Privacy Policy
Last Updated: 23 June, 2026
Effective Date: 1 July 2026
1. Background
This Privacy Policy (the “Policy”) details how and why Stormrake Pty Ltd (ACN 630 754 826), Stormrake IA Pty Ltd (ACN 680 043 538), and Related Persons (“Stormrake”, “Company”, “we”, “our”, and “us”) may access, collect, store, use, and/or share your personal information when you use our Services.
By providing us with information, you consent to the collection, disclosure, and use of your information in accordance with this Policy and any other applicable terms. If you do not agree with our policies and practices, please refrain or discontinue your use of the Stormrake Facility and Services. If you still have any questions or concerns, please contact us.
Stormrake Pty Ltd and Stormrake IA Pty Ltd’s handling of Personal Information complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles, as amended. We will notify you and the OAIC of any eligible data breach in accordance with the Notifiable Data Breaches scheme.
Stormrake reserves the right to amend, modify, or change this Policy, at any time to ensure compliance with evolving laws and regulations or to enhance the Stormrake Services. We will notify you of material changes to the Privacy Policy which affect your Stormrake Account(s) and provide you with ample notice of the changes. Any revisions will be effective upon the posting of the updated Terms on the Stormrake website, and supplant all prior versions.
Your continued use of the Stormrake Facility and Services after the effective date of any changes shall constitute your consent to the amended Policy. If you do not accept the updated Privacy Policy or don’t wish to be bound by it, you must cease using Stormrake’s Facility and Services.
2. Personal Information we Collect
Personal Information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.
Personal information we may collect includes:
Audio and electronic information: Such as records of your communications with us, for correspondence via our website, phone, email, or other communication channel.
Banking information: Such as bank account numbers, routing numbers, and your source of funds and source of wealth
Behavioural information: When you use our Facility or Services, we may collect data about your interaction with and navigation of our websites, such as the webpages you view and your general usage patterns, to analyse, improve, and secure our Services;
Contact information: Such as email address, residential address, and phone number.
Customer support information: Such as information relating to your inquiries or requests.
Demographic Information: Such as date of birth and marital status.
Device information: Such as IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, and other technical details.
Employment information: Such as employer information, employment status, job title, and salary.
Location information: We may use your IP address to infer your general geographic location (e.g city, state, and country).
On-chain information: Such as digital asset wallet addresses and transaction IDs.
Sensitive personal information: Such as driver’s licence, passport number, social security number, citizenship and visa information (some of which may be protected classifications), and biometric data.
Transaction information: Such as the assets, notional value, fees, and time and date of the trades, deposits, and withdrawals on your account.
We only collect the personal data that is necessary for the purposes outlined in this Privacy Policy. We do not collect more data than is required to deliver our Services and fulfil our legal and compliance obligations.
3. How we Collect your Personal Information
We collect personal information in the course of operating and providing our Facility and Services, including information you provide to us. We usually collect your personal information directly from you, but may also collect your personal information from other sources such as from our Related Persons, third parties, contractors, service providers, or publicly available sources.
We may collect your personal information from the relevant corporate regulator if you are a Director, Officer, or shareholder of a corporate entity that has registered for an Account with Stormrake.
4. Sensitive Information we Collect
Sensitive information is personal information that includes information or an opinion about an individual’s racial or ethnic origin, political opinions or associations, religious or philosophical beliefs, trade union membership or associations, sexual orientation or practices, criminal record, health or genetic information, or some aspects of biometric information.
We may collect sensitive information in the course of operating and providing our Services, including information you provide to us. Some sensitive information we collect and hold, including but not limited to one’s racial or ethnic origin, may be inferred from your identity documents.
5. How we Use your Personal Information
Our primary purpose in collecting information is to help us operate, provide, improve, customise, support, and market our Services. We may also process your information for other purposes with your consent.
We may use your information to:
verify your identity;
create and manage your account;
provide the Services and customer support you request;
provide updates on the digital asset market and financial markets
resolve disputes and troubleshoot problems;
send you essential notifications, such as updates to our terms, policies, and other changes that impact our Services and your Account(s);
act upon and fulfil your Digital Asset Withdrawal Instructions by providing the necessary information to beneficiary institution Virtual Asset Service Providers in the context of the Travel Rule
make available to you your deposited Digital Assets that originate from ordering institution Virtual Asset Service Providers in the context of the Travel Rule
analyse usage patterns to enhance our Services and understand how we may improve your experience;
prevent and investigate potentially prohibited or illegal activities, and/or violations of our posted Terms; and
deliver targeted marketing and service update notices based on your communications preferences.
6. How we Protect Personal Information we Collect
We take reasonable and appropriate steps to protect your personal information (including sensitive information) from unauthorised access, alteration, disclosure, destruction, and use. We generally store your personal information in information technology systems, including those operated by our service providers on behalf of Stormrake.
7. How we Disclose Personal Information we Collect
7. 1 Third Party Disclosure
We may share personal information (including sensitive information) in specific situations where it is necessary to provide our Services, comply with legal and compliance obligations, or improve our operations.
We may disclose your personal information to law enforcement or government agencies where we are required to do so by law or under court order. Where permitted, we will provide notice to our clients whose data is requested by any government or law enforcement agency. In the event that we are unable to provide prior notice, we will endeavour to give notice as soon as disclosure is permitted and is reasonably practicable.
Third parties with whom we may share your personal information include:
our service providers, including but not limited to:
identity verification service providers
payment processors and financial institutions
IT service providers
email service providers
our Referral Partners
government, regulatory, or law enforcement agencies
In each of these cases, we take reasonable steps to ensure that these third parties have adequate safeguards in place to protect your information and that it is only shared for the specified purpose.
7.2 Overseas Disclosure
When we share personal information, it may be disclosed to and received by individuals or entities outside of Australia and the country in which you live, including but not limited to the United States. Some of Stormrake’s related entities and service providers are located inside and outside Australia, and some of our cloud and IT servers may be located inside and outside Australia.
In cases where we disclose your personal information to an overseas recipient, we will take reasonable steps to ensure that they handle your information in the same way and with the same level of care that we do. Personal information will only be disclosed to overseas recipients with your express consent, where contractually necessary, where legally authorised, or where required by an international convention or treaty.
7.3 Disclosure to Related Persons
We may share your information with our Related Persons, and we will take reasonable steps to ensure they honour this Privacy Policy. Related Persons include Stormrake Pty Ltd and Stormrake IA Pty Ltd’s related entities, along with their respective directors, shareholders, members, officers, employees, attorneys, agents, representatives, and any subsidiaries, joint venture partners, or other companies under common control with us.
7.4 Disclosure to Service Providers
We may share your information with service providers who perform services for us or on our behalf, and need access to that information to perform their work. These third parties are not permitted to use your personal information for any other purpose.
7.5 Disclosure to Referral Partners
With your consent, we may share your information with Referral Partners for the purpose of offering you products, services, or promotions. We will not disclose your personal information to a Referral Partner of Stormrake without your consent.
7.6 Disclosing your Information in Connection with Transfers of Business
We may share or transfer your information in connection with, or during negotiations for, any merger, sale of company assets, financing, or acquisition of all or part of our business.
8. Accessing and Correcting your Information
8.1 Accessing your Information
You may contact us to request access to information about you that we hold. In order to request access, please contact us using the contact details provided in Section 14 (“Contact Details”). We will respond to requests within 30 calendar days, and provide access where it is reasonable, legal, and practicable to do so.
There may be circumstances in which we are obliged to refuse you access to information that we hold about you. This relates to cases where:
providing access would have an unreasonable impact on the privacy of others;
providing access would pose a serious threat to life, safety, or health;
the information is subject to legal professional privilege; or
there are legal or regulatory circumstances restricting us from sharing this information.
8.2 Correcting your Information
If you suspect that we hold any information about you that is incorrect, inaccurate, or out-of-date, you may contact us to request its correction. We encourage you to assist Stormrake in keeping your information up-to-date by promptly notifying us when there is a change of information. You may do so by using the contact details provided in Section 14 (“Contact Details”), and we will take all reasonable steps to collect the correct information.
9. Document Verification Service
We may use the Australian Government’s Document Verification Service (DVS) to verify the identity of Australian clients and meet our regulatory and legal obligations. The DVS allows for the comparison of your submitted documents (e.g driver’s licence, passport) against the records and databases managed by the Australian government agency issuer of those documents, and returns a ‘match’ or ‘no match’ response. If you are an Australian client and decline to have your identity verified through the DVS, we may not be able to open and service your account. If you provide documents issued by a government agency in New Zealand, these may also be checked against records and databases managed by the issuer of those documents.
10. Use of Cookies and Other Tracking Technologies
We use cookies and similar tracking technologies (e.g., web beacons and pixels) to gather information about your interactions with our Services. These technologies help us maintain the security of our Services, improve functionality, and analyse usage patterns. Some of the data collected may include your browsing history, preferences, or other actions you take on our website.
We also allow third parties to use cookies for analytics and targeted advertising. You can manage your cookie preferences by adjusting your browser settings.
11. Information Retention Period
We will retain your personal information only for as long as it is necessary for the purposes outlined in this Privacy Policy. If a longer retention period is required by law (such as for tax, accounting, legal, or compliance purposes), we will retain your information for that period.
When we no longer have a legitimate legal, compliance, or business need to retain your personal information, we will either delete it or de-identify it. In cases where deletion or de-identification is not possible, we will securely store your data and isolate it from further processing until it can be deleted.
You may contact us using the contact details provided in Section 14 (“Contact Details”) to request the deletion of your personal information. Please note that for compliance with the AML/CTF Act 2006 (Cth), we are legally required to retain your identification and transaction records for a minimum of 7 years after your account closes.
12. Opt out of Communications
In the event we send any communication to you which is unrelated to your account, we will provide you with an “unsubscribe” mechanism through which you may opt out of receiving other similar messages in the future. You may also opt out by contacting us using the contact details provided in Section 14 (“Contact Details”).
Please note that if you opt out, you will continue receiving communications about trades, deposits, withdrawals, as well as essential compliance or security-related communications.
13. Complaints
If you have concerns about our collection, use, and handling of your information, you may inquire further or submit a complaint using the contact details provided in Section 14 (“Contact Details”).
If you are not satisfied with our response or the outcome of a complaint, you may contact the Office of the Australian Information Commissioner (OAIC), the independent Australian national regulator for privacy and freedom of information. The OAIC investigates complaints about the handling of personal information, and can be contacted by phone at 1300 363 992, via their website at www.oaic.gov.au, or by email at enquiries@oaic.gov.au.
For more information about our complaints process, please see our Internal Dispute Resolution Policy.
14. Contact Details
We have detailed the best methods for contacting us below, depending on your country of residence or incorporation.
Clients (excluding the United States)
By dialling +61 (3) 8594 1454
By emailing privacy@stormrake.com
United States Clients
By dialling +1 888-429-9651
By emailing privacy@stormrake.com
15. Gramm-Leach-Bliley Act (GLBA)
Under the Gramm-Leach-Bliley Act (GLBA), we are required to disclose our information-sharing practices to United States clients and provide them with the opportunity to opt out of certain sharing of their nonpublic personal information. The details of our collection, use, and disclosure practices are set out throughout this Policy, and a summary of disclosures can be found in Stormrake IA - GLBA Notice.
U.S. state privacy laws generally do not apply to personal information that is subject to the GLBA. If you wish to opt out of any permissible sharing, please contact us using the details provided in Section 14 (“Contact Details”).
16. Children’s Online Privacy Protection Act (COPPA)
In the United States, The Children’s Online Privacy Protection Act (COPPA) regulates how commercial websites, apps, and online services collect, use, or disclose personal information from children under 13. Stormrake IA does not knowingly collect personal information from children under the age of 13 nor direct our services to children. If we learn that we have inadvertently collected the personal information of a child, we will take appropriate measures to remove the information from our records. If you are the parent or guardian of a child, or otherwise learn that we have collected the personal information of a child, please contact us using the details provided in Section 14 (“Contact Details”).
