At XSettle, we take privacy seriously. This Privacy Policy explains what personal data we collect, why we collect it, how long we keep it, who we share it with, and what rights you have. The Cookie Policy at the end of this document covers the cookies and similar technologies we use on our website.
This Policy applies to visitors to xsettle.com and to the individual directors, beneficial owners, authorised signatories, and representatives of our business clients who provide personal data as part of our onboarding and ongoing compliance process.
The data controller is XSL AG, registered in Switzerland, operating as XSettle. Our address is Blegistrasse 7, 6340 Baar, Canton Zug, Switzerland. If you have any questions about how we handle your personal data, or if you want to exercise your rights, please contact us at privacy@xsettle.com.
We process personal data in accordance with the Swiss Federal Act on Data Protection — the nDSG, which came into force on 1 September 2023 — and, where we handle personal data of individuals in the European Economic Area, the EU General Data Protection Regulation (GDPR). Both laws give individuals meaningful rights over their personal data, and we are committed to honouring those rights in practice, not just on paper.
The data controller for all personal data processed in connection with xsettle.com and our services is XSL AG, registered in the Swiss Canton of Zug. Our address is Blegistrasse 7, 6340 Baar, Canton Zug, Switzerland. We are a member of VQF, the self-regulatory organisation supervised by FINMA, and operate as a Swiss financial intermediary under Art. 2(3) of the Swiss Anti-Money Laundering Act (AMLA).
If you have any questions about how we handle your personal data, or if you want to exercise any of your rights, you can reach us at privacy@xsettle.com. We aim to respond to all privacy-related enquiries within 30 calendar days.
If you feel your concern has not been addressed, you have the right to contact the Swiss Federal Data Protection and Information Commissioner (FDPIC), whose website is www.edoeb.admin.ch. If you are based in the EU, you can also contact the data protection authority in your member state of residence.
When you visit xsettle.com, our servers automatically log some technical information: your IP address, browser type and version, operating system, the pages you visit, and the time of your visit. This happens automatically and is necessary to keep the website running and secure. We also use analytics tools to understand how visitors use the site — which pages are most useful, how people navigate, and where they come from. Analytics data is aggregated and pseudonymised where applicable; we are not building profiles of individual website visitors.
If you contact us through a form on the site, by email, or through another channel, we collect your name, your organisation and role, your email address or phone number, and the content of your message. We use this only to respond to you and, where relevant, to follow up about our services.
XSettle is a regulated Swiss financial intermediary. Under the Anti-Money Laundering Act, we have a legal duty to verify the identity of the people who own and control the businesses we work with. For the directors, beneficial owners, authorised signatories, and key representatives of our client entities, this means we collect: full name, date of birth, nationality, and a copy of a government-issued identity document such as a passport. We also collect proof of residential address, professional details including role and qualifications, and for significant beneficial owners, a declaration of source of wealth.
Where identity verification is conducted by video or online identification in accordance with applicable AML/CFT obligations and FINMA guidance, we process the relevant document imagery, including the machine-readable zone (MRZ) of the identity document and, where required, a facial image. Where biometric or document imagery processing is required to complete legally mandated identity verification procedures, the processing is necessary for compliance with applicable AML/CFT obligations. Where consent is required under applicable law for specific processing operations, we will request it separately.
We also run screening checks on these individuals against international sanctions lists and politically exposed person (PEP) databases. These are a legal requirement and are repeated throughout the relationship, not just at the start.
Once a client account is active, we process transaction data — settlement flow records processed in connection with regulated payment flows, Treasury Instructions, currency conversion records, and account statements. XSettle acts solely as a technical and operational treasury orchestrator; Client Settlement Funds are held exclusively with licensed banking partners and are not accepted as public deposits within the meaning of the Swiss Banking Act. Where clients use stablecoin conversion, we also process the associated blockchain wallet addresses and on-chain transaction records. We update screening records on an ongoing basis and retain all correspondence relating to the business relationship, as required by Swiss AMLA.
We use personal data only for the purposes we have described, and only to the extent necessary for each purpose.
We use the identity information, address data, and document imagery we collect to verify the identity of the people who own and control our client entities. This is a legal obligation under Swiss AMLA and VQF SRO Regulations, and it is the primary reason we hold most of the personal data in our compliance files.
We screen individuals associated with our clients against applicable international sanctions lists and PEP databases. This is required by Swiss AMLA Art. 6 and is carried out both at onboarding and on an ongoing basis throughout the relationship.
We monitor settlement flows through our platform for AML/CFT red flags — unusual patterns, unexpected counterparties, volumes inconsistent with the client's stated profile. This is an ongoing legal obligation and uses transaction data and, where applicable, blockchain analytics data.
Where we carry out video or online identification to verify identity, we process biometric data including document imagery and in some cases facial images. Where biometric or document imagery processing is required to complete legally mandated identity verification procedures under Swiss AMLA and applicable FINMA guidance, the legal basis for this processing is compliance with a legal obligation. Where consent is required under applicable law for specific processing operations, we will request it separately.
We use the contact information you provide through the website or other channels to respond to your enquiry and, where relevant, to discuss becoming a client. This is done on the basis of our legitimate interest in communicating with potential business partners.
We use your data to operate the platform, process Treasury Instructions and coordinate the movement of Settlement Funds held with our licensed banking partners, and provide reporting. XSettle acts solely as a technical and operational treasury orchestrator and does not accept public deposits within the meaning of the Swiss Banking Act. This processing is necessary for the performance of the service agreement between us.
We use analytics cookies and server logs to understand how xsettle.com is used and to maintain its security and performance. For non-essential analytics, we rely on your consent given through the cookie banner. For security-related logging, we rely on our legitimate interest in protecting the site and its users.
We retain records of our business relationships — all KYB/CDD files, transaction records, screening results, and correspondence — for 10 years after the end of the relationship, as required by Swiss AMLA Art. 7. This legal obligation applies regardless of any other consideration.
How long we keep personal data depends on the category of data and the legal obligations that apply to it.
Almost all personal data we hold about the representatives and owners of client entities falls within our AMLA obligations. Swiss AMLA Art. 7 requires us to retain all AML/CFT-related records — including KYB files, identity documents, screening results, transaction records, and correspondence — for 10 years following the termination of the business relationship or completion of the transaction, whichever occurs later. This 10-year requirement is a non-negotiable legal obligation that overrides any request for earlier deletion.
For biometric data collected during video or online identification — such as document imagery and MRZ scans — the retention period is also 10 years following the termination of the business relationship, as required by AMLA and FINMA Circular 2016/7.
Website server logs and IP addresses are retained for up to 12 months, or less where our legitimate interest no longer applies. Analytics cookie data is retained for between 12 and 24 months, depending on the tool and configuration. Contact and enquiry data from individuals who do not become clients is kept for 12 months from the last communication.
When any retention period expires, the data is permanently deleted using a secure and documented deletion procedure. We log each deletion event and retain those logs for three years.
We do not sell personal data. We do not share it for advertising or commercial purposes. We share it only in the circumstances described below.
As a regulated financial intermediary, we are legally required to share information with supervisory bodies and law enforcement in certain circumstances. This includes SRO VQF, FINMA, the Money Reporting Office Switzerland (MROS), Swiss courts, and — where required by law or treaty — foreign competent authorities. We do not have a choice about these disclosures. Swiss law specifically prohibits us in some cases from notifying you that a disclosure has been made, particularly in connection with suspicious transaction reports.
To provide our treasury services, we work with licensed banking partners with whom Client Settlement Funds are held. XSettle acts as a technical and operational treasury orchestrator; it does not itself hold or receive client funds and does not accept public deposits within the meaning of the Swiss Banking Act. These banks receive the client information necessary to operate those accounts. Where stablecoin conversion is involved, we share the identifying information required by the FATF Travel Rule (FATF Recommendation 16) with the regulated crypto exchanges and VASPs we route conversions through.
We use specialist third-party providers for identity verification, sanctions screening, document management, and blockchain analytics. These providers act as data processors under our instruction and are bound by data processing agreements requiring them to maintain appropriate security and to use the data only for the purposes we specify. Key providers include: SumSub (Sum and Substance Ltd), our identity verification and KYC platform, which processes personal data including identity documents and biometric data on our behalf — SumSub's own privacy notice is available at sumsub.com/privacy-notice-service/; and blockchain analytics providers for virtual asset transaction screening, which may be based in the United States. Our primary technology infrastructure uses Amazon Web Services (AWS): client data is stored in the AWS Europe (Zurich) region (eu-central-2) to satisfy FINMA requirements for data residency in Switzerland, while certain processing operations utilise the AWS Europe (Frankfurt) region (eu-central-1). Where data is transferred outside Switzerland in connection with these services, appropriate safeguards are in place as described in the International Data Transfers section below.
Where we need legal, audit, or compliance advice, we may share relevant information with external advisers who are bound by professional confidentiality obligations.
If XSettle is acquired, merges, or transfers its business to a regulated successor, personal data may be transferred as part of that transaction, subject to the same confidentiality and security standards that apply today.
Switzerland is recognised by the EU Commission as providing an adequate level of data protection, so transfers between Switzerland and the EEA do not require additional safeguards beyond that recognition.
Our primary data storage is located in Switzerland (AWS Europe — Zurich region, eu-central-2) in order to satisfy FINMA requirements for data residency. Certain processing operations — including some infrastructure and operational services — utilise the AWS Europe (Frankfurt) region (eu-central-1) in Germany, which is within the EEA. Transfers within the EEA from Switzerland are covered by Switzerland's adequacy recognition.
Some third-party service providers are located outside Switzerland and the EEA. In particular: our identity verification provider SumSub (Sum and Substance Ltd, registered in Cyprus) processes data including identity documents and biometric data; and blockchain analytics providers used for virtual asset transaction screening may be based in the United States. For transfers to these and other recipients in countries that do not benefit from an adequacy decision, we rely on EU Standard Contractual Clauses (SCCs) or their Swiss equivalent under the nDSG transfer mechanism, together with any supplementary measures required to ensure an equivalent level of protection. Transfers to regulatory authorities required by law — such as information provided to MROS or in response to international law enforcement requests — are justified by the applicable legal obligation and do not require standard transfer mechanisms. If you would like to know what safeguards apply to a specific transfer, please write to us at privacy@xsettle.com.
Swiss nDSG and EU GDPR give individuals meaningful control over their personal data. We take these rights seriously. Here is what each right means in practice at XSettle, and where any limitations apply.
You can ask us what personal data we hold about you, why we hold it, and where it came from. We will provide a clear summary within 30 days of receiving a valid request. In rare cases we may need to withhold specific details — for example, where disclosure would compromise an active AML investigation or another individual's rights — but we will always tell you if this applies.
If any data we hold about you is inaccurate or out of date, you can ask us to correct it. We will process the correction as quickly as we can and let you know if there is any reason we are unable to make a particular change.
You can ask us to delete your personal data. At XSettle, however, this right is significantly limited by our legal obligations under Swiss AMLA. Almost all the personal data we hold about the representatives and owners of our client entities falls within the mandatory 10-year retention period. We cannot delete that data during the retention period, regardless of the request. We will always be honest with you about this and explain the specific legal basis that applies. Once a retention period has expired, data is deleted as a matter of routine.
Where EU GDPR applies, you may ask us to restrict processing to storage only — for example, while you are challenging the accuracy of your data, or where processing is unlawful but you prefer restriction to deletion. Restrictions do not override AMLA retention obligations.
You can object to processing based on our legitimate interests. We will stop processing unless we can demonstrate a compelling legitimate reason to continue. Processing for AML/CFT compliance is based on a legal obligation rather than legitimate interests, so objections cannot override it — but for other processing activities, we will consider your objection carefully and respond to you.
Where GDPR applies and we process your data by automated means based on your consent or a contract, you can ask for a copy of your data in a structured, machine-readable format. AML/CFT processing is based on legal obligation and falls outside this right, but for other categories we will accommodate reasonable portability requests.
Where we process your data on the basis of consent — for example, for analytics cookies — you can withdraw that consent at any time. This does not affect the lawfulness of processing that already took place before you withdrew consent, and it does not give rise to a right to delete data that we are otherwise legally required to keep.
Send your request to privacy@xsettle.com with 'Data Rights Request' in the subject line. Please include your name, your organisation if relevant, and enough context for us to identify the data you are asking about. We will respond within 30 calendar days. If we need more time or more information, we will tell you promptly.
If you believe we have not handled your personal data correctly, you can complain to the Swiss Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch. If you are based in the EU, you can also complain to the data protection authority in your member state of residence.
We protect personal data with a combination of technical and organisational measures. Personal data is encrypted in transit and, where appropriate, encrypted at rest using industry-standard controls. Access is role-based — staff can access only the data they genuinely need for their work. KYB files and compliance records are held in a secure, access-controlled document management system hosted in Switzerland.
We conduct regular security reviews, keep our systems up to date, and require all third-party processors to maintain equivalent security standards under data processing agreements. Our backups are encrypted and tested regularly.
If a personal data breach occurs that is likely to create a risk for affected individuals, we will notify the FDPIC without undue delay and as soon as practicable in accordance with applicable Swiss data protection law (nDSG Art. 24), and notify the affected individuals directly where the risk is serious.
We review this Privacy Policy at least once a year. If we make significant changes — for example, if we start processing new categories of personal data or sharing it with new categories of recipients — we will tell you by email at least 14 days before the changes take effect and update the effective date at the top of this document. Minor or clarifying changes may be made without specific notification. The current version is always available at xsettle.com/privacy.
This Cookie Policy forms part of XSettle's Privacy Policy. It explains what cookies and similar technologies we use on xsettle.com, why we use them, and how you can control them.
A cookie is a small text file placed on your device when you visit a website. Different cookies serve different purposes — some are essential for the site to work, others help us understand how visitors use it.
Strictly necessary cookies are essential for xsettle.com to function. They keep your browsing session active, protect the site against certain security threats, and remember your cookie consent preferences so you are not asked again on every visit. You cannot disable these cookies through our consent tool. If you block them in your browser settings, parts of the site may stop working.
Functional cookies allow the site to remember choices you have made — such as your preferred language or display settings — so that your experience is more consistent on return visits. These are not strictly necessary for the site to work, and we will only place them with your consent. You can update your preferences at any time through the Cookie Settings link in the site footer.
We use analytics cookies to understand how visitors use xsettle.com — which pages they find most useful, how they navigate, and where they come from. This helps us improve the site over time. We use a privacy-focused analytics tool configured with IP anonymisation enabled and cross-site tracking disabled, rather than Google Analytics in its default form. The data we collect is aggregated and pseudonymised where applicable; we are not profiling individual users. We do not share this data with our analytics provider for their commercial purposes. Analytics cookies are placed only with your consent.
We do not use advertising or targeting cookies. We do not run retargeting campaigns or serve ads to visitors based on their visit to xsettle.com. We do not have Facebook Pixel, LinkedIn Insight Tag, Twitter/X pixel, or any other social media tracking technology on our site. We do not share your browsing data with ad networks, data brokers, or profiling services of any kind. Our analytics are confined to this site only.
If this ever changes, we will update this Cookie Policy before placing any new tracking technology and ask for your consent.
When you first visit xsettle.com, a cookie consent banner will appear. You can accept all cookies, accept only the strictly necessary ones, or customise your preferences by category. Your choice is saved and remembered for 12 months.
You can change your cookie preferences at any time by clicking the Cookie Settings link in the footer of xsettle.com. Your updated preferences take effect immediately.
You can also control cookies directly in your browser. Most modern browsers let you view and delete existing cookies, block third-party cookies, or block all cookies. If you block all cookies, the strictly necessary cookies will also be blocked and some parts of the site may not work as expected. You can find instructions in the support pages for your browser — Chrome, Firefox, Safari, and Edge all provide clear guidance on cookie management.
Some browsers send a Do Not Track (DNT) signal to websites. There is currently no universally agreed standard for how websites should respond to these signals, and xsettle.com does not respond to them technically. Our cookie consent tool is the reliable way to manage your tracking preferences with us.
xsettle.com does not currently embed third-party services — such as video players, social share buttons, or live chat widgets — that would place their own cookies on your device. If we add any such integrations in future, we will update this Cookie Policy and seek your consent before any third-party cookies are placed.
We review this Cookie Policy at least once a year and whenever we change the cookies or analytics tools we use. Significant changes will be communicated through the cookie consent banner on your next visit to the site. The current version is always available at xsettle.com/privacy.
For questions about this Privacy Policy or to exercise your data rights, write to us at privacy@xsettle.com. We aim to respond within 30 days. For complaints, you can also contact the FDPIC at www.edoeb.admin.ch, or the data protection authority in your EU member state if that is where you are based. Our postal address is XSL AG, Attn: Privacy/Compliance, Blegistrasse 7, 6340 Baar, Canton Zug, Switzerland. Our EU Representative under Article 27 GDPR is Cristian Vasco, who can be contacted at privacy@xsettle.com for any matters relating to the processing of personal data of individuals based in the European Economic Area.