Privacy Policy
Effective Date: 1 July 2026
1. Introduction
This Privacy Policy explains how Tothemoon collects, uses, stores, shares and protects personal data in connection with the Tothemoon website, mobile applications, platform, account environment, crypto-asset services, payment-related functionality, customer support, compliance processes, marketing communications and other related services.
This Privacy Policy is intended to provide clear information about:
(a) who is responsible for your personal data;
(b) what personal data we collect;
(c) how and why we use personal data;
(d) the legal bases on which we process personal data;
(e) who we may share personal data with;
(f) how long we keep personal data;
(g) how we protect personal data; and
(h) the rights available to you under applicable data protection laws.
We process personal data in accordance with Regulation (EU) 2016/679, known as the General Data Protection Regulation or GDPR, and other applicable data protection laws.
This Privacy Policy applies to personal data relating to individual clients, prospective clients, website visitors, mobile application users, authorised representatives, directors, officers, beneficial owners, shareholders, employees and representatives of corporate clients, counterparties, transaction beneficiaries and other persons whose personal data we process in connection with our services.
2. Who We Are and Who Controls Your Personal Data
“Tothemoon” is the trading name and platform brand under which crypto-asset services and related platform functionality are made available.
For clients in the European Economic Area, the Tothemoon platform is operated by Brilliantscope Trading Limited, a company incorporated in Cyprus with registration number HE 424435 and registered office at 28 Oktovriou, 341, Trilogy Limassol Seafront, Flat/Office W505 (Phase A), 3106, Limassol, Cyprus. Brilliantscope Trading Limited is authorised by the Cyprus Securities and Exchange Commission as a Crypto-Asset Service Provider under Regulation (EU) 2023/1114 on Markets in Crypto-Assets.
For such clients, Brilliantscope Trading Limited acts as the data controller in relation to the personal data processed for the purposes described in this Privacy Policy.
Outside the European Economic Area, certain Tothemoon services may be provided by another Tothemoon group entity, including Tothemoon Global Inc. or another entity disclosed to you in the relevant onboarding process, product terms, legal notice or regional terms. Where another Tothemoon entity provides services to you, that entity may act as a data controller in relation to your personal data, either alone or together with Brilliantscope Trading Limited, depending on the service, jurisdiction and operational arrangement.
In this Privacy Policy, “Tothemoon”, “we”, “us” and “our” refer to the relevant Tothemoon entity that determines the purposes and means of processing your personal data.
3. Personal Data We Collect
The personal data we collect depends on how you interact with us, the services you use, your jurisdiction, your client type and our legal and regulatory obligations.
We may collect the following categories of personal data.
3.1. Identity Data
This may include your full name, date of birth, place of birth, nationality, citizenship, country of residence, residential address, identification number, passport details, national identity card details, residence permit details, tax identification number, signature, photograph and copies of identity documents.
3.2. Contact Data
This may include your email address, telephone number, postal address, country, communication preferences and customer support contact details.
3.3. Verification and KYC Data
This may include documents and information used to verify your identity, address, source of funds, source of wealth, occupation, employer, business activity, expected account activity, tax status, bank account details, payment method details, wallet ownership information and information obtained during onboarding, periodic review or enhanced due diligence.
3.4. Biometric and Liveness Verification Data
Where required for identity verification, fraud prevention or compliance purposes, we or our verification provider may process biometric data or liveness verification data, including facial images, video, facial geometry or similar information used to confirm that you are a real person and that your identity document belongs to you.
We process such data only where permitted by applicable law and only for identity verification, fraud prevention, AML/CFT compliance, account security and related compliance purposes.
3.5. Corporate Client and Representative Data
Where you act for a corporate client, we may process personal data relating to directors, officers, authorised representatives, administrators, shareholders, beneficial owners, signatories, employees, contractors and other persons connected with the corporate client.
This may include names, contact details, roles, corporate authority, ownership and control information, identification documents, proof of address, source of funds or source of wealth information and information about the corporate client’s business activity.
If you provide personal data about another person, you are responsible for ensuring that you are authorised to provide that data and, where required, that the person is informed about this Privacy Policy.
3.6. Financial and Transaction Data
This may include information about deposits, withdrawals, conversions, exchanges, orders, transfers, fiat transactions, crypto-asset transactions, account balances, payment methods, bank accounts, cards, transaction history, fees, refunds, chargebacks, reversals, wallet addresses, transaction hashes, blockchain network information, beneficiary information, originator information and other transaction-related data.
3.7. Travel Rule Data
Where crypto-asset transfers are subject to Travel Rule requirements, we may process information about the originator, beneficiary, wallet address, account number or identifier, transaction amount, crypto-asset, transfer purpose, counterparty, crypto-asset service provider and other information required by applicable law.
3.8. Compliance, Screening and Risk Data
This may include sanctions screening results, politically exposed person status, adverse media information, fraud indicators, blockchain analytics results, wallet risk indicators, transaction monitoring alerts, internal risk scores, due diligence notes, investigation records, suspicious activity analysis, source of funds analysis, source of wealth analysis and records of decisions taken for compliance, AML/CFT, sanctions, fraud prevention or regulatory purposes.
3.9. Technical and Device Data
This may include IP address, device identifiers, browser type, operating system, mobile device information, application version, language settings, time zone, login data, authentication data, security tokens, session data, cookie identifiers, crash logs, diagnostic data and other technical information.
3.10. Usage Data
This may include information about how you use the website, mobile applications, platform, account environment, products, services, pages, features, buttons, communications, preferences and settings.
3.11. Location Data
This may include approximate location derived from your IP address, device settings, login activity, transaction activity or other technical information. Where precise device location is requested, we will process it only where permitted by law and in accordance with your device permissions.
3.12. Communications Data
This may include emails, chat messages, support tickets, telephone call records, complaints, feedback, survey responses, account notices, marketing preferences and other communications with us.
3.13. Marketing and Preference Data
This may include your communication preferences, marketing consent status, campaign participation, promotion participation, referral information and information about your interaction with marketing communications.
3.14. Publicly Available and Third-Party Data
This may include information obtained from public registers, sanctions lists, PEP lists, adverse media databases, corporate registries, blockchain networks, analytics providers, payment providers, banks, crypto-asset service providers, Travel Rule providers, fraud prevention providers and other lawful sources.
4. How We Collect Personal Data
We may collect personal data:
(a) directly from you when you create an account, complete onboarding, pass verification, use the platform, submit orders, make deposits or withdrawals, contact support, participate in promotions or communicate with us;
(b) automatically when you use the website, mobile applications or platform;
(c) from corporate clients, authorised representatives or other persons who provide information about you;
(d) from identity verification, KYC, AML/CFT, sanctions screening, Travel Rule, fraud prevention and blockchain analytics providers;
(e) from banks, payment institutions, card issuers, payment processors and other payment-related providers;
(f) from blockchain networks and publicly available blockchain data;
(g) from public registers, public databases, regulatory sources, sanctions lists, PEP lists and adverse media sources;
(h) from regulators, law enforcement authorities, courts and other competent authorities where applicable; and
(i) from Tothemoon group entities, service providers and business partners where lawful and relevant.
5. How We Use Personal Data and Legal Bases
We process personal data only where we have a lawful basis to do so.
The main purposes and legal bases are set out below.
5.1. To Provide and Manage Services
We process personal data to open and manage your account, provide platform access, process transactions, maintain account records, provide custody-related functionality, process deposits and withdrawals, provide customer support, communicate with you and perform our contractual obligations.
Legal basis: performance of a contract; legitimate interests; legal obligation where applicable.
5.2. To Conduct KYC, AML/CFT, Sanctions and Regulatory Checks
We process personal data to identify and verify clients, beneficial owners and authorised representatives, conduct due diligence, perform sanctions and PEP screening, monitor transactions, assess risk, comply with AML/CFT obligations, prevent financial crime and meet regulatory expectations.
Legal basis: legal obligation; substantial public interest where special category data is processed; legitimate interests.
5.3. To Comply with Travel Rule Requirements
We process originator, beneficiary, wallet, account, transaction and counterparty data to comply with applicable requirements relating to information accompanying transfers of funds and crypto-assets.
Legal basis: legal obligation; performance of a contract where relevant; legitimate interests.
5.4. To Process Payments and Fiat Transactions
We process personal data to support deposits, withdrawals, card transactions, fiat settlement, refunds, chargebacks, payment screening, fraud prevention and payment provider requirements.
Legal basis: performance of a contract; legal obligation; legitimate interests.
5.5. To Maintain Platform Security
We process personal data to protect accounts, detect unauthorised access, prevent fraud, investigate security incidents, operate authentication tools, maintain logs, monitor suspicious activity and protect the integrity of the platform.
Legal basis: legitimate interests; legal obligation.
5.6. To Provide Customer Support and Handle Complaints
We process personal data to respond to questions, resolve issues, investigate complaints, provide statements, communicate with you and maintain support records.
Legal basis: performance of a contract; legitimate interests; legal obligation.
5.7. To Improve and Develop Services
We process usage, technical, feedback and analytics data to understand how the platform is used, improve functionality, test features, fix errors, develop products and enhance user experience.
Legal basis: legitimate interests; consent where required for non-essential cookies or similar technologies.
5.8. To Send Marketing Communications
We may process contact data, preference data and marketing interaction data to send marketing communications, product updates, promotions and other information where permitted.
Legal basis: consent, or legitimate interests where permitted by applicable law. You may opt out of marketing communications at any time.
5.9. To Meet Legal, Regulatory, Tax, Accounting and Audit Obligations
We process personal data to maintain records, respond to lawful requests, comply with reporting obligations, cooperate with regulators, auditors and authorities, manage legal claims and meet tax, accounting, corporate and regulatory requirements.
Legal basis: legal obligation; legitimate interests.
5.10. To Protect Rights and Prevent Misuse
We process personal data to enforce terms, investigate misuse, prevent prohibited activity, recover amounts owed, protect our rights, defend claims and protect clients, third parties and the platform.
Legal basis: legitimate interests; legal obligation; performance of a contract.
6. Special Category Data and Criminal Offence-Related Data
We may process special category data only where permitted by applicable law.
This may include biometric data used for identity verification and liveness checks, and limited information that may be relevant to sanctions, PEP screening, adverse media, fraud prevention, criminal offence indicators or AML/CFT compliance.
Where we process biometric data, we do so for identity verification, fraud prevention, AML/CFT compliance and platform security, and only where permitted under GDPR and applicable local law. Where required, we may request explicit consent or rely on another lawful basis available under applicable law, including processing necessary for reasons of substantial public interest.
We may process criminal offence-related data, allegations, adverse media or sanctions-related information only where permitted by applicable law and where necessary for AML/CFT, sanctions compliance, fraud prevention, legal claims, regulatory obligations or protection of the platform.
7. Automated Tools, Risk Scoring and Profiling
We may use automated tools, screening systems, blockchain analytics tools, fraud detection tools, device intelligence tools and risk scoring systems to support onboarding, identity verification, AML/CFT checks, sanctions screening, fraud prevention, transaction monitoring, Travel Rule compliance and platform security.
These tools may flag accounts, documents, devices, wallets, transactions, counterparties or activity for further review. They may result in requests for additional information, enhanced due diligence, temporary restrictions, delayed transactions, rejected transactions, account review or account closure where required or permitted by applicable law.
We do not use automated decision-making that produces legal effects concerning you or similarly significantly affects you solely on the basis of automated processing unless this is permitted by applicable law and appropriate safeguards are applied.
Where required by applicable law, you may request human intervention, express your point of view and contest a decision based solely on automated processing.
8. Who We Share Personal Data With
We share personal data only where lawful and necessary for the purposes described in this Privacy Policy.
Some recipients act as our processors and process personal data on our instructions. Other recipients, such as regulated payment service providers, banks, card issuers, crypto-asset service providers, regulators or authorities, may act as independent controllers for their own legal and regulatory purposes.
We may share personal data with the following categories of recipients.
8.1. Tothemoon Group Entities
We may share personal data with Tothemoon group entities for account administration, group operations, customer support, compliance, AML/CFT, sanctions screening, Travel Rule compliance, fraud prevention, technology, security, reporting, legal, audit, corporate governance and business continuity purposes.
8.2. Identity Verification and KYC Providers
We use identity verification and KYC providers to verify identity, perform liveness checks, process identity documents, conduct AML/CFT checks, screen for fraud and support onboarding and ongoing due diligence.
This includes Sum and Substance Ltd (Sumsub) or other verification providers used from time to time.
Data shared may include identity data, contact data, documents, photographs, liveness data, biometric data, device information, risk indicators and onboarding information.
8.3. Payment, Banking and Card Providers
We may share personal data with payment institutions, electronic money institutions, banks, card issuers, card acquirers, payment processors and related providers to process deposits, withdrawals, fiat transactions, card transactions, refunds, chargebacks, payment screening, fraud controls and settlement.
This includes Unlimit EU Ltd and other payment or card providers used from time to time.
Data shared may include identity data, contact data, account data, payment details, bank account details, card-related information, transaction information, fraud indicators and compliance information.
8.4. Travel Rule Providers
We may share personal data with Travel Rule providers to comply with requirements relating to information accompanying crypto-asset transfers.
This includes Notabene or other Travel Rule providers used from time to time.
Data shared may include originator information, beneficiary information, wallet addresses, account identifiers, transaction details, crypto-asset transfer information, counterparty crypto-asset service provider information and compliance status information.
8.5. Cloud Hosting and Infrastructure Providers
We use cloud hosting, infrastructure, storage, security and technology providers to operate and secure the platform.
This includes Amazon Web Services (AWS). Our primary cloud hosting infrastructure for EEA services is located in Frankfurt, Germany.
Data processed by such providers may include account data, technical data, transaction data, logs, communications data and other data necessary to operate and secure the platform.
8.6. Blockchain Analytics and Transaction Monitoring Providers
We may share wallet, transaction and risk-related data with blockchain analytics, transaction monitoring, sanctions screening and fraud prevention providers to assess wallet risk, transaction risk, sanctions exposure, illicit finance indicators, fraud indicators and compliance alerts.
This may include TRM Labs or other blockchain analytics providers, where used.
Data shared may include wallet addresses, transaction hashes, crypto-asset transfer data, blockchain network information, risk indicators, account identifiers and compliance review data.
8.7. Digital Asset Custody and Wallet Infrastructure Providers
We may use custody technology, wallet infrastructure, key management, transaction signing, blockchain access and settlement support providers to operate custody and transfer functionality.
This may include Fireblocks or other custody and wallet infrastructure providers, where used.
Data processed may include wallet addresses, transaction data, account identifiers, operational metadata, transfer instructions and security-related information. We do not share more personal data than is necessary for the relevant custody, wallet, transfer, security or operational purpose.
8.8. Information Security, Audit and Compliance Management Providers
We may use information security, audit, compliance management, monitoring, incident management and evidence management tools to maintain security, operational resilience, audit readiness and regulatory compliance.
Such providers process personal data only to the extent necessary for security, audit, compliance, incident response or operational purposes.
8.9. Communications and Customer Support Providers
We may use email, messaging, customer support, ticketing, notification and communication providers to send service communications, respond to support requests, manage complaints and deliver account-related notices.
8.10. Analytics, Cookies and Marketing Providers
Where permitted and subject to your cookie choices and marketing preferences, we may share limited technical, usage, device, cookie and marketing interaction data with analytics, attribution, advertising or marketing providers.
Non-essential cookies and similar technologies are used only where permitted by applicable law and, where required, based on your consent.
8.11. Data Protection Officer and Data Protection Advisers
We may share personal data with our Data Protection Officer, outsourced data protection service providers and data protection advisers where necessary to support GDPR compliance, handle data subject requests, advise on data protection matters, cooperate with supervisory authorities, monitor compliance, support data protection impact assessments, assist with data breach assessment and notification, and maintain appropriate data protection records.
This includes FAI Financial Associates International Ltd, which supports the outsourced Data Protection Officer function for Brilliantscope Trading Limited.
Data shared may include identity data, contact data, account data, communications data, request records, complaint records, compliance records, incident-related information and other personal data necessary for the relevant data protection purpose.
8.12. Professional Advisers and Auditors
We may share personal data with lawyers, auditors, accountants, consultants, insurers and other professional advisers where necessary for legal advice, audit, accounting, compliance, risk management, insurance, corporate governance, dispute resolution or legal claims.
8.13. Regulators, Authorities and Courts
We may share personal data with regulators, supervisory authorities, financial intelligence units, law enforcement authorities, tax authorities, courts, government bodies and other competent authorities where required or permitted by applicable law.
This may include CySEC, the Cyprus Office of the Commissioner for Personal Data Protection, MOKAS, tax authorities, law enforcement authorities or other competent authorities in relevant jurisdictions.
8.14. Corporate Transactions
If we are involved in a merger, acquisition, restructuring, transfer of business, sale of assets, financing, insolvency, reorganisation or similar transaction, personal data may be disclosed to potential or actual buyers, investors, advisers, successors or other relevant parties, subject to appropriate confidentiality and data protection safeguards.
9. International Transfers
We may process and transfer personal data within the European Economic Area and, where necessary, outside the European Economic Area.
International transfers may occur where we use group entities, service providers, compliance providers, support teams, technology providers, cloud providers, payment providers, Travel Rule providers, blockchain analytics providers or other recipients located outside the EEA.
Where personal data is transferred outside the EEA, we use appropriate safeguards required by applicable data protection law. These may include:
(a) an adequacy decision adopted by the European Commission;
(b) Standard Contractual Clauses approved by the European Commission;
(c) additional technical, contractual and organisational safeguards where required;
(d) Binding Corporate Rules, where applicable; or
(e) another lawful transfer mechanism permitted by applicable law.
You may contact us to request more information about the safeguards used for international transfers.
10. How Long We Keep Personal Data
We keep personal data only for as long as necessary for the purposes for which it was collected, including to provide services, comply with legal and regulatory obligations, maintain records, prevent fraud, resolve disputes, enforce agreements and defend legal claims.
Retention periods may vary depending on the type of data, purpose of processing, applicable law and regulatory requirements.
As a general rule:
(a) account data is retained for the duration of the relationship and for a period after account closure where required or permitted by law;
(b) KYC, AML/CFT, due diligence, transaction and related correspondence records are generally retained for at least five years after the end of the business relationship or after the date of an occasional transaction, and may be retained for a longer period where required or permitted by applicable law, competent authority requirement, ongoing investigation, legal proceedings or legitimate legal claim;
(c) transaction records are retained for as long as required for regulatory, accounting, tax, audit, AML/CFT, Travel Rule and legal purposes;
(d) support and complaint records are retained for as long as necessary to handle the issue and maintain appropriate records;
(e) marketing data is retained until you withdraw consent, opt out, or the data is no longer necessary for marketing purposes;
(f) technical logs and security records are retained for periods appropriate to security, fraud prevention, operational resilience and legal requirements; and
(g) cookie data is retained in accordance with our Cookies Policy and your cookie preferences.
When personal data is no longer required, we will delete, anonymise or securely archive it, unless further retention is required or permitted by applicable law.
11. Data Security
We use appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access and other unlawful or unauthorised processing.
These measures may include encryption, access controls, authentication controls, network security, monitoring, logging, staff training, internal policies, vendor due diligence, incident response procedures, backup controls, vulnerability management and other security measures appropriate to the risk.
No system, platform or transmission method is completely secure. You are also responsible for protecting your account, devices, email account, passwords, authentication methods and recovery information.
You should notify us immediately if you suspect unauthorised access, phishing, account compromise, credential theft, device compromise or any other security issue affecting your account.
12. Data Breach Notification
If a personal data breach occurs, we will assess the breach and take appropriate steps in accordance with applicable law.
Where required, we will notify the relevant supervisory authority within the applicable statutory timeframe.
Where a breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, unless an exception applies under applicable law.
13. Cookies and Similar Technologies
We use cookies and similar technologies to operate the website and platform, remember preferences, maintain security, analyse usage, improve services and support marketing where permitted.
Essential cookies are necessary for the operation, security and functionality of the website or platform.
Non-essential cookies, including analytics, advertising or similar technologies, are used only where permitted by applicable law and, where required, based on your consent.
You can manage your cookie preferences through the cookie banner, cookie settings or other tools made available on the website. You can also control cookies through your browser settings, although disabling certain cookies may affect the functionality of the website or platform.
For more information, please see our Cookies Policy.
14. Marketing Communications
We may send you marketing communications, product updates, campaign information, promotions or similar communications where permitted by applicable law.
Where required, we will rely on your consent. You may withdraw consent or opt out of marketing communications at any time by using the unsubscribe link in the relevant communication or by contacting us.
We may continue to send service, legal, security, transaction and account-related communications even if you opt out of marketing communications.
15. Your Rights
Subject to applicable law and any legal limitations, you may have the following rights in relation to your personal data:
(a) the right to access your personal data;
(b) the right to request correction of inaccurate or incomplete personal data;
(c) the right to request erasure of personal data;
(d) the right to request restriction of processing;
(e) the right to object to processing based on legitimate interests;
(f) the right to object to direct marketing;
(g) the right to data portability;
(h) the right to withdraw consent where processing is based on consent;
(i) rights relating to automated decision-making where applicable; and
(j) the right to lodge a complaint with a supervisory authority.
These rights are not absolute. We may need to retain or continue processing certain personal data where required or permitted by law, including for AML/CFT, sanctions, Travel Rule, tax, accounting, audit, regulatory, security, fraud prevention or legal claims purposes.
To exercise your rights, please contact us using the details in Section 20.
We may need to verify your identity before responding to a request. We will respond within the timeframe required by applicable law.
16. Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority if you believe that our processing of your personal data infringes applicable data protection law.
For Brilliantscope Trading Limited, the relevant supervisory authority is the Office of the Commissioner for Personal Data Protection in Cyprus.
You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work or place of the alleged infringement.
17. Children
The platform and services are not intended for persons under the age of 18.
We do not knowingly collect personal data from persons under 18. If we become aware that we have collected personal data from a person under 18, we may delete the data and close or restrict the relevant account, unless further retention is required or permitted by law.
18. Links to Other Websites
The website, mobile applications or platform may contain links to third-party websites, applications or services.
We are not responsible for the privacy practices, content or security of third-party websites, applications or services. You should review the privacy policy of any third-party website, application or service before providing personal data.
19. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our services, products, technology, legal requirements, regulatory obligations, data processing practices, service providers or business operations.
Where required by applicable law, we will notify you of material changes by email, platform notice, website notice or other appropriate means.
The “Last Updated” date at the top of this Privacy Policy indicates when it was last revised.
20. How to Contact Us
If you have questions about this Privacy Policy, our data protection practices or your rights, you may contact us at:
Data Protection Officer / Data Protection Contact
Email: dpo@tothemoon.com
Brilliantscope Trading Limited has outsourced its Data Protection Officer function to FAI Financial Associates International Ltd, a Cyprus-based data protection service provider. Communications sent to dpo@tothemoon.com may be reviewed by, or shared with, our outsourced Data Protection Officer and data protection advisers where necessary to handle your request, comply with data protection law or perform the DPO function.
Postal Address
Brilliantscope Trading Limited
28 Oktovriou, 341, Trilogy Limassol Seafront, Flat/Office W505 (Phase A),
3106, Limassol, Cyprus
For general support questions, you may contact us at:
support@tothemoon.com