Back to Home
Privacy Policy
1. Introduction
Xepeng (referred to as "we", the "Platform", or "Xepeng") is a platform for trading crypto assets, providing non-custodial/custodial wallets, and other blockchain-related services. This Privacy Policy explains how we collect, use, store, disclose, and protect your Personal Data in accordance with Law No. 27 of 2022 on Personal Data Protection ("PDP Law"), relevant Bappebti regulations, and international standards.
2. Definitions
Personal Data: Any information about an identifiable individual (for example: name, national ID, selfie, wallet address, on-chain transactions, etc.).
User: An individual or legal entity who registers for and uses Xepeng's Services.
3. Personal Data We Collect
a. At registration and during KYC (required under Bappebti Regulation No. 8/2021):
- Full name, place and date of birth, gender
- National ID number (KTP/NIK), photo of ID, selfie holding ID
- Residential address and proof of address (e.g., utility bill)
- Phone number, email, occupation, source of funds
- Facial biometric data (for liveness verification)
b. Transaction & blockchain-related data:
- Public wallet addresses and on-chain transaction history
- IP address, device fingerprint, geographic location
- Transaction volumes, crypto asset balances
c. Automatically collected data (cookies, analytics, tracking):
- Activity logs, login timestamps, browser/OS type
- In-app behavior data (clickstream)
4. Legal Bases for Processing
We process Personal Data based on the following legal grounds:
- Your explicit consent (Article 13 PDP Law)
- Our legitimate interests (e.g., fraud detection, AML/CFT measures)
- Legal obligations (reporting to PPATK, Bappebti, Kominfo, etc.)
- Performance of a contract (providing wallet and trading services)
5. Purposes for Using Data
We use Personal Data to:
- Verify identity (KYC/AML)
- Prevent money laundering and terrorism financing
- Execute buy/sell orders for crypto assets
- Send transaction, security, and promotional notifications (promotions sent only with separate consent)
- Perform internal analytics and product development
- Fulfill reporting obligations to Bappebti and PPATK
6. Disclosure of Personal Data
We may share Personal Data with:
- KYC/AML service providers (e.g., Sumsub, Onfido)
- Partner exchanges and liquidity providers
- PPATK, Bappebti, OJK, the Police, or other authorities when required by law
- External auditors and legal advisors
- Parties involved in mergers, acquisitions, or asset sales
We do not sell your Personal Data.
7. Cross-Border Data Transfers
Personal Data may be processed on servers located outside Indonesia (for example, Singapore or AWS Tokyo). Transfers occur only to countries with adequate protection levels or under standard contractual clauses and with your consent where required.
8. Data Security
We implement technical and organizational measures including:
- AES-256 encryption for data at rest and TLS 1.3 for data in transit
- Cold storage for private keys when custodial services are used
- Two-factor authentication (2FA), withdrawal whitelists, and anti-phishing codes
- Regular penetration testing by certified third parties
9. Data Subject Rights (Article 16 PDP Law)
You have the right to:
- Access, correct, update, or delete your Personal Data
- Withdraw consent (withdrawal may result in account closure)
- Object to or request restrictions on processing
- Request data portability
To exercise these rights, send a request to privacy@xepeng.id. We will respond within 72 hours.
10. Data Retention
- KYC data: retained for 10 years after account closure (in line with Bappebti regulations)
- Transaction data: retained for 5–10 years to meet applicable financial reporting and anti-money-laundering requirements (e.g., PPATK rules)
After the retention period, data will be anonymized or securely destroyed.
11. Cookies & Tracking Technologies
We use essential, functional, and analytics cookies and tools (e.g., Google Analytics, Mixpanel). You may opt out of non-essential cookies via the app's settings.
12. Changes to This Policy
Material changes will be communicated by email and an in-app pop-up at least 14 days before they take effect.
13. Contact