PRIVACY NOTICE

Under this Agreement, when referring to Disruptive Exchange, we are referring to Disruptive Exchange S. de R.L. de C.V., a company duly incorporated under the laws of the United Mexican States; we may also refer to ourselves as "We" or "Us."

When referring to the User or You, it means the individual, group, or legal entity using the services of Disruptive Exchange.

At Disruptive Exchange, we take the privacy of our clients, collaborators, suppliers, associates, partners, agents, and related individuals very seriously, and consider it one of the guiding principles of our Code of Ethics and Compliance Manual.

This document is also an integral part of the document entitled "Terms and Conditions," which can be reviewed on our website https://disruptivex.mx/. Therefore, by accessing, using, or downloading any of the services accessible or connectable with the Site, or by creating or using a user account or clicking "Accept," you agree to be subject to those Terms and Conditions and to this Privacy Notice.

We continuously train our employees on data protection, require our suppliers and subcontractors to protect the data we manage, and have a legal team to address and monitor compliance with regulations in this matter.

Preliminaries

According to this policy, you will have certainty about how we collect, use, store, process, share, and transfer your Personal Data, as well as the mechanisms available to you to exercise your rights of access, rectification, opposition, and cancellation of your personal data.

At any time, you can request a copy of this notice, which will be sent to your personal email at the time of the request, ensuring that these conditions were in effect when you received the email. This policy does not apply to third-party websites, applications, or online services that are not owned or controlled by us, regardless of whether they link to services with computing functions of Disruptive Exchange.

Collection

When using our online services, we may collect your personal information when:

• You register to create a user account on our online services, in which case you provide your information directly in the registration forms that are strictly necessary to provide the services you contract with us.

  When registering your account, we will only collect your email address and a password, which together will form the credentials to access our services. Additionally, we may collect your mobile phone number, to which we will send two-factor authentication messages to enhance the security level of your account.

• To use our services and comply with the Anti-Money Laundering and Counter-Terrorism Financing Laws applicable, you must complete a Know Your Customer (KYC) profile. In this form, depending on the type of customer, we may ask for additional data, such as: Last name, Middle name, Full name without abbreviations, Gender, Date of birth, Place of birth, Country of birth, Nationality, Voter ID, Home address in the country of residence, including street name, avenue, or road, duly specified, Exterior number, and, where applicable, interior number, Neighborhood or urbanization, City or population, Federal entity, state, province, department, or similar political division, if applicable Postal code, Country, Occupation, Profession, Activity or business type, Unique Population Registry Code (CURP), Digitalized handwritten signature, Contact phone number, Account number, Standardized Banking Code (CLABE) at the Financial Entity or SWIFT code of the Foreign Financial Entity, Cryptocurrency wallets, Customer's consent to act on their own behalf or on behalf of others, as applicable.

  In the case of companies, the following additional information may be requested digitally: Company name or business name, Commercial activity or purpose,Nationality,Tax ID number,Address, including street name, avenue, or road, duly specified,Exterior number, and, where applicable, interior number,Neighborhood or urbanization,City or population,Federal entity, state, province, department, or similar political division, if applicable Postal code,Country,Home address phone number,Date of incorporation,Last name,Middle name,Full name of the administrator or administrators, director, general manager, or legal representative who, with their signature, can bind the legal entity to enter into the transaction, Ownership structure or social parts, as applicable.

  Additionally, depending on your profile, you may be requested to provide digitally: A document or testimony or certified copy of the public instrument proving the legal existence of the company, Tax Identification Number, Proof of address, Official identification.

  Our computer system may also perform identity document validations, for which it may collect real-time video of your person to verify your identity.

• When conducting transactions such as buy or sell orders, we may collect information about the amounts of these transactions and location data, device information from which you connect, and connectivity data.

• Additionally, we may obtain information from other sources such as merchants, third parties, data providers, credit bureaus, and those authorized by law.

• When you request technical support or clarifications, we will also collect contact information, the information you provide, and multimedia you send to provide the assistance you require.

Purpose

The personal data we collect from the User, whether through direct or indirect means, will be used for the following purposes that are necessary for your contractual relationship with Disruptive Exchange, arising from this Agreement.

The processing of the User's personal data may be related to the provision of contractual services, sending or receiving Cryptocurrencies or money, compliance with legal obligations or resolutions from competent authorities, billing, customer service, technical service, technical support, handling of personal records (KYC), sending anti-money laundering reports, statistics, management, feeding, and administration of applications and electronic media; marketing, contacting data subjects through any means of communication; as well as modifications to existing legal relationships between Disruptive Exchange and the User.

In addition, Disruptive Exchange may process the User's personal data for other purposes such as notifying communications, sending any type of communication, notices, or messages, or for advertising purposes. Disruptive Exchange may use previously collected sensitive personal data for the provision of the services it provides, which may be transferred to third parties for the purposes of the services provided, in terms of this Agreement.

The User's personal, financial, and asset data that require express consent under applicable law will only be used for the contractual relationships entered into with Disruptive Exchange. If the User does not exercise their right to object to the processing of their personal data in its financial and asset aspects, it will be understood that the User gives Disruptive Exchange their express consent for its use and even transfer. These transfers will take place exclusively with financial institutions to fulfill our contractual obligations, as well as tax authorities and/or those that provide legal grounds and motivation for their actions.

Retention

Disruptive Exchange retains your personal data to comply with legal, regulatory, and contractual obligations, even for longer periods than required by law. In the event of closure, suspension, or cancellation of accounts, we may hide your data but still retain it. The minimum retention period for your data will be 10 years unless there is a legal obligation to the contrary, a request from you, or a mandate from an authority; this period will be computed from the last transaction we perform together.

We will implement the strictest security measures at our disposal to protect your personal data as if they were our own. There are force majeure conditions beyond Disruptive Exchange's control that can compromise our storage systems and expose your personal data, such as war, emergency, accident, fire, earthquake, flood, storm, industrial strike, epidemic, pandemic, communication failures, cyberattacks, and power line failures, hurricanes, and any other circumstance beyond the control of Disruptive Exchange. In such cases, it will not be considered that Disruptive Exchange has failed to fulfill its obligations to protect your personal data.

Processing

Disruptive Exchange may process your personal data for the purpose of making payments, receiving payments, sending or receiving Cryptocurrencies, authenticating the user, establishing connections, communicating with third-party services, verifying your identity, sending notifications, even commercial ones, updating your information, creating statistics, improving our systems, evaluating their functionality, preventing risks, responding to your requests or those of third parties, complying with requirements of authorities or legal matters, marketing products or services, conducting marketing activities, personalizing your experience on our services, observing user behavior, and/or fulfilling our contractual and legal obligations.

Disruptive Exchange will retain the User's data for a reasonable period to process the requests you make, in addition to complying with the applicable contractual or legal provisions.

Your data will be protected by administrative, technological, and physical protection measures to the greatest extent possible by Disruptive Exchange, to prevent any damage, loss, alteration, destruction, unauthorized use, disclosure, or processing. However, due to causes beyond Disruptive Exchange's control, third parties may compromise the measures employed by Disruptive Exchange, and there may be force majeure or unforeseeable circumstances in which personal data may be vulnerable. In such cases, Disruptive Exchange will not be responsible for any damages or harm caused to the data subject, and the User is aware of and accepts these risks.

Disruptive Exchange's technological services may use systems to monitor user behavior, and the User expressly agrees to this purpose.

Sharing and Transfer

Occasionally, Disruptive Exchange may share or transfer your data or other information about you with third parties.

These actions can be carried out among suppliers, subcontractors, affiliates, partners, and agencies of Disruptive Exchange, in order to fulfill contractual obligations that we have with you or third parties, prevent legal risks, improve resource availability, enhance the services we offer you, and improve your user experience.

Your personal information may travel through public nodes or be shared or transferred to providers who provide services to us, in turn, to fulfill the services we provide you. In these cases, you agree to comply with the privacy policies of third parties.

Additionally, we may share and transfer your personal data with financial institutions to execute the transactions you order, perform commercial acts, obtain approvals, move resources, and send Cryptocurrencies to wallets.

Disruptive Exchange may also share information with third parties with whom it conducts transactions through our services to fulfill the orders you place on our systems. In these cases, the shared information will include: name, transaction identification number, amounts, descriptions, information to prevent legal risks, statistical data, and information necessary for the transaction you order. Eventually, we may share your information collected in KYC forms with authorities requesting it or with financial institutions that require it to verify banking transactions.

When you request to connect our services with other platforms, you authorize the sharing or transfer of your personal data.

We inform you that your personal data may be shared within and outside the country with entities other than us: Competent authorities, insurance companies, legal, financial, and stock market providers, and in general any other entity necessary to comply with the terms of this agreement and its related instruments. This is due to the legal relationships between Disruptive Exchange and the user or the recipients of the personal data, considering that it will be the recipient's obligation to maintain the confidentiality of their personal data and comply with the provisions of this privacy notice, except as otherwise provided by law.

Therefore, if the user does not express their objection to the transfer of their personal data under the terms and for the purposes of this agreement, it will be understood that the user grants Disruptive Exchange authorization for the transfer. Under applicable law, the data controller may be required to transfer the data subject's personal data to competent authorities upon duly founded and motivated request.

The transfer of your data may be international when required to comply with our legal and contractual obligations and provide you with the service in the most optimal way.

Cookies

When using Disruptive Exchange's online services, we and our providers may use cookies and other tracking technologies (collectively, "Cookies") to identify you as a user and personalize your online experience, the services you use, other online content, and advertisements.

Cookies may also be used to prevent risks, adjust promotions, perform marketing tasks, or conduct marketing.

You can limit cookies on your device, but this may affect or disable certain services we provide.

Exercise of Rights

The user can, at any time, access, rectify, cancel, or object to the processing of their personal data collected for these purposes individually or collectively, through the means established to exercise their rights. If the user does not object to it within a period of five natural days, counted from the moment their personal data are collected in any physical or electronic form, it will be understood that they have granted their consent.

The user may exercise their rights at any time and autonomously, following the procedures provided in this policy.

Access to your data refers to knowing what personal data we have about the user, what they are used for, and the conditions of use that the data controller gives them; correction is carried out when the user's personal data are not up to date, are inaccurate, or incomplete; the request for cancellation may be exercised when the user believes that their personal data are not being used properly; and opposition is aimed at preventing the use of their data for specific purposes.

To exercise any of these rights, the data subject must send an email for that purpose to the email address legal@disruptivex.mx, clearly indicating which procedure they wish to carry out, on which specific data, the means to receive notifications and responses, and, if applicable, the means of reproduction in which they wish their personal data to be made available, in the case of exercising access to them, for which a corresponding and justified charge may apply. To verify the identity of the user or, where appropriate, the personality of their legal representative, an official copy or digitized document confirming this may be attached, and Disruptive Exchange may require verification through biometric authentication processes.

At any time, the user can revoke the implicit or explicit consent granted to Disruptive Exchange for the processing of their personal data; however, it is important to note that due to legal requirements or requests from competent authorities, it may not always be possible to immediately fulfill the revocation request, until the corresponding obligation is completed. If the mentioned revocation prevents Disruptive Exchange from continuing to provide the contracted services, it will be entirely the user's responsibility and may result in breaches of the contract that are subject to compensation. The procedure to submit your revocation request will be the same as indicated in the preceding paragraph.

Amendments

Disruptive Exchange may amend this Privacy Notice at its discretion in accordance with legal or contractual needs or for the better provision of services.

When this document is amended, the previous one will be repealed, and the new one will enter into force upon publication. The user is obligated to constantly review this agreement to observe any modifications it undergoes, and it is understood that as long as the user continues to use Disruptive Exchange's services, they agree with the current privacy policy.

Acceptance

By clicking the acceptance box provided for this purpose or by using any of the services offered by Disruptive Exchange, the user expresses: a) That they have read and understand the scope of the processing of their personal data; b) That they expressly grant their consent for the transfer of their data in accordance with this agreement and the corresponding contractual relationships; c) That they are aware of and accept the means to exercise their rights and the revocation procedure with Disruptive Exchange; d) That they understand and accept the amendment process of this policy.

This document was updated on September 29, 2023.