Privacy Policy

Privacy Policy – Coinbox

Last Updated: April 7, 2026

Coinbox Ltd. (Company Number: 517137105) ("Coinbox", "the Company", or "we") respects the privacy of our users and is committed to protecting the personal information collected about them while using the Coinbox platform, mobile app, and website (collectively: the "Services").

The purpose of this policy is to explain what personal data we collect, how we use it, who we share it with, and your rights regarding this information — in accordance with the Protection of Privacy Law, 5741-1981 (Israel), the Protection of Privacy Regulations (Information Security), 5777-2017, and the EU General Data Protection Regulation (GDPR), to the extent they apply to you.

1. Information We Collect

When you open an account and use the Services, we collect the following types of information:

1.1 Information You Provide Directly

  • Identifying Information (KYC/AML): Full name, ID or passport number, date of birth, residential address, ID photo, and a selfie. (Note: Biometric data from the selfie is used strictly for one-time verification against your ID and is not retained in our databases).
  • Contact Information: Email address and phone number.
  • Financial Information: Bank account details, income details and Source of Wealth, and cryptocurrency wallet addresses.
  • Service Inquiries: Content of messages sent to us via email, chat, or phone, including call recordings (subject to prior notice).

1.2 Information Collected Automatically

  • Technical and Device Information: IP address, browser type and operating system, unique device identifier (Device ID), device type and model, app version, interface language, and time zone.
  • Location Information (IP): Approximate geographic location derived from IP addresses to detect suspicious activity and prevent fraud. We do not collect precise GPS location.
  • Usage and Interaction Data: Pages viewed, screens opened, login/logout times, actions taken on the platform (e.g., viewing assets, initiating a purchase), and session duration.
  • Transaction Data: History of purchases, sales, deposits, withdrawals, and conversions performed on the platform.
  • Cookies and Tracking: Cookies, pixels, and web tags.
  • Diagnostic Data: Crash reports, performance data (like load times), system errors, and memory usage.

1.3 Information Collected from Third Parties

  • Identity Verification Providers: KYC service providers send us identity verification results, Politically Exposed Person (PEP) checks, and sanctions checks.
  • Financial Service Providers: Trading infrastructure providers send us transaction execution data.
  • Public and Commercial Databases: For due diligence and anti-money laundering purposes.

2. Purposes of Using the Information

We use the information for the following purposes:

Purpose Relevant Information Legal Basis
Account Opening & Services — Registration, identity verification, executing transactions, and digital asset custody Identifying info, Contact info, Financial info Contract Performance
Regulatory Compliance — Complying with the Prohibition on Money Laundering Law (2000) and Capital Markets Authority directives Identifying info, Financial info, Transaction data Legal Obligation
Security & Fraud Prevention — Login verification, detecting suspicious activity, preventing unauthorized access Technical info, Device ID, IP address Legitimate Interest
UX Improvement — Analyzing usage patterns, fixing bugs, UI improvements Usage data, Diagnostic data Legitimate Interest
Service & Support — Handling inquiries, documenting service calls Service inquiries, Contact info Contract Performance
Tax Reporting — Withholding tax at source under Israeli laws Identifying info, Transaction data Legal Obligation
Marketing & Communication — Sending operational updates, marketing offers, and product updates Contact info Consent

3. Sharing Information with Third Parties

Coinbox does not sell your personal information and does not share it for third-party advertising purposes. We may share your information with the following entities, strictly to the extent necessary for the specified purposes:

  • Identity Verification (KYC) Providers: Name, ID documents, and selfie — to verify your identity per regulatory requirements.
  • Trading Infrastructure Providers: Transaction details and account identifier — to execute buy, sell, and conversion operations.
  • Digital Asset Custody Providers: Wallet addresses and transfer details — to store and transfer digital assets.
  • Hosting and Cloud Infrastructure Providers: All encrypted information — to operate the Services.
  • Analytics and Diagnostic Providers: Device ID, usage data, and crash reports — to improve user experience and fix issues.
  • Customer Relationship Management (CRM) Providers: Name, email, phone, and account status — to provide service and support.
  • Law Enforcement and Regulatory Authorities: Any information required by a court order or competent authority.
  • Professional Advisors: Lawyers, accountants, and auditors — relevant info as needed.

4. Third Parties in the App and Website — SDKs and Services

The following details the main provider types integrated into the app and website, and the data they may collect:

  • Analytics and Usage Tracking Tools: Device ID, usage events, and app version.
  • Crash Reporting and Stability Tools: Device ID, technical information on crashes, and device state.
  • Built-in Identity Verification Module: ID and selfie (processed on the verification provider's servers).

We select providers that meet strict data protection standards and restrict shared information to the absolute minimum required.

5. Transferring Information Outside Israel

We may transfer your information to servers located outside Israel (e.g., cloud services in Europe and the US, trading infrastructure, and identity verification servers). We ensure your information is afforded adequate protection under applicable law, including through:

  • Appropriate contractual agreements with each provider.
  • Recognized protection mechanisms such as Standard Contractual Clauses (SCCs) for European providers.
  • Data encryption in transit (TLS) and at rest.

6. Information Security

We implement advanced technical and organizational security measures to protect your information, including:

  • End-to-end encryption (TLS 1.2+).
  • Encryption at rest within cloud infrastructures.
  • Two-Factor Authentication (2FA) for account logins.
  • Least Privilege access control policies.
  • Ongoing security tests and vulnerability checks.

However, no system is completely immune, and therefore the Company cannot guarantee absolute security.

7. Data Retention and Deletion

7.1 Retention Periods

Data Type Retention Period Explanation
Identification Documents (KYC) At least 5 years from termination of relationship Prohibition on Money Laundering Law (2000)
Transaction Data At least 7 years from transaction date Tax and reporting requirements
Crash Reports & Performance Up to 12 months Platform performance improvement
General Analytics Data Up to 26 months Platform analytics settings
Marketing Contact Info Until consent is withdrawn At your request

7.2 Data Deletion

At the end of the relevant retention period, the information will be deleted or anonymized, unless its retention is required for active legal proceedings or other statutory obligations.

8. Account Deletion

You can request the deletion of your account at any time. We provide a clear, accessible deletion mechanism directly within the platform:

In the App:

  1. Log into your account → open Settings (profile icon) → Security.
  2. Tap on "Delete Account" at the bottom of the screen.
  3. Confirm → complete Two-Factor Authentication (2FA) → confirm again.

On the Website:

  1. Log into your account → Settings → Security.
  2. Click on "Delete Account" at the bottom of the page.
  3. Complete 2FA (if enabled) and confirm.

Direct Request:

You may also submit a deletion request without logging into the app by contacting us via our Data Deletion page.

What Deletion Means:

  • Your account will be permanently closed, and you will not be able to log in.
  • Note: Information we are legally required to retain (e.g., KYC documents and transaction data for AML purposes) will be stored securely according to the periods listed in Section 7.1, after which it will be permanently deleted. This info will not be used for any other purpose besides regulatory compliance.
  • Your remaining personal information (not legally required to be retained) will be deleted or anonymized within 30 business days.

Alternatively, you may send a deletion request to: privacy@coinbox.co.il.

9. Your Rights

Subject to applicable law (Protection of Privacy Law for Israelis, GDPR for EU residents), you may have the following rights:

  • Right to Access — review the personal data stored with us.
  • Right to Rectification — request correction of inaccurate or incomplete info.
  • Right to Erasure — request deletion of info (subject to regulatory retention obligations under Section 8).
  • Right to Restrict Processing — limit how we use your information.
  • Right to Object — object to processing based on legitimate interest.
  • Right to Data Portability — receive a copy of your structured data (GDPR).
  • Withdraw Marketing Consent — you may opt out of marketing updates via the "unsubscribe" link in any message or by contacting us.

To exercise your rights, contact us at: privacy@coinbox.co.il. We will respond within 30 days, as per applicable law. We may ask to verify your identity before processing the request.

10. Cookies

We use cookies to optimize the platform, analyze usage, and for security purposes. For full details, see our Cookie Policy. You can adjust your browser settings to reject cookies, though this may impair site functionality.

11. Minors

Our Services are not intended or authorized for minors under the age of 18. We do not knowingly collect personal info from minors. If we discover a minor's info was collected, the account will be suspended and info deleted immediately. If you suspect a minor provided us info, contact us immediately: privacy@coinbox.co.il.

12. Tracking and Do Not Track

We do not use data collected from the Services for tracking users across third-party apps/websites (Tracking as defined by Apple's App Tracking Transparency framework). We do not share information with third-party advertisers or data brokers.

13. Push Notifications

If you grant consent, we will send push notifications related to your account activity — e.g., transaction confirmations, security alerts. You can disable these anytime via your device settings.

14. Policy Changes

We reserve the right to update this policy from time to time. We will notify you of material changes via a prominent notice in the app, website, or email. Continued use of the Services after notice denotes acceptance of the updated policy.

15. Contact Details

For any questions, requests, or to exercise your rights, contact us at:

© 2026 All rights reserved to Coinbox Ltd.