MENA Privacy Policy

HashKey Privacy Policy

(Last updated on: 4 May 2026)

HashKey Group is a comprehensive digital asset management and financial services group. It also operates globally and provides a range of services including digital asset custody and investment management. HashKey is committed to respecting and protecting your privacy. This Privacy Policy explains how HashKey collects, uses, stores, transfers, shares, or otherwise processes investors’ Personal Data in accordance with applicable data protection laws. Where services are provided to you by any entities within HashKey Group, the entity providing the service will be the data controller. This Privacy Policy applies to all such entities within HashKey Group(including Hash Blockchain Limited and HashKey MENA FZE (“HMF”), but expressly excluding HashKey Bermuda Limited which is governed by a separate Privacy Notice.

Terms used in this Privacy Policy have the following meanings:

• “HashKey” “we”, “us” or “our” should be understood as a reference to [HashKey Digital Asset Group Limited] or the other entities within the HashKey Group;
• “you” or “your” should be understood as a reference to a data subject whose Personal Data we process for the purposes described in this Privacy Policy.
• “Personal Data” refers to all kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously.

For the avoidance of doubt, this Privacy Policy is not a contract and does not itself create any legal rights or obligations.

1.    How We Collect Your Personal Data

For the services and products that we provide, we are likely to ask you to provide Personal Data. If you do not provide the relevant Personal Data (or relevant Personal Data relating to persons appointed by you to act on your behalf), we may not be able to provide the information, products or services you have asked for or process your requests, applications, subscriptions or registrations, as applicable.

In relation to our website, products and services, we will collect and process the following Personal Data about you: (A) information you provide to us directly; and (B) information about you which we obtain from third parties.  It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during the period for which we hold your data.

(A)    Personal Data directly provided by you.  This includes the following information:

•  When you apply, subscribe and register for HashKey products and services or make enquiries to HashKey, we will collect Personal Data about you so that we can process your application, subscription and registration. The information you may be required to provide includes: [your name, telephone number, mobile phone number, address, email address, facsimile number, gender, date of birth, government identifiers, age, job title, bank details, interests and other information you provide via the HashKey website(s) or any other means.
   

(B)   Information that we generate when you use our products or services.  This includes:

• Information in relation to the use of our services or products, including the products or services you have applied for or subscribed to, your investment preferences.
• The information in relation to your browse of our website(s), including the type and version of browser used when you login to our website, resolution, website operating elements, IP address, web browsing information, user’s behavior and preference, statistical data (such as how many times you login to our website) what sites you visited, any documents downloaded, security incidents, prevention measures taken by the gateway, and other basic system/device information.

(C)    Information about you which we obtain from third parties.  This includes the Personal Data provided to us by third-party service providers, business partners, agencies or other publicly available sources where applicable.

2.    How We Use Your Personal Data

We may process your Personal Data in the following ways and for the following purposes:
(a)    processing your applications, subscriptions and registration for HashKey products and services; 
(b)    verifying your identity, including during account opening and authorization of investment, as well as the process of changing your information in our records;
(c)    administering your accounts and provide you with HashKey products and services.
(d)    providing you with the online services available through the HashKey's website(s), through the HashKey Exchange and/or through other telecommunication channels;
(e)    complying with any legal and regulatory obligations and/or internal processes or other information disclosure requirements to disclose information;
(f)    responding to and processing your enquiries and taking further action or or following up as required.
(g)    storing your details (and updating them when necessary) on our database, so that we can contact you in relation to the function or activities of HashKey;
(h)    improving your experience while using our services;
(i)   designing new and/or enhancing existing services, products, activities and/or other events relating to HashKey products or services;
(j)    conducting research, survey and/or analysis from time to time to better understand your needs, preferences, interests, experiences and/or habits;
(k)    subject to having obtained your consent, we may provide direct marketing information to you relating to the products and services provided by us. For example, register you for investor-related events, activities and materials; market and promote existing and future HashKey products or services; provide you with information regarding the market insights in connection with HashKey products or services;
(l)    establishing, exercising or defending any claim or potential claim brought against us;.
(m)    preventing money laundering, financing for terrorism or fraud and/or pursuant to other applicable laws or compliance requirements, which may require, among other things, your Personal Data to be screened against the relevant sanction lists and the processing of such information to check whether you have held any political office or have links with proscribed organizations;
(n)    managing risk, performing creditworthiness and solvency checks, or assessing, detecting, investigating, preventing and/or remediating fraud or other potentially prohibited or illegal activities and otherwise protecting the reputation of our services and products;
(o)    fulfilling the compliance requirements of investor suitability review, qualified investor surveys and other compliance requirements;
(p)    complying with any contract or commitment entered into or any contractual commitment entered into with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial institutions that is assumed by or imposed on us by reason of its financial, commercial, business or other interests or activities in or related to the jurisdiction of the relevant local or foreign legal, regulatory, governmental, tax, law enforcement or other authority, or self-regulatory or industry bodies or associations;
(q)    enabling any due diligence and other appraisals or evaluations for actual or proposed merger, acquisition, financing transactions or joint ventures; and
(r)    any other legitimate business purposes, such as protecting you and other investors from losses, maintaining the security of your account, and protecting any of our other rights and properties or the rights and properties of us.

If we want to use your Personal Data for other purposes not covered by this Privacy Policy, we tell you about that and ensure that the use of your Personal Data complies with the applicable data protection laws.

We will only use your Personal Data when applicable data protection laws allow us to.  Depending on the nature and purposes of processing being carried out, our basis for processing may include:
(a)    we have obtained your consent;
(b)    we need to do so in order to  conclude or perform our contractual obligations with you;
(c)    we have legal and regulatory obligations that we have to discharge;
(d)    we may need to do so in order to establish, exercise or defend our legal rights or for the purpose of legal proceedings; or
(e)    the use of your Personal Data as is necessary for our legitimate interests such as:

• allowing us to effectively and efficiently manage and administer the operation of our business;
• maintaining compliance with internal policies and procedures;
• monitoring the use of our copyrighted materials;
• direct marketing;
• managing our relationship with you;
• offering optimal, up-to-date security solutions for our website, products and IT systems; and
• obtaining further knowledge of current threats to network security.
   

We may utilize automated systems, machine learning, or artificial intelligence technologies to monitor network activity, verify your identity (KYC), and detect anomalous transaction patterns to protect your account and comply with our legal and regulatory obligations.

UAE-Specific Legal Basis for Processing: Under the Federal decree by Law No. (45) of 2021 Concerning the Protection of Personal Data (“UAE PDPL”), the primary lawful basis for processing personal data is consent. However, the UAE PDPL provides specific exceptions where processing may be carried out without consent. These include: processing necessary for public interest, legal claims, employment or social protection obligations, public health, vital interests, contract performance, archiving, research or statistical purposes, and other cases specified in the UAE PDPL Executive Regulations. Legitimate interests, as recognized under the General Data Protection Regulation of the European Union (“EU GDPR”) or the General Data Protection Regulation of the United Kingdom (“UK GDPR”), are not acknowledged under the UAE PDPL and cannot be used as a basis for processing. In practice, this means that for UAE data subjects, processing should either be based on explicit consent or one of the statutory exceptions outlined above. Any reference in this Privacy Policy to “legitimate interests” for UAE purposes should be disregarded or replaced with the relevant UAE PDPL exception.

The above-mentioned legal bases may not be permitted under the data protection laws of each jurisdiction. If local law does not explicitly state that one of the above-mentioned legal bases is permitted, we will not rely on that legal basis for the processing of Personal Data in that jurisdiction. We will ensure that our processing of Personal Data complies with applicable data protection laws.

3.    How does HashKey share your Personal Data

We may share your Personal Data within HashKey Group. We only share necessary personal information subject to the purposes stated in this Privacy Policy and in accordance with applicable data protection laws.

We may also disclose your Personal Data to the following third parties:

(A)    Service providers, agents and contractors acting on our behalf.  We may outsource some services to third-party service providers, agents and contractors (such as legal, financial, management, operation, market surveillance, analytic or technical services) who work on our behalf. Therefore, we may share your Personal Data with such service providers, agents and contractors. These third parties must process the Personal Data in accordance with our contractual agreements and as only permitted by applicable data protection laws.

(B)    Governmental and judicial bodies. As required by law, such as tax reporting requirements and disclosures to regulators or to comply with a subpoena or other legal proceedings, legal actions or government agencies, when the disclosure is necessary to establish, exercise or defend our rights or protect your safety or the safety of others, investigate fraud, or respond to a government request.

(C)    Business Transfer:
(1)    If we sell our business or assets, in which case we may need to disclose your Personal Data to the prospective buyer for due diligence purposes, or if we are acquired by a third party, in which case the Personal Data held by us about you will be disclosed to the third-party buyer; and
(2)    In the event that all or part of our assets are sold or acquired by another party, or in the event of a merger, you grant us the right to assign the Personal Data collected via our services to the buyer or the new entity.
The above mentioned third parties are under an obligation to us or relevant regulators to undertake to keep the information confidential.

4.    How We Use Cookies and Similar Technologies

If you access HashKey's information or services through the HashKey website(s) or the HashKey Exchange (as applicable), you should be aware that cookies are used. Cookies are small text files which are used to record information necessary for the proper functioning of our website. For detailed information on how HashKey uses cookies and similar technologies, please refer to our Cookies Policy.

5.    Third party websites

The HashKey website(s) or the HashKey Exchange may from time to time contain links to other third party websites. These third party websites are independent from the HashKey website(s) or the HashKey Exchange and may have their own terms and conditions and privacy policies which you should review before using  their services. HashKey has no control or management over the contents of such other websites or their privacy policies and is not responsible for the contents of links or third party websites and services. You should be fully aware that the provision of such links does not constitute an endorsement, approval or any form of association by or with HashKey and your use of such third party websites and services is at your own risk.

6.    Cross-border Transfer of Personal Data

HashKey has a global business and our operations are spread around the world including such as Hong Kong SAR, Singapore, Bermuda, Dubai, the EU, the UK. As a result, we collect and transfer Personal Data on a global basis. That means that we may transfer your Personal Data to locations outside of your country. We will ensure that such transfer of your Personal Data takes place subject to this Privacy Policy (unless otherwise agreed by you) and in compliance with applicable data protection laws.

For investors located in European Economic Area (“EEA”) and UK, in case your Personal Data is transferred to countries located outside of EEA and UK, we will ensure that it will be protected in a manner consistent with legal requirements. This can be done in a number of different ways, such as:

(A)    the recipient of the Personal Data is located within a country that benefits from a full “adequacy” decision of the European Commission; 
(B)    the recipient may have adhered to binding corporate rules (only for intragroup transfers);
(C)    the recipient has signed a “model contractual clauses” approved by the European Commission, obliging it to protect your personal information; or
(D)    where the recipient is located in the United States, it is a certified member of the EU-US Data Privacy Framework.

For investors located in other jurisdictions, your Personal Data may also be transferred to other countries where an adequate level of protection is afforded and approved by the relevant data authorities (if applicable), or to countries which may not offer the same level of protection of Personal Data.  HashKey will ensure that such cross-border transfers comply with applicable data protection laws in your jurisdiction and Hashkey will put in place appropriate technical, organizational and/or contractual safeguards, to ensure that such transfer is carried out in compliance with applicable data protection laws and regulations.

You can obtain more details of the protection given to your Personal Data when it is transferred outside your jurisdiction by contacting us using the details set out under the “Contact Us” section below.

7.    Protection of Personal Data

HashKey will take reasonable and practicable steps to ensure the security of your Personal Data and to avoid unauthorized or accidental access, erasure or use for other purposes. This includes physical, technical and procedural security methods, where appropriate, to ensure that your Personal Data may only be accessed by authorized personnel.

All Personal Data provided to HashKey will be securely stored with restricted access by authorized personnel only. We utilize encryption/security software for data transmission so as to protect your data via encrypting it in a secure format to ensure its privacy and security from unauthorized access or disclosure, accidental loss, alteration or destruction.

In addition, we will adopt contractual or other means to prevent any Personal Data transferred to HashKey's data processors (i) from being kept longer than is necessary for processing of the data; and (ii) from unauthorized or accidental access, processing, erasure, loss or use, if HashKey is to engage any data processor. We will impose the mandatory contractual obligations on our data processors in compliance with applicable data protection laws in relevant jurisdiction.

Nevertheless, the transmission of information via the internet is not completely secure. Although HashKey will do its best to protect your Personal Data, HashKey cannot guarantee the security of data transmitted to the HashKey website(s). Once your Personal Data is received, HashKey will use strict procedures and security features to try to prevent unauthorized access.

If you suspect any misuse, loss of or unauthorized access to your Personal Data, please let us know immediately, following the details set out under the "Contact Us" section below.

UAE-specific provisions on Data Breach Notification: To comply with the Virtual Asset Regulatory Authority (VARA) and the VARA Data Protection Rules, HashKey will notify VARA as soon as possible and in any event within twenty-four (24) hours following notification to us of any incident affecting, or potentially affecting, Personal Data by either: (1) Any data regulator, including in the UAE; or (2) A data subject. HashKey will provide VARA with a summary of such incident report and a copy of such incident report if the relevant data regulator is located within the UAE (unless and to the extent prohibited by applicable law as demonstrated by HMF to VARA's satisfaction).

8.    Direct marketing

Where you have given consent and have not subsequently opted out, HashKey may from time to time use your Personal Data (including your name and contact details) to send you direct marketing or promotional communications such as emails containing news, promotions, events and marketing offers. The dispatch of such direct marketing communications may be undertaken by third-party service providers.

If you do not wish to receive further direct marketing or promotional materials from HashKey, you may opt out of receiving direct marketing or promotional communications by contacting HashKey by one of the communication channels set out under the "Contact Us" section below.

9.    Retention of Your Personal Data

We aim to retain your Personal Data no longer than is necessary for the fulfilment of the purposes of collection unless a longer retention period is required or permitted by applicable laws, rules and regulations. The precise length of time will depend on the type of data, nature and sensitivity of data, the purposes of processing, our legitimate business needs, and other legal requirements that may require us to retain it for certain minimum periods.

We may be required to retain certain data for the purposes of tax reporting or responding to tax queries. In other instances, there may be some other legal or risk management requirements to retain data, including where certain data might be relevant to any potential litigation.

Once we have determined that we no longer need to hold your Personal Data, we will delete it from our systems.

UAE-specific provision on Data Retention: Additionally, identity information and special categories of Personal Data may be retained for ten (10) years to comply with the VARA and other UAE regulators' record keeping requirements, as well as UAE anti-money laundering laws.

10.    Your rights

Applicable data protection laws may give you a number of legal rights (see details as follows) in relation to the Personal Data that we hold about you. Not all data protection laws are the same so not all of these rights apply in all locations. Also, some of these rights are subject to qualifications and limitations and exercising these rights may impact on the services that we can provide to you. However, we will take appropriate measures to enable you to control how we use your Personal Data where we can do that.

You have the following data subject rights:
(A)    Right to access.  You have the right to obtain information regarding the processing of your Personal Data and access to the Personal Data which we hold about you.
(B)    Right to rectification.  You have the right to request that we rectify your Personal Data if it is inaccurate or incomplete.
(C)    Right to erasure. You have the right to request that we erase your Personal Data in certain circumstances. Please note that there may be circumstances where you ask us to erase your Personal Data, but we are legally entitled to retain it;
(D)    Right of data portability. In some circumstances, the right to receive some personal information in a structured, commonly used and machine-readable format and/or request that we transmit this information to a third party where this is technically feasible. Please note that this right only applies to Personal Data which you have provided to us.
(E)    Right to withdraw consent.  You have the right to withdraw your consent to our processing of your Personal Data. Please note, however, that we may still be entitled to process your Personal Data if we have another legitimate reason (other than consent) for doing so. For example, we may need to retain your Personal Data to comply with a legal obligation; In addition, if you withdraw your consent, this does not affect the lawfulness of the processing of your Personal Data prior to the withdrawal of your consent. Please note that if you do this, it may impact our ability to provide certain products and services to you.
(F)    Right to object and restrict processing. You have the right to object to, and the right to request that we restrict, our processing of your Personal Data in certain circumstances. There may be circumstances where you object to, or ask us to restrict, our processing of your Personal Data but we are legally entitled to continue processing your Personal Data and/or to refuse that request; and
(G)    Right to lodge a complaint. You have the right to lodge a complaint with the supervisory authority if you think that any of your rights have been infringed by us. For UAE data subjects, you may lodge a complaint with the UAE Data Protection Office.

Whenever feasible for verification, we will match the identifying information provided by you to the Personal Data already maintained by us. If, however, we cannot verify your identity from the information already maintained by us, we may request additional information.

If you would like to exercise any of these rights, or withdraw your consent to the processing of your Personal Data (where consent is our legal basis for processing your Personal Data), you can contact us by using the details set out in the "Contact Us" section below.

11.    Protection of Minors’ Personal Data

Our services and products are designed for adults only. We will not knowingly collect any Personal Data about children.

12.    Changes to the Privacy Policy

HashKey reserves the right from time to time to revise this Privacy Policy. Where any changes to this Privacy Policy are material (e.g., a new purpose for using your Personal Data), HashKey may notify you using the contact details which you have provided to HashKey and by updating and issuing the new version on the HashKey website. However, if the changes are not material subject to applicable data protection laws. HashKey has the right to decide whether or not to notify you by using the contact details you have provided to HashKey. You are advised to check the Privacy Policy periodically and pay attention to its revision (see date of update). After the publication of the new version of this Privacy Policy, your continued use of the HashKey website(s) or your continued relationship with HashKey shall be deemed to be acceptance of and consent (to the extent that consent is the relevant legal basis of processing your Personal Data) to this updated Privacy Policy, as amended from time to time.

13.    Contact Us

If you have any questions or concerns about this Privacy Policy or how HashKey processes your Personal Data, or if you would like to exercise your rights, please contact HashKey's Data Protection Officer by post or by email at dpo@hashkey.com:

• In respect of requests pertaining to HashKey Exchange: