboard, use the Services, submit an Order, contact support, make a complaint, change your details or exercise a data right;
- from Business Clients, authorised users, directors, beneficial owners, representatives and disclosed Business Partner Payers where a Business Client flow requires it;
- from identity verification, KYB, sanctions, PEP, adverse-media, fraud, blockchain analytics, wallet-screening, banking, payment, CASP/VASP, support, hosting, logging and other service providers;
- from public or official sources, company registers, blockchain networks and other sources we use to verify information, assess risk, monitor transactions or comply with law; and
- automatically from your browser or device through cookies, local storage, session storage, pixels, SDKs, logs and similar technologies, as described in our Cookie Notice.
5. Why we use personal data and our lawful bases
We use personal data only where we have a lawful basis. More than one lawful basis may apply to the same data depending on the context.
| Purpose | What this means | Typical lawful basis |
|---|---|---|
| Provide the Services and manage our relationship | To receive applications, onboard clients, manage accounts and authorised users, provide Quotes, process Orders, settle transactions, communicate with you and provide support. | Contract necessity; legitimate interests in operating the business and supporting clients. |
| Client type, eligibility and onboarding controls | To determine whether we can support a Retail Client, Business Client, asset, jurisdiction, transaction flow, limit or wallet/bank account. | Contract necessity; legal obligations; legitimate interests in risk management and service integrity. |
| KYC, KYB, AML/CFT, sanctions, PEP, adverse-media, fraud and Travel Rule controls | To verify identity, verify legal entities, identify beneficial owners and controllers, screen persons and wallets, monitor transactions, assess source of funds/wealth, detect suspicious activity and comply with legal and regulatory duties. | Legal obligations; legitimate interests in preventing crime, sanctions breaches, fraud and misuse of the Services. |
| Business Partner Payer flows for Business Clients | To assess approved inbound Business Partner Payer crypto-asset flows, verify the commercial rationale, screen payer/source information and document the relationship, without providing transfer, remittance or custody services. | Contract necessity for the Business Client relationship; legal obligations; legitimate interests in risk, fraud and compliance controls. |
| Transaction, settlement, accounting and recordkeeping | To process Orders, record ownership/payment/delivery steps, reconcile transactions, issue invoices, maintain operational records and meet tax, accounting, AML/CFT, MiCA and audit requirements. | Contract necessity; legal obligations; legitimate interests in accurate records and dispute management. |
| Security, resilience and fraud prevention | To protect accounts, systems and data, monitor access, investigate incidents, prevent abuse, debug errors, maintain service reliability and preserve evidence. | Legal obligations; legitimate interests in security, operational resilience and service integrity. |
| Complaints, disputes and legal claims | To handle complaints, support requests, investigations, legal claims, regulatory enquiries and evidence production. | Legal obligations; legitimate interests in resolving disputes and protecting legal rights. |
| Marketing and communications | To send service messages, regulatory or operational notices, and marketing communications where permitted. You can opt out of marketing communications. | Contract necessity for service messages; consent or legitimate interests for marketing, depending on the channel and applicable law. |
| Cookies, analytics and advertising | To operate the website/app, remember preferences, measure usage, improve services and, where enabled and consented to, measure or deliver advertising. | Strictly necessary cookies: legitimate interests/service necessity. Non-essential cookies and similar technologies: consent where required. |
6. Automated tools, screening and human review
We may use automated tools and service providers to support identity verification, fraud checks, sanctions/PEP/adverse-media screening, wallet screening, blockchain analytics, transaction monitoring and security monitoring. These tools help us identify matches, alerts, risk indicators and inconsistencies.
Automated outputs are used as part of our controls. Where an alert, match or risk indicator may materially affect onboarding, transaction processing, suspension or refusal, Archway applies review and escalation processes appropriate to the risk and legal requirement. We may not be able to explain detailed control logic where doing so would breach law, prejudice an investigation, reveal controls or create tipping-off risk.
7. Business Partner Payers and third-party data
For Retail Clients, Archway does not accept third-party payer flows unless separate approved product terms are adopted. For Business Clients, Archway may accept an inbound Business Partner Payer crypto-asset flow only where the flow has been expressly approved and passes Archway’s AML/CFT, sanctions, PEP, adverse-media, KYT, Travel Rule, fraud, scam, operational and risk controls.
Where a Business Client asks Archway to accept a disclosed Business Partner Payer flow, we may process personal data about the Business Partner Payer and relevant individuals connected to that payer. This may include identity, business, relationship, transaction, wallet, source, jurisdiction, invoice, contract and screening information. We process that data to assess and document the approved Business Client transaction, not to provide a transfer, custody, payment or remittance service to the Business Partner Payer.
If you are a Business Client, you are responsible for giving any required privacy information to individuals whose personal data you provide to us, unless we provide that information directly or another legal basis applies.
8. Blockchain data
Blockchain networks are generally public, global and difficult or impossible to alter. Wallet addresses, transaction hashes and on-chain activity may be personal data where they can be linked to an identifiable person.
We avoid placing unnecessary personal data on-chain. However, transactions may be visible on public blockchains and may be processed by validators, node operators, analytics providers, wallet providers and other participants outside Archway’s control.
9. Who we share personal data with
We share personal data only where necessary or permitted for the purposes described in this Privacy Policy. Recipients may include:
- Archway staff and authorised contractors on a need-to-know basis;
- identity verification, KYB, sanctions, PEP, adverse-media, fraud, blockchain analytics, Travel Rule, wallet, banking, payment, CASP/VASP, cloud, hosting, logging, security, customer support, communications, analytics and marketing providers;
- banks, payment institutions, CASPs/VASPs, wallet providers, blockchain networks and counterparties where needed to process or investigate a transaction or comply with law;
- professional advisers, auditors, insurers and outsourced service providers;
- regulators, financial intelligence units, tax authorities, law-enforcement authorities, courts, dispute-resolution bodies and other competent authorities where required or permitted; and
- successors or counterparties to a corporate restructuring, merger, sale, financing or similar transaction, subject to appropriate confidentiality and legal controls.
Where a service provider processes personal data on our behalf, we require appropriate contractual protections, including processor terms where required by GDPR. Where a recipient acts as an independent controller, it is responsible for its own use of personal data.
10. International transfers
We are based in Bulgaria and primarily design our processing around the European Economic Area where feasible. Some service providers, counterparties, blockchain networks or authorities may process personal data outside the EEA.
Where GDPR transfer rules apply, we use appropriate transfer safeguards such as adequacy decisions, standard contractual clauses, transfer risk assessments and additional measures where required. Public blockchain processing may be global and may not operate like a conventional international transfer controlled by Archway.
11. Security and confidentiality
We use organisational and technical controls designed to protect personal data against unauthorised access, loss, alteration, disclosure or misuse. These controls include access controls, role-based permissions, authentication controls, logging, monitoring, vendor governance, staff training, incident response and retention/deletion controls.
No online service is completely risk-free. You must keep your account credentials, devices, email accounts, wallets and authentication factors secure and promptly notify us if you suspect compromise.
12. How long we keep personal data
We keep personal data only for as long as needed for the purposes described in this Privacy Policy, including to provide the Services, comply with law, meet AML/CFT, MiCA, tax, accounting, complaints, audit and security requirements, resolve disputes, enforce terms and preserve evidence.
Typical retention periods include the following. Actual retention may be longer where required by law, legal hold, investigation, audit, dispute, regulator request or another documented exception.
| Record type | Typical retention |
|---|---|
| Customer onboarding and account data | Normally 5 years after the end of the business relationship. |
| KYC/KYB/UBO and screening evidence | At least 5 years after the end of the business relationship. |
| Transactions, settlement and reconciliations | Normally 10 years after transaction completion. |
| Customer support tickets and communications | Normally 5 years after ticket or account closure. |
| Complaints records and evidence | Normally 5 years after complaint closure, subject to legal holds or regulatory requirements. |
| Operational application logs | Normally 180 days, with some error-monitoring records retained for shorter periods. |
| Security audit logs | Normally at least 12 months. |
| Cookie consent and analytics records | Cookie consent records are normally retained for 13 months; analytics records may be retained for up to 26 months where enabled. |
| Marketing consent and opt-out evidence | For the duration of the consent or relationship and then as needed to evidence consent or opt-out. |
| Backups | Backups expire on their configured schedule. If data is deleted from production systems, it is not always selectively removed from backups, but restored data is re-checked against deletion and retention rules. |
13. Your data protection rights
Subject to applicable law, you may have the right to request access to your personal data, rectification, erasure, restriction, portability, objection to processing, and withdrawal of consent where processing is based on consent.
A request to delete an account or erase personal data does not always mean that all records can be deleted immediately. Where Archway must retain records for AML/CFT, MiCA, transaction, accounting, tax, complaint-handling, security, audit, legal-hold or regulatory reasons, we may retain and restrict the relevant records while deleting or anonymising personal data that is no longer required.
Before disclosing, deleting or changing personal data, we may need to verify your identity and authority. You can submit privacy requests through the contact channels published at https://archway.finance/legal/contact.
14. Cookies and similar technologies
We use cookies, local storage, session storage, pixels, SDKs and similar technologies to operate our website and app, maintain security, remember preferences, support wallet and login functionality, provide customer support, measure usage and, where enabled and consented to where required, conduct analytics and advertising measurement.
You can find more information and update available choices in our Cookie Notice at https://archway.finance/cookie-policy.
15. Marketing communications
We may send marketing communications where permitted by law. You can opt out of marketing communications by using the unsubscribe or preference mechanism in the message, by changing available account preferences, or by contacting us through the channels published on our website.
Even if you opt out of marketing, we may still send service, transactional, legal, security or operational communications.
16. Personal data breaches
If a personal data breach occurs, Archway assesses the incident, contains the issue where possible, preserves evidence and determines whether notification to a supervisory authority or affected individuals is required. Where notification is required, we will notify the relevant authority and/or affected individuals in accordance with applicable law.
17. Complaints and supervisory authority
If you are unhappy with how we handle your personal data or a data rights request, please contact us first so we can try to resolve the issue.
You may also have the right to lodge a complaint with a data protection supervisory authority. For Archway’s default setup in Bulgaria, the relevant authority may be the Bulgarian Commission for Personal Data Protection, unless another authority applies in a cross-border case.
You can also use Archway’s complaints page where the matter relates to the Services: https://archway.finance/legal/complaints
18. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes to our services, systems, legal obligations or processing activities. The current version is intended to be published at https://archway.finance/privacy-policy. Where required, we will provide additional notice of material changes.
19. Contact
General contact details are published at https://archway.finance/legal/contact. Please use those channels for privacy questions, data rights requests and other enquiries, unless a specific channel is provided to you.
Whistleblowing reports or concerns should be submitted through the dedicated whistleblowing page where applicable: https://archway.finance/legal/whistleblowing.