Privacy Policy

Last updated: 2 December 2025

1. About Choton Group Limited

This Privacy Policy explains how Choton Group Limited ("Choton Group", "we", "us", "our") handles personal data in connection with our services (the "Services").

Choton Group Limited is a company incorporated in Hong Kong with its registered office at:

Shop B, G/F, Southorn Centre, 138 Hennessy Road, Wan Chai, Hong Kong

References to "you" or "your" mean any individual using the Services, whether on their own behalf or on behalf of a business.

2. Scope of this Policy

This Privacy Policy applies when you:

• Visit or use our website and any pages we operate;
• Access our online platforms, dashboards or APIs;
• Interact with us via forms, written correspondence or other channels;
• Take part in our marketing campaigns, surveys or events.

This Policy does not apply to third-party websites, applications or services that we do not control, even if you access them via our Services. Those third parties have their own privacy terms.

3. Personal data we collect

The types of personal data we collect depend on how you engage with us and which Services you use. They may include:

3.1 Identification and contact details

• Full name, date of birth and nationality;
• Residential or business address;
• Government-issued identification details where required for onboarding or compliance.

3.2 Account and profile information

• Account identifiers or usernames;
• Profile information, preferences and settings;
• Information and documents you or your organisation provide for KYC/KYB and due diligence.

3.3 Transaction and financial information

• Transaction details (such as amount, currency, counterparties, date and time);
• Information relating to payment instructions and beneficiaries;
• Settlement, reconciliation and other records associated with your use of the Services.

3.4 Technical and usage data

• IP address, browser type, device identifiers and operating system;
• Approximate location derived from your IP address;
• Log data, pages visited, time spent on pages and other usage analytics.

3.5 Marketing and communication data

• Your marketing and communication preferences;
• Records of enquiries, feedback, requests or complaints;
• Responses you provide when participating in surveys or campaigns.

3.6 Information from third parties

Where permitted, we may also receive personal data from:

• Business customers, partners, financial institutions and payment providers;
• Identity verification, fraud-prevention and compliance service providers;
• Public sources and official lists, including sanctions and watch lists.

4. Legal bases for processing

Where data protection law (for example in the EU or UK) requires a legal basis for processing, we generally rely on one or more of the following:

• Performance of a contract — to provide the Services and perform our obligations to you or your organisation;
• Compliance with legal obligations — to satisfy KYC/AML, sanctions, tax, reporting and other regulatory requirements;
• Legitimate interests — to operate, maintain and improve the Services, manage risk, prevent fraud, protect our rights and defend claims;
• Consent — where we rely on your consent (for example for certain marketing communications or non-essential cookies), you may withdraw it at any time.

5. How we use personal data

We use personal data for the following purposes:

Providing and operating the Services

• Creating and managing user accounts;
• Processing transfers, payments and related instructions;
• Providing customer and technical support.

Risk, compliance and security

• Conducting identity and business verification, KYC/KYB and risk assessments;
• Screening and monitoring transactions for fraud, financial crime and sanctions compliance;
• Investigating suspicious activity and managing incidents.

Improving our Services and user experience

• Analysing how our website and platforms are used;
• Maintaining, testing and enhancing performance, stability and usability;
• Developing and refining features, products and service offerings.

Communicating with you

• Sending service-related messages, including transaction updates, security alerts and changes to our terms;
• Sharing information about our Services where permitted by law and in line with your preferences;
• Managing invitations to events, webinars or surveys.

Legal, regulatory and business purposes

• Responding to lawful requests from regulators, public authorities or courts;
• Exercising or defending legal claims;
• Supporting audits, compliance reviews and corporate transactions.

6. How we share personal data

We may share personal data with:

• Affiliates and group entities — for internal administration, risk management and efficient service delivery;
• Service providers — such as cloud hosting, IT support, analytics, identity verification and compliance providers acting on our instructions;
• Business partners and financial institutions — including banks, payment providers and others involved in processing transactions;
• Professional advisers — including auditors, legal advisers and consultants where reasonably necessary;
• Public authorities and regulators — where required by law, regulation or legal process, or to protect our rights or the rights of others;
• Parties to corporate transactions — in connection with a merger, acquisition, restructuring or other similar event, subject to appropriate safeguards.

We do not sell personal data as a standalone business model.

7. International transfers

Because we may work with partners and providers in other jurisdictions, personal data may be processed outside the country where you are located. Where this occurs, we take steps required by applicable law to help ensure an appropriate level of protection, which may include contractual safeguards or other recognised transfer mechanisms.

8. Data retention

We retain personal data only for as long as reasonably necessary to:

• Provide and support the Services;
• Comply with legal, regulatory, tax and accounting obligations (which may require data to be kept for a defined number of years after our relationship ends);
• Resolve disputes and enforce our rights.

When personal data is no longer needed for these purposes, we will delete it or irreversibly anonymise it in line with our policies and applicable law.

9. Your rights

Depending on your location and the applicable law, you may have some or all of the following rights:

• To request access to the personal data we hold about you;
• To request correction of inaccurate or incomplete data;
• To request deletion of your personal data, subject to our legal and regulatory obligations to retain certain records;
• To object to or request restriction of certain processing activities;
• To withdraw consent where processing is based on your consent;
• To request that certain personal data be provided to you or another controller in a structured, commonly used and machine-readable format (data portability).

You can exercise these rights by contacting us through the channels indicated on our website or by writing to our registered office. We may need to verify your identity before responding.

You may also have the right to lodge a complaint with your local data protection authority.

10. Cookies and similar technologies

We use cookies and similar technologies on our website to:

• Support core site functionality and security;
• Remember your settings and improve your experience;
• Measure performance and understand how visitors use our site;
• Help deliver relevant content or advertising where permitted.

You can review and manage your cookie choices at any time through our cookie preferences tool on the website. Further information on the categories of cookies used and your options is provided within that tool and in this Policy.

11. Security

We maintain technical and organisational measures designed to protect personal data against unauthorised access, misuse, loss or destruction. These measures may include:

• Network and infrastructure security controls;
• Access management, authentication and role-based permissions;
• Logging, monitoring and incident response procedures;
• Contractual safeguards and due diligence for our service providers.

No system can be guaranteed to be completely secure. You are responsible for keeping your account credentials confidential and for informing us promptly if you suspect any unauthorised access to your account.

12. Children’s data

Our Services are not directed at individuals under 18 years of age, and we do not knowingly collect personal data from such individuals. If you believe that a child has provided personal data to us, please contact us so that we can take appropriate action, which may include deleting the data where required.

13. Changes to this Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page and, where appropriate, provide additional notice via our website or other channels.

Your continued use of the Services after any changes take effect will indicate that you have read and understood the updated Policy.

14. Contact

If you have questions or concerns about this Privacy Policy or how we handle personal data, you can contact us using the details provided on our website or by writing to:

Choton Group Limited
Shop B, G/F, Southorn Centre
138 Hennessy Road, Wan Chai
Hong Kong