PRIVACY AND SECURITY PROTECTION MANAGEMENT MEASURES FOR VIRTUAL
CURRENCY EXCHANGE DATA
I. EXECUTIVE SUMMARY
Quantum Star's Data Protection Policy is a document with regulations
and procedures that shall be adopted to protect and secure all data
consumed, managed, and stored by the company. The policy covers all
data that Quantum Star holds for either past, current, or
prospective persons in either electronic or paper format, from when
it is created to when it is either destroyed or permanently
preserved. It provides the rules of personal data protection,
including related obligations of staff, Customers, suppliers, and
other third parties in ensuring responsible processing of personal
data.
This policy demonstrates the company's commitment to ensuring
adequate protection and privacy of personal data.
II. POLICY PURPOSE
The purpose of this policy is to provide guidelines on how the company
shall process the personal data of its staff, customers, suppliers,
and other third parties in compliance with data protection law and to
protect the customer's rights. The policy shall apply to all personal
data the company processes regardless of the format or media on which
the data is stored or to whom it relates.
Quantum Star's most important assets are the trust and confidence
required to handle information properly. Customers and potential
customers expect us to maintain their information accurately, protect
it against manipulation and errors, secure it from theft, and free it
from unwarranted disclosure. We protect the data security of our
customers and potential customers by complying with all relevant data
protection laws and regulations and ensuring our staff complies with
strict standards of security and confidentiality.
III. POLICY SCOPE
This policy encompasses all Processing of Personal Data by staff and
customers, each of whom is subject to this policy. As a matter of good
practice, other organizations or agents who have access to and process
personal data on behalf of the company will be expected to read and
comply with this policy. The relevant service that deals with such
external third parties is responsible for ensuring that such third
parties agree in writing to abide by this policy, with support from
published procedures and guidance, and from the Company Data
Protection Team.
IV. DEFINITION OF TERMS
This policy tries as far as possible to avoid using technical terms.
However, there are some terms used in the Data Protection Policy that
it is helpful to have an understanding of in the context of data
protection compliance. To assist such understanding, we have set out a
list of key terms and their meanings below. Where these terms are used
in this policy, they should be read and applied in this context.
Person:
Refers to a natural person or legal person.
Personal data:
Refers to any information relating to an identified or identifiable
natural person.
Processing:
Refers to any operation or set of operations which may be performed
on personal data, whether by automated or non-automated means,
including but not limited to collection, recording,
organization, storage, alteration, retrieval, use, disclosure by
transmission, dissemination, erasure, and destruction.
Encryption:
Transformation of information or data into any special code that
cannot be understood or used.
Data breach:
Refers to an incident in which personal data was accessed,
disclosed, or stolen without authorization.
V. OBJECTIVE AND PRINCIPLES
5.1 Objectives
a. Ensure the confidentiality, integrity, and availability of
customer data to prevent unauthorized access, leakage, or
tampering.
b. Comply with international and local privacy protection laws and
regulations (such as GDPR, CCPA, etc.).
c. Establish trust and ensure customer transparency regarding data
usage.
5.2 Basic Principles
a. Data Minimization Principle: Only collect data necessary to
complete business needs, avoiding unnecessary information storage.
b. Security-First Principle: Design data protection solutions
centered around security technologies and policies.
c. Transparency Principle: Ensure that customers are aware of how
their data is collected, used, stored, and shared.
VI. DATA COLLECTION AND USAGE STANDARDS
6.1 Data Collection
a. Collect only essential customer information, such as identity
verification data (KYC), transaction data, and contact
information.
b. Ensure data sources are legal and obtain explicit consent from
customers.
When we collect information from customers, staff, and other third
parties, we will usually identify any information that is mandatory
(i.e., information required for creating an account and enabling you
to access the features of the website and receive any services). You
may choose not to provide us with the requested data, but failure to
do so may inhibit our ability to do business with you or to respond to
your inquiries.
6.2 Data Usage
a. Collected data is strictly limited to the following purposes:
- Identity verification and account management.
- Transaction records and risk control analysis.
- Compliance with legal and regulatory requirements (e.g.,
anti-money laundering, tax reporting).
b. Do not use data for advertising or other commercial purposes
without customer consent.
Why do we collect your data and how it may be used?
Personal data is collected for the following purposes:
- to provide you with access to the content on the website, apps, or
social media platforms;
- to process and administer your account, to implement and effect the
requests or transactions contemplated by the forms available on our
website or any other documents you may submit to us from time to
time;
- to design new or enhance existing products, information, and
services provided by us;
- to communicate with customers including sending you administrative
and technical communications about any account you may have with us,
to provide technical support or notify you about future changes to
this privacy statement;
- for statistical or actuarial research undertaken by Quantum Star,
the financial services industry, or our respective regulators;
- for advanced data analytics, data matching, internal business, and
administrative purposes;
- to monitor your use of the website, app, and social media platforms
and analyze the use of the website to operate, evaluate, and improve
the website and our services, understand your preferences, and
troubleshoot any problems;
- to assist in law enforcement purposes, investigations by police or
other government or regulatory authorities and to meet requirements
imposed by applicable laws and regulations or other obligations
committed to government or regulatory authorities;
- to personalize the appearance of our websites, provide
recommendations of relevant products, information, and services, and
provide targeted advertising on our website or through other
channels;
- other purposes as notified at the time of collection; and
- other purposes directly relating to any of the above.
Unless permitted by applicable laws and regulations, we will obtain
consent from customers if we wish to use personal data of customers for
purposes other than those stated in this privacy statement.
Who may be provided with your personal data?
Personal data will be kept confidential, but we may, where permitted by
law or where such disclosure is necessary to satisfy the purpose or a
directly related purpose for which the personal data was collected,
provide such personal data to the following parties:
- any person authorized to act as an agent of Quantum Star in relation
to the distribution of products and services offered by Quantum
Star;
- any agent, contractor or third-party service provider (within or
outside Quantum Star) who provides administration, data processing,
telecommunications, computer, payment, debt collection or securities
clearing, technology outsourcing, call center services, mailing and
printing services in connection with the operation of Quantum Star's
business and Quantum Star's provision of services to;
- other companies that help gather your information or communicate
with you, such as research companies and ratings agencies, in order
to enhance the services we provide to you; and
- government or regulatory bodies in any jurisdiction or any person to
whom a Quantum Star company must disclose data: (a) under a legal
and/or regulatory obligation in that or any other jurisdiction
applicable to that particular Quantum Star company; or (b) pursuant
to an agreement between the Quantum Star company and the relevant
government, regulatory body or other person.
6.3 Data Sharing
a. Share data only with necessary third-party service providers
(e.g., payment gateways, identity verification platforms).
Sign strict data processing agreements to ensure third parties
comply with privacy and security standards.
b. Prohibit cross-border data transfer unless required by local
laws.
VII. DATA STORAGE AND ENCRYPTION
7.1 Data Storage
a. Store customer data in highly secure databases with access
control measures to restrict permissions.
b. Conduct regular security checks on storage systems to prevent
data leaks and unauthorized access.
7.2 Data Encryption
a. Static Data Encryption: Use AES-256 or equivalent encryption
algorithms for stored data.
b. Data Transmission Encryption: Use HTTPS/TLS 1.2+ to protect
data during transmission against man-in-the-middle attacks.
c. Sensitive information (e.g., passwords, private keys) must be
encrypted using irreversible methods (e.g., bcrypt).
VIII. ACCESS CONTROL AND PERMISSION MANAGEMENT
8.1 User Access
a. User accounts must enable multi-factor authentication (MFA) to
prevent unauthorized access.
b. Implement complex password rules and regularly remind users to
update their passwords.
8.2 Internal Permissions
a. Assign minimum permissions to internal staff based on roles,
requiring approval for access to sensitive data.
b. Regularly review permission allocations and revoke unnecessary
permissions.
IX. DATA BACKUP AND DISASTER RECOVERY
9.1 Data Backup
a. Regularly back up customer data and store encrypted backups
offsite.
b. Retain backup files for at least 3 months to ensure
recoverability.
9.2 Disaster Recovery
a. Develop a detailed disaster recovery plan (DRP) covering
scenarios such as data loss and system failures.
b. Conduct regular drills on recovery processes to meet recovery
time objectives (RTO) and recovery point objectives (RPO).
X. DATA LIFECYCLE MANAGEMENT
10.1 Data Retention
The retention period for customer data must comply with local
legal requirements or contract agreements, with expired data
securely destroyed.
10.2 Data Destruction
a. Use professional tools to thoroughly destroy expired or
unnecessary data, ensuring it cannot be recovered.
b. Maintain records of destruction for auditing purposes.
XI. SECURITY MONITORING AND AUDIT
11.1 Real-Time Monitoring
a. Monitor all systems and networks related to customer data in
real-time to detect abnormal activities.
b. Use Security Information and Event Management (SIEM) tools to
generate and analyze security logs.
11.2 Security Audit
a. Conduct regular audits of data access records to ensure
compliance with operational policies.
b. Engage third-party organizations for annual data security
assessments.
XII. COMPLIANCE AND USER TRANSPARENCY
12.1 Legal Compliance
a. Regularly update data privacy policies to comply with the
latest laws and regulations.
b. Ensure that any cross-border data transfers meet relevant
international data protection standards.
12.2 User Right to Know
a. Provide customers with clear privacy policies explaining data
collection, storage, and usage practices.
b. Offer channels for data access, correction, or deletion
requests, responding promptly to customer needs.
XIII. TRAINING AND EMERGENCY RESPONSE
13.1 Security Training
a. Regularly train employees on data privacy and security to
enhance awareness of preventive measures.
b. Ensure the development team understands the design requirements
for privacy protection.
13.2 Emergency Response
a. Establish a data breach emergency response mechanism, clearly
defining responsibilities and handling procedures.
b. In the event of a data breach, immediately notify affected
customers and report to regulatory authorities.
XIV. SUMMARY
Through these measures, the virtual currency exchange will construct a
comprehensive data privacy and security protection system, ensuring
the security and compliance of customer data while enhancing customer
trust and business stability.
XV. POLICY APPROVAL
This policy is approved by the Company's Board of Directors.
XVI. POLICY DISCLOSURE
This policy is authorized for full disclosure internally within the
Company, but is designated as Confidential and should not be disclosed
to third parties without the prior approval of the Company's director.
XVII. REVIEW OF THE POLICY
The IT Department is responsible for this Policy. Any changes,
amendments, or revisions shall be proposed by the IT Department and
then submitted to the Board of Directors for approval.
The IT Department shall review the Policy at least once every year,
or as and when there is an update to the regulatory requirements.