Aureo's privacy policy and personal data processing policy
Last revised: October 19, 2025
1. Identity and address of the Controller
Swapido S.A.S. de C.V., hereinafter “Aureo” or “we”, with address to hear and receive notifications at Sandbox Business Center, World Trade Center San Salvador Torre II, El Mirador Street, Escalón Colony, San Salvador, El Salvador, is responsible for the processing of your personal data. This Privacy Notice is issued in compliance with the current Federal Law on the Protection of Personal Data Held by Private Parties.
2. Personal data we collect
By the very nature of distributed ledger technologies ("DLTs") and blockchains, all transactions you make are permanently and immutably recorded, and Aureo is not able to modify, reverse, or delete such transactions. Your consent to this privacy notice implies your acceptance of this fact and its implications, as well as your acceptance of the fact that your rights to rectification, erasure, and objection (referred to below) will be limited to data that has not been recorded on a DLT or blockchain.
We collect the following categories of personal data from you (hereinafter the “Holder”):
- Identification data: name(s), surname(s), date of birth, state of birth, nationality, gender, occupation, Unique Population Registry Code (CURP) or equivalent, Federal Taxpayer Registry (RFC) or equivalent, copy of current official identification (INE, passport or other), and electronic signature.
- Contact information: full address, telephone number, and email.
- Patrimonial and financial data: source of funds, bank account statement or receipt, Standardized Banking Code – CLABE, card number, bitcoin address or invoice, and history of transactions made on the platform.
- Blockchain Traceability: all information that results from or is derived from the use of decentralized blockchains, specifically the Bitcoin network, including - but not limited to - your cryptographic address or public key, the bitcoin balance associated with that address, the history of transactions made to or from that address, the addresses with which you have interacted in the past and your transaction profile.
- Biometric data (sensitive): Photograph or video of your face (for identity verification processes).
- Regulatory status data: If you are a Politically Exposed Person (PEP) or a close relative/close associate of a PEP, this may be collected through a questionnaire at the time of account opening.
- Technical data for using the platform: IP address, device or browser identifiers, device type, operating system, geolocation (if applicable, for account security), connection times, and actions performed within your account.
3. Purposes of data processing
The personal data we collect is used for the following primary purposes, which are necessary to offer you our services for buying and selling, custody and payments with Bitcoin:
- Identity verification and authentication: Confirm your identity and validate the authenticity of your official documents and biometrics, in compliance with legal provisions.
- Account opening and management: Create your user account, allow you to access the platform, associate payment methods, generate and manage your electronic file, and offer you the available features and tools.
- Transaction operation: Process your instructions to buy, sell, send, or receive Bitcoin or fiat currency, execute your payments or collections, and reflect your balances and transactions on the platform.
- Fraud prevention and security: Monitor your activities and transactions to detect potential unauthorized transactions, fraud, illicit, or unusual uses; implement security measures (e.g., two-factor authentication, anti-fraud algorithms) and, if necessary, block activities that violate our policies or the law.
- Compliance with legal and regulatory obligations: Comply with applicable legislation. This includes formally identifying you, compiling and maintaining a KYC file, reporting to the competent authorities any transactions that must be reported due to exceeding thresholds or being considered unusual, and responding to requests from administrative or judicial authorities.
- Customer Service and Support: Respond to your requests for information, questions, clarifications, complaints, or any messages you send us via our official channels (email, support chat, call center), follow up, and resolve them.
- Service Communications: Send you important non-marketing service-related notifications, such as transaction confirmations, account activity alerts, notices of changes to our terms and conditions or this privacy notice, security updates, maintenance, or technical issues, etc.
Additionally, if you consent, we will use your data for the following secondary (optional) purposes, which are not essential for the main service but help us provide you with better service:
- Marketing and promotions: To send you promotional, advertising, or marketing communications about our products or services, or offers from our business partners (e.g., referral programs, bonuses, new financial products) via email, push notifications, or other means.
- Advertising Personalization: To analyze your characteristics and behaviour on the platform, to personalize or offer you products, services, or content aligned with your interests. For example, to show you investment opportunities in the app that may be relevant based on your transactional profile.
- External studies and surveys: Occasionally, to invite you to participate in satisfaction surveys or market research conducted by contracted third parties to understand your opinion and improve our processes.
- Service improvement and internal analysis: Analyze your use of the platform, transactions, and preferences to improve the quality, functionality, and user experience of our services; this may include statistical analysis, satisfaction surveys, or internal market research.
If you do not wish us to process your data for any of the secondary purposes described above, you can object or revoke your consent at any time (see sections 6 and 7 below). Refusal to use for secondary purposes does not affect the provision of our primary services.
4. Limitation of the use or disclosure of your data
We undertake to process your personal data only for the purposes indicated. To limit the use or disclosure of your personal data, you can use the following means:
- Opting out of promotional communications: If you no longer wish to receive promotional emails or marketing messages, you can unsubscribe using the unsubscribe mechanism included in such emails (for example, an "unsubscribe" link) or by sending a request directly to our privacy contact email. We will process your request within no more than 5 business days.
Additionally, we maintain internal policies and controls to ensure that only authorized personnel access your data for legitimate purposes. No disclosure to third parties will be made except as described in this notice and as permitted by law.
5. Transfers of personal data
The personal data collected by Aureo will be securely transferred to the country of destination in accordance with applicable data protection regulations and this Agreement. Once your data is no longer required for legal compliance or account maintenance, it will be anonymized to prevent any individual from being identified. We take extensive measures to ensure that all personal data is protected with the same level of care we apply to the protection of our own confidential business information.
In the normal course of our operations, we may transfer some of your personal data to third parties, national or foreign, in the following cases and under the appropriate confidentiality and security conditions:
- Affiliated and subsidiary companies: We may share your information with parent companies, affiliates, subsidiaries or members of our same corporate group that operate under their own internal processes and policies, whether inside or outside El Salvador (including, but not limited to Soluciones Tecnologicas Nagumatech, S.A.P.I. de C.V.). These transfers are made for purposes consistent with those described herein, such as operational support, technical support, payment processing, corporate statistical analysis, compliance with AML/CFT obligations, or centralized data storage.
- Compliance with contractual relationships with third parties: If we mediate third-party services or offer services jointly or in collaboration with other companies, we share the necessary data with said third parties to fulfill the provision of the agreed service, under appropriate confidentiality measures.
- Business partners and alliances: In case of carrying out promotions or joint alliances with other companies in the digital asset industry, we may share basic identifiers and transactional data necessary to validate the promotion or administer the partnership. We always ensure that these third parties use the information for the agreed-upon purpose and properly protect it. If any such transfer does not fall within a legal exception, we will request your explicit prior consent.
- Authorities and legal obligations: We may transfer your personal data without requiring your consent to government authorities, regulatory, or judicial authorities that request it in the exercise of their legal functions, or to comply with any law or legal requirement. Examples include authorities in anti-money laundering reports, judicial authorities ordering information through a valid warrant, among other cases provided for by law. Only the relevant information requested will be disclosed, on a case-by-case basis.
- Corporate transactions: In the event of a merger, acquisition, asset sale, restructuring, or other similar event involving Aureo, the transfer of personal data to the third-party recipient will be limited to the evaluation and completion of the transaction, and the third-party recipient will be contractually required to maintain at least the same level of protection as this notice. If the transaction is executed, the third party (or the new resulting entity) assumes the data protection obligations with respect to the transferred information, and we will notify Data Subjects by updating this notice accordingly.
We will refrain from selling, leasing, or renting your personal data to any third party not mentioned above. If, for any reason, we need to transfer your personal data for a purpose other than those mentioned above, we will notify you and, if required by law, obtain your prior consent.
6. Means to exercise your ARCO Rights
You, as the Data Owner, or your duly accredited legal representative, may exercise at any time your rights of Access, Rectification, Cancellation and Opposition (ARCO) regarding the personal data we have about you. This means: (i) knowing what data we have about you and the details of the processing (Access); (ii) requesting the correction of data that is incomplete, inaccurate or outdated (Rectification); (iii) requesting the elimination or deletion of your data from our databases when you consider that they are not being processed in accordance with the law or are no longer necessary (Cancellation); and/or (iv) opposing the use of your data for specific purposes (Opposition).
To exercise any of these rights, please follow this procedure:
- Send a written request via email to our Privacy Area at the address: legal@aureobitcoin.com.
- The application must contain and be accompanied by the following:
  - Your full name (and, where applicable, that of your legal representative), attaching the document that proves the representation.
  - Identity document (legible copy of INE, passport) – if acting through a representative, include the representative's identification and corresponding power of attorney or public instrument.
  - Clear and precise description of the personal data with respect to which you seek to exercise the ARCO right in question, what right you wish to exercise (Access, Rectification – indicating the corrections to be made and providing supporting documentation – Cancellation or Opposition – specifying which processing you oppose) and add the description of the reasons that support or justify the exercise of the right.
    - For example: “I request that my last name be corrected; it should read ‘González’ instead of ‘Gonzales’” or “I object to the processing of my data for marketing purposes.”
  - Any other item or document that makes it easier to locate your data in our systems (e.g., registered email, customer number, approximate registration date).
- Our Privacy Department will acknowledge receipt of your request and, in accordance with the law, will have a maximum period of 20 days to inform you of the decision taken, counting from the date we receive your complete request. If the request is appropriate, we will execute it within 15 days following the date we communicate our response. If we require additional information to address your request, we will request it within 5 days of receiving it, and you will have 10 days to provide it; otherwise, the request will be considered unsubmitted.
We will deliver the information to you via email, which will be accompanied by the corresponding attachments. The Access obligation will be fulfilled when we make your personal data available to you or by issuing simple copies, electronic documents (PDF) or other means. For Deletion, please note that we will first apply a block to your data, and we will subsequently delete it from our files, as described in point 8 (Data Retention).
Denial or limitation: We may deny access, rectification, cancellation, or objection in whole or in part in the cases permitted by law, for example, when: you are not the owner or do not have the legal authority to do so; your data is not in our database; there are legal obligations to retain certain data (e.g., we cannot delete data that we must maintain by provision of the LFPIORPI); or the requested rectification is not appropriate because the information is correct and up-to-date, among others. In any case, we will inform you of the reason for our decision. Likewise, you have the right to revoke your consent for the processing of your data at any time, following the procedure in the section
7. Means to revoke consent
In those cases where you have given us your consent to process your personal data (for example, consents given during registration for secondary purposes), you may revoke it later if you wish.
To revoke your consent, please submit a request following the same procedure described in section 6 above, clearly stating that you wish to revoke your consent and specifying the processing or purpose for which you are revoking it (for example, "I revoke my consent to the use of my data for advertising purposes"). Within a maximum of 20 days, we will inform you of the reason for the revocation and take appropriate action if so. If your request is successful, we will stop processing your data for those purposes.
8. Data retention period and deletion
Your personal data will be processed and stored as long as there is a contractual and/or service relationship with you, and subsequently for the period established by applicable laws. In particular, the data collected for compliance with the SPECIAL LAW FOR THE PREVENTION, CONTROL AND PUNISHMENT OF MONEY LAUNDERING, FINANCING OF TERRORISM AND FINANCING OF THE PROLIFERATION OF WEAPONS OF MASS DESTRUCTION (EL SALVADOR) and/or the FEDERAL LAW FOR THE PREVENTION AND IDENTIFICATION OF OPERATIONS WITH ILLICIT PROCEEDS (MEXICO) must be kept for a minimum of 15 years counted from the end of the relationship or the completion of the relevant transaction. After this period, we will proceed to securely delete them.
Once the corresponding purposes have been fulfilled, and there is no legal obligation to retain your data, we will proceed to block it and eventually delete it from our databases. This means that your data will be isolated and access restricted only for potential legal liability (e.g., responding to authorities or defending rights in court) during the applicable statutory limitation periods. After these periods, we will delete your data from our systems by secure deletion or media destruction, as applicable.
In summary, we will delete your personal data when: i) you exercise your right to erasure and there is no legal impediment to doing so; ii) it is no longer necessary for the purposes set out in this Notice and no longer requires its retention by law; or iii) a competent authority so directs.
9. Use of tracking technologies/cookies
Our platform can use “cookies” and similar tracking tools to obtain data about your interaction with our online services. Cookies are text files that are automatically downloaded to your device when you visit a specific web page, which allow the server to remember information about your browser and usage patterns. Usage data that we may collect through cookies or other technologies (such as web beacons, pixels, tags) includes: your IP address, browser type, preferred language, access times, pages visited, sections clicked and device identification.
This use of technologies is primarily for the purposes of improving user experience, analyzing the performance of our platform, and, in some cases, for advertising purposes. For example, we use cookies to keep you logged in, to remember your language preferences, and to compile statistics about app traffic and usage (e.g., via Google Analytics, which helps us understand which features are most frequently used). We may also use third-party cookies (such as the Facebook Pixel) for remarketing purposes so that we can serve you relevant advertising on other sites based on your interaction with our platform.
You can disable the use of cookies at any time by adjusting your internet browser settings to reject or delete them. However, doing so may cause certain features of the platform to not function optimally.
10. Changes or updates to this Privacy Notice
This Privacy Notice may be modified, changed, or updated due to new legal requirements; our own needs for the products or services we offer; changes in our business model; or for other reasons. We reserve the right to make such changes at any time.
In the event of a significant change to this Notice, we will notify you through the means of contact that we have registered, through pop-ups, banners or alerts on the website or application. The most recent version of this Notice will always be available at https://www.aureobitcoin.com/es/privacy-policy. We encourage you to periodically review this Privacy Notice on our website to stay informed about how we protect your information.
11. Contact and questions
If you have any questions or comments regarding the handling of your personal data or the content of this Privacy Notice, you can contact us at any time:
- Email: legal@aureobitcoin.com
- Physical address: Sandbox, World Trade Center San Salvador Tower II, Calle El Mirador, Escalón, San Salvador, El Salvador
Our Privacy Officer will respond to your inquiries promptly.
12. Data protection authority for users in Mexico
If you are a user in Mexico and you consider that your right to the protection of personal data has been violated by any conduct of ours or our managers, or you suspect any violation of the provisions of the Law, you may file a complaint or report before the competent supervisory authority in Mexico. As of 2025, the authority in this matter is the Secretariat of Anti-Corruption and Good Government, specifically through the Personal Data Protection Directorate (Note: Until specific regulations are issued by this Secretariat, complaints may be filed with the National Institute for Transparency, Access to Information and Protection of Personal Data - INAI). For more information, you can consult the official website https://www.gob.mx/buengobierno or contact the authority directly.
I confirm that I have read and understood this Privacy Notice and consent to the processing of my personal data as indicated, except for secondary purposes where I have expressed my objection.
13. Communication in case of a security incident in El Salvador
For users in El Salvador, any security incident that has violated the Client's personal data will be communicated to the affected user and to the State Cybersecurity Agency ("ACE") within 72 hours of discovering the security incident.