STOEX

Koshayojan Services DMCC

PRIVACY POLICY

Last Updated: January 2026

Koshayojan Services DMCC ("Koshayojan" "we," "our," or "us") operates the platform and Stoex ("Platform") is committed to protecting your privacy. This Privacy Policy explains how your Personal Information is collected, used, and disclosed by us.

This Privacy Policy applies to our website, APIs, mobile applications and its associated subdomains (collectively, our "Service(s)") in accordance with applicable UAE data protection laws, the UAE Federal Decree-Law No. 45 of 2021, and the Virtual Assets Regulatory Authority (VARA) Rulebooks. By using our Services, you confirm that you understand and agree to our data handling practices as set out in this Policy and our Terms and Conditions.

1. DEFINITIONS AND KEY TERMS

To help explain things as clearly as possible in this Privacy Policy, every time any of these terms are referenced, are strictly defined as:

(i) Cookie:

small amount of data generated by a website and saved by your web browser. It is used to identify your browser, provide analytics, remember information about you such as your language preference or login information.

(ii) Company:

when this policy mentions "Company," "we," "us," or "our," it refers to Koshayojan Services DMCC, that is responsible for your information under this Privacy Policy.

(iii) Customer:

refers to the company, organization or person that signs up to use our Service.

(iv) Device:

any internet connected device such as a phone, tablet, computer or any other device that can be used to visit our website, APIs, mobile applications and use the Services.

(v) IP address:

Every device connected to the Internet is assigned a number known as an Internet protocol (IP) address. These numbers are usually assigned in geographic blocks. An IP address can often be used to identify the location from which a device is connecting to the Internet.

(vi) Personnel:

refers to those individuals who are employed by the Company or are under contract to perform a service on behalf of one of the parties.

(vii) Personal Data/ Personal Information:

shall have the same meaning as ascribed to it in Clause 9.2 of this Privacy Policy;

(viii) Service:

refers to the service provided by the Company as described in the relative terms (if available) and on this platform.

(ix) Third-party service:

refers to advertisers, contest sponsors, promotional and marketing partners, and others who provide our content or whose products or services we think may interest you.

(x) Website:

STOEX Exchange Website

(xi) You:

a person or entity that is registered onto the platform to use the Services.

2. WHAT INFORMATION DO WE COLLECT?

2.1

We collect information from you when you visit or interact with our website, mobile applications, or Services, including but not limited to when you register, place an order, complete forms, subscribe to communications, respond to surveys, or engage in KYC onboarding. The data collected may include:

  • (i) Name / Username;
  • (ii) Phone Numbers;
  • (iii) Email Addresses;
  • (iv) Mailing Addresses;
  • (v) Billing Addresses;
  • (vi) Debit/credit card numbers;
  • (vii) Age;
  • (viii) Password;
  • (ix) Your Know-your-Customer ("KYC") details which include your identification documents, address proof, tax registration numbers etc.;
  • (x) Any other information necessary for providing Services.

2.2

We also collect information from mobile devices for a better user experience, although these features are completely optional:

  • (i)Location (GPS): Location data helps to create an accurate representation of your interests, and this can be used to bring more targeted and relevant ads to potential customers.
  • (ii)Phonebook (Contacts list): Your contacts list allows the platform to be much more easy to use by the user, since accessing your contacts from the app makes you save tons of time.
  • (iii)Camera (Pictures): Granting camera permission allows the user to upload any picture straight from the platform, you can safely deny camera permissions for this platform.
  • (iv)Photo Gallery (Pictures): Granting photo gallery access allows the user to upload any picture from their photo gallery, you can safely deny photo gallery access for this platform.

3. USE OF INFORMATION

Your information will be visible to other users of the Platform to facilitate communication between users. You agree that we may use your information in the following ways:

a.

We use the information we collect about you to provide the Services to you, create a better, more personalized experience for you based on your individual usage habits, improve our marketing and promotional efforts, analyze site usage and disclose aggregated statistics, improve our content and service offerings, aid in our monetization efforts, and customize our Platform content, layout and services. This may include migrating your information to other platforms owned by us. We also use the information we collect about you to review and investigate your activities or transaction on our Platform, resolve disputes, troubleshoot problems, and enforce our Terms and Conditions.

b.

We may use your correspondence with us, information posted by you for publication on our Platform for promotional, sales or any use that we consider appropriate, whether submitted via email, or posted on our Platform.

c.

If we are involved in a merger, acquisition, restructuring or asset transfer, we may share Personal Information with the relevant successor only where the recipient: (i) agrees in writing to assume all obligations under this Privacy Policy and applicable UAE data-protection and VARA requirements; (ii) uses the information solely for the purposes for which it was originally collected; and (iii) is bound by confidentiality and security obligations no less protective than ours. We will provide any notices/consents required by law before such a transfer.

d.

We may engage trusted third party service providers to perform functions and provide services to us, such as hosting and maintaining our servers and the website, database storage and management, e-mail management, storage marketing, credit card processing, customer service and fulfilling orders for products and services you may purchase through the website. We will likely share your Personal Information, and possibly some non-personal information, with these third parties to enable them to perform these services for us and for you.

e.

We may share portions of our log file data, including IP addresses, for analytics purposes with third parties such as web analytics partners, application developers, and ad networks. If your IP address is shared, it may be used to estimate general location and other technographics such as connection speed, whether you have visited the website in a shared location, and type of the device used to visit the website. They may aggregate information about our advertising and what you see on the website and then provide auditing, research and reporting for us and our advertisers.

f.

We may also disclose personal and non-personal information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate in order to respond to claims, legal process (including subpoenas), to protect our rights and interests or those of a third party, the safety of the public or any person, to prevent or stop any illegal, unethical, or legally actionable activity, or to otherwise comply with applicable court orders, laws, rules and regulations. Where permitted by law, we will notify you of any legally-mandated request for your Personal Information to give you an opportunity to seek protection, unless we are legally prohibited from doing so.

g. VARA Compliance

Notwithstanding anything in this Policy, we will implement and maintain all notifications, contractual provisions and consents necessary to enable the Dubai Virtual Assets Regulatory Authority (VARA) to access information relating to our compliance with VARA's Technology & Information Rulebook regardless of where such information is stored, and we will provide such access in the manner and within the timelines communicated by VARA. In addition, where we notify any data regulator (including in the UAE) or a Data Subject of an incident affecting Personal Data, we will notify VARA within 24 hours of such notification, unless prohibited by applicable law.

h.

We maintain and enforce policies, procedures and controls to protect the confidentiality of information related to clients and related records. Such information is used only for its intended purpose and in accordance with applicable confidentiality obligations and law. Staff are trained on, and periodically certify compliance with, these requirements; Staff must not share confidential information within the Company or with other entities unless strictly necessary to conduct VA Activities, and may not use confidential information for the trading of Virtual Assets.

The Company ensures that the use and disclosure of personal data complies with applicable UAE Data Protection Laws and VARA requirements, including enabling data subjects to exercise their rights to access, rectify, or erase their personal data, where applicable.

4. How Long Do We Keep Your Information?

4.1 International Operations

Please note that the Platform is being operated and managed from UAE and is subject to the applicable laws of UAE. While we have formulated this Privacy Policy in accordance with internationally recognized standards and regulations, particularly the European Union's General Data Protection Regulation (GDPR) which establishes a global benchmark for data protection and privacy; as an international user (located or situated outside of UAE) certain other data privacy laws of your territory may be applicable on processing of your Personal Information.

4.2 Storage Period

We shall store and retain your Personal Information as long as it is required for the fulfilment of Services set out in this Privacy Policy or as required in accordance with the applicable data privacy laws, whichever is later ("Storage Period"). After the processing is complete or in case you withdraw the consent given for such processing, the Personal Information that is stored and retained with us shall be either deleted or anonymized in accordance with the applicable laws.

4.3 Blockchain Immutability

However, it is to be noted that the Platform employ smart contracts that are executed on blockchain technology which is immutable and hence cannot be altered, amended or deleted unless allowed in the smart contract. If you use the Platform, you are consenting to allow certain information such as account transactions, wallet entries etc. to be cryptographically transmitted and stored on that blockchain that may be permanently stored on such blockchain.

5. Security & Reliability

We take reasonable security measures to protect Personal Information against loss, misuse, unauthorized or accidental access, disclosure, alteration and destruction.

We have implemented policies and maintained appropriate technical, physical, and organizational measures and followed industry practices and standards in adopting procedures for securing and implementing systems designs and protecting Personal Information from unauthorized access, improper use, disclosure and alteration.

Incident Notification

In the event of an incident affecting, or potentially affecting, Personal Data, the Company shall notify the Dubai Virtual Assets Regulatory Authority (VARA) as soon as possible and in any event within twenty-four (24) hours after it notifies either any data regulator (including in the UAE) or a Data Subject. The notification to VARA will include a summary of any report made to the data regulator and, where the relevant data regulator is located in the UAE, a copy of that report, unless and to the extent prohibited by applicable law.

6. Third-Party Websites and Data Sharing

Our Platform may contain links to third-party websites that are not affiliated with or authorized by the Company. When you click on such a link, you will leave our Platform and may be redirected to a website maintained by another entity. These third-party websites may independently collect Personal Information. We do not control, monitor, or assume responsibility for the content, privacy practices, or data collection policies of these websites.

In addition, the Company may share Personal Information with trusted third-party service providers solely for the purpose of enabling services, fulfilling contractual obligations, or complying with applicable regulatory requirements. Prior to any such engagement, the Company conducts due diligence to ensure each service provider upholds adequate data protection standards.

7. Children's Privacy

Platform does not allow persons under 18 to register for any Service, and we do not knowingly collect any personally identifiable information from persons under the age of 18. If you are aware of someone under the age of 18 using our Services, please contact us immediately by contact form.

8. User Access to Personal Information

8.1 Modifying Your Information

You can modify all of your Personal Information and your privacy preferences by accessing the "Account" section of this website/application at any given time. Users are encouraged to put in a diligent effort in updating their Personal Information from time to time, to continue the flow of seamless counselling and services.

8.2 Withdrawing Consent

Subject to the limitation of immutability of data transmitted on blockchains, you may at any point of time, withdraw your consent given to us to process your Personal Information, pursuant to which, you shall not be able to access or use any service provided on the Platform and no further data of yours shall be collected or processed by us. However, the Personal Information already in our possession shall be stored and retained till the Storage Period. To withdraw your consent, please write to us at support@stoex.io.

9. General Data Protection Regulation (GDPR)

9.1 What is GDPR?

GDPR is an EU-wide privacy and data protection law that regulates how EU residents' data is protected by companies and enhances the control the EU residents have, over their Personal Data. The GDPR is relevant to any globally operating company and not just the EU-based businesses and EU residents. Our customers' data is important irrespective of where they are located, which is why we have implemented GDPR controls as our baseline standard for all our operations worldwide.

9.2 What is Personal Data/Information?

Any data that relates to an identifiable or identified individual. GDPR covers a broad spectrum of information that could be used on its own, or in combination with other pieces of information, to identify a person. Personal data extends beyond a person's name or email address. Some examples include financial information, political opinions, genetic data, biometric data, IP addresses, physical address, sexual orientation, and ethnicity.

9.3 Data Subject Rights

We are committed to helping our customers meet the data subject rights requirements of GDPR. If you are a user who is subject to the GDPR, you have the right to:

  • Request an access to your Personal Information collected and processed by us
  • Request a rectification of the incorrect Personal Information (if any) or completion of any incomplete Personal Information stored with us
  • Request deletion or removal of any of your particular or complete Personal Information stored with us
  • Dispute, object or request a restriction on processing of your Personal Information collected by us
  • Withdraw your consent for processing of your Personal Information at any time

To exercise any of these rights, please write to us at support@stoex.io

10. International Users

The Platform is being operated and managed from UAE and is subject to the applicable laws of UAE. As an international user (located or situated outside of UAE) certain other data privacy laws of your territory may be applicable on processing of your Personal Information. However, when you access our Platform and provide your Personal Information through any mode whether through cookies or otherwise, you accept and acknowledge that your Personal Information is being processed in accordance with this Privacy Policy and the Personal Information may be processed and stored in UAE or other countries where the applicable provisions may be less stringent than the data privacy laws of your territory. Where Personal Information is transferred outside the UAE, we implement appropriate safeguards (e.g., contractual clauses or approved mechanisms) to ensure a level of protection not less than that required under UAE PDPL.

11. Cookies

Platform uses "Cookies" to identify the areas of our website that you have visited. A Cookie is a small piece of data stored on your computer or mobile device by your web browser. We use Cookies to enhance the performance and functionality of our website but are non-essential to their use. However, without these cookies, certain functionality like videos may become unavailable or you would be required to enter your login details every time you visit the website as we would not be able to remember that you had logged in previously. Most web browsers can be set to disable the use of Cookies. However, if you disable Cookies, you may not be able to access functionality on our website correctly or at all. We never place Personally Identifiable Information in Cookies.

12. Changes to This Privacy Policy

This Privacy Policy may be updated from time to time for any reason. We will notify you of any changes to our Privacy Policy by posting the new policy on our website. The date the Policy was last revised is identified at the beginning of this policy. You are responsible for periodically visiting our Platform and this Privacy Policy to check for any amendments.

13. Governance and Oversight

Company maintains a formal Data Protection Function responsible for overseeing the implementation of this Privacy Policy and ensuring compliance with applicable data protection laws, including the UAE Personal Data Protection Law (PDPL). The function operates under the supervision of the appointed Data Protection Officer (DPO), who has the authority and independence to monitor data compliance, advise on privacy obligations, and liaise with supervisory authorities. Company shall provide access to records, systems, and information related to the implementation of this Privacy Policy upon request by the Dubai Virtual Assets Regulatory Authority (VARA) or any other competent authority, in accordance with applicable regulations.

14. Data Protection Officer (DPO)

Company has appointed a Data Protection Officer (DPO) who acts independently and possesses appropriate expertise in data privacy and information governance. The DPO is responsible for advising on data protection obligations, monitoring internal compliance with this Policy and applicable law, and serving as the contact point for users and data protection authorities.

15. Grievance Officer

All your questions, discrepancies and grievances with respect to processing of Personal Information shall be made to the Grievance Officer.

The Grievance Officer shall redress the grievances of the users and other individuals expeditiously and in any event within the period prescribed under law. In case of any queries regarding the content, interpretation, implications of this Policy, you may contact the Grievance Officer at support@stoex.io

Let’s Define the Future Together

We invite issuers, investors, advisors, and ecosystem collaborators to explore how tokenised real-world assets can expand financial inclusion, unlock liquidity, and foster more efficient market structures.