Privacy Policy

The controller of your personal data is USDX ("we", "us"), reachable at legal@usdx.ar.

USDX complies with Argentina Law 25.326 on Personal Data Protection and its regulatory decree 1558/2001, as well as AAIP Resolution 60/2016 on international data transfers.

We collect the following personal data:

• Account: email, full name, profile picture (via Google OAuth).
• Contact: phone (optional for Users, required for Merchants).
• KYC (Merchants only): ID/Passport (front and back), tax ID, address, selfie with liveness, document name, date of birth.
• Commercial (Merchants): legal name, business type, trade volume, exchanges used, public profile URLs, P2P experience.
• Usage: IP, browser, OS, pages visited, timestamps.
• Transaction data (when trading is enabled): orders, balances read via connected Exchange APIs.
• P2P operations: orders created, amounts, status, counterparties, payment method used and state-change audit.
• P2P chat content: messages exchanged within each order and attachments (payment receipts). Kept encrypted with restricted access for moderation and dispute resolution.
• Exchange API keys: stored encrypted with AES-256-GCM under a master key that never leaves the server. USDX cannot operate them without the master key.
• Communications: emails exchanged with the USDX team.

We do not store sensitive data in the sense of art. 2 Law 25.326 (sexual orientation, political, religious or union affiliation, health, biometrics beyond those required for KYC).

We use your data to:

• Create and manage your account.
• Verify your identity (KYC — Merchants only).
• Provide the Service, including order execution and portfolio display.
• Communicate with you (onboarding, transactional notifications, support).
• Prevent fraud and comply with regulatory obligations (Law 25.246 UIF, applicable CNV and BCRA rules).
• Improve the Service via aggregated, anonymized usage analytics.
• Comply with tax and legal obligations.

We process your data based on:

• Your express consent upon creating an account.
• Contract performance (these Terms) and pre-contractual measures (Merchant application).
• Compliance with legal obligations (KYC/AML, UIF reporting).
• Legitimate interest in preventing fraud, operating and improving the Service.

USDX uses the following processors, who only access your data to provide contracted services:

• Supabase Inc. (US) — database, auth, KYC document storage.
• Vercel Inc. (US) — website and API hosting.
• Resend (US/EU) — transactional email delivery.
• Didit (Spain/EU) — identity verification (KYC), facial biometrics, liveness.
• Google LLC (US) — OAuth authentication.
• Cloudflare Inc. (US) — CDN, DNS, corporate email routing.
• Functional Software Inc. d/b/a Sentry (US/Germany) — application error monitoring with anonymized stack traces. Does not process operation content or KYC data.

All processors are subject to data-processing agreements and adopt appropriate technical and organizational measures.

Some processors are located outside Argentina, so your data may be transferred internationally. USDX ensures compliance with local law and uses guarantee mechanisms (standard contractual clauses, privacy certifications) where applicable.

We keep your data as long as necessary to fulfill the stated purposes, and in any event:

• Account data: while your account is active. On deletion we erase within 30 days except where retention is legally required.
• KYC data: minimum 5 years from the last operation (Law 25.246 UIF).
• Transaction data: minimum 10 years under tax regulations.
• Technical/security logs: 12 months.

As a data subject you have the right to:

• Access: know what data we process about you.
• Rectify: correct inaccurate or incomplete data.
• Delete/Erase: when applicable.
• Object: object to processing on justified grounds.
• Portability: obtain a structured copy.

To exercise these rights, write to legal@usdx.ar. We respond within 10 business days.

You may also file a complaint with the Agencia de Acceso a la Información Pública (AAIP), located at Av. Pte. Julio A. Roca 710, 2nd floor, Buenos Aires.

We implement industry-grade security measures:

• TLS 1.3 in transit.
• AES-256 at rest for KYC documents and Exchange API keys.
• Mandatory MFA for critical operations.
• Least-privilege access with audit logging.
• Daily automated backups with 30-day retention.

We use cookies and similar technologies. See our Cookie Policy for details.

USDX is intended exclusively for users over 18. We do not knowingly collect data from minors. If you believe a minor has created an account, contact us to have it removed.

We may update this policy. Changes will be published here with the indicated date. Substantial changes will be notified via email.

Data Protection Officer (DPO): legal@usdx.ar

General: hola@usdx.ar