Last revised: 22 July 2020


This privacy policy (hereinafter – the “Privacy Policy”) governs the manner in which KOOPAL platform (hereinafter – the “KOOPAL”, “we”, “us”, “our”) collects, uses, processes, stores and discloses information received from users of our website’s https://Koopal.comhttps://exchange.koopal.com (“Website”) in order to provide you with services available through the Website (hereinafter – the “Services”).

We respect the privacy of all users of the Website and ensure that Personal Data of the consumers is treated confidentially and in compliance with applicable laws and regulations.

This Privacy Policy applies to the Website, the Services and products offered by KOOPAL (whenever you use Services through the Website or mobile application or by corresponding with us - for example by email or by filling massaging form on the Website).

We assume that you have carefully read this document and accepted it. If you do not agree with this Privacy Policy, then you should refrain from using our Website, mobile application and/or Services or opening an Account. This Privacy Policy is an integral part of our User Agreement.

What is GDPR, who is under compliance?

The General Data Protection Regulation (“GDPR”) is EU privacy and data protection law. It calls for more granular privacy guardrails in an organization’s systems, more nuanced data protection agreements, and more consumer-friendly and detailed disclosures about an organization’s privacy and data protection practices.

This Regulation applies to the processing of Personal Data wholly or partly by automated means and to the processing other than by automated means of Personal Data which form part of a filing system or are intended to form part of a filing system. Generally, The GDPR requirements apply to all companies, institutions, and organizations that process Personal Data.

Processing Personal Data is a broad concept under the GDPR

The GDPR governs how Personal Data of individuals may be processed by organizations. “Personal Data” and “processing” are frequently used terms in the legislation, and understanding their particular meanings under the GDPR illuminates the true reach of this law:

Personal Data is any information relating to an identified or identifiable individual. This is a very broad concept because it includes any information that could be used on its own, or in combination with other pieces of information, to identify a person. Personal Data is not just a person’s name or email address. It can also encompass information such as financial information or even, in some cases, an IP address. Moreover, certain categories of Personal Data are given a higher level of data protection because of their sensitive nature. These categories of data are information about an individual’s racial and ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, genetic data, biometric data, health data, information about person’s sex life or sexual orientation, and criminal record information (including Personal Data about criminal offences or alleged offences).

Processing of Personal Data is the key activity that triggers obligations under the GDPR. Processing means any operation or set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. In practical terms, this means any process that stores or consults Personal Data is considered processing.

The GDPR can apply to organizations located outside the EU

The GDPR is relevant to any globally operating company, not just those located in the EU. Under the GDPR, organizations may be in scope if (i) the organization is established in the EU, or (ii) the organization is not established in the EU but the data processing activities are with regard to EU individuals and relate to the offering of goods and services to them or the monitoring of their behavior.

Personal Data collection and usage

We will collect, store and use your Personal Data for the purposes set in this Privacy Policy. 

We have identified the types of Personal Data we may use about you and how and why we will use them in the table below.

What Personal Data we may collect

How we may use your Personal Data

Personal Data that our customers give us to register with us:

- your contact details including: your name, address, email address, and telephone number(s);

- your identification details, including your date of birth, gender, country of residence.

We may use this Personal Data to:

- process your registration request;

- on-board you as a customer;

- provide our products and services;

- manage and administer our services including your account with us;

- communicate with you about your account and our services, including informing you of our products and services;

- send personalized offers of services and products.

Know Your Client (KYC) Personal Data from you, third parties and/or publicly available sources including:

- passport or other government-issued identity document;

- your photography;

- documents establishing your source of funds;

- results of KYC or Politically Exposed Person (PEP) checks, including information collected by our suppliers;

- other Personal Data if provided during passing KYC/compliance/verification procedures (including additional), etc.

We may use this Personal Data to:

- carry out regulatory checks and meet our obligations to our regulators;

- help us ensure that our customers are genuine and to prevent and detect fraud, money laundering and other crime (such as terrorist financing and offences involving identity theft).

Personal Data you provide as part of your account with us including:

- your password;

- your account and marketing preferences.

We may use this Personal Data to:

- provide our services to you;

- manage and administer your account with us;

- communicate with you regarding your account and our services.

Personal Data relating to your use of our Services including:

- your orders, instructions to us;

- your transactions using your account(s), including your account(s) in third-party bank(s), financial institution(s), payment card details, etc., the amount, originator or beneficiary, and time/date of the transfers you make and receive;

- information about the digital device through which you access our services, such as device type, operating system, screen resolution, unique device identifiers, the mobile network system;

- IP address;

- date and time of log-in and requests;

- Personal Data in your correspondence with us, by email, telephone, messaging, texts, on-line chats, via social media, or otherwise;

- whether you've clicked on links in electronic communications from us, including the URL clickstream to our website;

- Personal Data that you provide in response to our surveys.

We may use this Personal Data to:

- provide our services to you;

- manage and administer our services and systems;

- check if you are in a location or using a device consistent with our records in order to help prevent fraud;

- develop and improve our services based on analyzing this information, the behaviors of our users and the technical capabilities of our users;

- improve our services to better suit the behaviors and technical capabilities of the users of our service;

- answer any issues or concerns;

- monitor customer communications for quality and training purposes.

Personal Data that we collect from third parties in order to be able to register you as a customer or to provide services to you:

- Personal Data related to payments to or from your accounts with us, provided by payment processing services, banks, card schemes and other financial services firms;

- Personal Data from credit reference agencies or fraud prevention agencies.

We may use this Personal Data to:

- provide our services to you;

- manage and administer our services and systems;

- help us to prevent and detect fraud.

Personal Data that we collect through your use of our website (whether or not you have registered for our services) including:

- device information such as operating system, unique device identifiers, the mobile network system;

- hardware and browser settings;

- date and time of visits;

- the pages you visit, the length of the visit, your interactions with the page (such as scrolling, clicks and mouse-overs), methods to browse away from our website, and search engine terms you use;

- IP address.

We may use this Personal Data to:

- develop new services based on the information being collected, the behaviors of our users and the technical capabilities of our users;

- identify issues with the website, including website security, and user's experience of it;

- monitor the way our website is used (including locations it is accessed from, devices it is accessed from, understanding peak usage times and analyzing what functionality and information is most and least accessed), where our customers have come from online (such as from links on other websites or advertising banners), and the way in which our website is used by different users groups;

- do statistical analysis and research with the purpose of better understanding the breakdown of our customers, their use of our services, and what attracts our customers to our services.

Personal Data that we collect from individuals representing organizations such as our corporate customers and suppliers, including:

- names, roles, and contact details of individuals working for organizations;

- other Personal Data regarding such individuals;

- any Personal Data contained in correspondence with those individuals.

We use this Personal Data to:

- build relationships with other organizations;

- provide marketing communications to these individuals;

- improve our services and develop new services based on the preferences and behaviors of these individuals;

- obtain services for our business.

Direct Marketing

Please note that you if you have given explicit consent for marketing communications, this can be withdrawn at any time. You can also unsubscribe from our marketing communications.

Please be aware that from time to time we may need to contact you regarding operational issues or to adhere to the performance requirements of our contract with you. These will not be marketing communications and we will operate under legitimate interests in order to contact you for these reasons.

Legal requirements

We need to collect certain types of Personal Data for compliance with legal requirements relating to our anti-fraud and Anti-Money Laundering / Countering Financing of Terrorism/ Know Your Customer obligations. If this Personal Data is not provided, we cannot agree to provide a service to you.

Your Personal Data may also be processed if it is necessary on reasonable request by a law enforcement or regulatory authority, body or agency or in the defense of a legal claims. We will not delete Personal Data if relevant to an investigation or a dispute. It will continue to be stored until those issues are fully resolved.



Last revised: 22 July 2020

The Anti-Money Laundering, Countering Financing of Terrorism and Know Your Customer Policy (hereinafter - the "AML Policy") of KOOPAL is designated to prevent and mitigate possible risks of KOOPAL being involved in any kind of illegal activity.

Money laundering is defined as:

1) the conversion or transfer of property derived from criminal activity or property obtained instead of such property, knowing that such property is derived from criminal activity or from an act of participation in such activity, for the purpose of concealing or disguising the illicit origin of the property or of assisting any person who is involved in the commission of such an activity to evade the legal consequences of that person’s actions;

2) the acquisition, possession or use of property derived from criminal activity or property obtained instead of such property, knowing, at the time of receipt, that such property was derived from criminal activity or from an act of participation therein;

3) the concealment or disguise of the true nature, source, location, disposition, movement, rights with respect to, or ownership of, property derived from criminal activity or property obtained instead of such property, knowing that such property is derived from criminal activity or from an act of participation in such an activity.

Money laundering also means participation in, association to commit, attempts to commit and aiding, abetting, facilitating and counselling the commission of any of the activities referred to above.

Terrorist financing is defined as the financing and supporting of an act of terrorism and commissioning thereof as well as the financing and supporting of travel for the purpose of terrorism

Both international and local laws and regulations require KOOPAL to implement effective internal procedures and mechanisms to prevent money laundering, terrorist financing, drug and human trafficking, proliferation of weapons of mass destruction, corruption and bribery and to take action in case of any form of suspicious activity from its Users.

AML Policy covers the following matters:

- internal controls 

- compliance officer;

- training of personal;

- verification procedures;

- monitoring, risk assessment and risk-based approach;

- AML program audit.

Internal Controls

We have designed a structured system of internal controls in order to comply with applicable Anti-Money Laundering, Countering Financing of Terrorism (hereinafter - the "AML") laws and regulations, including, but not limited to:

- establishing customer's identity and verifying the information provided;

- establishing special regime for dealing with customers which are politically exposed persons (PEP);

- the identification of unusual activity and facilitating the reporting of suspicious activity (SAR);

- record keeping of customer documentation and transactional history.

Compliance Officer

The Compliance Officer is the person, duly authorized by KOOPAL, whose duty is to develop and enforce the effective implementation of the AML. The Compliance Officer is required to report any violations of the AML procedures and is responsible for collecting and filing SARs.

It is the Compliance Officer’s responsibility to supervise all aspects of KOOPAL’s anti-money laundering and counter-terrorist financing measures, including but not limited to:

- establishing and updating internal policies and procedures for the completion, review, submission and retention of all reports and records required under the applicable laws and regulations;

- collecting Users' identification information and verifying the information provided; implementing a records management system for appropriate storage and retrieval of documents, files, forms and logs;

- collection and analysis of information referring to unusual transactions or transactions or circumstances suspected of money laundering or terrorist financing, which have become evident; investigating any unusual, suspicious activity;

- reporting to the appropriate authorities in the event of suspicion of money laundering or terrorist financing; providing law enforcement with information as required under the applicable laws and regulations;

- periodic submission of written statements on compliance with the requirements arising from law to the management board;

- organization of the training of employees;

- performance of other duties and obligations related to compliance with the requirements of law; updating risk assessment regularly.

The Compliance Officer is entitled to interact with law enforcement, which are involved in prevention of money laundering, terrorist financing and other illegal activity.


All employees receive a full AML training, along with a job‐specific guidance. Training is conducted at least once every twelve (12) months to ensure that trainees are informed and act in compliance with all applicable laws and regulations. Employees pass additional training if necessary (if new law or regulation is adopted, if required by law, etc.) New employees pass relevant training before commencing to work. Training program is updated regularly to reflect current laws and regulations.

Verification Procedures 

KOOPAL establishes its own customer verification procedures within the standards of AML frameworks.

KOOPAL carries out due diligence and KYC checks before entering business relations with customer, client, contractor.

In the process of due diligence and KYC and in order to open an account, person’s identity, information about a person provided and documents submitted have to be verified and checked against sanctions and watch lists, including PEP list. KOOPAL uses special tools, structured system of verification and check for that.

Regarding legal entities (their owners/shareholders/beneficiaries, etc.), KOOPAL carries out special enhanced due diligence, KYC, compliance procedures.

KOOPAL ensures specific enhanced identification, KYC, due diligence, compliance procedure for customers referenced as PEP, whatever their place of residence.

Monitoring, risk assessment and risk-based approach

KOOPAL carries out customer’s transactions monitoring, risk‐assessment and suspicious activity detection. For that purpose, it uses specially developed system, including using a high-performance tool.

KOOPAL uses risk-based approach to combating/preventing money laundry and/or financing terrorism.

To assist in determining the level of AML due diligence to be exercised with regard to the customer, a compliance risk profile is calculated first of all on entry into relations (Low, Medium, High), and is then recalculated routinely.

AML compliance ensures that an ongoing transaction monitoring is conducted to detect transactions which are unusual or suspicious compared to the customer profile.

Determination of the unusual nature of one or more transactions essentially depends on a subjective assessment, in relation to the knowledge of the customer (KYC), their financial behavior and the transaction counterparty.

If a transaction is inconsistent with a customer’s known personal usual activities or personal habits, this transaction may be considered suspicious. Data and transaction monitoring tools are used to identify unusual/uncommon patterns of customer’s activity. After review and investigation, it is Compliance Officer’s decision whether to file a SAR or not.

Once a SAR is filed with a relevant agency, a copy of filing documentation is maintained. SAR filing is confidential and only the KOOPAL’s employees involved in the investigation and reporting process will be aware of its existence.

All records are retained for no less than (5) years and are available upon official request by an authorized examiner, regulator, or law enforcement agency.

Any KOOPAL staff member must inform the Compliance Officer of any atypical transactions which they observe and cannot attribute to a lawful activity or source of income known of the customer.

AML audit

The Compliance Officer is responsible for conducting AML audit at least annually. Other audit demands are set in internal policies and procedures.

We apply due diligence measures, in particular:

- upon establishment of a business relationship;

- upon verification of information gathered while applying due diligence measures or in the case of doubts as to the sufficiency or truthfulness of the documents or data gathered earlier while updating the relevant data;

- upon suspicion of money laundering or terrorist financing;

- in some other cases, including in other exact cases prescribed by law and in cases of identifying “red flags” in accordance to internal procedures.

Preservation of data

We retain the originals or copies of the documents, which serve as the basis for identification and verification of persons, and the documents serving as the basis for the establishment of a business relationship no less than five years after termination of the business relationship.

We retain the documents prepared with regard to a transaction on any data medium and the documents and data serving as the basis for the notification obligations for no less than five years after making the transaction or performing the duty to report.

Our monitoring of a business relationship includes, in particular:

- checking of transactions made in a business relationship in order ensure that the transactions are in concert with our knowledge of the customer, its activities and risk profile;

- regular updating of relevant documents, data or information gathered in the course of application of due diligence measures;

- identifying the source and origin of the funds used in a transaction;

- paying more attention to transactions that a likely to be linked with money laundering or terrorist financing, including to complex, high-value and unusual transactions and transaction patterns that do not have a reasonable or visible economic or lawful purpose or that are not characteristic of the given business specifics;

- paying more attention to the business relationship or transaction whereby the customer (or payment provider, etc. of the customer) is from a high-risk third country or a country or territory specified by law as country or jurisdiction with factor(s) increasing the geographical risk.