Privacy Policy

Plumex.io

Document Control (Privacy Policy)

  • Document: Privacy Policy (Consumers)
  • Version: 1.0
  • Effective date: 16 December 2025
  • Data controller (intended): LMLP consulting, s.r.o. (Czech Republic), IČO 22380949; Spojovací 2604/48, Praha 3, 130 00, Czech Republic
  • Covered domains / services: plumex.io + any official Plumex app(s) (if applicable)
  • Language: English
  • Jurisdiction (intended): Czech Republic / EU GDPR

This Privacy Policy explains how we collect, use, share, and protect personal data when you use the Plumex Platform.

1. Contact

Privacy contact: privacy@plumex.io 

Postal address: LMLP consulting s.r.o., Spojovací 2604/48, Žižkov, 130 00 Prague 3, Czech Republic.

If you contact us on behalf of a company, we may also process business contact details (see Section 3).

2. What personal data we process

We process different categories of personal data depending on how you interact with the platform:

2.1 Data you provide

  • Account and profile data: name, email, phone number, password/credentials (hashed), language and preferences.
  • Identity verification (KYC/KYB) data (where required): identity data (name, date of birth, nationality), government ID document data (type/number/validity), facial image/selfie for liveness/identity matching (where used), proof of address, and information required for AML/CTF checks (e.g., PEP/sanctions declarations, source-of-funds/source-of-wealth prompts).
  • Support and communications: messages, emails, chat logs, complaint details, call recordings (if used and permitted).

2.2 Data we generate or observe

  • Transaction and usage data: deposits/withdrawals, swaps, wallet addresses, transaction IDs, timestamps, fees, limits and risk signals.
  • Security and device data: IP address, device identifiers, login events, session identifiers, browser/user-agent, security logs.
  • Compliance and risk data: screening results, fraud indicators, risk ratings, alerts and case notes.

2.3 Business contact data (B2B)

  • Name, work email/phone, role, employer, and communications with your organisation.

3. Why we process personal data (purposes)

  • Provide and operate the platform and customer support.
  • Identity verification and AML/CTF compliance (KYC/KYB, sanctions/PEP screening, transaction monitoring where required).
  • Security, fraud prevention, and protecting accounts and systems.
  • Process transactions and maintain accurate records (including audit and dispute management).
  • Improve product performance and user experience (analytics only where appropriately enabled/consented).
  • Send service communications (e.g., security notices, changes to terms) and, where applicable, marketing communications based on your choices.

4. Lawful bases (GDPR)

We rely on one or more of the following lawful bases, depending on the context:

  • Contract: to provide the services you request and perform the user agreement.
  • Legal obligation: to comply with AML/CTF, sanctions, tax/accounting, and other applicable laws.
  • Legitimate interests: to secure the platform, prevent fraud, improve services, and manage business operations (balanced against your rights).
  • Consent: for non-essential cookies/trackers and optional marketing where required.

Where we rely on legitimate interests, you can object (see Section 10).

5. How we share personal data

We share personal data only as necessary to provide the services, comply with law, and protect the platform.

5.1 Service providers (processors)

We use vetted service providers under contract, including:

  • Sumsub — identity verification and related verification tooling (processor).
  • SIMPLIFYLABS LTD — licensed software components used within the operating model, where applicable (processor/service provider).
  • Hosting, infrastructure, monitoring and security vendors (processor).
  • Customer support tooling providers (processor).

5.2 Legal and compliance disclosures

  • Regulators, law enforcement, courts or competent authorities where required by law or to protect rights.
  • Professional advisors (legal, accounting, audit) subject to confidentiality.

5.3 Corporate transactions

  • In the event of a merger, acquisition, or asset sale, data may be shared subject to confidentiality and lawful safeguards.

6. International transfers

Your personal data is primarily processed in the European Economic Area (EEA). Some providers may process data outside the EEA. Where international transfers occur, we use appropriate safeguards such as EU Standard Contractual Clauses or rely on adequacy decisions where applicable. You can request information about safeguards by contacting us.

7. Security

We implement technical and organisational measures designed to protect personal data, including access controls, encryption in transit where applicable, logging/monitoring, and vendor due diligence. No method of transmission or storage is 100% secure.

8. Data retention

We keep personal data only as long as necessary for the purposes described in this policy and as required by law.

Data type

Typical retention approach (high-level)

AML/CTF and KYC records

Retained for the period required by applicable AML law (often up to 10 years after the end of the relationship/transaction).

Account and transaction records

For the duration of your account and a reasonable period thereafter for audits, disputes and legal claims.

Support and complaints

For the period needed to resolve the matter and for audit/defence of claims.

Security logs

For a limited period appropriate to security monitoring and incident response.

Where feasible, we anonymise or aggregate data instead of retaining identifiable personal data.

9. Cookies and similar technologies

We use cookies and similar technologies to operate the Websites, maintain security, remember preferences, and—where enabled—perform analytics and marketing measurement. For details about categories, vendors, retention, and how to manage preferences, please see our Cookie Policy and use Cookie Settings on the Websites.

10. Your rights

Depending on applicable law, you may have the right to:

  • Access your personal data and obtain a copy.
  • Rectify inaccurate or incomplete data.
  • Delete data (where applicable).
  • Restrict processing in certain circumstances.
  • Object to processing based on legitimate interests.
  • Data portability (for data processed by automated means on the basis of consent or contract).
  • Withdraw consent at any time (where processing is based on consent).

You may also lodge a complaint with the relevant supervisory authority.

11. Automated decision-making and profiling

We use automated tools to support fraud prevention, sanctions screening and transaction risk monitoring. These tools may generate risk indicators and alerts. We apply governance and controls intended to ensure meaningful human review for decisions that have legal or similarly significant effects, where required by law. You may contest a decision by contacting us.

12. Children

The platform is not intended for children. If you believe a child has provided personal data to us unlawfully, please contact us so we can take appropriate steps.

13. Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date indicates when changes were made. If changes are material, we may notify you via the platform or email.