Privacy Policy

1. Our privacy commitment

Bitaroo Pty Ltd ABN 11 629 701 953 (Bitaroo, we, us) is committed to protecting your personal information.

We collect, use, and disclose the minimum personal information required to: • provide and secure our services
• meet obligations under Australian laws and regulatory requirements, including AML/CTF obligations
• prevent fraud and misuse We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.We do not sell personal information. We do not permit our service providers to use customer personal information for their own marketing or profiling.

2. Scope

This policy applies to personal information we handle when you use our website, apps, and services.

3. What we collect

Depending on how you use our services, we may collect:

Identity and verification (KYC/AML):
• name, date of birth, residential address
• government-issued identification details and verification results Contact and account information:
• email address, optional phone number
• account login credentials and security settings Transaction and payments:
• records of deposits, withdrawals, transactions, and account activity
• bank account details needed to process payments (where applicable) Technical and security data:
• IP address, device identifiers, operating system, browser data
• access logs, security events, and fraud signals We may also collect personal information from third-party identity verification providers where necessary to meet compliance obligations. We collect sensitive information only where required or permitted by law, where necessary to prevent fraud, verify identity, meet system security requirements, or where you choose to provide it.

4. How we use personal information

We use personal information only for:

• onboarding and identity verification
• providing services, including processing transactions and supporting account operations
• securing accounts, preventing fraud, and maintaining platform and app integrity
• customer support, troubleshooting, and communications required to operate the service
• meeting legal and regulatory obligations, including responding to lawful requests We may send product or service updates. You can opt out of marketing at any time. We do not disclose KYC documents to upstream service providers except where strictly necessary to meet compliance, security, or legal obligations.

5. Bitcoin and blockchain activity

Bitcoin transactions occur on a public blockchain. We do not attempt to link on-chain activity to your identity beyond what is necessary for compliance, risk management, and security.

6. When we disclose personal information

We disclose personal information only where strictly necessary, and only the minimum information required, to:

• service providers who help us operate the platform (for example, identity verification or customer support tooling)
• payment system operators and financial institutions (where relevant)
• regulators, law enforcement, courts, or other authorised bodies where required by law, or where otherwise permitted and, following reasonable review, we consider the request justified and appropriately limited in scope Service providers are required to handle personal information only on our instructions and to implement appropriate security controls.

7. Overseas disclosures

Some service providers may process or store personal information outside Australia.

Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient handles it consistently with the Australian Privacy Principles, and we apply appropriate contractual and security safeguards.

8. Cookies and analytics

We use cookies and similar technologies for:

• essential site functionality and security
• preventing fraud and abuse
• measuring performance and improving user experience You can manage cookies through your browser settings. Some cookies are necessary for the site to function securely.

9. Data security

We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure, including access controls, encryption, and monitoring.

10. Data retention

We retain personal information only for as long as necessary for the purposes described in this policy, including compliance and security.

Where AML/CTF record-keeping obligations apply, we retain relevant customer identification and transaction records for at least 7 years after we stop providing designated services or as otherwise required by law. When information is no longer required, we take reasonable steps to delete or de-identify it.

11. Notifiable Data Breaches

If a data breach occurs that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme.

12. Access, correction, and complaints

You may request access to, or correction of, personal information we hold about you, except where providing access would be unlawful, unreasonable, or would compromise security, fraud prevention, or the integrity of our systems.

If you have a privacy complaint, contact us first and we will respond within a reasonable time. If you are not satisfied, you can complain to the OAIC.