CONSENSO ADVISORY LLC Privacy Policy

Last Updated: June 1, 2026

Important Notice

CONSENSO ADVISORY LLC (hereinafter referred to as "the Company", "we", "us", "our") deeply understands the importance of personal information to you and will make every effort to protect the security of your personal information. The Company is committed to maintaining your trust in us and adheres to the following principles to protect your personal information: the principle of consistency between rights and responsibilities, the principle of clear purpose, the principle of choice and consent, the principle of minimum necessity, the principle of ensuring security, the principle of openness and transparency, and the principle of subject participation.

This Privacy Policy (hereinafter referred to as "this Policy") is a related policy of the CONSENSO ADVISORY LLC Terms of Service and is the unified privacy clause of the Company. It applies to all services provided by the Company through our official website, mobile application, and other digital interfaces (hereinafter collectively referred to as the "Platform"), including but not limited to deposit and withdrawal of digital assets and fiat currency, currency swap transactions, and related auxiliary services.

Please read the entire content of this Policy carefully before using the Company's services. If you do not agree with or cannot understand any content of this Policy, please do not register an account or use any of the Company's services. By registering an account, accessing the Platform, or using the services, you indicate that you have read, understood, and fully accepted this Policy.

This Policy will help you understand the following:

• How the Company collects and uses your personal information
• How the Company uses cookies and similar technologies
• How the Company stores and protects your personal information
• How the Company shares, transfers, and publicly discloses your personal information
• Your rights regarding personal information
• How the Company handles minors' personal information
• Special statement for California residents
• How this Policy is updated
• Dispute resolution
• How to contact the Company

I. How We Collect and Use Your Personal Information

The services we provide rely on your personal information to operate. When you choose to use the Company's services, you need to provide us with or allow us to obtain your personal information.

(A) Information You Voluntarily Provide to Us

When you register an account, use the Company's services, or communicate with us, we may collect the following information that you voluntarily provide:

• Identity Verification Information: Name, date of birth, nationality, type and number of government-issued identification documents (such as passports, ID cards, driver's licenses, etc.), images of identification documents, tax identification information, proof of address, etc. Such information is mainly used to meet Anti-Money Laundering and Counter-Terrorist Financing (AML/CFT) compliance requirements.
• Contact Information: Email address, mobile phone number, mailing address, etc.
• Account Information: Login password, fund password, two-factor authentication (2FA) settings, etc.
• Financial Information: Bank account information, proof of source of funds, transaction records, asset balances, investment experience, financial status, and risk tolerance assessment information, etc.
• Transaction Information: Detailed information of deposit, withdrawal, and swap transaction instructions you submit, including but not limited to transaction time, transaction amount, trading pair, receiving address, etc.
• Communication Records: Correspondence records between you and the Company's customer service team, including emails, online chat records, telephone recordings, etc.

(B) Information We Automatically Collect

When you access the Company's Platform or use the services, we may automatically collect the following technical information:

• Device Information: IP address, device identifier, operating system version, browser type and version, screen resolution, etc.
• Usage Information: Login time, access duration, clickstream data, page interaction information, function usage, etc.
• Log Information: Automatic log records of our Platform servers, including the time and date you access the Platform, pages visited, referring URL, error logs, etc.
• Location Information: Approximate geographic location inferred from your IP address. If you authorize the provision of precise location information, we may optimize the services accordingly.

(C) Information Obtained from Third Parties

To the extent permitted by applicable laws and regulations, we may obtain your information from the following third-party sources:

• Identity Verification Service Providers: To complete the compliance identity verification process, we may obtain verification result information from third-party identity verification service providers.
• Sanctions Lists and Compliance Databases: To fulfill compliance obligations, we query sanctions lists issued by government agencies, Politically Exposed Persons (PEP) databases, and other public or commercial compliance data sources.
• Blockchain Networks: Due to the transparency of digital asset transactions, we may obtain public on-chain transaction information related to your account addresses from blockchain networks.
• Affiliated Third-Party Service Providers: Such as payment processing institutions, banking partners, etc., who may provide us with transaction status information when you use related functions.

(D) Purposes for Which We Use Your Personal Information

We process your personal information only when necessary for the following purposes:

• Providing Services and Performing Contracts: Processing your account registration, deposit, withdrawal, swap transaction and other instructions; maintaining account security and preventing unauthorized access; providing customer support and after-sales service.
• Fulfilling Compliance Obligations: Conducting identity verification, transaction monitoring, risk assessment, and reporting to regulatory authorities in accordance with applicable anti-money laundering, counter-terrorist financing, sanctions screening and other laws and regulations.
• Service Improvement and Analysis: Analyzing Platform usage, optimizing user experience, fixing technical issues, and preventing fraud and cybersecurity risks.
• Legal Compliance and Rights Protection: Complying with court orders, regulatory requirements, or mandatory provisions of applicable laws; establishing, exercising, or defending legal claims; investigating or responding to potential illegal activities.
• Communication and Notification: Sending you service notifications, security reminders, policy updates, and product information that may be of interest to you (you may opt out of marketing communications at any time).

(E) How We Process Sensitive Personal Information

Sensitive personal information refers to personal information that, if leaked, illegally provided, or abused, may endanger personal and property safety, easily lead to damage to personal reputation, physical and mental health, or discriminatory treatment, including but not limited to ID numbers, personal biometric information, bank account numbers, property information, transaction information, and location tracks.

The Company processes your sensitive personal information only in the following circumstances:

• As necessary to fulfill statutory compliance obligations such as anti-money laundering and counter-terrorist financing;
• As necessary to provide the digital asset financial services you actively request;
• Other circumstances explicitly permitted by laws and regulations.

Before processing sensitive personal information, we will inform you of the purpose, method, and scope of processing and obtain your separate consent (except as otherwise provided by laws and regulations).

II. How We Use Cookies and Similar Technologies

• Cookies: When you access the Company's Platform, we may collect your usage preferences, login status, and other information through cookies to provide a smoother and safer browsing experience.
• Functions and Purposes: We use session cookies (which expire after you close your browser) to maintain your login status; we use persistent cookies (which remain on your device for a longer period) to record your preference settings and security tokens.
• Your Choices: You can refuse or delete cookies through your browser settings, but please note that disabling cookies may cause some functions of the Platform to not work properly.
• Other Tracking Technologies: We may use web beacons, pixel tags, and similar technologies to analyze Platform traffic and user behavior patterns. This information is anonymous statistics and does not directly identify your personal identity.

III. How We Store and Protect Your Personal Information

(A) Storage Location

The personal information you provide may be transferred to and stored in the United States and other countries or regions where the Company's affiliates or their service providers are located. The data protection laws of these countries may differ from those of your country. By using the Company's services, you consent to the cross-border transfer of your personal information as described in this Policy. In such cases, we will take appropriate technical, organizational, and contractual safeguards (such as standard contractual clauses) to ensure that your personal information receives an equivalent level of protection as required by applicable laws.

(B) Storage Period

We will retain your personal information for no longer than necessary to achieve the purposes for which it was collected, unless laws and regulations require or allow a longer retention period. Generally:

• Account information is retained continuously while you hold a valid account;
• The retention period for transaction records and compliance-related information shall meet applicable anti-money laundering, tax, and other regulatory requirements (usually not less than five years after account closure);
• We may retain relevant information until the relevant matters are resolved only when required for legal disputes or regulatory investigations.

When information retention is no longer necessary, we will anonymize or securely destroy the information.

(C) Data Protection Measures

We adopt industry-standard security measures to protect your personal information from unauthorized access, use, disclosure, alteration, or destruction, including but not limited to:

• Transmission Encryption: The website and application use TLS/SSL encryption protocols to protect the security of data during transmission.
• Storage Encryption: Personal information stored at rest is protected by AES-256 or equivalent strength encryption.
• Access Control: A strict internal permission management system that grants employees access rights based on the "minimum necessary principle" and records all access logs.
• Technical Protection: Deploy multi-layer security protections such as firewalls, intrusion detection systems (IDS), and anti-malware systems.
• Security Audits: Regular security vulnerability scans and penetration tests to continuously improve security measures.
• Personnel Management: Regular data security and privacy protection training for employees and signing of confidentiality agreements.

Despite the above measures, please note that no method of transmission over the Internet or electronic storage is 100% absolutely secure. You should properly safeguard your account password and two-factor authentication information and avoid disclosing them to any third party. The Company will never ask you for your account password or verification code for any reason.

(D) Security Incident Response

In the unfortunate event of a personal information security incident, we will, in accordance with the requirements of applicable laws and regulations, promptly inform you of the basic situation of the security incident, the possible impact, the disposal measures taken or to be taken, suggestions for you to independently prevent and reduce risks, and remedial measures after becoming aware of the security incident. We will inform you of the incident handling situation by email, Platform announcement, or other means; if it is difficult to inform you one by one, we will issue a public announcement. At the same time, we will proactively report the handling of the security incident in accordance with the requirements of regulatory authorities.

IV. How We Share, Transfer, and Publicly Disclose Your Personal Information

(A) Sharing

We will not share your personal information with any third party outside the Company except in the following circumstances:

• Sharing to Provide Requested Services: We may share necessary information with third-party service providers who assist us in providing services (such as identity verification service providers, payment processing institutions, cloud storage service providers, blockchain node service providers, data analysis service providers, etc.). These service providers are only permitted to process your personal information to the extent necessary to provide services to us and are contractually bound to protect the security of your information.
• Sharing with Affiliates: Based on business operation needs, we may share your personal information with the parent company, subsidiaries, and affiliates of CONSENSO ADVISORY LLC. When affiliates process your information, they will comply with this Policy and adopt the same level of security protection measures.
• Sharing Required by Law: When laws, regulations, legal procedures, or government mandatory requirements require us to disclose your personal information, we will share necessary information with relevant law enforcement agencies, regulatory authorities, courts, or other government departments in accordance with the law.
• Protecting the Legitimate Rights and Interests of the Company and Users: In reasonably necessary circumstances, we may share your information with relevant institutions to detect, prevent, and address fraud, security vulnerabilities, technical issues, or respond to potential illegal activities.
• Corporate Transactions: If the Company is involved in transactions such as mergers, acquisitions, asset sales, financing, or bankruptcy liquidation, your personal information may be transferred as part of the transaction assets. We will notify you in advance through Platform announcements or emails and require the new holder to continue to abide by the terms of this Policy, unless you agree otherwise.
• Other Circumstances with Your Explicit Consent: With your explicit authorization and consent, we may share your information within the authorized scope.

We do not sell your personal information to any third party. Without your explicit consent, we will not use your personal information for other purposes not directly related to the purpose of collection.

(B) Transfer

We will not transfer your personal information to any company, organization, or individual except in the following circumstances:

• After obtaining your explicit consent;
• In transactions involving the transfer of personal information such as company mergers, acquisitions, or bankruptcy liquidation, we will require the new holder to continue to abide by the terms of this Policy; if the new holder changes the purpose or method of personal information processing, we will re-obtain your consent.

(C) Public Disclosure

We will not publicly disclose your personal information except in the following circumstances:

• After obtaining your explicit consent;
• As required by law or regulation;
• Statistical information that has been anonymized with security measures and cannot be reverse-identified to a specific individual.

(D) Special Nature of Blockchain Networks

Please pay special attention: The transaction records of your digital asset deposit, withdrawal, and transaction operations on the Company's Platform (including but not limited to your blockchain address, transaction amount, transaction time, etc.) will be recorded on the corresponding blockchain network. A blockchain network is a public distributed ledger, which is immutable once recorded and generally available for anyone to query. Due to the public nature of blockchain networks, we cannot control or prevent third parties from accessing these on-chain records. Before using the services, you should fully understand and voluntarily assume the public risk of personal information and transaction records caused by the inherent characteristics of blockchain technology.

V. Your Rights Regarding Personal Information

In accordance with applicable laws and regulations, you have the following rights regarding your personal information. We will make every effort to protect the exercise of your rights.

(A) Right of Access and Rectification

You have the right to access and review the personal information we collect about you and to request correction or supplementation when you find that the information is inaccurate or incomplete.

(B) Right to Erasure

In the following circumstances, you may submit a request to us to delete your personal information:

• The purpose for which we processed the personal information has been achieved, cannot be achieved, or is no longer necessary;
• You withdraw your consent, and we have no other legal basis to continue processing;
• You have successfully exercised your right to object to processing;
• Our processing of personal information violates applicable laws and regulations;
• Other circumstances stipulated by laws and regulations.

Please note: Even if you request the deletion of information, we may still need to retain necessary personal information (including but not limited to transaction records, identity verification records, etc.) within the period permitted by law to fulfill legal and regulatory obligations such as anti-money laundering, tax declaration, and dispute resolution.

(C) Right to Restriction of Processing

In specific circumstances (such as when you dispute the accuracy of the information, the processing behavior is illegal, etc.), you have the right to request us to restrict the processing of your personal information.

(D) Right to Data Portability

To the extent required by applicable law, you have the right to receive the personal information you provided to us in a structured, commonly used, and machine-readable format and to transmit that information to another data controller (where technically feasible).

(E) Right to Withdraw Consent

For information processing based on your consent, you have the right to withdraw your consent at any time. After withdrawing consent, we will no longer process the corresponding information. However, please note that withdrawing consent does not affect the legality of information processing behaviors based on consent before the withdrawal, and may also result in you being unable to continue using some or all of the services that rely on such information.

(F) Right to Object

In specific circumstances, you have the right to object to our processing of your personal information based on legitimate interests, including refusing to receive direct marketing communications.

(G) Right to Complain

You have the right to file a complaint with the data protection regulatory authority in your jurisdiction regarding our personal information processing practices.

How to Exercise Your Rights

If you wish to exercise any of the above rights, please contact us through the contact information at the end of this Policy. To verify your identity, we may require you to provide necessary information to confirm that you are the rightful owner of the relevant information. We will respond to your request within the time limit prescribed by applicable law (usually within 30 days after receiving a fully verified request), except as otherwise provided by laws and regulations. The exercise of the above rights is free of charge unless the request is manifestly unfounded or excessive.

VI. How We Handle Minors' Personal Information

The Company's services are only available to individuals who are at least 18 years old and have full civil capacity.

We will not knowingly collect personal information from minors under the age of 18. If you are a minor, please do not register an account or use any of the Company's services.

If we discover that we have inadvertently collected personal information from a minor, we will immediately take reasonable measures to delete such information from our records and cancel the relevant account. If you are the guardian of a minor and believe that we may have incorrectly collected the minor's information, please notify us immediately through the contact information at the end of this Policy.

For users who are 18 years old or older but have not reached the legal age of majority in their jurisdiction, you confirm that you have reached the minimum age allowed to use the Company's services under the laws of your jurisdiction and use the services under the guidance of your legal guardian.

VII. Special Statement for California Residents

This section applies only to "California residents" as defined by the California Consumer Privacy Act (CCPA, as amended by the California Privacy Rights Act (CPRA), hereinafter referred to as "CCPA").

(A) Categories of Personal Information We Collect

In the past 12 months, we may have collected the following categories of personal information as defined by the CCPA:

• Identifiers: Name, mailing address, email address, IP address, government-issued identification numbers (such as passport, driver's license numbers), account names, etc.
• Protected Characteristics Under California or Federal Law: Age (40 years and older), citizenship status, etc. (only as required for compliance).
• Commercial Information: Records of products or services purchased, obtained, or considered, other consumption history or tendencies.
• Biometric Information: Facial images or audio recordings collected during the identity verification process (only in cases where you explicitly provide and consent).
• Internet or Other Electronic Network Activity Information: Browsing history, search history, information about your interaction with the Platform (such as clickstream data).
• Geolocation Data: Approximate location inferred from IP address.
• Audio, Electronic, Visual, Thermal, Olfactory, or Similar Information: Customer service call recordings.
• Inferences Drawn from the Above Information: Inferences reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes.

(B) Categories of Sources of Information

We collect personal information from the following categories of sources:

• You directly;
• Identity verification service providers and compliance databases;
• Technical information automatically recorded by our Platform;
• Public records of blockchain networks;
• Other third parties authorized by you.

(C) Purposes of Use

The business or commercial purposes for which we collect personal information are detailed in Part I of this Policy.

(D) Sale and Sharing of Personal Information

As defined by the CCPA, we do not "sell" personal information and have not sold personal information in the past 12 months. Regarding the "sharing" of personal information (meaning the disclosure of personal information to third parties for cross-context behavioral advertising): We do not currently use your personal information for such purposes.

(E) Rights of California Residents

Under the CCPA, California residents have the following rights:

• Right to Know: Request us to disclose detailed information about the collection, use, disclosure, sale, or sharing of your personal information.
• Right to Delete: Request the deletion of your personal information collected by us (subject to statutory exceptions).
• Right to Opt-Out: If we sell personal information or use it for cross-context behavioral advertising, you have the right to opt out of such processing. We do not currently engage in such activities.
• Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your CCPA rights (such as being denied service or charged different prices).

(F) How to Exercise Your Rights

California residents may submit requests through the contact information at the end of this Policy. To verify your identity, we may require you to provide your name, email address, and account-related information. If you designate an authorized agent to submit a request on your behalf, the agent must provide a signed authorization from you and undergo identity verification.

Financial Incentive Programs: We do not currently offer financial incentive programs that require additional notice under the CCPA.

VIII. Note on Do Not Track

"Do Not Track" (DNT) is a privacy preference signal supported by some browsers. Because the technical implementation and interpretation of DNT signals have not been unified by different organizations, the Company does not currently respond to DNT signals. You can manage your cookie and tracking preferences through your browser settings.

IX. How This Policy Is Updated

The Company reserves the right to revise this Policy from time to time. Any changes to this Policy will be notified to you in the following ways:

• Publish the new version of the Privacy Policy in a prominent position on the Platform and update the "Last Updated" date;
• For material changes (such as fundamental changes to processing purposes or methods), we will send you a prominent notice by email or Platform pop-up before the changes take effect.

Material changes include but are not limited to: major changes in the service model; significant adjustments to the purpose or method of personal information processing; changes in the main objects of personal information sharing, transfer, or public disclosure; significant changes in the way you exercise your information rights; changes in the contact information for personal information protection affairs.

If you do not agree with the revised Policy, you should stop using the Company's services and cancel your account. Your continued use of the services after the changes take effect shall be deemed as your understanding and agreement to be bound by the revised Privacy Policy.

X. Dispute Resolution

Any dispute arising from or related to this Privacy Policy shall first be resolved through friendly negotiation between the parties; if negotiation fails, either party shall have the right to submit the dispute to the American Arbitration Association (AAA) for arbitration in accordance with its Commercial Arbitration Rules in effect at the time the arbitration is filed. The place of arbitration shall be New York City, New York, United States. The arbitral award shall be final and binding on both parties. Arbitration shall replace the right to file a lawsuit in court or have a jury trial.

The parties agree to arbitrate on an individual basis and waive the right to resolve disputes through class actions, representative actions, joint actions, or any other similar manner. Without the written consent of the other party, neither party may consolidate or join arbitration claims with those of any other party or person.

Unless otherwise provided by law, each party shall bear its own attorneys' fees, expert fees, and other arbitration-related costs, and arbitrator fees and administrative fees of the arbitration institution shall be shared in accordance with AAA rules.

This dispute resolution clause is consistent with the arbitration agreement in the Company's Terms of Service. If there is any inconsistency between this Policy and the Terms of Service regarding dispute resolution, the Terms of Service shall prevail.

XI. How to Contact the Company

If you have any questions, comments, or requests regarding this Policy, or wish to exercise your privacy rights, please contact us through the following methods:

Platform Support: [Platform URL or Help Center Link]

Data Protection Officer: Privacy Officer, CONSENSO ADVISORY LLC

Generally, we will complete identity verification and respond within 30 calendar days after receiving your request. If your request is complex or submitted in large numbers, the response time may be extended to 60 calendar days, and we will notify you in writing of the extension period and reasons.

If you are dissatisfied with the way we handle your personal information, you have the right to file a complaint with the data protection regulatory authority in your jurisdiction. We will take your privacy concerns seriously and strive to resolve disputes in a fair and timely manner.

Appendix: Applicable Laws and Compliance Framework

This Privacy Policy complies with the following main legal frameworks:

• U.S. Gramm-Leach-Bliley Act (GLBA) and its Privacy and Safeguards Rules
• U.S. Fair Credit Reporting Act (FCRA) and its Identity Theft and Data Disposal Rules
• Section 5 of the U.S. Federal Trade Commission Act (FTC Act) (prohibiting unfair or deceptive acts or practices)
• U.S. Children's Online Privacy Protection Act (COPPA)
• U.S. Bank Secrecy Act (BSA) and related financial privacy obligations
• U.S. California Consumer Privacy Act (CCPA/CPRA)
• New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)
• New York State Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR 500)