Kraken Global Privacy Policy

Table of Contents

A table of contents is a structural navigation tool designed to help you quickly locate specific sections of our legal documentation. Use the links below to navigate our privacy guidelines.

• 1. Introduction & Scope
• 2. Data Collection Methods
• 3. How We Use User Data
• 4. Information Sharing & Disclosure
• 5. Data Protection Architecture
• 6. Data Retention Policies
• 7. Your Privacy Rights
• 8. Cookies & Tracking
• 9. International Transfers
• 10. Contact Our DPO

1. Introduction & Scope

The introduction and scope section defines the legal boundaries and applicability of this privacy policy across all Kraken products, services, and digital platforms. This policy governs the handling of user data for all individuals who interact with our exchange, mobile applications, APIs, and institutional services globally.

When you use our services, you are trusting us with your personal and financial information. We recognize that data protection is critical to maintaining that trust. This policy explains what information we collect, why we collect it, how we use it, and the controls you have over your personal data. We comply with major global privacy frameworks, including the General Data Protection Regulation (GDPR), the California Privacy Rights Act (CPRA), and other applicable regional data protection laws established through 2026.

By accessing or using our platform, you acknowledge that you have read, understood, and agree to the practices described in this document. If you do not agree with this policy, you should not use our services or provide us with any personal information.

2. Data Collection Methods

Data collection methods are the specific mechanisms and touchpoints through which we gather necessary personal and financial information to provide our services securely. We collect user data directly from you during account creation, automatically through your interaction with our platform, and occasionally from verified third-party sources.

Information You Provide to Us: When you register for a Kraken account, we collect essential identification details including your full legal name, date of birth, residential address, email address, and phone number. To comply with strict Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations, we also collect government-issued identification documents, facial recognition data for identity verification, and financial information such as bank account details or source of funds declarations.

Information Collected Automatically: As you navigate our platform, we automatically record technical user data to ensure security and optimize performance. This includes your IP address, device identifiers, browser type, operating system, and geolocation data. We also log your trading activity, transaction history, and interaction patterns with our user interfaces.

Information from Third Parties: To enhance our data protection capabilities and prevent fraud, we may receive information about you from secure third-party partners. This includes identity verification services, blockchain analytics providers, and public databases that help us assess risk and comply with legal obligations.

3. How We Use User Data

Data utilization refers to the specific, legally permissible purposes for which we process your personal information to deliver, improve, and secure our financial services. We strictly limit the use of user data to operational necessities, regulatory compliance, and enhancing the overall customer experience.

First and foremost, we use your information to provide our core services. This includes processing your cryptocurrency transactions, executing trades, managing your fiat deposits and withdrawals, and providing customer support. Without this essential data, the platform could not function securely or effectively.

Secondly, your user data is critical for maintaining robust security and preventing fraud. We analyze behavioral patterns and transaction histories to detect unauthorized access attempts, mitigate potential cyber threats, and prevent illicit activities such as money laundering or market manipulation. This proactive approach to data protection safeguards the entire Kraken ecosystem.

Finally, we may use anonymized, aggregated data to improve our products, develop new features, and conduct market research. When we use data for marketing purposes—such as sending you promotional offers or newsletters—we do so only with your explicit consent, and you maintain the right to opt-out at any time.

4. Information Sharing & Disclosure

Information sharing and disclosure is the highly regulated process of transmitting specific personal data to trusted third parties, partners, or regulatory bodies under strict legal conditions. Kraken does not sell your user data to data brokers or advertising networks under any circumstances.

We only share your information with trusted service providers who assist us in operating our platform. These include cloud hosting providers, identity verification services, customer support platforms, and payment processors. All third-party vendors are bound by stringent data protection agreements and are audited regularly to ensure they meet our rigorous security standards.

In certain circumstances, we are legally obligated to disclose user data to law enforcement agencies, regulatory bodies, or tax authorities. This occurs only when we receive a valid subpoena, court order, or similar legal process. We carefully review all such requests to ensure they are legally sound and narrowly tailored, pushing back against overly broad demands to protect your privacy.

5. Data Protection Architecture

Data protection architecture is the comprehensive framework of technical and organizational security controls designed to defend your personal information against unauthorized access, alteration, or destruction. Kraken employs military-grade encryption and zero-trust security models, as detailed on our dedicated security page, to ensure your user data remains impenetrable.

All personal and financial data transmitted between your device and our servers is secured using Transport Layer Security (TLS) 1.3 encryption. At rest, your sensitive information—including KYC documents and biometric data—is encrypted using AES-256 standards and stored in highly secure, geographically distributed data centers with strict physical access controls.

Our internal access policies follow the principle of least privilege. This means Kraken employees are only granted access to the specific user data necessary to perform their job functions. All employee access is logged, monitored by our dedicated security operations center, and requires multi-factor authentication (MFA) via hardware security keys.

6. Data Retention Policies

Data retention policies are the formal guidelines that dictate exactly how long we store your personal information before it is securely deleted or irreversibly anonymized. We retain your user data only for as long as necessary to fulfill the purposes outlined in this policy and to comply with our legal obligations.

While your account is active, we retain your profile information, transaction history, and communication records to provide you with continuous service. If you choose to close your account, we are still required by global financial regulations (such as the Bank Secrecy Act) to retain certain KYC and transaction records for a minimum period of five to seven years, depending on your jurisdiction.

Once this mandatory legal retention period expires, your user data is subjected to a secure cryptographic deletion process. Any remaining data is permanently aggregated and anonymized so that it can never be linked back to your individual identity, ensuring your long-term privacy.

7. Your Privacy Rights

Privacy rights are the legally enforceable entitlements that grant you direct control, visibility, and authority over how your personal information is collected and processed by our organization. Depending on your jurisdiction, you possess a comprehensive suite of rights regarding your user data.

Right to Access: You have the right to request a complete copy of the personal data we hold about you. This includes your transaction history, account details, and the specific categories of data we have collected.

Right to Rectification: If you discover that your user data is inaccurate, incomplete, or outdated, you have the right to request immediate correction or updates to your profile.

Right to Erasure (Right to be Forgotten): Under certain conditions, you may request the deletion of your personal data. Please note that this right is not absolute and is often superseded by our legal requirements to retain financial records for anti-money laundering purposes.

Right to Data Portability: You can request that we transfer your data directly to another service provider in a structured, commonly used, and machine-readable format, empowering you to move freely within the digital economy.

8. Contact Our Data Protection Officer

A Data Protection Officer (DPO) is an independent enterprise security leadership role responsible for overseeing data protection strategy and implementation to ensure compliance with global privacy laws. If you have any questions, concerns, or requests regarding your privacy or this policy, our DPO is your primary point of contact. You can also manage your privacy settings through the account management dashboard.

You can reach our dedicated privacy team and the Data Protection Officer by submitting a secure request through your authenticated Kraken account dashboard, or by emailing privacy@kraken.com. We are committed to acknowledging all privacy-related inquiries within 48 hours and resolving complex data requests within 30 days, as mandated by international data protection frameworks. For additional assistance, visit our 24/7 support center.