Privacy Policy

BTM Vendor, LLC (“BTM Vendor,” “we,” “our,” or “us”) is committed to protecting the privacy of our investors, visitors, and prospective partners. This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information when you visit our website at btmvendor.com, create an investor account, purchase a Bitcoin ATM ownership fraction, or otherwise interact with our services (collectively, the “Services”).

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the terms described herein, please discontinue use of our Services.

We collect information you provide directly to us, information generated automatically when you use our Services, and information we may receive from third parties. The categories of personal information we may collect include:

Information You Provide Directly

• Identity Information: Full legal name, date of birth, government-issued identification number (e.g., Social Security Number, passport number, driver's license number), and a copy of identity documents for KYC/AML verification purposes.
• Contact Information: Email address, phone number, mailing address, and country of residence.
• Financial Information: Bank account details, cryptocurrency wallet addresses, routing numbers, and other payment-related information necessary to process deposits and withdrawals.
• Account Credentials: Username, password (stored in hashed form), two-factor authentication settings, and security PIN.
• Investment Preferences: Ownership fraction selected, investment objectives, and account tier.
• Communications: Support ticket messages, email correspondence, and any other content you submit through our contact forms or investor portal.
• Referral Information: If you refer others to our platform, we may collect their email address and your referral relationship to calculate and credit commissions.

Information Collected Automatically

• Log Data: IP address, browser type and version, operating system, referring URLs, pages visited, time spent on pages, and access timestamps.
• Device Information: Hardware model, unique device identifiers, and mobile network information.
• Usage Data: Clickstream data, feature interactions, session duration, and investor portal activity logs.
• Location Data: Approximate geographic location derived from your IP address.
• Cookies and Tracking Technologies: Information collected via cookies, web beacons, pixels, and similar technologies as described in Section 7 of this Policy.

Information From Third Parties

• Identity Verification Providers: We work with licensed third-party KYC/AML service providers who may provide us with verification results, risk scores, and identity-match data.
• Financial Institutions: Banks or payment processors may provide us with transaction confirmation data.
• Blockchain Analytics: On-chain data associated with cryptocurrency wallets you provide, sourced from blockchain analytics tools we use to maintain regulatory compliance.
• Fraud Prevention Services: Risk signals and device fingerprinting data from fraud prevention partners.

We use the personal information we collect for the following purposes:

Where applicable law requires a legal basis for processing personal data (such as under the California Consumer Privacy Act (CCPA) or similar state privacy laws), BTM Vendor relies on the following bases:

• Contractual Necessity: Processing required to fulfil our obligations under the Investor Agreement or to take steps at your request prior to entering such an agreement — including account creation, investment management, and payment processing.
• Legal Obligation: Processing necessary to comply with applicable laws, including KYC/AML obligations under the Bank Secrecy Act (BSA), FinCEN regulations, state money transmitter laws, and any applicable IRS reporting requirements.
• Legitimate Interests: Processing for fraud prevention, platform security, analytics, and improving our Services, provided these interests are not overridden by your data protection rights.
• Consent: Where we rely on your consent (e.g., for marketing communications), you may withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

BTM Vendor does not sell, rent, or trade your personal information to third parties for their own marketing purposes. We may share your information in the following limited circumstances:

Service Providers

We engage trusted third-party companies and individuals to perform functions on our behalf, including:

• KYC/AML identity verification platforms
• Payment processors and banking partners for deposits and withdrawals
• Cloud hosting and infrastructure providers
• Email service providers for transactional and support communications
• Analytics platforms for platform performance monitoring
• Fraud detection and cybersecurity providers
• Customer support and ticketing software providers

These service providers are contractually required to handle your information only as directed by BTM Vendor and may not use your data for their own purposes.

Legal & Regulatory Disclosures

We may disclose your personal information where required to do so by law or in good-faith belief that such action is necessary to:

• Comply with a legal obligation, court order, subpoena, or governmental request
• Respond to a lawful request by public authorities, including for national security or law enforcement purposes
• Meet our Suspicious Activity Report (SAR) or Currency Transaction Report (CTR) obligations under FinCEN rules
• Protect and defend the rights or property of BTM Vendor
• Prevent or investigate possible wrongdoing in connection with our Services
• Protect the personal safety of investors or the public

Business Transfers

If BTM Vendor undergoes a merger, acquisition, asset sale, or similar corporate transaction, your personal information may be transferred as part of that transaction. We will provide notice of any such change in control and any new privacy policy that applies to you.

As an operator of Bitcoin ATMs and a money services business (MSB) registered with FinCEN, BTM Vendor is legally required to implement a comprehensive Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance programme. This includes collecting and verifying the identity of all investors before they can deposit funds or receive payouts.

What KYC Verification Involves

• Collection of a valid government-issued photo ID (passport, driver's licence, or national identity card)
• Proof of address (utility bill, bank statement, or government correspondence dated within 90 days)
• Social Security Number or equivalent tax identification number for US persons
• Verification of your identity through our licensed third-party KYC provider
• Ongoing transaction monitoring and periodic re-verification as required by law
• Screening against OFAC sanctions lists and Politically Exposed Persons (PEP) databases

Records Retention for Compliance

In accordance with the Bank Secrecy Act and FinCEN regulations, we are required to retain KYC records, transaction records, and Suspicious Activity Reports for a minimum of five (5) years from the date of the transaction or the closure of the account, whichever is later. This retention obligation cannot be waived at your request.

BTM Vendor uses cookies and similar tracking technologies to enhance your experience, maintain session security, and analyse platform usage. A cookie is a small text file placed on your device by our web server when you visit our website.

You may configure your browser to refuse all cookies or to alert you when cookies are being sent. Please note that disabling strictly necessary cookies will impair the functionality of your investor account. We do not use third-party advertising cookies on our platform.

BTM Vendor employs industry-standard technical and organisational security measures to protect your personal and financial information from unauthorised access, disclosure, alteration, or destruction. These measures include:

• Encryption in Transit: All data transmitted between your browser and our servers is protected by TLS 1.3 encryption (HTTPS).
• Encryption at Rest: Sensitive data, including identity documents and financial details, is encrypted at rest using AES-256 encryption.
• Access Controls: Employee access to investor data is restricted on a need-to-know basis, with role-based permissions and mandatory multi-factor authentication for all staff accessing production systems.
• Two-Factor Authentication (2FA): Investor accounts are protected by optional 2FA, which we strongly recommend enabling.
• Withdrawal PIN: All withdrawal requests require a separate 6-digit PIN, adding a layer of protection beyond your account password.
• Session Security: Investor sessions are time-limited and invalidated upon logout or detected inactivity.
• Penetration Testing: We conduct regular third-party security assessments of our platform and infrastructure.
• Incident Response: We maintain a documented data breach response plan and will notify you in accordance with applicable breach notification laws if a security incident affects your personal information.

We retain your personal information for as long as necessary to fulfil the purposes outlined in this Policy, unless a longer retention period is required or permitted by law. Our general retention guidelines are as follows:

When personal information is no longer required, we securely delete or anonymise it in accordance with our data destruction procedures. Note that for data subject to legal retention requirements (particularly KYC and transaction records), deletion requests cannot be honoured during the mandatory retention period.

Depending on your jurisdiction, you may have certain rights with respect to your personal information. BTM Vendor respects and honours these rights to the extent required by applicable law.

To exercise any of these rights, please submit a written request to [email protected] or by mail to the address in Section 15. We will respond within 45 days. Note that certain rights are subject to limitations where we are required to retain data by law — specifically, KYC and transaction records held pursuant to our BSA/FinCEN obligations cannot be deleted during the mandatory retention period.

Our Services are intended solely for adults aged 18 years or older. We do not knowingly collect, process, or store personal information from individuals under the age of 18. If we become aware that we have inadvertently collected personal information from a minor, we will take immediate steps to delete such information from our systems.

If you believe that a minor has provided us with personal information without parental consent, please contact us immediately at [email protected] so we can take appropriate action.

Our website and investor portal may contain links to third-party websites, services, or resources that are not operated or controlled by BTM Vendor. This Privacy Policy applies only to our Services. If you follow a link to a third-party site, you should review that site's privacy policy before providing any personal information.

BTM Vendor is not responsible for the privacy practices or the content of any third-party websites, and the inclusion of a link does not imply endorsement by BTM Vendor of that site or any association with its operators.

BTM Vendor is headquartered in Boise, Idaho, United States, and our Services are primarily designed for investors in the United States and Canada. Your personal information is processed and stored on servers located in the United States.

If you are located outside the United States and choose to use our Services, please be aware that your information will be transferred to and processed in the United States, where data protection laws may differ from those in your country of residence. By using our Services, you consent to this transfer and processing.

Where we transfer personal data of individuals in jurisdictions with specific cross-border transfer requirements, we will implement appropriate safeguards as required by applicable law.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes to this Policy, we will notify you by:

• Posting the updated Policy on this page with a revised “Last Updated” date
• Sending a notification to your registered email address at least 30 days before the changes take effect (for material changes)
• Displaying a prominent notice on your investor dashboard the next time you log in

Your continued use of our Services after the effective date of a revised Policy constitutes your acceptance of the updated terms. We encourage you to review this Policy periodically to stay informed about how we protect your information.

Previous versions of this Privacy Policy are available upon request by emailing [email protected].

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using any of the following methods:

We aim to respond to all privacy-related enquiries within 10 business days. If you are not satisfied with our response, you may have the right to lodge a complaint with your relevant data protection authority.