
Data protection and privacy policy

ORAX CORPORATION LLC

Registered Address: Marshall Islands, Majuro, P.C. 9696, Ajeltake Road No. 1

Legal Basis: Marshall Islands Business Corporations Act; Banking Act 1987 (as amended); Anti-Money Laundering Regulations 2002 (as amended 2023); Proceeds of Crime Act; FATF Recommendations; RMI FIU Guidelines.

1. Introduction

This Data Protection and Privacy Policy (“Policy”) is issued by ORAX CORPORATION LLC (hereinafter, the “Company,” “we,” or “us”) to outline the principles and procedures for collecting, processing, storing, and protecting personal data of clients, business partners, and other data subjects (collectively referred to as “Clients” or “you”).

The Company acts as a Data Controller with respect to personal data processed in the course of providing financial and virtual asset services. This Policy aligns with applicable legislation of the Republic of the Marshall Islands (“RMI”) and recognized international best practices, including FATF Recommendations.

2. Purpose

The objectives of this Policy are to:

  • Define what personal data the Company collects and the purposes for which it is used;
  • Explain the conditions under which personal data may be shared with third parties or transferred internationally;
  • Outline Clients’ rights regarding their personal data and how these rights can be exercised;
  • Describe the Company’s data security, storage, and retention measures;
  • Provide information on how Clients can contact the Company regarding privacy-related concerns.

3. Scope

This Policy applies to:

  • All personal data processed by the Company in the course of its business operations;
  • All employees, directors, officers, contractors, and service providers engaged by the Company;
  • All clients and counterparties using the Company’s services or interacting with its systems and website.

4. Definitions

  • Data Controller: The entity that determines the purposes and means of personal data processing.
  • Personal Data: Any information relating to an identified or identifiable natural person or legal entity.
  • Processing: Any operation performed on personal data, including collection, recording, storage, use, disclosure, or erasure.
  • Profiling: Automated processing of personal data to analyze or predict aspects of a Client’s behavior, preferences, or economic status.
  • Third Party: Any natural or legal person other than the data subject, controller, processor, or those authorized by the controller or processor to process data.

5. Data Protection Officer (DPO)

The Company appoints a Data Protection Officer responsible for overseeing compliance with this Policy and applicable data protection regulations.

Contact:

Data Protection Officer

Email: office@orax-assets.com

6. Personal Data Collected

6.1 During Client Registration

For individuals:

  • Full name
  • Date of birth
  • Country of residence and tax residency
  • Email address and phone number

For legal entities:

  • Full legal name
  • Date and country of incorporation
  • Details of directors, shareholders, and ultimate beneficial owners (UBOs)
  • Corporate structure and contact details

6.2 Verification Documents (KYC/KYB)

  • Government-issued identification (passport, national ID)
  • Proof of address (utility bill, bank statement)
  • Certificates of Incorporation, Good Standing, or similar corporate documents
  • Proof of funds or source of wealth (bank statements, contracts)
  • Liveness verification (facial recognition, biometric confirmation)

6.3 Website Access and Account Login

When accessing the Company’s website or client portal, we collect:

  • Log data (IP address, login timestamps, browser type, language settings)
  • Device data (device model, operating system, unique device identifiers)

7. Use of Personal Data

Personal data is processed for the following purposes:

  • Client identification and verification in compliance with AML/CFT obligations;
  • Execution and administration of financial transactions;
  • Fraud detection, risk management, and system security;
  • Compliance with legal and regulatory requirements;
  • Communication with Clients, including support and account-related notices;
  • Marketing communications (with Client’s explicit consent).

8. Sharing Personal Data with Third Parties

The Company may share personal data only where necessary for legitimate business purposes and subject to confidentiality and security safeguards. Such third parties may include:

  • Company affiliates and subsidiaries;
  • Service providers (IT, KYC/KYB, cloud storage, legal, auditing, and analytics);
  • Business partners and financial institutions;
  • Competent public authorities, law enforcement, or regulators (where required by law).

The Company does not sell personal data to third parties.

9. International Data Transfers

Where personal data is transferred outside the RMI or to jurisdictions without equivalent data protection standards, the Company ensures appropriate safeguards, including contractual clauses, technical security measures, or reliance on adequacy decisions where applicable.

10. Clients’ Rights

Clients have the following rights regarding their personal data:

  • Right of Access: Obtain confirmation of whether personal data is processed and access relevant details.
  • Right to Rectification: Request corrections or updates to inaccurate or incomplete data.
  • Right to Erasure (“Right to be Forgotten”): Request deletion of personal data, subject to legal retention requirements.
  • Right to Restrict Processing: Request suspension of processing under specific conditions.
  • Right to Data Portability: Request a copy of personal data in a structured, machine-readable format.
  • Right to Object: Object to data processing for specific purposes, including direct marketing.
  • Right to Avoid Automated Decision-Making: Refuse profiling or automated decisions with legal or significant effects.

Requests may be submitted to the DPO via email.

11. Security Measures

The Company implements physical, technical, and organizational safeguards to protect personal data against unauthorized access, loss, or misuse, including:

  • Encrypted storage and transmission of data;
  • Role-based access controls;
  • Regular security audits and vulnerability assessments;
  • Employee training on data protection practices.

12. Data Retention

Personal data is retained for five (5) years following the termination of the client relationship or longer if required by law (e.g., for AML/CFT compliance). Data is securely deleted or anonymized after the retention period.

13. Publicly Available Sources and Third-Party Information

The Company may supplement client data with information from publicly available sources (sanctions lists, court records, regulatory disclosures) or third-party databases to fulfill AML/KYC obligations.

14. Third-Party Links

The Company’s website may contain links to third-party websites or applications. The Company is not responsible for their privacy practices, and Clients are encouraged to review the privacy policies of such third parties.

15. Minors

The Company does not provide services to individuals under 18 years of age. If it becomes known that personal data of minors is collected, such data will be deleted, and access to services will be terminated.

16. Updates to the Policy

The Company reserves the right to amend this Policy to reflect changes in legal requirements or operational practices. Updated versions will be posted on the Company’s website, with the revision date clearly indicated. Clients are encouraged to review the Policy periodically.

17. Questions and Complaints

For any questions, requests, or complaints regarding this Policy or the processing of personal data, Clients may contact:

Data Protection Officer
Email: office@orax-assets.com

Support Team
Email: office@orax-assets.com

Approval and Effective Date

This Policy has been reviewed and approved by the Board of Directors of ORAX CORPORATION LLC and is effective as of the date of approval.