Your privacy matters to us. This Privacy Policy explains what personal data CitadelVest Pro collects, how we use it, who we share it with, and what rights you have over your information. We are committed to handling your data responsibly and in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR).
1. Who We Are
CitadelVest Pro ("Platform," "we," "us," or "our") is a digital crypto investment platform. For the purposes of data protection law, CitadelVest Pro acts as the Data Controller in respect of the personal data of its users.
This policy applies to all users who access the Platform, whether as registered account holders or visitors to our public pages.
2. Data We Collect
We collect the following categories of personal data:
| Category | Examples | Purpose |
| --- | --- | --- |
| Identity Data | Full name, username, date of birth | Account registration, KYC compliance |
| Contact Data | Email address, phone number | Communication, 2FA, notifications |
| Financial Data | Wallet addresses, transaction history, investment records, balance information | Platform operations, compliance |
| Identity Documents | Government-issued ID (front/back), selfie photo | KYC verification (AML compliance) |
| Technical Data | IP address, browser type, operating system, device type | Security, fraud prevention, activity logs |
| Profile Data | Profile photo, security questions, notification preferences | Account personalization |
| Usage Data | Login history, pages visited, actions taken on Platform | Security audit, fraud detection |
| Communication Data | Support chat messages, email correspondence | Customer support, dispute resolution |
3. How Data is Collected
We collect personal data through the following means:
- Direct submission: When you register an account, complete KYC verification, update your profile, or contact support
- Automated collection: Through your use of the Platform (login events, IP addresses, device information, session data)
- Third-party services: Payment verification via TronGrid blockchain API; geolocation data for login security via third-party IP lookup services
- Referral links: If you register via a referral link, we record the referral relationship
4. Why We Collect Your Data
We use your personal data for the following purposes:
- To create and manage your account
- To process deposits, withdrawals, and investment transactions
- To verify your identity and comply with AML/KYC regulations
- To send you transaction notifications, security alerts, and platform announcements
- To provide customer support
- To detect and prevent fraud, money laundering, and other illegal activities
- To maintain security of the Platform (activity logging, IP tracking)
- To improve our services and Platform functionality
- To comply with legal and regulatory obligations
5. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA) and United Kingdom, we process your personal data under the following legal bases as defined by the GDPR:
- Contractual necessity: Processing required to perform the contract with you (account management, transactions, investments)
- Legal obligation: Processing required to comply with applicable law (KYC/AML obligations, tax reporting, law enforcement requests)
- Legitimate interests: Processing for fraud prevention, platform security, and improving our services, where these interests are not overridden by your rights
- Consent: For optional communications such as marketing updates, where you have given explicit consent (which you may withdraw at any time)
6. Data Sharing & Third Parties
We do not sell your personal data to third parties. We may share your data only in the following limited circumstances:
- Service providers: Third-party providers who assist us in operating the Platform, including email delivery services (SMTP2GO, Brevo, SendGrid), SMS services (AWS SNS), and blockchain API services (TronGrid). These providers are contractually bound to protect your data and use it only for the purposes we specify.
- Legal compliance: When required by law, court order, or government authority, or when we reasonably believe disclosure is necessary to protect the rights, property, or safety of the Platform, our users, or the public.
- Business transfers: In the event of a merger, acquisition, or sale of all or a portion of our business, your data may be transferred as part of that transaction. We will notify you prior to such a transfer.
We do not share your data for third-party marketing purposes.
7. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required or permitted by law.
- Active accounts: Data is retained for the lifetime of your account
- Closed accounts: Transaction history, KYC documents, and activity logs are retained for a minimum of 5 years after account closure to comply with AML regulations and applicable financial record-keeping laws
- Communications: Support chat records and correspondence are retained for up to 3 years
- Security logs: Login history and IP logs are retained for up to 2 years
After the applicable retention period, data is securely deleted or anonymized.
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, accidental loss, destruction, or disclosure. These measures include:
- Passwords stored using bcrypt (an industry-standard one-way password hashing function)
- JWT-based session authentication with expiry controls
- Optional two-factor authentication (2FA) for account access
- HTTPS encryption for all data transmitted to and from the Platform
- Database access controls limiting employee access to sensitive data
- Activity logging for all security-relevant events
Despite these measures, no security system is impenetrable. In the event of a data breach that affects your rights and freedoms, we will notify you and relevant authorities as required by applicable law.
9. Cookies & Local Storage
The Platform uses browser storage technologies to enhance your experience:
- Essential functionality: Authentication tokens (JWT) stored in localStorage are essential for keeping you logged in. These are not optional — the Platform cannot function without them.
- User preferences: Dark mode settings and other display preferences are stored locally in your browser.
- Notification preferences: Push notification subscription data is stored in the database if you opt in.
We do not use third-party advertising cookies or tracking pixels. The Platform does not serve advertisements.
10. Your Rights
Subject to applicable law, you have the following rights regarding your personal data:
- Right of access: You may request a copy of the personal data we hold about you
- Right to rectification: You may request correction of inaccurate or incomplete data. Many fields can be updated directly in your Profile and Settings pages.
- Right to erasure ("right to be forgotten"): You may request deletion of your personal data, subject to our legal retention obligations (e.g., AML law requires us to retain transaction records)
- Right to data portability: You may request your transaction data in a structured, machine-readable format (CSV export is available on the Transactions page)
- Right to restrict processing: You may request that we temporarily stop processing your data while a dispute is resolved
- Right to object: You may object to processing based on our legitimate interests
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority (e.g., the ICO in the UK, or your country's data protection authority)
To exercise any of these rights, contact us via the Support page. We will respond within 30 days.
11. International Data Transfers
Some of our third-party service providers are located outside your country of residence. Where we transfer personal data internationally (for example, to our email or SMS providers), we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses or the recipients' adherence to recognized data protection frameworks.
12. Children's Privacy
The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe that a minor has created an account or submitted personal data to us, please contact us immediately so we can take appropriate action, including deletion of the data.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify registered users by email and update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.