FCE
What we provide
Broker-Dealer Services in Virtual Assets OTC Desk Institutional-Grade Brokerage
Company
About Us Partners
Company news
Sign In
FCE
Broker-Dealer Services in Virtual Assets OTC Desk Institutional-Grade Brokerage
About Us Partners
Company news
Sign In

Data Privacy & Protection Policy – First Crypto

Effective Date: 2025-07-01 | Version: 1.0

1. Policy Statement

At First Crypto ("the Company/Firm", "We" and "Our"), we are dedicated to safeguarding the confidentiality, integrity, and availability of personal data entrusted to us. We uphold the highest standards of data privacy and are fully compliant with the UAE Personal Data Protection Law (PDPL) and all other applicable data protection regulations. This Data Privacy and Data Protection Policy articulates our principles and practices concerning the collection, processing, storage, and disclosure of personal data across all our operations.

By using our services, you acknowledge and agree to the terms set out in this policy, including how we collect and use your information. This policy may be updated from time to time, and any material changes will be communicated through our official website and, where applicable, via direct notification such as email.

This policy applies to all personal data processed by First Crypto, covering data relating to clients, employees, contractors, job applicants, and visitors to our website. It governs all data processing activities across the organization, whether carried out electronically or manually.

It applies to every department within First Crypto and forms part of our broader compliance and governance framework, ensuring consistent adherence to legal requirements, industry best practices, and internal standards related to data protection and records management.

2. Cross-Border Compliance and Data Management

In addition to compliance with the UAE Personal Data Protection Law (PDPL), First Crypto acknowledges its obligation to adhere to all other applicable data privacy laws, including sector-specific or free zone regulations within the UAE, as well as foreign data protection laws in jurisdictions where its services or processing activities may extend. This includes, but is not limited to, compliance with laws governing data storage, data residency, and cross-border data transfers. First Crypto ensures that personal data is stored securely and transferred lawfully, employing appropriate safeguards and contractual mechanisms where required by applicable legislation.

2.1 Third-Party Websites and External Links

First Crypto's website may contain links to third-party websites that operate independently and are not under our control. We do not endorse or assume responsibility for the privacy practices, content, or security of these external sites. Users are strongly encouraged to review the privacy policies of any third-party services they access before submitting personal data or engaging with their platforms.

3. Data Governance and Oversight Framework

The Company is committed to protecting the privacy and security of Personal Data by implementing a formalised Data Privacy and Protection Compliance Programme. This programme ensures compliance with all applicable data protection laws, including the UAE Personal Data Protection Law (PDPL), as well as any international data privacy regulations relevant to First Crypto's operations.

3.1 Compliance Programme

First Crypto has developed and implemented a written compliance programme that establishes a consistent framework for safeguarding Personal Data across its operations. The programme includes policies, controls, and processes to ensure the lawful, fair, and transparent processing of data and the continuous improvement of our data protection practices.

This programme is regularly reviewed to reflect changes in legal requirements, business activities, and technological advancements.

3.2 Appointment of a Data Protection Officer (DPO)

The Company has appointed a Data Protection Officer in accordance with Article 11 of the PDPL and other applicable laws. The DPO is a suitably qualified and experienced individual, and may also serve as the Chief Information Security Officer (CISO), provided that doing so does not compromise independence or objectivity.

The DPO is responsible for:

Organizational Management

A dedicated internal function, under the DPO's leadership, is responsible for managing and safeguarding Personal Data. This includes the implementation of policies, procedures, systems, and controls proportionate to the risk profile of the data being processed.

Compliance Oversight

Ensuring ongoing compliance with all relevant data protection laws, including Article 11 of the UAE Personal Data Protection Law (PDPL), as well as specific requirements issued by VARA and any other applicable regulators.

Risk Assessment

Conducting periodic data protection risk assessments to identify vulnerabilities and implement corrective measures to mitigate risks effectively.

Policy Review and Updates

Maintaining up-to-date data protection policies through regular reviews and updates, ensuring continued alignment with emerging legal standards and global best practices.

Employee Support and Training

Delivering comprehensive data protection training programmes, including onboarding and refresher sessions, and serving as a point of support for employees seeking guidance on data-related matters.

Reporting and Briefing

Providing senior management with regular briefings on the organization's data protection posture, compliance performance, and any regulatory developments.

Incident Management

Coordinating the response to any data breach or incident involving Personal Data, including timely notifications to VARA, other relevant data regulators, and affected individuals in accordance with applicable law.

Technical Advice

Advising management and relevant teams on technical and organizational measures to enhance the security and resilience of data protection infrastructure.

Handling Requests and Complaints

Receiving, reviewing, and responding to complaints and requests related to Personal Data, in line with statutory obligations and internal procedures.

Data Access Requests

Facilitating and responding to Data Subject Access Requests (DSARs) in a prompt, secure, and transparent manner, ensuring individual rights are upheld.

Contractual Compliance

Reviewing agreements with Data Processors and third-party vendors to verify that data protection obligations are clearly articulated and contractually binding.

Establishment of a Dedicated Data Protection Function

The Firm has established an internal function responsible for the oversight, management, and protection of Personal Data. This function ensures that data processing activities are carried out in line with legal requirements and the company's risk profile. The Company acts as the data controller responsible for the protection of your personal data. If you have any inquiries, concerns, or specific requests related to your personal data, you are welcome to reach out to our DPO at tech@fce.global.

Key responsibilities include:

Developing and maintaining data protection policies and internal controls.

Conducting periodic risk assessments and internal audits

Providing staff training and awareness programmes

Managing data subject access and rights requests

Implementing incident response plans for data breaches

4. Personal Data We Collect and How It Is Used

At First Crypto, we collect various types of personal data depending on the nature of our relationship with you and the services you use. The data we collect helps us meet legal obligations, provide efficient services, and enhance your overall experience.

When you register with us or use our services, we may collect:

Personal identification information, including your full name, date of birth, nationality, and identification document details.

Contact details such as your phone number, email address, and residential address.

Financial information, including net wealth and sources of wealth or income, as required for regulatory compliance.

Data Collected Through Service Interactions

We may also collect personal data when you interact with our services, such as:

Data provided during wallet creation, including username and public key.

Communication data, including emails and customer support inquiries.

Responses from surveys, feedback, and other engagement channels, which help us improve our services.

Sensitive Personal Data

In certain instances, such as when you use our identity verification services, we may collect sensitive personal data, including biometric data (e.g., live facial images). This data is only collected with your explicit consent or where required by law.

Data from Third-Party Sources

We may obtain personal data from third parties, including external platforms and verification services, if you access our services through a third-party application or platform.

Failure to provide necessary personal data, as requested by law or for service execution, may result in our inability to offer certain services, and we will notify you if this occurs.

5. Use and Disclosure of Personal Data

At First Crypto, we are committed to the responsible use and protection of personal data. The information we collect is used strictly for legitimate business, legal, and operational purposes in accordance with applicable data protection laws.

Use of Personal Data

Your personal data may be processed for the following purposes:

Provision and Enhancement of Services

To provide you with access to our products and services, manage your account, and improve the quality and functionality of our offerings based on user activity, preferences, and feedback.

Customer Support and Communication

To interact with you regarding your account, respond to queries, deliver updates, and communicate important service-related information such as transaction confirmations, system maintenance notices, or security alerts.

Security and Fraud Prevention

To protect your data and our systems by detecting, investigating, and mitigating risks related to fraudulent transactions, account misuse, or security threats. This includes the application of advanced authentication protocols and monitoring tools.

Legal and Regulatory Compliance

To fulfill our obligations under applicable laws and regulations, including Know Your Customer (KYC), Anti-Money Laundering (AML), and counter-terrorism financing requirements. This may involve due diligence, identity verification, and transaction monitoring.

Performance Monitoring and Improvement

To assess platform performance and optimize user experience through analytics, usability studies, surveys, and feedback mechanisms.

Marketing and Promotions

To notify you about new products, features, or services that may be of interest, provided you have not opted out. Communications may include newsletters, product updates, or promotional offers.

Sharing Your Personal Data

We maintain a strict approach to data sharing and do not disclose personal data to third parties except in the following limited circumstances:

Legal or Regulatory Requirements

When required by applicable law, court order, or request from regulatory authorities, including disclosures to government bodies and law enforcement agencies.

Service Providers and Affiliates

With third-party vendors or affiliated companies who provide essential operational services on our behalf—such as data storage, identity verification, or transaction processing—subject to strict contractual obligations ensuring confidentiality and compliance.

Protecting First Crypto and Others

To safeguard the rights, property, or safety of First Crypto, its users, or others, including in connection with legal claims, enforcement of terms, or investigation of unlawful activity.

5.1 Confidential Information Management

First Crypto is committed to maintaining the confidentiality, integrity, and proper use of all client-related information, in accordance with applicable laws, regulatory requirements, and industry best practices. In support of this commitment, the Company has implemented robust internal policies and procedures that govern the collection, processing, use, and safeguarding of confidential information.

Protection of Confidential Information

First Crypto takes all reasonable and appropriate measures to ensure the ongoing confidentiality of all information related to its clients, their associated records, and property. These measures include the implementation and enforcement of comprehensive internal policies, procedures, and technical safeguards designed to protect the sensitive nature of any information shared with the Company—whether under a formal confidentiality agreement or otherwise.

Purpose-Limited Use

All confidential client information received by First Crypto is used strictly for the purpose for which it was provided. Such use remains at all times subject to the terms of any applicable confidentiality agreements, which are aligned with relevant legal and regulatory standards. The Company ensures that all such agreements are duly reviewed and accepted in accordance with applicable laws.

Staff Awareness and Certification

First Crypto ensures that all relevant staff members:

Are appropriately familiarised with the Company's internal policies concerning the handling and protection of confidential information; and

Are made aware of the applicable requirements outlined under the relevant regulatory frameworks.

To reinforce compliance and accountability, First Crypto periodically certifies its staff's adherence to these internal confidentiality policies.

Controlled Access and Disclosure

Confidential information is not shared internally within First Crypto or externally with any third party unless such disclosure is absolutely necessary for the performance of Virtual Asset (VA) Activities directly related to the information in question. Any such disclosure is subject to strict need-to-know principles and is controlled through role-based access measures and internal approval procedures.

Prohibition on Improper Use

Under no circumstances will First Crypto or its staff use or disclose confidential information for the purpose of trading Virtual Assets—whether for the benefit of the Company, any of its employees, or any external party. Such misuse constitutes a serious violation of internal policy and will trigger appropriate disciplinary and/or legal action.

Regulatory Access and Data Breach Notification

In line with its commitment to transparency and regulatory cooperation, First Crypto has established protocols to ensure that relevant information related to its data handling practices is readily accessible to competent authorities, and that any incidents involving personal data are reported in a timely and compliant manner.

5.2 Regulatory Access to Information

First Crypto will take all necessary measures—including but not limited to providing required notifications, incorporating appropriate contractual provisions, and obtaining requisite consents—to ensure that regulatory authorities have full access to information related to the Company's compliance with applicable data privacy and protection requirements, irrespective of the location in which such data is stored.

Access to this information will be provided in the form and within the timelines communicated by the relevant authority. First Crypto's internal governance mechanisms ensure that such requests are treated with the highest priority and responded to in a timely, accurate, and transparent manner.

Incident Notification Protocol

In the event of any incident that affects or may potentially affect personal data, First Crypto is committed to ensuring timely notification to all relevant parties. Specifically:

The Company will notify the competent regulatory authority without undue delay and, in any case, within twenty-four (24) hours of having notified either:

A data protection or supervisory authority (including those based in the United Arab Emirates); or

The impacted Data Subject(s);

of the occurrence of such an incident.

Alongside the notification to the regulatory authority, First Crypto will provide a summary of the incident report, and, where the relevant data regulator is located in the UAE, a full copy of the report—unless such disclosure is legally restricted. In such cases, the Company will provide a formal justification and evidence of the legal restriction upon request.

5.3 Core Principles Governing Personal Data Processing

First Crypto upholds the highest standards of data protection by embedding fundamental privacy principles into all data processing activities. These principles serve as the foundation of our approach to lawful, secure, and responsible data management.

Lawfulness, Fairness, and Transparency

We process personal data only when there is a clear legal basis to do so, ensuring that all processing activities are fair and transparent. Data subjects are informed of the purpose, scope, and legal justification for the use of their data through accessible privacy notices and clear consent mechanisms.

Purpose Specification and Limitation

Data is collected and used strictly for defined, legitimate, and clearly communicated purposes. We prohibit the use of personal data for unrelated purposes unless additional consent is obtained, and we routinely review datasets to ensure ongoing relevance and alignment with stated objectives.

Data Accuracy and Quality

We take proactive measures to ensure that personal data remains accurate, complete, and up to date. Individuals are provided mechanisms to review and request corrections to their data at any time.

Data Minimisation

Only the personal data strictly necessary to fulfill the specified purpose is collected. We conduct regular data minimisation reviews to eliminate the retention of excessive or redundant information.

Storage Limitation and Retention

Personal data is retained only for as long as necessary to fulfil its intended purpose or comply with legal requirements. Our Data Retention Schedule ensures structured disposal and secure deletion of outdated records.

Integrity and Confidentiality

We apply robust technical and organisational measures—such as encryption, role-based access control, and intrusion detection systems—to preserve the confidentiality, integrity, and availability of personal data throughout its lifecycle.

Demonstrable Accountability

First Crypto actively demonstrates its compliance with these principles through regular internal audits, employee training, data protection impact assessments, and comprehensive documentation of processing activities.

6. Employee Training and Awareness on Data Privacy & Protection

First Crypto recognises that maintaining a strong data protection culture begins with informed and well-trained personnel. To this end, we have implemented a structured and continuous training programme to ensure all employees understand their responsibilities and comply with applicable data protection laws, including the UAE Personal Data Protection Law (PDPL) and relevant VARA requirements.

Comprehensive Induction Training

All new employees receive thorough onboarding training covering core data protection principles, regulatory obligations, and internal procedures to ensure immediate awareness of privacy responsibilities from day one.

Specialised Role-Based Training

Employees in roles involving access to or processing of personal data—such as compliance, IT, customer support, and operations— receive advanced and targeted training tailored to their specific functions and the sensitivity of the data they handle.

Regular Refresher Sessions

To ensure continued competence and regulatory alignment, First Crypto conducts periodic refresher courses for all staff. These sessions incorporate updates to legal requirements, evolving risks, and internal policy changes.

Ongoing Awareness Initiatives

We promote a culture of accountability through continuous awareness campaigns, including newsletters, briefings, and reminders, aimed at reinforcing best practices in data protection and information security.

This layered approach ensures our workforce remains informed, vigilant, and capable of upholding the highest standards of data privacy and security.

7. Regulatory Cooperation and Data Breach Notification

The Firm acknowledges the critical importance of regulatory transparency and swift action in matters relating to data protection. In accordance with applicable regulations, First Crypto is committed to ensuring that the Virtual Assets Regulatory Authority (VARA) has timely and unrestricted access to all relevant data necessary to assess our compliance with the data protection requirements outlined in the VARA Technology and Information Rulebook.

Facilitating Regulatory Access

To uphold this commitment, First Crypto will:

Take all reasonable and necessary steps to ensure VARA has access to any information related to our data protection obligations, irrespective of where such data is stored (including cloud environments, third-party platforms, or offshore servers)

Incorporate appropriate contractual provisions, provide necessary notifications, and obtain all required consents—whether from employees, service providers, or clients—to facilitate such access

Provide requested information in the manner and within the timelines specified by VARA, in full cooperation with their regulatory oversight

7.1 Incident Reporting and Notification to VARA

First Crypto will notify VARA within twenty-four (24) hours of any notification it makes regarding a data incident that affects or may potentially affect Personal Data, in either of the following scenarios:

Notification to a data protection authority, whether within the UAE or abroad; or

Notification to a Data Subject, as required under applicable law.

Such notification to VARA will include:

A summary of the incident and actions taken

A copy of any official report submitted to the relevant data regulator (where the regulator is based in the UAE), unless prohibited by applicable law

Justification for non-disclosure where legal restrictions apply, as demonstrated to VARA's satisfaction

8. Data Register

To ensure transparency and ongoing compliance, First Crypto maintains a Personal Data Register that tracks and manages all personal data processing activities. This register provides a comprehensive record of the nature and purpose of each data processing activity, specifying the types of personal data processed and ensuring that only necessary information is handled. It also identifies the categories of individuals whose data is processed, along with the sources of the data.

The register outlines the retention periods for each data category, ensuring compliance with legal and regulatory requirements. In accordance with VARA's rulebook, records are retained for a minimum of 8 years. Additionally, the register details the security measures implemented to protect personal data, such as encryption and access controls. It also includes information on data transfers, both within and outside the organization, ensuring that all transfers comply with relevant data transfer regulations.

9. Data Privacy and Protection Policy Review and Maintenance

To ensure compliance with evolving legal, regulatory, and industry requirements, this policy is reviewed and updated regularly.

To stay aligned with changing legal and regulatory frameworks, First Crypto conducts a comprehensive review of this Data Privacy and Data Protection Policy:

Annual Reviews: A formal review is carried out each year to ensure the policy remains relevant and effective in meeting our obligations.

Ad-Hoc Reviews: Reviews may also be triggered as necessary due to changes in business operations, technological advancements, or new regulatory guidelines.

The DPO leads the review process, working closely with relevant departments to assess and update the policy. This collaborative approach ensures that our data protection practices remain robust and comprehensive.

Once the policy has been reviewed and updated, all employees are promptly notified of the changes. This ensures that every team member is aligned with the latest data protection standards and practices, promoting a unified approach to safeguarding personal data.

Our proactive approach reflects First Crypto's ongoing commitment to continuously improve our data privacy practices, ensuring we remain adaptable to regulatory shifts and technological advancements.

FCE

Secure digital asset access for retail, qualified, and institutional clients.

Company
  • About Us
Legal
  • Terms and Conditions
  • Regulatory Disclosures
  • Privacy Policy
  • Complaints
First Crypto (FCE) is licensed and regulated by the Dubai Virtual Assets Regulatory Authority (VARA) to provide Virtual Asset Broker-Dealer services (License No. VL/26/04/004, dated 24 April 2026). FCE operates from Boulevard Plaza Tower 1, Office 1702, Sheikh Mohammed Bin Rashid Boulevard, Dubai, United Arab Emirates.
First Crypto Exchange L.L.C operates an Information Security Management System certified to ISO/IEC 27001:2022 by BSCIC Certifications Pvt. Ltd. (Certificate No. BN25272/22695). The certification covers Crypto Broker-Dealer Services, including Trade Execution & Settlement, Wallet & Treasury Management, Customer Account Management, Digital Asset Transaction Processing, and the supporting IT infrastructure and information assets.
Virtual Assets are high-risk products and may be subject to significant price volatility. You may lose some or all of the value of your investment.