Last Updated: March 2026
This Privacy Policy ("Policy") has been prepared by CRYPEXCH TECHNOLOGIES PRIVATE LIMITED ("Company," "we," "our," or "us"), the corporate entity that owns, develops, and operates the digital asset trading platform marketed under the brand name Sikkaa Exchange ("Platform"). The Company is incorporated under the laws of the Republic of India bearing Corporate Identification Number U63999PN2025PTC241988, with its registered office at S. No. 14/10, Sai Park, Shop No. 02, Haveli, Nanded, Pune 411041, Maharashtra, India.
The purpose of this Policy is to explain, in clear and comprehensive terms, exactly what personal information we collect from you, the reasons for which we collect it, the legal basis on which we are permitted to collect and use it, how long we retain it, with whom we share it, and what rights you hold over your own data. We believe that transparency about data practices is a fundamental component of building trust with our users, and this Policy reflects our commitment to that principle.
This Policy applies in its entirety to every individual who accesses or uses any part of the Sikkaa Exchange ecosystem. This includes but is not limited to: visitors to our website at sikkaaexchange.com, registered account holders who have completed the Know Your Customer (KYC) verification process, users of our mobile application (whether on iOS or Android platforms), users who access our services via any application programming interface (API), and any individual who communicates with us through our customer support channels, email correspondence, or live chat systems.
This Policy is incorporated by reference into, and forms part of, our Terms of Service and should be read alongside our Risk Disclosure Policy. In the event of any inconsistency or conflict between this Privacy Policy and our Terms of Service with respect to any data protection matter, this Privacy Policy shall take precedence and govern.
By accessing our Platform, creating an account, or transacting with us in any manner, you confirm that you have read, understood, and agreed to the terms of this Privacy Policy. If you do not agree with any part of this Policy, you must immediately discontinue use of the Platform and may request closure of your account by writing to us at support@sikkaaexchange.com.
Governing Legal Framework
This Policy has been drafted to comply with the Information Technology Act, 2000 and the
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal
Data or Information) Rules, 2011; the Digital Personal Data Protection Act, 2023 (DPDP Act);
the Prevention of Money Laundering Act, 2002 (PMLA) and its associated rules and FIU-IND
guidelines; and the applicable obligations of a Virtual Digital Asset Service Provider
(VDA-SP) registered with the Financial Intelligence Unit of India (FIU-IND).
For the purposes of the Digital Personal Data Protection Act, 2023 and any other applicable data protection legislation, the "Data Fiduciary" or "Data Controller" responsible for your personal data is CRYPEXCH TECHNOLOGIES PRIVATE LIMITED. We are a private limited company incorporated under the Companies Act, 2013, bearing the Corporate Identification Number U63999PN2025PTC241988. Our registered office is situated at S. No. 14/10, Sai Park, Shop No. 02, Haveli, Nanded, Pune 411041, Maharashtra, India.
We operate the Sikkaa Exchange platform, which provides users with the ability to deposit Indian Rupees (INR), convert INR into USDT (Tether) and other Virtual Digital Assets (VDAs) at a fixed spread rate, execute digital asset trades through an API connection to an underlying trading infrastructure, and withdraw the resulting INR amounts back to their registered Indian bank accounts. This model positions us as a broker of digital asset services rather than a direct exchange, and our users interact exclusively with our platform rather than directly with the underlying liquidity infrastructure.
We operate as a Virtual Digital Asset Service Provider (VDA-SP) as defined under the notifications and circulars issued by the Ministry of Finance, Government of India, under the Prevention of Money Laundering Act, 2002. As a VDA-SP, we are in the process of obtaining and maintaining registration with the Financial Intelligence Unit — India (FIU-IND), and our data collection and processing practices are shaped in significant part by the regulatory obligations that flow from that registration, including mandatory KYC, transaction monitoring, and reporting obligations.
All queries, complaints, and requests relating to your personal data and privacy rights should be directed to our designated Grievance Officer at support@sikkaaexchange.com. We are committed to responding to all data-related queries within thirty (30) business days of receipt, and to acknowledging receipt of your communication within three (3) business days.
We collect different categories of personal data depending on the nature and depth of your engagement with our Platform. The breadth of data we collect is shaped by our obligation to operate a compliant digital asset trading environment in India, and specifically by the requirements of the Prevention of Money Laundering Act, 2002, the Income Tax Act, 1961 (Section 194S — TDS deduction obligations), and the guidelines of FIU-IND. Below we describe each category of data in detail.
3.1 Identity and Know Your Customer (KYC) Data
We collect comprehensive identity information from every user as a mandatory precondition to
account activation. This is not discretionary — Indian law requires us to verify the
identity of every individual who transacts on our platform. The identity data we collect
includes your full legal name exactly as it appears on your government-issued identity
document; your date of birth; your nationality and country of residence; your Permanent
Account Number (PAN), which is mandatory for all Indian residents and is used for TDS
reporting purposes; your Aadhaar number, of which we store only the last four digits after
masking — we do not store the full twelve-digit Aadhaar number under any circumstance; a
live selfie photograph taken through our KYC interface, used for facial liveness
verification and identity matching, and which is not retained in our systems after the
verification is complete; and, for users who are required to complete enhanced KYC, a copy
of a passport or Voter Identification Card.
3.2 Contact and Account Credentials
When you register on our Platform, we collect your email address, your mobile phone number,
and the residential address you provide. Your email address is used for all transactional
communications including deposit confirmations, withdrawal notifications, TDS certificates,
and regulatory alerts. Your mobile number is used for one-time password (OTP) authentication
during login and for high-security actions such as withdrawal initiation. We store your
password exclusively in an irreversibly hashed format using industry-standard bcrypt hashing
— we never store or have access to your plain-text password. We also collect and store your
security configuration, including your two-factor authentication (2FA) settings, backup
verification options, and the history of devices and IP addresses used to access your
account.
3.3 Financial and Transaction Data
To process deposits and withdrawals, we collect and store your Indian bank account number
and IFSC code, and where applicable your UPI Virtual Payment Address (VPA). Every financial
transaction conducted on or through our Platform is recorded comprehensively in our systems.
This includes the INR amount deposited and the corresponding USDT amount credited, the
conversion rate applied at the time of the transaction, the USDT amount withdrawn and the
corresponding INR amount paid out, the date and time of each transaction, the unique
transaction reference number (UTR) provided by the banking system, the USDT wallet address
to which or from which any external transfer was made, and the current and historical
balance of your USDT wallet on our Platform. This transaction data is essential for our
statutory TDS deduction and reporting obligations, our AML transaction monitoring
obligations, and our own reconciliation and fraud prevention processes.
3.4 Technical and Device Data
Each time you access our Platform — whether through the website or the mobile application —
our systems automatically collect certain technical data. This includes your Internet
Protocol (IP) address, which we use to determine your approximate geographic location for
fraud detection and sanctions screening purposes; the type of device you are using to access
the Platform, including the device model, operating system version, and hardware
identifiers; the browser you are using, including its version and configuration; a device
fingerprint, which is a composite identifier derived from the technical characteristics of
your device; the date and time of every login; the duration of your sessions; and navigation
patterns within the application. We also collect crash reports and error logs automatically
when the application encounters a fault, which help us diagnose and correct technical
issues.
3.5 Compliance and Risk Assessment Data
As a regulated financial services provider, we generate and maintain an internal risk
profile for every user. This includes the result of the sanctions and watchlist screening
conducted at the time of account opening and periodically thereafter; the AML risk score and
risk tier assigned to your account based on your transaction behaviour, geography, and other
risk indicators; any source-of-funds declarations you provide when required; your status as
a Politically Exposed Person (PEP) or close associate of a PEP; records of any suspicious
activity flags generated by our transaction monitoring systems; and the history of your KYC
tier, including any upgrades or downgrades and the reasons for those changes.
3.6 Customer Support and Communication Data
When you contact us for any reason — whether to report a problem, query a transaction,
request account assistance, or provide feedback — we retain a complete record of that
interaction. This includes all messages sent through our in-app support chat, all email
correspondence sent to or received from support@sikkaaexchange.com, all documents or
screenshots you attach to support tickets, and all notes made by our support team in the
course of resolving your query. We retain this data to ensure continuity of support, to
detect patterns of fraud or abuse, and to demonstrate the steps taken to resolve your
concerns in the event of a regulatory inquiry.
What We Do Not Collect
We do not collect or store your full twelve-digit Aadhaar number (only the last four digits
after official masking). We do not collect, store, or have access to your plain-text
password under any circumstance. We do not collect credit card or debit card data, as we use
only UPI and bank transfers for INR transactions. We do not collect full biometric data —
our selfie liveness check is used only for identity verification and is not permanently
retained in our biometric database.
Every use we make of your personal data has a defined purpose and a corresponding legal basis. We do not use your data for any purpose beyond those described in this Policy, and we do not repurpose data collected for one function for an entirely unrelated function without informing you.
4.1 Account Creation and User Onboarding
We use your identity data, contact data, and KYC documents for the purpose of creating and
activating your account on our Platform. This processing is necessary for the performance of
a contract between you and us — specifically, the contract constituted by your acceptance of
our Terms of Service. Without this processing, we simply cannot provide you with a trading
account. The mandatory KYC component of this process is additionally required by law and
cannot be waived regardless of the amount you intend to transact.
4.2 Processing Deposits and Withdrawals
Your bank account details, UPI ID, and transaction data are used to process your INR
deposits and withdrawals. This processing is necessary for the performance of our contract
with you. When you deposit INR, your bank credentials are used to verify the payment and to
credit the corresponding USDT amount to your wallet at the applicable conversion rate. When
you withdraw, your bank credentials are used to send the INR payout to your account after
converting your USDT at the applicable rate and deducting the statutory TDS amount.
4.3 KYC, AML, and Regulatory Compliance
This is one of the most significant data processing activities we undertake, and it is
driven entirely by our statutory obligations as a VDA-SP registered under the PMLA. We use
your full identity data — including PAN, name, date of birth, address, and nationality — to
conduct mandatory Know Your Customer verification, to screen your profile against domestic
and international sanctions lists and politically exposed persons databases, and to conduct
ongoing monitoring of your transaction behaviour for signs of money laundering, terrorist
financing, or other financial crime. This processing is not subject to your consent and
cannot be disabled. It is a legal obligation, and your continued use of our Platform
constitutes your acknowledgment that this processing will occur.
4.4 Tax Compliance — TDS Deduction and Reporting
We are legally required under Section 194S of the Income Tax Act, 1961, to deduct Tax
Deducted at Source (TDS) at the rate of one percent (1%) on the full consideration value of
every Virtual Digital Asset (VDA) transaction conducted on our Platform. We use your PAN
card number for the purpose of reporting this TDS to the Income Tax Department of India,
crediting the deducted amount to your Form 26AS on the income tax portal, and issuing the
quarterly TDS certificate (Form 16A) to you. This processing is a direct legal obligation
and cannot be opted out of.
4.5 Fraud Prevention and Platform Security
We use your technical data — including your IP address, device fingerprint, login patterns,
and session behaviour — for the purpose of detecting and preventing fraud, account takeover,
suspicious login attempts, and other threats to platform security. We also use your
transaction history to identify patterns that are inconsistent with normal legitimate
trading activity. This processing is carried out on the basis of our legitimate interest in
maintaining a secure and trustworthy trading environment for all users. We have assessed
this legitimate interest against the potential impact on your privacy rights and have
determined that the processing is proportionate and necessary.
4.6 Customer Support
We use your account data and communication records to respond to your support queries,
investigate complaints, resolve disputes, and provide you with accurate and helpful
assistance. This processing is necessary both for the performance of our contract with you
and for our legitimate interest in operating a professional and responsive support function.
4.7 Marketing Communications
We send marketing communications — such as new product announcements, promotional offers,
and platform updates — only where you have given us your explicit and informed consent to do
so. You may withdraw your consent at any time by clicking the unsubscribe link included in
every marketing email, or by sending a written request to support@sikkaaexchange.com. The
withdrawal of consent for marketing communications will not affect any other aspect of your
account or the services available to you.
Under the Digital Personal Data Protection Act, 2023 and applicable data protection principles, every processing activity we conduct must rest on one of a defined set of legal bases. The four bases on which we rely are described below.
Contractual Necessity: The largest category of our data processing — including account creation, deposit and withdrawal processing, and trade execution — is necessary for the performance of the contract we enter into with you when you accept our Terms of Service. Without this processing, we cannot deliver the service you have contracted us to provide.
Legal Obligation: As a VDA-SP operating in India under the Prevention of Money Laundering Act, 2002, and as an entity with TDS deduction obligations under the Income Tax Act, 1961, a significant portion of our data processing is not discretionary — it is legally mandated. We cannot refuse or reduce this processing in response to a user request, because doing so would put us in breach of Indian law. Applicable laws include the PMLA and its associated rules, the FIU-IND guidelines, the Income Tax Act (Section 194S), the Information Technology Act, 2000, and the Digital Personal Data Protection Act, 2023.
Legitimate Interest: For processing activities such as fraud prevention, platform security monitoring, session analysis, and product analytics, we rely on our legitimate interest in operating a secure, reliable, and well-functioning platform. We always ensure that this interest does not override your fundamental rights and freedoms, and we apply a proportionality assessment to every processing activity falling under this basis.
Consent: We rely on your freely given, specific, informed, and unambiguous consent for marketing communications only. You may withdraw this consent at any time without consequences to your account or trading access. Consent is never used as the legal basis for any processing that is otherwise mandated by law.
Important Note on PMLA Data and Your Right to Erasure
Your identity documents, KYC records, and full transaction history collected for AML and
compliance purposes are subject to a mandatory statutory retention obligation under Section
12 of the Prevention of Money Laundering Act, 2002. We are legally required to retain this
data for a minimum period of five years from the date of account closure. Your right to
erasure under the DPDP Act, 2023, does not apply to data that we are required by law to
retain. Any request to delete KYC or transaction data before the statutory period has
elapsed will be declined, and we are legally unable to comply with such a request.
The data we collect and process for the purpose of Know Your Customer verification, Anti-Money Laundering monitoring, and compliance with the Prevention of Money Laundering Act, 2002, is subject to a distinct and more stringent set of rules than other categories of personal data. This section describes those rules in detail.
6.1 Mandatory KYC — No Exceptions
Every individual who creates an account on Sikkaa Exchange is required to complete a minimum
level of KYC verification before any deposit, trade, or withdrawal can be processed. This
requirement is not a matter of our business policy — it is a direct and non-negotiable legal
obligation imposed on us as a Reporting Entity under the PMLA. Failure to complete KYC will
result in your account remaining in a restricted state with no transactional capabilities.
We cannot grant any exceptions to this requirement regardless of the amount being transacted
or the duration of your relationship with the Platform.
6.2 Sanctions Screening and Watchlist Checking
At the time of account registration, and on a periodic basis thereafter, we run your name,
date of birth, nationality, and PAN number through a range of domestic and international
sanctions screening databases. These include the United States Office of Foreign Assets
Control (OFAC) Specially Designated Nationals and Blocked Persons (SDN) list; the United
Nations Security Council Consolidated Sanctions List; the European Union Consolidated List
of Sanctions; the UK HM Treasury's Financial Sanctions List; the Monetary Authority of
Singapore (MAS) sanctions list; the FIU-IND designated persons and entities list; and any
other list required by applicable law or our risk management framework. If your profile
generates a positive match against any of these lists, your account will be suspended
pending investigation, and we will take such further action as is required by law, which may
include reporting the match to FIU-IND and freezing your account balance.
6.3 Suspicious Transaction Reports
As a registered Reporting Entity under the Prevention of Money Laundering Act, 2002, we are
legally obligated to file a Suspicious Transaction Report (STR) with FIU-IND within seven
(7) days of becoming aware of any transaction that we have reasonable grounds to suspect is
related to money laundering, terrorist financing, or any other predicate offence under the
Schedule to the PMLA. Critically, the law prohibits us from informing the user — you — that
an STR has been filed about your account or any of your transactions. This is a statutory
gag provision, and we cannot override it even if we wished to. The filing of an STR does not
constitute an accusation, a finding of guilt, or any formal allegation against you. It is a
mandatory regulatory filing that we are required to make whenever specific triggers are met.
6.4 TDS Deduction and Income Tax Reporting
Under Section 194S of the Income Tax Act, 1961, we are designated as the "person responsible
for paying" in the context of Virtual Digital Asset transfers, which makes us legally
obligated to deduct one percent (1%) TDS on the full consideration received from every VDA
transfer conducted on our Platform, deposit that amount with the Income Tax Department of
India by the seventh (7th) of the following month, file the quarterly TDS return in Form 26Q
by the due dates prescribed by the Income Tax Department, and issue a quarterly TDS
certificate in Form 16A to you within fifteen (15) days of filing the TDS return. Your PAN
is used specifically for this purpose — to ensure the TDS we deduct is correctly attributed
to your income tax account with the government and reflected in your Form 26AS.
6.5 Sharing Data with FIU-IND and Law Enforcement
We may be required to share your personal data, transaction records, KYC documents, and
compliance reports with FIU-IND, the Income Tax Department, the Enforcement Directorate, or
other law enforcement and regulatory authorities, either proactively as part of our
mandatory reporting obligations or in response to a lawful demand, notice, or court order.
We are not required to obtain your consent before making such disclosures, and we are not
permitted to notify you in advance of any disclosure made in connection with an STR or
active investigation.
We retain different categories of personal data for different periods, determined by a combination of statutory requirements, contractual obligations, and our legitimate operational needs. We do not retain data for longer than is necessary for the purpose for which it was collected, subject always to the minimum retention periods imposed by Indian law.
Your KYC documents and identity verification records — including PAN, Aadhaar details, selfie verification data, and address proof — are retained for a minimum period of five years from the date of account closure. This is a mandatory statutory obligation under Section 12 of the PMLA. Even if you request deletion of your account, this category of data cannot be erased until the five-year statutory period has elapsed.
Your complete transaction history — every deposit, withdrawal, trade, and internal transfer — is similarly retained for a minimum of five years from the date of each transaction under the PMLA. In addition, TDS-related records including the details of every TDS deduction and the corresponding Form 26Q filing and Form 16A issued are retained for a minimum of seven years from the end of the financial year in which the transaction occurred, in accordance with the income tax record-keeping obligations.
Any Suspicious Transaction Reports or Cash Transaction Reports filed with FIU-IND are retained for the period required by FIU-IND guidelines, which is a minimum of five years from the date of the report, and remain accessible to FIU-IND throughout that period.
Your account data — including login history, session records, 2FA configuration, and account preferences — is retained for the duration of your account and for a further two years following account closure, to enable us to respond to any post-closure disputes, fraud investigations, or regulatory inquiries.
Customer support communications, including all emails, chat messages, and ticket records, are retained for a period of three years from the date the support interaction was closed. Server access logs and technical security logs are retained on a rolling twelve-month basis. Marketing preference records are retained until you withdraw your consent, at which point they are deleted within thirty days.
The Digital Personal Data Protection Act, 2023 (DPDP Act) confers a number of important rights upon you as a "Data Principal" (i.e., the individual whose data is being processed). We are committed to enabling you to exercise these rights in a straightforward and timely manner. All requests to exercise your data rights should be sent to support@sikkaaexchange.com.
9.1 Right to Access Your Personal Data
You have the right to request a copy of the personal data that we hold about you. Upon
receiving a verified request, we will provide you with a summary of the categories of data
we hold, the purposes for which it is being processed, and a copy of the data itself in a
readable format. We will respond to access requests within thirty (30) days. We may ask you
to verify your identity before processing your request to ensure that we do not
inadvertently disclose your data to an unauthorised party.
9.2 Right to Correction
If you believe that any personal data we hold about you is inaccurate, incomplete, or out of
date, you have the right to request that we correct it. Requests to correct identity-related
data (such as name or date of birth) may require you to submit updated official
documentation as part of the KYC re-verification process. We will complete the correction
within thirty days of receiving sufficient documentation.
9.3 Right to Erasure
You have the right to request that we delete your personal data. However, this right is
expressly subject to our legal obligations under the PMLA, the Income Tax Act, and other
applicable laws. We cannot delete your KYC documents, your transaction history, or your TDS
records before the statutory minimum retention periods have elapsed. We can, however, delete
operational data (such as marketing preferences, non-essential cookies, and support tickets
beyond our standard retention period) upon request, subject to any overriding legitimate
interest.
9.4 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and
machine-readable format, and to have that data transmitted to another controller where
technically feasible. We will fulfil portability requests within thirty days of a verified
request.
9.5 Right to Withdraw Consent
Where our processing is based on your consent — specifically for marketing communications —
you may withdraw that consent at any time with immediate effect. You can do this by clicking
the unsubscribe link in any marketing email, adjusting your notification preferences in the
app settings, or writing to us at support@sikkaaexchange.com. Withdrawal of consent will not
affect the lawfulness of any processing carried out before the withdrawal.
9.6 Right to Grievance Redressal
If you have a complaint about how we are handling your personal data, or believe we are in
breach of our data protection obligations, you have the right to lodge a formal grievance
with our designated Grievance Officer at support@sikkaaexchange.com. We will acknowledge
your grievance within three business days and provide a substantive response within thirty
days. If you remain unsatisfied with our response, you may escalate your complaint to the
Data Protection Board of India, once the Board is operationally constituted under the DPDP
Act, 2023.
9.7 Right to Nominate
Under the DPDP Act, 2023, you have the right to nominate another individual to exercise your
data rights on your behalf in the event of your death or incapacity. You may designate a
nominee at any time by submitting a nomination form through our support portal or by writing
to support@sikkaaexchange.com.
The security of your personal data is a matter of paramount importance to us. We have implemented a comprehensive suite of technical and organisational security measures designed to protect your data against unauthorised access, accidental loss, destruction, or disclosure. These measures are reviewed and updated regularly to keep pace with evolving threats and best practices.
All data transmitted between your device and our servers is encrypted in transit using Transport Layer Security (TLS) version 1.2 or higher, which is the industry-standard protocol for securing data in transit over the internet. All data stored on our servers — including your personal information, transaction records, and KYC documents — is encrypted at rest using AES-256 encryption, which is the highest-grade symmetric encryption standard currently available. Your password is never stored in any recoverable format; we use the bcrypt hashing algorithm with an appropriate cost factor to store a one-way hash of your password, meaning that even our own technical staff cannot determine your password from what is stored in our systems. Sensitive fields such as Aadhaar details and bank account numbers are additionally encrypted at the database level using field-level encryption.
Access to your personal data within our organisation is strictly limited to employees and contractors who have a genuine operational need for that access. We operate a role-based access control (RBAC) system, which means that each team member is granted only the minimum level of access necessary for their specific job function. All internal access to user data is logged, and these logs are reviewed regularly for anomalies. Our team members are required to sign confidentiality agreements and undergo regular training on data protection obligations.
We require all users to enable two-factor authentication (2FA) for any high-security action on the Platform, including initiating withdrawals, changing linked bank accounts, modifying 2FA settings, and requesting password resets. We strongly recommend using an authenticator application — such as Google Authenticator or Authy — rather than SMS-based 2FA, as authenticator apps are not vulnerable to SIM-swap attacks, which are a known attack vector in the cryptocurrency industry.
We conduct regular third-party penetration testing and vulnerability assessments of our platform. Identified vulnerabilities are assigned a severity rating and remediated within Service Level Agreement (SLA) timelines proportionate to their severity — critical vulnerabilities are addressed on an emergency basis, while lower-severity issues are tracked and resolved within defined timelines. We also operate a responsible disclosure programme through which security researchers can report vulnerabilities they discover.
Your Responsibility in Account Security
Your account security depends not only on our technical measures but also on the steps you
take to protect your own credentials. You should use a strong, unique password for your
Sikkaa Exchange account that is not used for any other service. You should never share your
password, 2FA codes, or OTPs with any person under any circumstances — including individuals
who claim to be Sikkaa Exchange staff, who will never ask for these credentials. If you
receive a suspicious communication purporting to be from Sikkaa Exchange, please report it
to us immediately at support@sikkaaexchange.com. You should also verify that you are always
accessing the Platform through the correct URL: sikkaaexchange.com.
The Sikkaa Exchange Platform is strictly designed for and intended to be used by individuals who are at least eighteen (18) years of age. We do not knowingly collect, process, or store personal data belonging to children or minors under the age of eighteen. Our KYC verification process, which requires a valid PAN card, acts as an effective age gate — PAN cards cannot be issued to individuals below the age of eighteen, ensuring that minors are screened out at the point of registration.
This restriction is also expressly required by our broker agreement with our underlying trading infrastructure provider, which mandates that every end client must be at least eighteen years of age. If we become aware, or have reasonable cause to believe, that a minor has successfully created an account on our Platform or has had personal data submitted to our systems, we will take immediate steps to close that account, remove all associated personal data from our systems to the fullest extent permitted by law, and where appropriate, notify the relevant guardians or authorities.
If you are a parent or legal guardian and believe that your child has provided personal information to Sikkaa Exchange without your consent, we ask you to contact us immediately at support@sikkaaexchange.com. We will investigate promptly and take appropriate remedial action.
We may update or revise this Privacy Policy from time to time to reflect changes in applicable law, changes in our business operations, the introduction of new features or services on the Platform, or in response to guidance issued by data protection authorities. We are committed to keeping you informed of any changes that materially affect how we process your personal data.
When we make changes to this Policy, we will take the following steps to ensure you are informed. We will update the "Version" number and "Effective Date" shown at the top of this document to reflect the revised version. For material changes — that is, changes that significantly affect your rights or our use of your data — we will notify you by email to the registered email address on your account at least fourteen (14) days before the new version takes effect, and we will display a prominent notification banner on the Platform's homepage and within the application.
Your continued use of the Platform after the effective date of any updated version of this Policy will be treated as your acceptance of the revised terms. If you do not agree with the changes, you must stop using the Platform and may request account closure before the effective date by contacting us at support@sikkaaexchange.com. For changes that are required by law — such as changes mandated by new regulations, court orders, or FIU-IND guidelines — we may implement those changes immediately and provide notice as soon as is reasonably practicable.
We take our privacy obligations seriously and are committed to resolving any concerns you may have about how we handle your personal data. If you have any questions about this Privacy Policy, wish to exercise any of your data rights, or have a complaint about our data practices, please contact our designated Grievance Officer using the details below. Please note that by law, we are required to designate a Grievance Officer under the Information Technology Act, 2000, and the DPDP Act, 2023.
Grievance Officer Contact Details
Designation: Grievance Officer and Data Protection Officer
Company: CRYPEXCH TECHNOLOGIES PRIVATE LIMITED
Brand: Sikkaa Exchange
Registered Office: S. No. 14/10, Sai Park, Shop No. 02, Haveli, Nanded, Pune 411041, Maharashtra, India
Email: support@sikkaaexchange.com
Response Time: Acknowledgement within 3 business days; substantive response within 30 days.
Governing Law: This Policy is governed by the laws of the Republic of India. Disputes shall be subject to the exclusive jurisdiction of the courts at Pune, Maharashtra.
Last Updated: March 2026 — Version 1.0
If you are dissatisfied with the outcome of your grievance, you may escalate the matter to the Data Protection Board of India, once it is operational under the DPDP Act, 2023, or to such other authority as may be designated under applicable law. For matters specifically relating to AML reporting or suspicious activity, the relevant regulatory authority is the Financial Intelligence Unit — India (FIU-IND), accessible at fiuindia.gov.in.