Overview & Our Commitment
XRP Capital Ltd. ("XRP Capital," "we," "us," or "our") is committed to protecting and respecting your privacy. This Privacy Policy describes how we collect, process, use, store, and share personal information about individuals who visit our website, create an account, or use our digital asset investment services (collectively, the "Services").
This policy applies to all users of the XRP Capital platform globally and is designed to comply with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection legislation.
Data Controller: XRP Capital Ltd. is the data controller responsible for the personal information you provide to us. Our registered Data Protection Officer (DPO) can be contacted at privacy@xrpcapital.com for any data-related inquiries or requests.
We encourage you to read this policy carefully in its entirety. If you have any questions or concerns about how your personal information is handled, please contact our Data Protection team using the details provided in Section 13.
Data We Collect
We collect various categories of personal information depending on how you interact with our platform. The categories and specific data points we collect include:
Information You Provide Directly
- Account Information: Full legal name, email address, phone number, date of birth, nationality, and username and password.
- Identity Verification (KYC): Government-issued identification documents (passport, national ID, driver's licence), selfie or live video verification images, and proof of address documents.
- Financial Information: Wallet addresses, banking details for withdrawals, source of funds declarations, and investment preferences.
- Communication Data: Messages sent through our contact forms, live chat transcripts, email correspondence, and support tickets.
- Tax Information: Tax identification numbers, country of tax residence, and any information required by applicable tax reporting regulations.
Information Collected Automatically
- Technical Data: IP address, browser type and version, operating system, device identifiers, time zone, and language settings.
- Usage Data: Pages visited, features used, time spent on the platform, click-through rates, and navigation paths.
- Transaction Data: Investment activity, withdrawal requests, deposit history, and portfolio performance records.
- Security Data: Login history, authentication events, session tokens, and suspicious activity flags.
Information from Third Parties
- Identity verification data from our KYC/AML service providers (e.g., Jumio, Onfido).
- Fraud and sanctions screening data from financial crime intelligence services.
- Analytics data from partners such as Google Analytics and Mixpanel.
- Referral information if you joined the platform through a partner or affiliate programme.
How We Use Your Data
We use the personal information we collect for the following specific purposes. Where required by law, we will only process your data where we have a valid legal basis to do so (see Section 4).
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Account creation and management | Name, email, password, phone | Contract performance |
| Identity verification (KYC) | ID documents, selfie, address | Legal obligation |
| Processing investments & withdrawals | Financial info, wallet addresses | Contract performance |
| Fraud prevention & security | IP, login history, device info | Legitimate interest |
| Regulatory reporting (AML/CTF) | Transaction data, KYC docs | Legal obligation |
| Customer support | Communications, account data | Contract performance |
| Platform analytics & improvement | Usage data, technical data | Legitimate interest |
| Marketing communications | Email, name, preferences | Consent |
| Tax reporting obligations | Transaction data, tax IDs | Legal obligation |
We will never sell your personal information to third parties for their marketing purposes, and we will never use your data for purposes that are incompatible with the purposes for which it was collected, without first seeking your explicit consent.
Legal Basis for Processing
Under the GDPR and UK GDPR, we must have a valid legal basis before processing your personal data. XRP Capital relies on the following legal bases:
Contract Performance
Processing necessary to enter into or perform our contract with you, including account management, processing investments, and customer support.
Legal Obligation
Processing required to comply with AML regulations, financial services laws, tax obligations, and regulatory reporting requirements in applicable jurisdictions.
Legitimate Interests
Processing for fraud prevention, platform security, analytics, and improving our services — where these interests do not override your fundamental rights and freedoms.
Consent
Where we process data for marketing communications or optional analytics cookies, we rely on your freely given, specific, and informed consent, which can be withdrawn at any time.
Where processing is based on legitimate interests, you have the right to object. Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing that occurred before withdrawal.
Data Sharing & Disclosure
We do not sell, rent, or trade your personal information to third parties. We may share your personal information with the following categories of recipients, strictly as necessary and in accordance with applicable data protection law:
Service Providers & Processors
- KYC/AML Verification Providers: Identity verification companies that process your identification documents to fulfill our legal compliance obligations.
- Cloud Infrastructure: Hosting and cloud storage providers operating secure, compliant data centres (e.g., AWS, Google Cloud) bound by data processing agreements.
- Payment & Banking Partners: Financial institutions facilitating fiat deposits and withdrawals, subject to their own regulated data protection obligations.
- Analytics Platforms: Third-party analytics services used to understand platform usage and improve our product, with data anonymised or pseudonymised where possible.
- Customer Support Tools: Support ticket systems and live chat software used to manage and respond to your inquiries.
- Security & Fraud Prevention: Services used to detect, investigate, and prevent fraud, abuse, and security threats on our platform.
Legal & Regulatory Disclosure
We may disclose your personal information to governmental authorities, law enforcement agencies, financial regulators, or other competent bodies when required to do so by law, court order, or official regulatory process. This includes mandatory reporting under AML and CTF regulations and responses to lawful requests from regulatory bodies such as the FCA, SEC, or equivalent.
Business Transfers: In the event of a merger, acquisition, asset sale, or corporate restructuring, your personal information may be transferred to the acquiring entity, provided they agree to be bound by equivalent data protection standards. You will be notified of any such transfer via email or prominent notice on the platform.
Cookies & Tracking Technologies
XRP Capital uses cookies and similar tracking technologies to enhance your experience on our platform, analyze traffic, and support security features. A cookie is a small text file placed on your device when you visit our website.
Types of Cookies We Use
| Cookie Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Session management, authentication, security, and core platform functionality. Cannot be disabled. | Session / Up to 1 year |
| Performance & Analytics | Measuring site traffic, user behaviour patterns, and feature usage to improve our Services. | Up to 2 years |
| Functional | Remembering preferences such as language, currency display, and dashboard layout. | Up to 1 year |
| Marketing | Tracking conversions and displaying relevant content to you across the web. Requires your consent. | Up to 90 days |
You can manage your cookie preferences at any time by clicking the "Cookie Preferences" link in the footer of our website. Disabling certain non-essential cookies may impact the functionality and user experience of the platform. For more information, please refer to our separate Cookie Policy.
Data Security
XRP Capital implements a comprehensive, multi-layered security framework to protect your personal information from unauthorized access, loss, alteration, or destruction. Our security measures include:
Encryption
All data in transit is protected by TLS 1.3 encryption. Sensitive data at rest (including KYC documents and financial information) is encrypted using AES-256.
Access Controls
Strict role-based access control (RBAC) ensures that only authorised personnel can access personal data, on a strict need-to-know basis.
Two-Factor Authentication
All staff accounts and investor accounts are protected by mandatory two-factor authentication (2FA) using TOTP or hardware security keys.
Security Audits
We conduct regular penetration testing, vulnerability assessments, and third-party security audits to identify and remediate potential weaknesses.
Incident Response
A documented incident response plan ensures any data breach is identified, contained, and reported to relevant authorities within 72 hours as required by GDPR.
Data Minimisation
We only collect the personal data that is strictly necessary for the stated purposes and delete data securely when it is no longer needed.
Despite our best efforts, no security system is impenetrable. In the unlikely event of a data breach that affects your rights and freedoms, we will notify you promptly in accordance with our legal obligations.
Data Retention
We retain your personal information only for as long as is necessary to fulfill the purposes for which it was collected, to comply with our legal and regulatory obligations, to resolve disputes, and to enforce our agreements. Our standard retention periods are as follows:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account information | Duration of account + 7 years | Legal / AML obligation |
| KYC / identity documents | Duration of account + 5–7 years | Regulatory compliance |
| Transaction records | 7–10 years from transaction date | Tax and AML regulation |
| Support communications | 3 years from resolution | Dispute resolution |
| Marketing data | Until consent withdrawn + 30 days | Consent-based processing |
| Analytics / usage data | Up to 26 months | Legitimate interest |
Upon expiry of the applicable retention period, or upon a valid erasure request (subject to legal retention requirements), we will securely delete or anonymise your personal information so that it can no longer be associated with you.
Your Privacy Rights
Depending on your country of residence, you may have some or all of the following rights in relation to your personal information. XRP Capital is committed to facilitating the exercise of these rights without undue delay, and always within one calendar month of receiving a verifiable request.
Right of Access
Request a copy of the personal information we hold about you, along with information about how it is processed.
Right to Rectification
Request correction of inaccurate or incomplete personal data we hold about you.
Right to Erasure
Request deletion of your personal data, subject to our legal obligations to retain certain records.
Right to Portability
Receive your personal data in a structured, machine-readable format and transmit it to another controller.
Right to Object
Object to processing based on legitimate interests or for direct marketing purposes at any time.
Right to Restrict
Request that we restrict the processing of your personal data in certain circumstances.
How to Exercise Your Rights: To submit a privacy request, please email privacy@xrpcapital.com with the subject line "Privacy Rights Request." We will verify your identity before processing the request. You also have the right to lodge a complaint with your local data protection authority (e.g., the ICO in the UK, or your national supervisory authority in the EU).
Please note that some rights are subject to exceptions. For example, the right to erasure does not apply where we are required to retain your data to comply with a legal obligation or to establish, exercise, or defend legal claims.
International Data Transfers
XRP Capital operates globally and your personal information may be transferred to and processed in countries outside of the United Kingdom or the European Economic Area (EEA), including countries that may not offer the same level of data protection as your home country.
Whenever we transfer personal data internationally, we ensure that appropriate safeguards are in place to protect your information, including:
- Adequacy Decisions: Transfers to countries that the UK or EU has recognised as providing an adequate level of data protection (e.g., Canada, Japan, Switzerland).
- Standard Contractual Clauses (SCCs): Where no adequacy decision exists, we rely on the EU or UK Standard Contractual Clauses, legally binding contracts that impose equivalent data protection standards on data recipients.
- Binding Corporate Rules: For intra-group transfers within XRP Capital's corporate structure, we have implemented Binding Corporate Rules approved by the relevant supervisory authority.
- Transfer Impact Assessments: For all high-risk international transfers, we conduct Transfer Impact Assessments to evaluate whether the receiving jurisdiction's laws and practices undermine the effectiveness of the safeguards in place.
You may request a copy of the specific safeguards applicable to any international transfer of your personal data by contacting us at privacy@xrpcapital.com.
Children's Privacy
The XRP Capital platform and Services are intended exclusively for individuals who are 18 years of age or older. We do not knowingly collect, solicit, or process personal information from children under the age of 18, or under the applicable age of majority in their jurisdiction.
Parental Notice: If you are a parent or guardian and believe that your child has provided personal information to XRP Capital, please contact us immediately at privacy@xrpcapital.com. Upon verification, we will take prompt steps to delete any personal information collected from a child under the applicable minimum age.
Our platform implements age verification during the account registration and KYC process to minimize the risk of underage users accessing the Services. If we discover that we have inadvertently collected personal data from a minor, we will delete that data without delay and take appropriate corrective action.
Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or platform functionality. When we make changes, we will update the "Last Updated" date at the top of this policy and take appropriate steps to notify you, depending on the significance of the changes.
How We Notify You of Changes
- Minor changes (e.g., clarifications, corrections): Updated date at the top of this page; no direct notification required.
- Material changes (e.g., new data uses, new sharing arrangements): Email notification to your registered email address at least 30 days before the changes take effect.
- Fundamental changes (e.g., change of data controller, significant new purposes): In-app banner, email notification, and explicit re-consent required where mandated by applicable law.
We encourage you to review this policy periodically to stay informed about how we are protecting your information. Your continued use of the Services following the effective date of any changes constitutes your acknowledgement of the updated policy.
Policy Version
This is version 2.4 of the XRP Capital Privacy Policy, superseding all previous versions.
Policy Archive
Previous versions of this policy are available upon request from our Data Protection team.
Contact Our Privacy Team
If you have questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please contact our dedicated Data Protection team. We are committed to addressing your inquiry promptly and thoroughly.
Data Protection Officer
privacy@xrpcapital.com
For GDPR, UK GDPR, and data rights requests.
General Support
support@xrpcapital.com
For general platform and account inquiries.
Registered Address
XRP Capital Ltd., Data Protection Team
London, United Kingdom
Response Time
We aim to respond to all privacy requests within 5 business days and resolve them within 30 calendar days.
Supervisory Authority: If you are unsatisfied with our response to a privacy complaint, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the United Kingdom (ico.org.uk), or your applicable national data protection supervisory authority if you are located in the EEA.