We sincerely thank you for choosing and trusting RONKB Exchange (hereinafter referred to as "this platform" or "we"). We fully understand the importance of personal information protection to you and will strictly comply with relevant laws, regulations, and industry standards to provide you with compliant, reasonable, necessary, and secure information processing services. Before using this platform's services, please carefully read and fully understand all the terms of this Privacy Policy.
If you have any questions or objections to any terms of this Privacy Policy, please suspend your use of the Platform's services. By continuing to access, use, or register for the Platform, you acknowledge that you have fully understood and agreed to all the terms of this Privacy Policy and voluntarily accept all its terms and conditions.
1. Scope of Application and User Definition
Applicable Entities:
All natural persons and legal entities who register, log in, browse, or use the products and services of this platform
This policy applies regardless of whether you access this platform via a website, app, PC client, API interface, or through third-party authorized login.
Applicable Regional Regulations:
Compliant with international laws and regulations such as the EU GDPR, US CCPA, and California CPRA. Users in different regions may enjoy different exclusive rights depending on their location.
Updates and Version Control:
This policy takes effect upon publication. Any future changes to the policy or services will be announced 30 days in advance.
2. Terminology Definitions
Personal Information: Data that can identify a natural person either alone or in combination with other information.
Sensitive Information: Includes ID numbers, financial account numbers, facial/fingerprint recognition, biometric data, geolocation, etc.
Processing: Any operation or set of operations performed on personal information, such as collection, use, storage, transmission, deletion, etc.
User: Refers to natural persons or legal entities who register, log in, browse, purchase, or transact on this platform
Data Controller: The entity that determines the purpose and means of processing information, i.e., this exchange
Data Processor: A third party that processes data on behalf of the Data Controller in accordance with its instructions
Cryptocurrency: A digital asset generated using blockchain technology and encryption algorithms, such as BTC, ETH, etc.
Cookies: Small text files used to record user preferences, login status, and device information to help the platform optimize the user experience
AML: Anti-Money Laundering Policy, aimed at preventing activities that generate illicit gains through illegal means
3. Types and Sources of Information Collection
3.1 Information You Provide Voluntarily
Registration information: Email address, phone number, password, invitation code, country/region
Identity verification: Full name, ID number/passport number, issuing authority, photo ID, address proof
Payment details: Bank/payment account information, deposit amount, transaction history
Transaction Behavior: Currency traded, amount, time, order type, transaction ID
Customer service interactions: Question content, feedback content, audio/video recording records
Survey and Questionnaire Completion: Risk preference survey, investment experience, personal preferences
3.2 System-Collected Information
Device information: Device model, operating system, browser, resolution
Network logs: IP address, access time, page URL, source platform, Referer
Operation logs: Click paths, operation times, error logs, abnormal behavior
Cookies and similar tracking technology data
3.3 Third-party collection
Third-party identity verification: Authorized facial recognition, ID verification
Third-party KYC/PAY providers
Supplementary information provided by public channels or partners, such as risk ratings, national blacklist information
4. Core Functionality and Implementation Guidelines
Transaction Account Service System
User registration and authentication support, fund deposit and withdrawal management, transaction order matching services
Security and compliance control mechanisms
Implement anti-money laundering monitoring, fraud risk warning, abnormal operation identification, and asset security protection system
Product Iteration Optimization Plan
Functional usage data analysis, interface interaction improvements, transaction process optimization, and system stability upgrades
Customer service support system
Consultation and response services, real-name authentication assistance, transaction dispute mediation, and complaint handling mechanisms
Market Operations Management Module
Recommendation Reward Programs, Targeted Member Marketing, and Tiered Customer Service System Development
Compliance with Legal Obligations
Cooperation with regulatory authorities in reviews, judicial investigations, and other legal procedures
5. Additional Safeguards for Sensitive Information
Usage Scenario Control: Collected only during real-name authentication, anti-money laundering verification, and major transactions, with prior notification
Encryption and transmission: TLS 1.3, AES-256, RSA key management
Access Logging and Traceability: Access logs are retained for each access, supporting security audits
Retention and Release Principles: Data is retained for the minimum necessary period and deleted or anonymized upon expiration
Data Masking Technology: Dynamic masking and field truncation are applied to display scenarios to ensure that sensitive fields cannot be fully restored in non-essential scenarios
Access control: Implement a least privilege access authorization strategy; sensitive database operations require dual review and dynamic token-based two-factor authentication
Emergency response mechanism: Establish a graded response plan for data breach incidents, including system circuit breakers, traceability blocking, and a 72-hour reporting process to regulatory authorities
Regular assessment and updates: Conduct quarterly encryption algorithm strength tests and key rotation drills, and update the protection system in accordance with international standards
6. Cookies and Network Tracking
Mandatory Cookies: Login authentication, session management, and security protection
Optional Cookies: Preference settings and statistical analysis; users can choose to enable or disable them to balance privacy protection and user experience
Performance Analysis Cookies: Google Analytics and platform-developed statistical tools are used to optimize page loading speed and improve system response efficiency. Data collection is transparent, and users can view and manage their personal tracking data at any time.
Marketing Cookies: Used by advertising platforms for precise targeting of user groups to improve ad conversion rates. Users have the right to opt out to ensure their personal information is not misused
Management instructions: Users can manage or disable these cookies in their browser or app settings, which may affect certain features and functionality
7. Data Retention and Deletion Guidelines
Transaction Records: In accordance with international anti-money laundering and tax regulations, the minimum retention period is 7 years
Customer Identity Verification Documents: The basic retention period is set at 5 calendar years
Security logs and event records: Maintained for a storage period of no less than 12 months
Marketing Data: Strictly retained within the validity period of the marketing campaign
Account Closure Request Handling Mechanism:
After verifying the authenticity of the user's identity, the platform will automatically trigger the data deletion process
The request will be processed and the result communicated to the user within 30 business days, with data deletion executed after transaction verification
Data that must be retained under legal or regulatory requirements is not subject to this provision
8. Cross-border and Third-party Sharing
Reasons for cross-border data transmission: To comply with global high-availability architecture, improve access speed, and ensure secure backup
Security Measures: Standard contract terms, data security assessments, encryption technology, and two-way authentication mechanisms to ensure data transmission security
Third-party sharing principles: Limited to necessary business cooperation, strict review of the qualifications of cooperation partners, clear definition of the scope of data use and responsibility allocation, regular audits of the data protection measures of cooperation partners to ensure that user privacy is not infringed
Termination of data sharing: Upon termination of cooperation, data sharing shall be immediately ceased, and data return or destruction procedures shall be executed to ensure no residual risks remain
9. User Rights
In compliance with GDPR/CCPA/PIPL regulations, users are granted the following rights:
Access Right – Log in or contact customer service to request a copy of personal information
Right to Review – Verify the accuracy of personal data and request correction of any errors
Data portability – Request a copy of personal data in a standard format for transfer to other services
Transparency Right – Obtain detailed information about data processing
Right to Object to Automated Decision-Making and Profiling – Object to decisions based solely on automated processing that significantly affect your rights and interests
Right to rectification – Real-time modification of non-sensitive data in the personal center
Right to erasure – Delete unnecessary or illegal data, subject to identity verification
Restriction of processing – Object to unreasonable processing or choose to restrict processing to identity verification only
Right to withdraw consent – Withdraw marketing/promotional authorization
Data portability – Export data where technically feasible
Right to Lodge a Complaint – File a complaint with this platform or the relevant regulatory authority
10. Security Assurance Mechanisms
Physical and Network Isolation: Deploy industrial-grade multi-layer firewall systems, adopt a VPC architecture to achieve tenant-level network isolation, implement physical disk encryption isolation for core data, and enforce independent access channel control for critical business systems
Penetration Testing and Vulnerability Scanning: A professional red-team and blue-team security team conducts monthly penetration tests, integrates an automated vulnerability scanning platform for real-time monitoring, and annually engages CNVD-certified institutions to perform comprehensive security assessments. High-risk vulnerabilities are resolved within 12 hours.
Emergency Response System: Deploy an intelligent log analysis system to enable 24/7 threat detection, establish a five-level security incident classification mechanism, and assign a dedicated SOC team to execute the golden 72-hour incident response process, including incident tracing, root cause analysis, and system reinforcement standard operations
Employee Control Security: Implement biometric + dynamic token two-factor authentication, establish an RBAC job permission matrix system, conduct quarterly security awareness training and phishing defense drills for all employees, and conduct annual background checks for key positions.
Third-party audit: Certified by the British Standards Association ISO27001 information security management system, completed SOC 2 Type II service organization control audit, implemented annual GDPR compliance review, and audit report covering all 138 security control points
Disaster Recovery and Recovery System: Construct a same-city dual-active + off-site three-center architecture, achieve RPO ≤ 15 seconds/RTO ≤ 5 minutes for core business systems, conduct quarterly full business continuity drills, and implement 256-bit AES encryption for critical data storage
11. Protection of Minors
The platform strictly adheres to relevant regulations and only provides services to individuals aged 18 or older. Users must actively verify their age during registration and use. If the system detects or receives reports of minors using the platform, the platform reserves the right to take measures such as refusing registration, restricting functions, or deleting relevant information, and may require users to provide valid identity proof within three business days. For accounts that cannot provide valid proof or are verified to belong to minors, the platform will immediately terminate services and permanently ban the account.
If a guardian discovers that a minor is using the platform without authorization, they may submit a request for account deletion via the official customer service email, along with proof of legal guardianship. The platform will continue to improve its youth protection features and content filtering mechanisms to fulfill its social responsibilities as an internet company.
12. Third-Party Service Links
The platform may embed third-party content (such as videos, music, charts, or investment tracking services). Such services will process data in accordance with their own privacy policies. The platform only reminds users to be aware of the risks and assumes no responsibility.
13. Marketing Promotion and Commercial Information
Promotional content formats: email notifications, SMS messages, platform pop-ups
Obtaining authorization and control: Users may select authorization during registration or unsubscribe at any time.
Profiling and Recommendation System: Generate personalized recommendations based on behavior and interests
Associated Databases: Merge behavioral data with transaction characteristics for limited profiling, which is not shared externally
14. Employee and Partner Compliance Oversight
Internal employees: Sign non-disclosure agreements (including specific terms such as confidentiality period and scope of application), restrict information access based on job responsibilities (implement graded permission management and access approval processes)
External Partners: Sign data protection agreements (specifying data encryption requirements and usage restrictions), and conduct audits of channel partners (including annual routine audits and random spot checks, involving third-party security institutions)
Non-compliance clauses: Breach compensation (calculated at 1.5 times actual losses), clear data leakage penalty mechanisms (including tiered fine standards and retention of legal recourse rights), and concurrent establishment of a non-compliance incident rectification notice system and internal accountability mechanisms
15. Compliance Audit and Risk Control Inspection
【Implementation Standards】 Every quarter, the legal and compliance department shall lead the data security team to conduct a DPIA special audit, focusing on key areas such as personal data collection authorization agreements, data transfer path encryption records, and third-party data sharing anonymization logs.
【Monitoring System】 Relying on an intelligent transaction monitoring system to scan abnormal capital flows in real time, establish a dynamic customer risk rating database, implement a double-check mechanism for high-risk areas, and report suspicious transaction disposal ledgers to the anti-money laundering monitoring and analysis center every six months
【Review Mechanism】 Establish a cross-departmental compliance committee to update the list of 42 regulatory obligations annually, with a particular focus on environmental, social, and governance (ESG) areas, and verify key indicators such as the accuracy of carbon emissions data reporting, the implementation rate of labor rights protection in the supply chain, and the completeness of green financial product information disclosure.
Data Security Grade Protection Assessment
【Implementation of Grade Protection】 Conduct Grade 3 information security assessment for core business systems, focusing on 18 technical control points including distributed storage encryption modules, biometric database firewalls, and disaster recovery center data restoration drills, to ensure compliance with information security grade protection assessments and reviews
16. Policy Change Notification Mechanism
The platform shall conduct a comprehensive review of current policies at least once a year and make necessary revisions in accordance with laws and regulations, industry standards, and business operational requirements. Routine clause adjustments shall be announced through the platform and take effect automatically upon publication.
If there are major adjustments to user rights and obligations (including but not limited to changes to the service agreement, restructuring of privacy terms, changes to core function ownership, etc.), the platform will publish a change notice through three channels 30 calendar days in advance: the official website announcement board, bound email, and personal account in-app messages. Important revisions will be marked with red underlines, and the reasons for the revisions will be explained in blue annotation boxes.
If users continue to log in to their accounts, use core features, or complete at least one valid interaction after the effective date of the revisions, they shall be deemed to have fully read and explicitly accepted the updated policy terms. If there are any objections, users may submit a written objection through the online appeal channel within 7 working days. If no feedback is received by the deadline, it shall be deemed that the new agreement has been accepted.
17. Dispute Resolution
The laws of the jurisdiction where the platform is registered shall apply. If negotiations fail to resolve the dispute, both parties agree to submit the dispute to the court with jurisdiction over the platform's registered location for resolution through litigation. It is strongly recommended that disputes be resolved through mediation mechanisms in each region whenever possible.
18. Contact Us and Designated Contact Person
For any questions, complaints, or inquiries regarding information, please contact us via the following methods:
Email: [email protected]
For more information, please refer to the "Contact Us" page on the platform.
Supplement:
We reiterate that RONKB Exchange is committed to protecting users' personal privacy and data security to the highest standards. Through this Privacy Policy, we aim to provide you with a comprehensive understanding of how we handle and protect your information, enabling you to make informed and confident choices when using our platform services.
As the regulatory environment evolves and our platform technology and services continue to update, our privacy policy will also be adjusted and optimized as appropriate. We commit to notifying you in advance of any major changes in a reasonable manner, ensuring you have sufficient time to read, understand, and decide whether to continue using our services. By continuing to use the platform, you indicate that you have understood and accepted the latest version of the privacy policy.
We encourage you to review this policy periodically and welcome your feedback on our data processing practices, including requests to access, correct, restrict, or delete your personal data. You may contact us through the official customer support channel, and we will respond in accordance with applicable laws.