Privacy Policy

About This Policy

1. Introduction and Who We Are

This Privacy Policy ("Policy") describes how PressX Global Corporation ("PressX", "we", "us", or "our") collects, uses, shares, retains, and protects information about you when you access or use the PressX platform, including our website at pressx.com, our mobile applications, our cryptocurrency exchange services, our prediction markets platform, and all related services (collectively, the "Services"). PressX Global Corporation is a corporation incorporated under the laws of the Republic of Panama, registered under Public Deed Number 1,848 dated January 27, 2026, before the Third Notary of the Panama Circuit, with its registered office care of PARALELAW (CUR: PJ-0025059674-08548), San Francisco, 74th Street, Midtown Building, 16th Floor, Office 1601, Panama City, Republic of Panama.

PressX acts as the data controller in respect of personal data processed under this Policy. Where we use third-party service providers to process personal data on our behalf, those providers act as data processors under our instruction. Where third parties collect and process your personal data for their own independent purposes, they act as separate data controllers, and their own privacy policies apply.

Please read this Policy carefully. By using our Services, you acknowledge that you have read and understood how we process your personal data as described here. If you do not agree with this Policy, you must not use our Services.

2. Scope of This Policy

This Policy applies to all individuals who interact with PressX, including registered account holders using our cryptocurrency exchange, users who connect wallets to access our prediction markets platform, visitors to our website, applicants for employment, and any other person whose personal data we process in connection with the operation of our business.

This Policy does not apply to the data practices of third-party services, payment partners, or blockchain networks that you interact with independently. Where our Services contain links to or integrations with third-party platforms, those platforms are governed by their own privacy policies.

THIS POLICY IS INCORPORATED INTO AND FORMS PART OF PRESSX'S TERMS AND CONDITIONS, AVAILABLE AT PRESSX.COM/LEGAL. CAPITALISED TERMS NOT DEFINED IN THIS POLICY HAVE THE MEANINGS GIVEN TO THEM IN THE TERMS AND CONDITIONS.

3. Changes to This Policy

We may update this Policy from time to time to reflect changes in our data practices, applicable law, or our Services. If we make material changes that adversely affect your rights, we will use reasonable efforts to provide at least fourteen (14) days' notice by email to your registered address, by in-app notification, or by prominent posting on our website, before the changes take effect. Non-material updates will be effective upon posting. Where a change is required urgently to address an imminent security threat, comply with a legal obligation that takes effect immediately, or respond to a regulatory direction that prohibits advance disclosure, we may implement the change immediately and provide notice as soon as permitted, and in any event within seventy-two (72) hours of the change taking effect. Once a new version of this Policy takes effect, it governs all ongoing relationships between PressX and its users going forward, including existing account holders. The version of this Policy currently displayed at pressx.com/privacy is the version applicable to all active relationships. We will always display the effective date of the current version at the top of this page and at pressx.com/privacy. For the avoidance of doubt, this Policy constitutes a privacy notice describing how we process your data. Where applicable law requires your consent as a legal basis for specific processing activities (such as marketing communications or non-essential cookies), that consent will be sought separately and specifically — your acknowledgement of this Policy does not itself constitute consent to any such processing.

Data We Collect

4. Information You Provide to Us

We collect information that you actively provide when you register for an account, use our Services, or communicate with us. This includes:

4.1 Account Registration and Identity Verification

To use our cryptocurrency exchange services, you are required to complete identity verification (KYC). In this context we collect: your full legal name; date of birth; nationality and country of residence; government-issued photo identification (such as a passport, national identity card, or driving licence), including the document number, issuing country, and expiry date; proof of residential address (such as a utility bill or bank statement); a selfie or liveness check photograph for document verification; source of funds information; and, where applicable, information relating to your status as a politically exposed person (PEP) or your relationship to one.

4.2 Prediction Market Access

To access our prediction markets via Web3 wallet connection, no account registration or identity documents are required upfront. However, if your activity triggers our AML thresholds as described in our Terms and Conditions, we may request identity information as set out in Section 4.1. In all cases, we collect your wallet address when you connect to our platform.

4.3 Financial Information

We collect information necessary to process your transactions, including bank account details or card information provided for fiat deposits and withdrawals (payment card data is handled by our PCI-DSS compliant payment processors — we do not store full card numbers); cryptocurrency wallet addresses; transaction history; deposit and withdrawal records; and trading and position history on both the exchange and prediction markets.

4.4 Communications

When you contact us for support, compliance, or legal purposes, or when you submit feedback, we collect the content of your communications, your contact information, and any attachments or evidence you provide. We may also collect records of any disputes, complaints, or enforcement actions relating to your account.

4.5 Voluntary Information

You may optionally provide profile information, preferences, or referral details. Participation in surveys, promotions, or beta programmes may involve collection of additional information, which will be disclosed at the time of collection.

5. Information We Collect Automatically

When you access or use our Services, we and our third-party service providers automatically collect certain technical and usage information:

5.1 Device and Technical Data

We collect your IP address; device identifiers (including device fingerprint); browser type, version, and language; operating system; screen resolution; time zone; referral URL; and the pages, features, and content you access on our platform, together with timestamps of your interactions.

5.2 Usage and Behavioural Data

We collect information about how you use our Services, including trading patterns, order types, session duration, search queries, and feature usage. This data is used to improve our platform, detect fraud and market manipulation, and personalise your experience.

5.3 Location Data

We collect your approximate geographic location derived from your IP address for the purpose of enforcing geographic restrictions and detecting potential circumvention of those restrictions. We do not collect precise GPS-level location data as part of our standard Services. If a future feature requires device-level location access, we will request your explicit permission, describe the specific purpose at the time of the request, and this Policy will be updated to describe how that data is collected, used, retained, and with whom it is shared before any such feature is made available. IP-derived location data is retained in accordance with the device and technical data retention period in Section 14.

5.4 Cookies and Tracking Technologies

We use cookies, web beacons, pixels, and similar technologies to collect information about your browser sessions and interactions with our Services. Please see Section 16 for full details of our cookie practices.

6. Information From Third Parties

We may receive information about you from third parties in the following circumstances:

6.1 Identity Verification Providers

We use regulated third-party identity verification and KYC providers to verify the identity documents you submit. These providers return verification results, risk scores, and flags to us. The data we receive is used for compliance, fraud prevention, security, and risk management purposes in connection with the operation of our Services. We do not use KYC verification data for marketing or advertising purposes.

6.2 Sanctions and AML Screening

We use third-party services to screen your identity, wallet addresses, and transaction counterparties against international sanctions lists, PEP databases, adverse media sources, and blockchain intelligence databases. Information returned by these services informs our risk assessment and compliance decisions.

6.3 Payment and Banking Partners

Our third-party fiat banking and payment partners may share information about your payment transactions with us for the purposes of: processing deposits, withdrawals, and Payment Reversals; transaction authorisation and settlement; fraud screening and alerts relating to payment activity; AML and sanctions holds or flags triggered by your payment activity; and compliance screening required by the payment partner under their own regulatory obligations. We do not control the data practices of independent payment partners acting as separate data controllers; their collection and use of your payment data is governed by their own privacy policies.

6.4 Publicly Available Information

We may collect publicly available information about you from public records, news media, or other open sources where relevant to our AML, fraud prevention, or compliance obligations.

7. Blockchain and On-Chain Data

PressX operates services that interact with public blockchain networks. Blockchain transactions are publicly recorded and inherently transparent. Information you submit to a blockchain — including wallet addresses, transaction amounts, and timestamps — is permanently and publicly visible on the relevant blockchain network and cannot be deleted by PressX or anyone else.

We collect on-chain data associated with wallet addresses that interact with our platform, including transaction history, token balances, and counterparty wallet addresses, using blockchain analytics tools. This data is used for AML monitoring, fraud detection, and sanctions screening. While wallet addresses are pseudonymous, they may be linked to your identity if you have completed identity verification on our platform or if such a link is established through transaction analysis or third-party intelligence sources.

How We Use Your Data

8. Purposes and Legal Bases for Processing

We process your personal data only where we have a valid legal basis to do so, and in accordance with the following data protection principles: (i) data minimisation — we collect only what is adequate, relevant, and limited to what is necessary for the purposes described; (ii) accuracy — we take reasonable steps to ensure that the personal data we hold is accurate and, where necessary, kept up to date, and we will promptly correct inaccurate data when brought to our attention; (iii) storage limitation — we do not retain personal data for longer than necessary for the purposes for which it was collected, as set out in Section 14; and (iv) integrity and confidentiality — we implement appropriate technical and organisational measures to protect personal data against unauthorised processing and accidental loss, as described in Section 15. We do not collect personal data speculatively or in excess of what is required to deliver our Services and meet our legal obligations. The legal bases we rely on are set out below. Users in the European Economic Area (EEA), United Kingdom, and Switzerland have the right to object to processing based on legitimate interests, as described in Section 18.

8.1 Contract Performance

We process the following categories of data because processing is necessary to provide our Services to you under our Terms and Conditions: account registration and verification data; KYC and identity documents (exchange users); wallet connection data (prediction market users); transaction data; fiat deposit and withdrawal processing; trading history; fee calculation and deduction; provision of account statements and history; and communications relating to your account, disputes, or transactions.

8.2 Legal Obligation

We process the following data because we are required to do so under applicable law, including AML, CTF, sanctions, tax, and financial regulation: identity verification and KYC data; source of funds information; sanctions and PEP screening records; transaction monitoring records and suspicious activity reports (SARs); Travel Rule originator and beneficiary information; data retained for regulatory reporting; and records required by court orders or law enforcement requests. Where our legal obligations require us to process special categories of personal data — in particular, biometric data collected as part of identity verification (liveness checks) — we rely on Article 9(2)(g) GDPR (processing necessary for reasons of substantial public interest under applicable AML and financial crime prevention law) as the additional legal basis for that processing, in conjunction with our obligations under applicable AML, KYC, and financial regulation. Where required by applicable law, we also rely on the explicit consent of the data subject as a supplementary basis for biometric processing.

8.3 Legitimate Interests

We process certain data on the basis of our legitimate interests, where those interests are not overridden by your privacy rights: fraud detection and prevention (including card testing, account takeover, and transaction fraud); payment reversal and chargeback investigation and handling, including sharing transaction evidence with payment processors, card networks, and banks for the purpose of representment in chargeback disputes; debt recovery and collections in connection with negative balances, Payment Reversals, and erroneous credits; setoff and netting of amounts owed across your PressX accounts and products; market manipulation and integrity monitoring; platform security and access control; improvement of our Services through usage analytics; network and information security; risk management; defending legal claims and litigation; and communicating with you about material changes to our Services. Before relying on legitimate interests, we conduct a balancing assessment to ensure that our interests do not override your fundamental rights. You may request a copy of our legitimate interests assessment for any specific processing activity by contacting privacy@pressx.com.

8.4 Consent

Where we rely on your consent — for example, for certain marketing communications or the placement of non-essential cookies — we will ask for your explicit agreement. You may withdraw your consent at any time, and withdrawal does not affect the lawfulness of processing carried out before withdrawal. To withdraw consent, contact privacy@pressx.com or use the unsubscribe mechanism in any marketing email.

9. Marketing and Communications

• 9.1Service Communications: We will send you transactional and service-related communications that are necessary for the performance of our contract with you and the administration of your account. These include account confirmation and security alerts, transaction receipts and notifications, identity verification requests, notices of changes to our Terms, Privacy Policy, or fee schedule, compliance-related communications, and responses to your support requests. Under applicable law, these communications are classified as transactional or service messages and may be sent without separate marketing consent. However, to the extent that applicable law in your jurisdiction requires consent for any specific category of electronic communication, we will seek that consent separately. These communications cannot be fully opted out of while your account is active, as they are necessary to operate and secure your account.
• 9.2Marketing Communications: With your consent (where required by applicable law), we may send you promotional communications about new features, products, prediction market events, and offers. You may opt out at any time by clicking the unsubscribe link in any marketing email, by adjusting your notification preferences in your account settings, or by contacting privacy@pressx.com. We will process opt-out requests as promptly as practicable and in all cases within ten (10) business days. EEA, UK, and Swiss users exercising their absolute right to object to direct marketing under GDPR Article 21(2) will have that objection actioned immediately upon receipt, as required by that provision — the ten (10) business day window above applies to general opt-out requests only and does not limit or defer the Art 21(2) absolute right.
• 9.3No Sale of Data for Marketing: PressX does not sell your personal data to third-party advertisers or data brokers for marketing purposes. We do not permit third parties to use your personal data for their own marketing purposes without your explicit consent.

10. Automated Decision-Making and Profiling

We use automated systems to assess compliance risk, detect fraud, and enforce geographic restrictions. These systems analyse transaction patterns, device data, wallet behaviour, and identity information to generate risk scores and compliance flags. In some cases, automated decisions may result in: your account being flagged for enhanced review; a withdrawal hold being applied; a transaction being blocked or rejected; or your access to certain services being restricted.

Where a significant decision affecting your rights or access to Services is made by an automated system, you have the right to request human review of that decision by contacting compliance@pressx.com. PressX will use reasonable efforts to acknowledge your request within two (2) business days and to provide a substantive response within ten (10) business days of receipt, though in complex cases involving ongoing regulatory or law enforcement proceedings these timescales may be extended, with notice to you. Where the automated decision results in an account suspension or withdrawal restriction, PressX will treat the review as a priority matter. This right does not apply where the decision is necessary for the performance of a contract with you, is required by applicable law, or is based on your explicit consent. The outcome of the human review will be communicated to you in writing.

Data Sharing and Transfers

11. Who We Share Your Data With

We do not sell your personal data. We share your personal data only as described below:

11.1 Service Providers and Data Processors

We engage third-party service providers to assist with the operation of our Services. These providers process your data only on our behalf and under our instructions. We enter into written Data Processing Agreements (DPAs) with all processors as required by GDPR Article 28 and equivalent applicable law. These agreements require processors to: implement appropriate technical and organisational security measures; process data only on our documented instructions; assist us in fulfilling our obligations to data subjects; delete or return data at the end of the service relationship; and provide us with all information necessary to demonstrate compliance. The categories of service providers we use are: KYC and identity verification providers; AML and sanctions screening providers; blockchain analytics companies; cloud infrastructure and hosting providers; payment and banking partners; customer support platform providers; fraud detection and cybersecurity vendors; and data analytics and product improvement providers. These categories constitute the recipients (or categories of recipients) of your personal data for the purposes of your rights under applicable data protection law. If you wish to obtain the names of specific processors currently engaged in a particular category, you may request this by contacting privacy@pressx.com.

11.2 Regulators, Law Enforcement, and Legal Process

We may disclose your personal data to regulatory authorities, financial intelligence units, law enforcement agencies, courts, or other government bodies where: (a) we are required to do so by a legal obligation, court order, or lawful regulatory direction; (b) disclosure is necessary for the prevention, investigation, detection, or prosecution of criminal offences, or the execution of criminal penalties; (c) disclosure is necessary to protect the vital interests of you or another person; or (d) we are permitted to do so under applicable AML, CTF, or sanctions law, including for the purpose of filing suspicious activity reports (SARs). In all cases we apply a proportionality assessment before voluntarily disclosing personal data. We are legally prohibited from notifying you if a SAR has been filed in connection with your account (tipping-off prohibition).

11.3 Travel Rule Counterparties

Where required by the FATF Travel Rule or equivalent applicable regulation, we may share originator and beneficiary information (including name, wallet address, and account number) with the virtual asset service provider (VASP) receiving or sending funds in connection with your transfer. This sharing is a legal obligation and cannot be opted out of.

11.4 Professional Advisors

We may share information with our legal advisors, auditors, accountants, and insurers, subject to appropriate professional confidentiality obligations, for the purpose of obtaining professional advice and managing our legal, financial, and insurance affairs.

11.5 Business Transfers

In the event of a merger, acquisition, reorganisation, sale of assets, or insolvency proceeding involving PressX, your personal data may be transferred to the acquiring or successor entity. We will notify affected users of any such transfer that results in a material change to how your data is processed within thirty (30) days of the transfer completing, in accordance with Section 3 and our obligations under GDPR Articles 13 and 14. See Section 13 for full details of our obligations in this context.

11.6 With Your Consent

We may share your data with third parties for purposes not described in this Policy where we have your explicit prior consent.

11.7 Credit Reference Agencies

PressX does not currently share your personal data with credit reference agencies for credit assessment purposes. If this practice changes, we will update this Policy and provide appropriate notice in accordance with Section 3.

12. International Data Transfers

PressX is incorporated in Panama and processes data in multiple jurisdictions, including through cloud infrastructure providers whose servers may be located in the European Economic Area, the United States, and other countries. When we transfer personal data from the EEA, the United Kingdom, or Switzerland to countries that are not deemed to provide an adequate level of protection under applicable data protection law, we implement appropriate safeguards to protect your data, including:

• –Standard Contractual Clauses (SCCs) approved by the European Commission or the UK Information Commissioner's Office, as applicable;
• –Binding Corporate Rules, where applicable;
• –Transfers to recipients in countries that have received an adequacy decision from the relevant data protection authority; or
• –Other legally permitted transfer mechanisms, including where the transfer is necessary for the performance of our contract with you or for the establishment, exercise, or defence of legal claims.

You may request further information about the transfer mechanisms we use and obtain copies of relevant documentation by contacting privacy@pressx.com. In addition to implementing the safeguards above, and consistent with the requirements following the Court of Justice of the European Union's judgment in Schrems II (C-311/18), PressX carries out Transfer Impact Assessments (TIAs) before transferring personal data under Standard Contractual Clauses to assess whether the legal framework in the destination country provides a level of protection essentially equivalent to that guaranteed within the EEA or UK. Where a TIA indicates that additional safeguards are required, we implement those safeguards before the transfer proceeds.

13. Sale of Business

If PressX or any part of our business is acquired by or merged with another entity, or if PressX enters insolvency proceedings, your personal data may form part of the assets transferred. In such circumstances: (a) we will provide notice to affected users as soon as reasonably practicable and no later than thirty (30) days following the transfer; (b) PressX will use contractual means to require any acquiring entity to either honour the commitments made in this Policy or to provide you with a new privacy notice before using your data in a materially different way — however, PressX cannot guarantee compliance by an independent acquirer acting outside our control after a completed transfer, and the acquirer's own privacy obligations to you will be governed by the applicable transaction documents and law; (c) where the transfer results in a material change to how your data is processed, the acquiring entity will be required by applicable law to provide you with a new privacy notice and, where required, obtain fresh consent; and (d) you retain the right to exercise your privacy rights as described in Section 17 at any time, including against the acquiring entity as the new data controller.

Data Retention and Security

14. How Long We Keep Your Data

We retain your personal data for as long as necessary to fulfil the purposes for which it was collected, to provide our Services, and to comply with our legal, regulatory, and contractual obligations. Specific retention periods are as follows:

• 14.1Account and Identity Data: We retain account registration data and KYC identity documents for a minimum of five (5) years following the closure of your account, or such longer period as required by applicable AML, CTF, or financial regulation in any jurisdiction relevant to your activities. In many jurisdictions, AML law requires us to retain identity records for five years from the end of the business relationship.
• 14.2Transaction Records: We retain records of all transactions for a minimum of five (5) years from the date of the transaction, consistent with our obligations under applicable AML and tax law, and as required by our Terms and Conditions.
• 14.3Compliance Records: Records of compliance investigations, SAR filings, sanctions checks, and AML risk assessments are retained for a minimum of five (5) years or such longer period as required by applicable law or as directed by a competent authority.
• 14.4Communications and Support Records: We retain records of your communications with our support, legal, and compliance teams for a minimum of three (3) years, or longer where relevant to an ongoing dispute, investigation, or legal claim.
• 14.5Marketing Data: Where you have consented to marketing communications, we retain your contact preferences and marketing history until you withdraw your consent. In accordance with our accountability obligations under GDPR Article 7(1), we also retain a record of the consent itself — including the date, method, and specific scope of consent given — for a period of three (3) years following the withdrawal of consent or the closure of your account, whichever is later, in order to demonstrate compliance. If you opt out, we will also retain a record of your opt-out to ensure we do not contact you again.
• 14.6Security and Log Data: System logs, access records, and security incident data are retained for a minimum of five (5) years in accordance with our Terms and Conditions.
• 14.7Biometric Data: Biometric templates and match scores are retained by our KYC vendor for a maximum of ninety (90) days following identity verification, in accordance with Section 20.4. Identity photographs submitted for KYC are retained for a minimum of five (5) years following account closure, consistent with AML retention obligations. See Section 20.4 for the full biometric destruction schedule.
• 14.8Deletion, Anonymisation, and Pseudonymisation: At the end of the applicable retention period, we will securely delete or fully anonymise your personal data, unless further retention is required by a legal hold, regulatory direction, or ongoing investigation. For the avoidance of doubt, "anonymised" data means data that has been irreversibly processed such that you cannot be identified from it, directly or indirectly, whether by PressX or any other party. Data that has been pseudonymised — that is, processed such that it can no longer be attributed to you without the use of additional information held separately — remains personal data and continues to be subject to this Policy and applicable data protection law for as long as PressX holds the key that could re-identify it. Anonymised data, once genuinely anonymised, falls outside the scope of data protection law and may be retained indefinitely for analytics, research, or service improvement purposes, provided the anonymisation is irreversible.

15. Security of Your Data

We implement and maintain technical and organisational security measures designed to protect your personal data against unauthorised access, disclosure, alteration, loss, or destruction. Our security measures include:

• –Industry-standard encryption of data in transit (TLS) and data at rest;
• –Offline cold storage for the substantial majority of customer digital assets in air-gapped wallets with multi-signature controls, in accordance with our custody standards published in our Terms and Conditions;
• –Multi-factor authentication requirements for account access;
• –Role-based access controls limiting employee access to personal data to those with a legitimate need;
• –Regular security assessments, penetration testing, and vulnerability management;
• –Security incident response procedures with a 72-hour notification obligation as described in our Terms and Conditions; and
• –Employee training on data protection and security obligations.

No security system is impenetrable. We cannot guarantee that personal data will never be accessed, disclosed, altered, or destroyed in a breach of our security measures. In the event of a personal data breach, PressX will: (a) notify the relevant supervisory authority without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, where the breach is likely to result in a risk to the rights and freedoms of natural persons, as required by GDPR Article 33 and equivalent applicable law — this regulatory notification obligation is separate from and in addition to any obligation to notify affected users; (b) notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with our Terms and Conditions and GDPR Article 34; and (c) maintain a record of all personal data breaches, regardless of whether notification to a supervisory authority is required. You are responsible for maintaining the security of your own account credentials and for promptly notifying us at security@pressx.com if you suspect unauthorised access to your account.

Cookies and Tracking

16. Cookies, Pixels, and Similar Technologies

16.1 What We Use

We use cookies (small text files stored on your device), web beacons, tracking pixels, local storage, and similar technologies to operate and improve our Services. These technologies allow us to recognise your browser, remember your preferences, maintain your session, detect fraud, and understand how users interact with our platform.

16.2 Categories of Cookies

• 16.2.1Strictly Necessary: These cookies and technologies are essential for our website and Services to function and cannot be disabled. They enable core features including: account login and session management; security controls and CSRF protection; geographic restriction enforcement; and fraud detection and prevention tools that are technically necessary to protect the security and integrity of the platform and its users. Because these technologies are strictly necessary for security and the operation of the Services, they do not require your consent and are placed automatically on your device when you access our platform.
• 16.2.2Functional: These cookies enable enhanced features and personalisation, such as remembering your language preference, display settings, and trading interface customisation. You may disable these cookies, but doing so may affect the functionality of our platform.
• 16.2.3Analytics and Performance: We use analytics cookies to collect aggregated, anonymised data about how users interact with our Services, including page views, session duration, and navigation paths. This data helps us identify and fix technical issues and improve our platform. Analytics cookies are placed only with your prior consent where required by applicable law (including ePrivacy Directive requirements for EEA and UK users). You may withdraw consent at any time via our cookie settings.

16.3 Third-Party Cookies

Some cookies on our platform are set by third-party providers, including analytics providers and fraud detection vendors. These third parties process data in accordance with their own privacy policies. We do not permit third-party advertising cookies on our platform.

16.4 Managing Cookies

You can manage cookies through your browser settings. Most browsers allow you to block, delete, or restrict cookies. Please note that blocking strictly necessary cookies will prevent you from using our Services. You can also manage your cookie preferences — including withdrawing or modifying your consent to analytics cookies — through our cookie consent management tool, accessible at pressx.com/cookies or via the cookie settings link displayed in our website footer and in the cookie consent banner shown on your first visit. For users in the EEA, UK, or other jurisdictions where consent is required by the ePrivacy Directive or equivalent law, we will present a cookie consent interface before placing any non-strictly-necessary cookies, and your consent will be recorded with a timestamp. You may withdraw or change your cookie consent at any time through the same tool. Withdrawing cookie consent does not affect the lawfulness of any cookie processing that took place before withdrawal.

Your Rights

17. Your Privacy Rights

Regardless of your location, you have the following baseline rights in respect of your personal data that PressX holds:

• 17.1Access: You have the right to request a copy of the personal data we hold about you, together with information about how we use it.
• 17.2Correction: You have the right to request correction of inaccurate or incomplete personal data.
• 17.3Deletion / Erasure: You may request deletion (erasure) of your personal data where: (a) the data is no longer necessary for the purposes for which it was collected; (b) you withdraw consent and there is no other legal basis for processing; (c) you object to processing based on legitimate interests and there are no overriding legitimate grounds; (d) the data has been processed unlawfully; (e) deletion is required to comply with a legal obligation; or (f) the data relates to a child and was collected in connection with information society services. Please note that we are required by law to retain certain data for extended periods as described in Section 14, and deletion requests may be refused or partially fulfilled where retention is legally required, particularly under AML, CTF, tax, or financial regulation.
• 17.4Objection: You may object to processing of your personal data based on our legitimate interests. We will consider your objection and stop the processing unless we have compelling legitimate grounds that override your interests.
• 17.5Withdrawal of Consent: Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
• 17.6Portability: Where processing is based on contract or consent and is carried out by automated means, you may: (a) request a machine-readable copy of the personal data you have provided to us in a structured, commonly used format (such as CSV or JSON); and (b) request that we transmit that data directly to another controller where technically feasible. This right covers only data you have actively provided to us and does not extend to data derived or inferred by PressX from that input.
• 17.7Complaint: You have the right to lodge a complaint with a relevant data protection supervisory authority if you believe we have processed your personal data unlawfully.

To exercise any of these rights, contact privacy@pressx.com with your full name, account identifier, and a description of your request. We will respond within one (1) month of receipt, as required by GDPR Article 12(3) and equivalent applicable law. Where requests are complex or numerous, we may extend this period by a further two (2) months, in which case we will notify you within the first month and explain the reason for the extension. We may need to verify your identity before acting on a request. We will not charge a fee for reasonable requests, but may charge a reasonable administrative fee for requests that are manifestly unfounded, excessive, or repetitive.

18. Rights of EEA, UK, and Swiss Users

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR), the UK GDPR, or the Swiss Federal Act on Data Protection (nFADP), as applicable, provides you with additional rights and protections.

• 18.1Data Controller and Privacy Contact: PressX Global Corporation is the data controller for personal data processed under this Policy. PressX has assessed its obligations under GDPR Article 37 regarding the mandatory designation of a Data Protection Officer (DPO). PressX currently relies on external data protection counsel and a dedicated privacy function as its primary accountability mechanism. Our designated privacy contact for all data protection matters — including requests from supervisory authorities — is reachable at privacy@pressx.com. If applicable law requires PressX to formally designate a DPO, PressX will do so and update this Policy accordingly. You may contact our privacy team at privacy@pressx.com for any data protection queries, including those concerning our accountability arrangements.
• 18.2Legal Bases: We process your personal data only on the legal bases described in Section 8. Where we rely on legitimate interests, we maintain a record of our legitimate interests assessment, which you may request by contacting privacy@pressx.com.
• 18.3Right to Restriction: In addition to the rights in Section 17, you have the right to request that we restrict the processing of your personal data in certain circumstances, such as where you contest the accuracy of the data or where our processing is unlawful but you prefer restriction over deletion.
• 18.4Absolute Right to Object to Direct Marketing and Profiling: Under GDPR Article 21(2), you have an absolute right to object at any time to processing of your personal data for direct marketing purposes, including profiling carried out for direct marketing purposes. This right is unconditional and cannot be overridden by our legitimate interests. Upon receiving your objection to direct marketing, we will immediately cease processing your personal data for that purpose. To exercise this right, contact privacy@pressx.com or use the unsubscribe mechanism in any marketing communication.
• 18.5Automated Decisions: You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects. Where we make such decisions, you may request human review as described in Section 10. This right does not apply where the automated decision is necessary for contract performance, is required by law, or is based on explicit consent.
• 18.6Supervisory Authority: You have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu. The UK supervisory authority is the Information Commissioner's Office (ico.org.uk). The Swiss supervisory authority is the Federal Data Protection and Information Commissioner (edoeb.admin.ch).

19. Rights of California and US State Residents

If you are a resident of California or another US state with applicable privacy legislation, you may have additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), or equivalent state law.

• 19.1Right to Know: You have the right to request information about the categories of personal data we have collected about you, the purposes for which we use it, and the categories of third parties with whom we share it.
• 19.2Right to Delete: You have the right to request deletion of personal data we have collected, subject to certain exceptions, including where retention is required for legal compliance, to complete a transaction, or to protect against fraud or illegal activity.
• 19.3Right to Opt Out of Sale or Sharing: PressX does not sell your personal data to third parties, and does not share it for cross-context behavioural advertising purposes. You therefore do not need to submit a Do Not Sell or Share request, but you may contact privacy@pressx.com to confirm this.
• 19.4Right to Correct: You have the right to request correction of inaccurate personal data we hold about you.
• 19.5Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights. We will not deny you access to our Services, charge you a different price, or provide a different level of service because you exercised a right under applicable state privacy law.
• 19.6Authorised Agent: You may designate an authorised agent to submit privacy requests on your behalf. We will require written authorisation and may require you to verify your identity directly.
• 19.7Contact for US Requests: To exercise your rights, contact privacy@pressx.com. We will respond within forty-five (45) days, with one possible extension of a further forty-five (45) days where reasonably necessary, with notice.
• 19.8Right to Limit Use of Sensitive Personal Information (CPRA): Under the California Privacy Rights Act (CPRA), California residents have the right to direct PressX to limit its use and disclosure of Sensitive Personal Information (SPI) to uses necessary to perform the Services or as otherwise permitted by the CPRA. "Sensitive Personal Information" under the CPRA includes: financial account information; biometric information processed for the purpose of uniquely identifying you; and contents of private communications. PressX collects and uses SPI (specifically, financial account and biometric KYC data) only to the extent necessary to provide our Services, comply with legal obligations, and prevent fraud. We do not use or disclose SPI for inferring characteristics about you, for advertising, or for purposes beyond those required to deliver the Services. You may submit a request to limit use of your SPI at privacy@pressx.com. PressX will not discriminate against you for exercising this right.

Special Topics

20. Biometric Data Notice

PressX collects and processes biometric data as part of its identity verification process for cryptocurrency exchange users. This section provides the additional notice required by applicable biometric privacy laws, including the Illinois Biometric Information Privacy Act (BIPA) and equivalent US state laws.

20.1 What Biometric Data We Collect

As part of our KYC identity verification process for exchange users, we or our third-party KYC providers may collect and process: a liveness-check photograph or video to confirm that you are a live person and match your identity document; facial geometry or a biometric template derived from that photograph, used solely for identity matching; and a match confidence score. We do not collect fingerprints, voiceprints, retinal scans, or other biometric identifiers beyond those described here.

20.2 Purpose of Biometric Processing

We process biometric data solely for: verifying your identity for account onboarding; complying with AML, KYC, and financial regulation; and detecting and preventing identity fraud and impersonation. We do not use biometric data for advertising, profiling, or any purpose beyond identity verification and fraud prevention.

20.3 Who Handles Your Biometric Data

Biometric processing is performed by regulated third-party KYC vendors acting as our data processors under written Data Processing Agreements. These vendors are contractually prohibited from using your biometric data for any purpose other than providing identity verification services to PressX. PressX itself does not store raw biometric templates. We receive and retain only the verification result, match confidence score, and the photograph submitted as part of your identity verification record, in accordance with Section 20.4.

20.4 Biometric Retention and Destruction Schedule

Biometric data is retained only as long as necessary. PressX contractually requires its KYC vendors to comply with the following schedule: (a) biometric templates and match scores generated solely for liveness checking must be deleted within ninety (90) days of completing your identity verification, unless a longer period is required by law or an active fraud investigation — PressX verifies vendor compliance with this requirement through its data processing agreements; (b) the identity photograph submitted for KYC is retained within PressX's records as part of your identity verification file for a minimum of five (5) years following account closure, consistent with AML retention obligations under applicable law, and is securely deleted or irreversibly anonymised at the end of that period. All biometric data is destroyed using industry-standard secure deletion methods that render recovery infeasible. This destruction schedule is posted at pressx.com/privacy and will be updated whenever our practices materially change.

20.5 Biometric Consent

Before collecting any biometric data — and prior to any biometric capture taking place — PressX or our KYC vendor will present you with a specific biometric data notice that identifies: (i) the specific biometric data being collected; (ii) the purpose and length of collection; and (iii) whether the data will be shared with any third parties. You will be asked to provide your separate, written or electronic informed consent before any biometric collection begins. This consent is captured independently of your acceptance of our Terms and Conditions and this Policy, is recorded with a timestamp, and constitutes written informed consent as required by the Illinois Biometric Information Privacy Act and equivalent state laws. No biometric data will be collected if you decline to provide this consent, though declination will prevent us from completing identity verification and may affect our ability to provide exchange services to you. You may withdraw consent at any time by contacting privacy@pressx.com. Where biometric data is held under a legal obligation basis in addition to consent (for example, as required by AML/KYC regulation), withdrawal of consent alone does not require us to delete data that we are legally obliged to retain — we will notify you of any such obligation at the time of your request.

20.6 Jurisdictional Carve-Out (BIPA / US States)

Biometric identity verification may not be available, or may be conducted differently, for users in jurisdictions where applicable biometric law imposes requirements that cannot be met through our current processes. If you are a resident of Illinois, Texas, Washington, or any other US state with specific biometric privacy legislation, you have rights under those laws in addition to those described in this Policy. To exercise those rights, contact privacy@pressx.com. PressX reserves the right to restrict or modify the biometric collection process for users in such jurisdictions and will notify affected users of any alternative verification process.

21. Children's Privacy

Our Services are not directed at, and are not intended for use by, individuals under the age of 18 (or the age of legal majority in your jurisdiction, if higher). We do not knowingly collect personal data from minors. If you are a parent or guardian and you believe that your child has provided personal data to us, please contact privacy@pressx.com immediately and we will take steps to delete the relevant data. Where we become aware that a user is a minor, we will terminate access and delete the account and associated data in accordance with our Terms and Conditions.

22. Blockchain Transparency and Pseudonymity

PressX's prediction markets and certain exchange features interact with public blockchain networks. You should be aware of the following:

• 22.1Public Ledger and PressX-Held Copies: Transactions recorded on a public blockchain are visible to anyone with access to the network. This includes wallet addresses, transaction amounts, token types, and timestamps. The blockchain ledger itself is outside PressX's custody and control — we cannot modify or delete records stored on the blockchain. However, PressX may independently store and process copies of on-chain data and derived analytics (including wallet address transaction histories, counterparty associations, and risk scores) within our own systems. These PressX-held copies and derived analytics may constitute personal data where they are linked or linkable to an identified or identifiable individual, and are subject to this Policy and applicable data protection law, including our retention obligations in Section 14.
• 22.2Pseudonymity is Not Anonymity: While blockchain wallet addresses do not inherently identify you by name, they may be linked to your identity by PressX (through our KYC process or AML analytics), by third-party blockchain analytics firms, or by other means. You should not assume that on-chain activity connected to your wallet is anonymous.
• 22.3Analytics Disclosure: PressX uses third-party blockchain analytics tools that analyse public on-chain data to assess the risk profile of wallet addresses. This analysis may result in a wallet being restricted or blocked based on its transaction history with illicit actors, even if you personally are not involved in illicit activity. If your wallet is blocked as a result of third-party analytics, you may contact compliance@pressx.com to request a review. PressX will use reasonable efforts to acknowledge your review request within two (2) business days and to provide a substantive decision within fifteen (15) business days. PressX will notify you of the outcome and basis for the decision in writing, to the extent permitted by applicable law.

23. Third-Party Links and Services

Our platform may contain links to third-party websites, applications, or services, including blockchain explorers, analytics tools, and external liquidity providers. This Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you use in connection with PressX. PressX is not responsible for the privacy practices or content of third-party services.

24. Employment Applicant Privacy

Section 2 of this Policy states that it applies to individuals who apply for employment at PressX. This section provides the additional notice required for that processing.

• 24.1Data Collected from Applicants: In connection with recruitment and employment applications, PressX collects: your name, contact details, and professional profile; your CV, cover letter, work history, qualifications, and references; information disclosed during interviews or assessments; background check results where permitted by applicable law and with appropriate notice; and immigration and right-to-work documentation where required.
• 24.2Purposes: We use applicant data for: evaluating your application and suitability for the role; conducting background and reference checks where applicable; communicating with you about your application; complying with employment and immigration law obligations; and defending legal claims arising from the recruitment process.
• 24.3Legal Bases: We process applicant data on the basis of: pre-contractual necessity (to take steps at your request prior to entering an employment contract); legal obligation (right-to-work and similar checks); and legitimate interests (assessing candidate suitability and managing the recruitment pipeline). Where background checks involve special category data, we rely on explicit consent and, where applicable, substantial public interest grounds.
• 24.4Retention: If your application is unsuccessful, we will retain your application data for a period of twelve (12) months following the conclusion of the recruitment process. During this period we may contact you about future suitable roles where we have obtained your consent to do so, or where our legitimate interest in efficient recruitment is not overridden by your interests — you may opt out of such contact at any time by contacting privacy@pressx.com. Regardless of contact preferences, we retain the data for the twelve-month period to enable us to defend any legal claim arising from the recruitment process, after which it will be securely deleted. If you are appointed, your application data will be transferred to your employee file and retained in accordance with our separate internal HR privacy notice.
• 24.5Recipients: Applicant data may be shared with: hiring managers and interviewers; background check providers (where applicable, with your consent); and external recruitment agencies acting on our behalf under written agreements.

Contact

25. How to Contact Us

If you have any questions about this Policy, wish to exercise your privacy rights, or want to raise a concern about how we handle your data, please contact us using the following details:

• 25.1Privacy Enquiries: privacy@pressx.com — For all data subject requests, questions about this Policy, and general privacy enquiries.
• 25.2Compliance and AML: compliance@pressx.com — For wallet screening disputes and AML-related enquiries.
• 25.3Security Incidents: security@pressx.com — To report suspected account compromise or platform security issues.
• 25.4Legal and Regulatory: legal@pressx.com — For legal notices, regulatory enquiries, and law enforcement requests.
• 25.5Registered Address: PressX Global Corporation, c/o PARALELAW (CUR: PJ-0025059674-08548), San Francisco, 74th Street, Midtown Building, 16th Floor, Office 1601, Panama City, Republic of Panama.

We aim to respond to all privacy enquiries within thirty (30) calendar days. Where a request is complex or we receive a high volume of requests, we will notify you of the extension and provide a revised response date. Responses will be provided electronically unless you specifically request otherwise.

EU/UK Representative and US State Rights

26. EU and UK Representative — Article 27 GDPR

PressX Global Corporation is incorporated in Panama and is not established in the European Economic Area or the United Kingdom. Under Article 27 of the GDPR and the equivalent UK GDPR provision, a controller not established in the EEA or UK that offers goods or services to, or monitors the behaviour of, data subjects in those territories must appoint a representative there. PressX is in the process of completing its territorial assessment to confirm whether this obligation is triggered. Given that pressx.com is publicly accessible in the EEA and UK, PressX acknowledges that this obligation is likely applicable and is treating the appointment as a priority compliance matter. PressX commits to appointing an EU representative and/or UK representative, as required, and to publishing their full contact details in this Policy and at pressx.com/privacy within ninety (90) days of the effective date of this Policy (i.e., by May 31, 2026), or as soon as practicable. Until such appointment is confirmed and published, EEA and UK data subjects may contact PressX directly at privacy@pressx.com and legal@pressx.com for all data protection matters. PressX will engage with all such requests in good faith and in accordance with GDPR obligations. This section will be updated promptly upon confirmation of the representative appointment.

27. US State Privacy Rights — Appeals Process

Several US state privacy laws — including those of Colorado, Connecticut, and Virginia — require businesses to provide a mechanism for consumers to appeal a denial of a privacy rights request. If PressX declines to fulfil all or part of your privacy rights request, we will notify you in writing of the grounds for refusal within the applicable response window. To appeal a refusal, submit a written appeal to privacy@pressx.com with the subject line 'Privacy Rights Appeal' within thirty (30) days of receiving our refusal notice. PressX will review the appeal and respond within forty-five (45) days of receipt. If your appeal is denied, we will provide the reasons and, where required by applicable law, information about how you may submit a complaint to your state attorney general or relevant supervisory authority. This appeals process is available to all users regardless of US state of residence.

28. CPRA / CCPA — Notice at Collection: Data Categories

The following summarises the categories of personal information PressX collects, the sources and purposes of collection, recipient categories, whether the category constitutes Sensitive Personal Information (SPI) under the CPRA, and the applicable retention period. This is provided in accordance with the CCPA as amended by the CPRA, and as a general transparency disclosure for all users.

Definitions

29. Definitions

The following capitalised terms have the meanings set out below wherever they appear in this Policy:

• 29.1Personal Data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, including by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to their identity.
• 29.2Processing: Any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
• 29.3Data Controller: The entity that determines the purposes and means of processing personal data. PressX is the data controller for personal data processed under this Policy.
• 29.4Data Processor: An entity that processes personal data on behalf of a data controller, under the controller's instructions.
• 29.5Consent: A freely given, specific, informed, and unambiguous indication of a data subject's agreement to the processing of their personal data.
• 29.6Legitimate Interests: A legal basis for processing personal data where the processing is necessary for the genuine interests of the data controller or a third party, and those interests are not overridden by the fundamental rights and freedoms of the data subject.
• 29.7Special Categories of Data: Particularly sensitive personal data including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, health data, or data concerning a natural person's sex life or sexual orientation. PressX processes biometric data (specifically, liveness check photographs and facial geometry) as part of its identity verification process for exchange users, as disclosed in Section 20.
• 29.8KYC: Know Your Customer — the process of verifying the identity of users to comply with AML and financial crime prevention law.
• 29.9AML: Anti-Money Laundering — laws and procedures designed to prevent the use of financial systems for money laundering.
• 29.10GDPR: The General Data Protection Regulation (EU) 2016/679, as applicable, and including the UK GDPR as it forms part of UK domestic law by virtue of the European Union (Withdrawal) Act 2018.
• 29.11SAR: Suspicious Activity Report — a report filed with a financial intelligence unit under applicable AML law where a financial institution suspects that a transaction or account is connected to money laundering, terrorist financing, or other financial crime.
• 29.12BIPA: The Illinois Biometric Information Privacy Act (740 ILCS 14), which regulates the collection, use, storage, and destruction of biometric identifiers and information.
• 29.13Payment Reversal: Has the meaning given in the PressX Terms and Conditions — any chargeback, reversal, recall, return, rejection, or other invalidation of a fiat payment.
• 29.14Services: All products, features, and services provided by PressX, as described in the Terms and Conditions.
• 29.15Terms and Conditions: The PressX Terms and Conditions, available at pressx.com/legal, which are incorporated into and form part of the overall agreement between you and PressX.