Privacy Policy

1. Introduction

eXchange1 (“we”, “us”, “our”) is committed to protecting the confidentiality and integrity of your personal data. This Privacy Policy describes, in a clear and structured manner, how we collect, use, disclose and safeguard your personal data when you use our online trading platform, mobile applications, web portal and any related services (collectively, the “Services”).

This Policy applies to personal data relating to individuals located in India whose data we process, including in connection with services offered into India from outside the country. Where other data protection regimes such as the EU General Data Protection Regulation (GDPR) apply, we supplement this Policy with jurisdiction‑specific information as required.



2. What we mean by “personal data”

“Personal data” means any information relating to an identified or identifiable individual. An individual is identifiable if the person can be recognised directly (for example, by name) or indirectly (for example, through an account number or device identifier combined with other data).

In this Policy, “you” refers to the individual whose personal data we handle in connection with the Services. We determine why and how this data is processed for our platform and therefore assume responsibility for those decisions, even where we rely on service providers to carry out certain activities on our behalf.



3. Categories of personal data we collect

The exact information we collect will depend on the nature of your relationship with us, the Services you use and the choices you make. Broadly, we process the following categories of personal data:



3.1 Identity and contact information

  1. Full name and, where relevant, title;
  2. Contact details such as email address and mobile number;
  3. Residential or correspondence address;
  4. Basic demographic information required for account opening (for example, date of birth, nationality).

3.2 Account and transactional information

  1. Account identifiers, login‑related information and profile details;
  2. Trade orders, execution details, positions, balances and related transaction history;
  3. Payment‑related information (for example, masked payment instrument details and transaction references) to facilitate deposits, withdrawals and fee collection, in line with regulatory expectations for financial entities.

3.3 Device, network and technical information

  1. Device type, operating system and application version;
  2. Device‑specific identifiers (such as IMEI, equivalent IDs or advertising identifiers where used);
  3. Network‑related identifiers such as IP address and MAC address;
  4. Technical logs, diagnostic data and performance metrics to maintain stability and security.

3.4 Usage and interaction data

  1. Information about how you navigate and interact with the Services (for example, screens visited, features used, clicks and scrolls);
  2. Session timestamps and duration;
  3. Referrer information, such as whether you accessed the platform from a particular link or campaign.

3.5 Cookies and similar technologies

  1. Identifiers and other information stored in cookies, SDKs, pixels and similar technologies that help us recognise your browser or device, keep you signed in, remember your preferences, measure usage and, where applicable, support marketing activities.

3.6 Communications and support records

  1. Content of your emails, messages and tickets submitted via our help centre;
  2. Records of chat or voice interactions with our support teams, where permitted by law;
  3. Responses to surveys and structured feedback exercises.

3.7 Compliance and verification data

  1. Identity documentation and information required for “know your customer” (KYC) processes;
  2. Information obtained for anti‑money‑laundering, counter‑terrorist financing and sanctions screening checks;
  3. Regulatory and tax‑related information that we must collect, maintain and report under applicable financial‑sector and anti‑money‑laundering frameworks.


4. Why we use your personal data

We process your personal data only for purposes that are clearly defined, legitimate and proportionate. The principal purposes are as follows:



4.1 Account establishment and lifecycle management

  1. To create, activate and administer your account, including identity verification where required;
  2. To maintain and update your profile information and preferences;
  3. To maintain and update your profile information and preferences;
  4. To authenticate you when you log in and to manage session security.

4.2 Provision of trading and platform services

  1. To receive, process and execute your trade orders;
  2. To facilitate deposits, withdrawals and fee payments through supported channels;
  3. To provide confirmations, statements, notifications and other communications relating to your use of the platform.

4.3 Risk management, security and fraud prevention

  1. To monitor accounts and transactions for indicators of fraud, abuse or suspicious behaviour;
  2. To detect, investigate and mitigate potential threats to the security and integrity of the Services;
  3. To apply internal controls, checks and alerts that are commonly expected in regulated financial environments.

4.4 Client support and dispute resolution

  1. To respond to your requests for information or assistance;
  2. To handle grievances and complaints, including investigation and communication of outcomes;
  3. To manage and resolve disputes relating to trades, account activity or use of the Services.

4.5 Service quality, analytics and product development

  1. To analyse aggregated usage patterns and performance metrics in order to improve user experience;
  2. To test new features or changes in a controlled manner and measure their impact;
  3. To compile statistical insights that do not identify individual users but help guide platform development.

4.6 Communications and engagement

  1. To inform you about material updates to the Services or this Policy;
  2. To send, where permitted, information on new products, features, market insights or promotions that may be relevant to you;
  3. To solicit feedback through surveys or similar channels to better understand client expectations.

4.7 Legal, regulatory and governance requirements

  1. To comply with obligations under financial‑sector statutes, tax laws, anti‑money‑laundering and sanctions regimes, and other applicable legal frameworks;
  2. To respond to lawful directions, notices and requests from regulators, supervisory bodies, enforcement agencies and courts;
  3. To exercise or defend legal claims, manage incidents and maintain appropriate records for audit and governance purposes.



5. Cookies and similar technologies

We make use of cookies and comparable technologies on our websites and applications. These technologies serve several functions, such as maintaining your login session, remembering your preferences and providing aggregated usage analytics.


In particular, we may use:

  • Strictly necessary technologies, which are essential to deliver core functionality such as secure login, order placement and protection against fraudulent activity;
  • Preference technologies, which store your settings (for example language or display preferences) to streamline subsequent
  • Analytics technologies, which help us understand how the platform is accessed and used so that we can improve performance and usability;
  • Marketing and measurement technologies, where used, which support the delivery and assessment of communications that may be of interest to you.

Through our cookie and preference tools, you can exercise choice in relation to non‑essential technologies. Disabling certain categories may limit some convenience or personalisation features but will not generally prevent you from using core trading functions, provided those functions do not rely on the disabled technologies.




6. Children’s personal data

Our Services are designed for use by adults. We do not intentionally offer trading accounts to individuals below 18 years of age and do not knowingly process children’s personal data for behavioural profiling or targeted advertising purposes. Where the law requires parental or guardian involvement for any processing of a young person’s data, we will implement appropriate measures to verify and record such involvement. If we become aware that a minor has provided personal data or accessed the Services without the necessary safeguards, we will take reasonable steps to restrict further access and delete or anonymise the data, subject to any obligations to retain certain records for regulatory reasons.




7. Data retention

We retain personal data only for as long as it is genuinely needed for the purposes set out in this Policy or for as long as applicable laws and regulatory guidelines require. Retention periods differ depending on the category of data and the context in which it was collected.


By way of illustration:

  • Transaction and KYC records are typically retained for multi‑year periods prescribed under financial‑sector and anti‑money‑laundering frameworks, in order to support regulatory reporting and investigations.
  • Customer support and complaint‑handling records are retained for a duration that enables effective follow‑up, supervisory review and defence of potential legal claims.
  • Data processed solely for optional analytics or marketing is retained in line with your preferences and deleted or anonymised when no longer required.

Once the relevant retention criteria are no longer satisfied, we endeavour to erase personal data in a secure manner or to irreversibly de‑identify it so that it can no longer be linked to you.




8. Information security and incident handling

We implement a layered information security framework covering organisational, technical and physical controls to protect personal data against unauthorised access, alteration, disclosure or destruction.


Measures include, where appropriate:

  • encryption of data in transit and, for sensitive categories, at rest;
  • access controls and authentication mechanisms based on roles and “need to know” principles;
  • segregation of environments and strong network‑security configurations;
  • logging, monitoring and alerting for anomalous activity; and
  • periodic security testing and risk assessments, aligned with sectoral expectations.

If we detect an incident that materially affects the confidentiality, integrity or availability of personal data, we will follow an internal incident‑management procedure that includes containment, investigation, remediation and documentation. Where required by Indian data protection rules, we will also notify the competent authority and inform affected individuals of the incident and of steps they may reasonably take to mitigate any adverse impact.




9. How and with whom we share personal data

We do not trade in or sell your personal data. However, in operating our business and complying with our obligations, we may share personal data with carefully selected third parties, subject to appropriate safeguards.



9.1 Service providers and professional advisers

  1. Technology and infrastructure providers (for example, cloud hosting, data centres and communications services);
  2. Payment service providers and banking partners;
  3. KYC and screening vendors, analytics providers and customer support providers;
  4. External auditors, legal advisers and consultants.

These parties are engaged under contractual arrangements that require them to act only on our instructions, apply appropriate security controls and maintain confidentiality.


9.2 Group companies

  1. Affiliated entities that assist with operations, risk and compliance functions, or consolidated reporting, under intra‑group arrangements that preserve the level of protection described in this Policy.

9.3 Public authorities and counterparties

  1. Regulators, supervisory bodies and enforcement agencies, when disclosure is mandated by law or reasonably required for regulatory cooperation;
  2. Court or tribunal systems, where data is required for the conduct of proceedings;
  3. Other parties where disclosure is necessary to establish, exercise or defend legal claims, or to protect the rights and safety of our users, our staff or third parties

9.4 Corporate transactions

  1. Prospective or actual acquirers and their advisers in the context of mergers, acquisitions, reorganisations or similar corporate events, subject to commitments that personal data will continue to be handled in a manner compatible with this Policy or under an equivalent standard of protection.



10. Cross‑border data transfers

Given the international nature of modern financial and technology services, personal data processed in connection with our platform may be stored or otherwise handled on systems located outside India, for example in European data centres or other jurisdictions where we or our service providers operate.


Where personal data is transferred outside India, we take steps to ensure that:

  • such transfers are in line with applicable Indian rules on permissible destinations; and
  • the recipient is bound by contractual or other commitments to respect standards of privacy and security that are broadly comparable to those described in this Policy.

If we detect an incident that materially affects the confidentiality, integrity or availability of personal data, we will follow an internal incident‑management procedure that includes containment, investigation, remediation and documentation. Where required by Indian data protection rules, we will also notify the competent authority and inform affected individuals of the incident and of steps they may reasonably take to mitigate any adverse impact.




11. Your privacy rights

Individuals whose personal data we process in India enjoy certain rights intended to promote transparency and control over their data.


These include, in particular:

  • Right to information and access – the ability to ask what categories of personal data we hold about you, how we use it, and with whom it is usually shared.
  • Right to correction and updating – the ability to request that inaccurate, incomplete or misleading personal data be corrected or completed, and that certain data be updated so that it remains accurate and relevant.
  • Right to request erasure in appropriate cases – the ability to request deletion of personal data that is no longer necessary for the purposes for which it was collected, or where you have withdrawn consent and there is no overriding legal requirement to continue retaining it.
  • Right to raise grievances – the ability to lodge complaints regarding our handling of your personal data and to receive an appropriate response within a reasonable timeframe.
  • Right to nominate – the ability to appoint another person who may exercise these rights on your behalf in the event of your death or incapacity, subject to applicable formalities.

Where other regimes such as GDPR apply, additional rights (for example, data portability or certain rights to object) may be available and will be explained in the relevant local documentation.


Exercising your rights

  • Where self‑service tools are available within your account, you may use them to view, download or update specific information;
  • For other requests, you may contact us using the details provided in the “Contact us” section below, clearly indicating the nature of your request.

We may seek reasonable information to verify your identity before acting on your request, and will endeavour to respond within timelines consistent with applicable law and regulatory guidance.




12. Consent and your choices

For certain types of processing – particularly marketing communications, non‑essential analytics and some cookie uses – we rely on your consent or on clear indications from you that you wish to proceed. We aim to present choices in a granular, understandable way so that you can decide which uses you are comfortable with.


You can, at any time :

  • withdraw consent to receive marketing communications by using the “unsubscribe” or preference links in our messages, or by adjusting your profile settings;
  • adjust cookie and analytics settings via our cookie banner or in‑app tools;
  • contact us to indicate that you no longer wish certain optional processing activities to continue.

Where you withdraw consent, we will cease the relevant processing within a reasonable period, except to the extent limited retention is required by law (for example, to demonstrate that we respected your preferences) or to enforce our rights. Withdrawing consent may affect our ability to provide certain features, but will not affect the lawfulness of processing carried out prior to the withdrawal.




13. Complaints and escalation

We encourage you to raise any privacy‑related concerns directly with us so that we have an opportunity to address them.


  • Upon receiving a complaint, we will acknowledge it, review the underlying circumstances and provide a response setting out our position and any remedial steps we consider appropriate.
  • If you remain dissatisfied after our response, you may have the option to pursue the matter before the competent authority responsible for overseeing data protection and privacy in India, in accordance with the procedures and conditions that authority has published.



14. Third‑party websites and services

The Services may contain links or integrations that connect you to websites, applications or services operated by third parties. We do not control, and are not responsible for, how those third parties handle personal data once you leave our environment.

You are encouraged to review the privacy policies of such third‑party services before providing any personal data to them, so that you understand how your data will be used and the choices available to you.




15. Changes to this Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our Services, internal practices, or the legal and regulatory landscape. Substantive changes will be communicated in an appropriate manner, which may include notices on our website or app, emails or other direct communications.

Where applicable law requires fresh consent for material changes affecting how your personal data is used, we will seek such consent before implementing those changes in relation to your data.




16. Contact us

If you have any questions, requests or concerns about this Privacy Policy or our handling of personal data, you may contact us using the details below:

  • Privacy & Legal: legal@eXchange1.com
  • Grievance contact for India: grievance@eXchange1.com
  • Postal address: 91 Springboard Business Hub Pvt Ltd, Plot No. D-5 Road No. 20, Marol Midc, Andheri East, Chakala Midc, Mumbai, Mumbai, Maharashtra, India, 400093.

We aim to respond to all bona fide privacy requests promptly and in a manner consistent with applicable data protection standards and the expectations outlined in leading Indian legal and regulatory analyses of the current data protection regime.