Privacy Notice

This Privacy Notice describes how Xiaomi Crowd Trading Limited (the “Company,” “we”, “us”) collects and processes personal data when you use the Xiaomi Crowd Trading platform — the website, mobile applications, and any related services (collectively the “Platform”).

We are the data controller for the personal data described in this Notice. Where local law requires a representative (for example, a UK or EU representative under UK GDPR / GDPR Article 27), details are published in Company information.

This Notice should be read alongside our Terms of Service, our Cookie Notice, and any jurisdiction-specific disclosure you accept during sign-up.

We collect the following categories of personal data:

Identity and contact

• full legal name, date of birth, country of residence;
• email address, mobile phone number, postal address;
• government-issued ID number, ID document image, and a biometric selfie used solely for identity verification;
• tax-residency declarations and, where required, source-of-funds documentation.

Financial

• wallet balances, transaction history (trades, purchases, contributions, deposits, withdrawals);
• linked payment instruments (last four digits and brand only — full card numbers are tokenized by our payment processor);
• bank-account or crypto-wallet identifiers used for funding or withdrawal.

Account and device

• account credentials (password is stored as an argon2id hash; passkey public keys), session tokens, authentication factors;
• IP address, device fingerprint, operating system, browser, language, time zone;
• app usage telemetry, including page views, clicks, performance signals, and crash logs.

Communications and support

• messages you send to support, in-product chat transcripts, attachments;
• survey responses and feedback you submit.

Public information

• information disclosed publicly through Platform features — for example, opt-in copy-trading leaderboards.

We do not knowingly collect special-category personal data (such as health, religious, or political data) and ask that you do not submit such data through the Platform.

We collect personal data in three ways:

• From you directly — when you register, complete KYC, fund your wallet, place an order, contribute to a programme, contact support, or otherwise interact with the Platform.
• Automatically — through cookies, similar technologies, and server logs as you use the Platform (see Cookies, analytics, and trackers).
• From third parties — including identity-verification providers (Persona, Sumsub), broker partners, custodians, payment processors, sanctions and PEP screening providers, fraud-detection services, and Sponsor programmes.

We use personal data for these purposes:

• creating, operating, and securing your account;
• completing identity verification, KYC re-screens, and sanctions screening;
• processing deposits, trades, purchases, withdrawals, and contributions;
• maintaining accurate records of every wallet movement (the double-entry ledger);
• preventing fraud, money laundering, terrorist financing, and other illegal activity;
• providing customer support and responding to your enquiries;
• sending transactional communications (verification codes, trade confirmations, shipping updates, security alerts, impact-report digests);
• improving the Platform’s usability, reliability, and performance;
• complying with our legal, regulatory, and audit obligations;
• enforcing our Terms and pursuing or defending legal claims.

We send transactional communications by default; you may opt out of marketing communications at any time in your account settings or via the unsubscribe link in each marketing email.

Where the GDPR, UK GDPR, or a similar regime applies, our legal bases for processing your data are:

• Performance of a contract — to provide the services you sign up for and to settle transactions.
• Compliance with a legal obligation — for KYC, AML, sanctions screening, regulatory reporting, and tax obligations.
• Legitimate interests — for fraud detection, product improvement, network security, and protecting our and others’ rights. Where we rely on legitimate interests, we assess whether they are overridden by your rights and freedoms.
• Consent — for marketing communications, optional analytics, and any processing where consent is the applicable basis. You can withdraw consent at any time.

In Mainland China, processing is conducted pursuant to the Personal Information Protection Law (PIPL), with separate consent obtained for sensitive data (including ID images, biometrics, and financial information) and for cross-border transfers, as required.

We share personal data only with parties that need it. These include:

• Identity-verification providers — Persona and Sumsub, who process your ID document and selfie under their own published privacy policies;
• Broker and custodian partners — to execute and settle trades and to hold your funds in segregated accounts;
• Payment processors — to handle card, wallet, bank, and crypto on-ramp transactions;
• Shipping and fulfillment partners — for eCommerce orders;
• Sponsors — Xiaomi Technology, World Food Programme, Oxfam International, China Development Research Foundation, and Dongao Education Group, for the operation of partner programmes and (in aggregated, non-identifying form) for impact reporting;
• Cloud and infrastructure providers — including cloud hosting, observability, and email-delivery providers (currently including Mailtrap);
• Professional advisers — auditors, lawyers, and insurers, where required to operate the business;
• Authorities — regulators, law-enforcement, and courts, where legally required;
• Successors — in the event of a corporate transaction such as a merger, acquisition, or asset sale, in which case the recipient will be bound by privacy obligations no less protective than this Notice.

We do not sell your personal data and we do not share it for cross-context behavioural advertising.

Your data may be processed in countries other than the one in which you reside, including jurisdictions whose data-protection laws differ from yours. Where a transfer is to a country that has not been recognised by your regulator as providing an adequate level of protection, we rely on one or more of the following safeguards:

• European Commission Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum;
• PIPL-compliant standard contracts and security assessments where Mainland China data is involved;
• your explicit, informed consent for the specific transfer, where required.

We perform transfer impact assessments before adding new processors in third countries and keep a register of those assessments available to regulators on request.

We keep personal data only as long as needed for the purposes set out in this Notice. Default retention periods include:

• Account and KYC records — for the life of your account and for seven years after closure, to meet regulator-mandated AML record-keeping;
• Transaction records (ledger postings) — seven years after the transaction date;
• Support transcripts — three years after the last interaction;
• Analytics events — 25 months in identifiable form, then aggregated;
• Marketing preferences — until you change them.

When retention expires, data is deleted or irreversibly anonymized. We may retain certain data for longer where required to defend legal claims or where ordered by a competent authority.

Depending on your jurisdiction, you may have some or all of the following rights:

• Access — obtain a copy of the personal data we hold about you;
• Rectification — correct inaccurate or incomplete data;
• Erasure — ask us to delete your data, subject to legal retention requirements;
• Restriction — ask us to limit processing while a dispute is investigated;
• Portability — receive your data in a structured, commonly used format;
• Objection — object to processing based on our legitimate interests, including profiling;
• Withdrawal of consent — withdraw consent at any time without affecting prior lawful processing;
• Lodge a complaint — with your local data-protection authority (for the UK, the ICO; for the EU, your national DPA; for Mainland China, the Cyberspace Administration of China).

You can exercise most rights directly from your account settings. Other requests can be sent to privacy@xiaomicrowdtrading.com. We respond within 30 days; we may extend by two months where the request is complex, and will tell you within 30 days if we do.

We protect your data with administrative, physical, and technical measures appropriate to the risk. Highlights:

• TLS 1.3 for all data in transit and AES-256 for data at rest;
• field-level encryption (CSFLE) for sensitive personal data fields;
• argon2id password hashing and WebAuthn / passkey support;
• HSM-backed key custody for crypto-asset operations;
• least-privilege access controls, audited centrally;
• continuous fraud and anomaly monitoring;
• annual third-party penetration testing;
• SOC 2 Type II and ISO 27001 readiness (audit windows underway).

No system is completely secure. If we become aware of a breach that puts your rights or freedoms at risk, we will notify you and the relevant supervisory authorities within the statutory deadlines.

We use cookies and similar technologies for the following purposes:

• Strictly necessary — to keep you signed in, remember your jurisdiction, and prevent fraud;
• Performance and analytics — to understand how features are used and to improve them. We use a self-hosted analytics setup with IP truncation;
• Functional — to remember preferences such as language, density mode, and dark / light theme.

We do not use advertising or cross-context behavioural-advertising cookies. Detailed disclosures, the cookie inventory, and your consent controls are available in our Cookie Notice.

The Platform is not directed to anyone under 18 (or the higher minimum age set by your jurisdiction). We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a minor, we will delete it and close the account.

We may update this Privacy Notice from time to time. The current version is always at this URL with an effective date and version number. Where the change is material, we will notify you by email or in-product banner at least 30 days before it takes effect.

For privacy questions, requests, or complaints, contact us at privacy@xiaomicrowdtrading.com.

Our Data Protection Officer can be reached at dpo@xiaomicrowdtrading.com. Postal correspondence may be sent to the Company’s registered office, listed on our Company information page. You also have the right to lodge a complaint with your local data-protection authority, as described in Your rights and choices.