Privacy Policy

Last updated: March 18, 2026

This Privacy Policy explains how Cogentic ("we", "us", "our") collects, uses, and protects information in connection with the Vasp Track service at vasptrack.org (the "Service"). We are committed to protecting your privacy and being transparent about our data practices.

1. Information We Collect

VASP and CASP Data (Public Data)

The core of the Service is a directory of Virtual Asset Service Providers (VASPs) and Crypto Asset Service Providers (CASPs). This data is aggregated from public sources, including:

• GLEIF — Legal Entity Identifiers, registered addresses, legal form, and registration details
• CoinGecko — Trust scores, trading volume, websites, and logos
• Wikidata — Founded year, descriptions, and website URLs
• Government and regulator registers — ESMA MiCA CASP register, AUSTRAC DCE register, and other public regulatory registers
• Sanctions lists — OFAC SDN, UN Consolidated, EU Consolidated, UK OFSI
• FATF and risk indices — FATF grey/black lists, Basel AML Index, Corruption Perceptions Index
• Travel Rule networks — Notabene, TRISA GDS, TRUST consortium

This data is publicly available and is aggregated and presented through the Service. It is not personal data in most cases, as it relates to registered business entities.

Submitted Data

When users submit information about a VASP or CASP (such as corrections, updates, or new listings), we collect:

• The submitted data itself (entity information, regulatory details, etc.)
• The submitter's name and email address (for verification and follow-up)

Profile Claim Data

When a VASP representative claims their organisation's profile, we collect:

• Work email address (used for domain verification)
• The claimed organisation's identity

Usage Data

When you use the Service, we automatically collect:

• IP address
• Browser type and version
• Pages visited and time spent
• Referring URL
• Device information (operating system, screen size)

This is standard web analytics data collected to understand how the Service is used and to maintain its security and performance.

2. How We Use Your Information

We use the information we collect to:

• Provide the directory service — aggregate, organise, score, and display VASP/CASP data
• Process submissions — review, verify, and incorporate user-submitted data
• Verify profile claims — confirm that claimants are authorised representatives via email domain matching
• Improve data quality — identify gaps, correct errors, and enrich records
• Maintain and improve the Service — monitor performance, fix issues, and develop new features
• Enforce our Terms — detect and prevent abuse, fraud, and misuse
• Communicate with you — respond to enquiries, send verification emails, and notify about material changes

3. Data Sharing

VASP/CASP Directory Data

VASP and CASP data — including regulatory status, risk scores, corporate information, and Travel Rule readiness — is published publicly through the website and API. This is the core purpose of the Service.

Personal Data

We do not sell, rent, or share your personal data (such as email addresses) with third parties, except:

• Service providers — we may use third-party services for email delivery, hosting, and analytics that process data on our behalf under appropriate agreements
• Legal obligations — we may disclose data if required by law, regulation, or legal process
• Business transfers — in connection with a merger, acquisition, or sale of assets, data may be transferred as part of the transaction

4. Cookies and Analytics

The Service may use cookies and similar technologies to:

• Remember your preferences (such as theme settings)
• Collect anonymous usage analytics
• Maintain session state

You can control cookie settings through your browser. Disabling cookies may affect some features of the Service.

5. Data Retention

• VASP/CASP data is retained indefinitely as a public record of the registry. Historical data is valuable for tracking changes in regulatory status and risk over time.
• Submission data (including submitter email) is retained as long as necessary to process the submission and maintain data provenance.
• Profile claim data (work email) is retained for as long as the claim is active.
• Usage data is retained in aggregated, anonymised form. Raw usage logs are retained for no longer than 12 months.

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you
• Correction — request correction of inaccurate personal data
• Deletion — request deletion of your personal data (subject to legal retention requirements)
• Objection — object to processing of your personal data for certain purposes
• Portability — request your personal data in a structured, machine-readable format
• Withdraw consent — where processing is based on consent, withdraw that consent at any time

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

Note that VASP/CASP directory data is aggregated from public sources and relates to business entities, not individuals. Requests to remove or modify public business data will be assessed on a case-by-case basis.

7. Security

We implement appropriate technical and organisational measures to protect data, including:

• Encrypted connections (HTTPS) for all Service traffic
• Access controls limiting who can modify directory data
• Regular security reviews and updates
• Database backups and disaster recovery procedures

No system is completely secure. If you believe your data has been compromised, please contact us immediately.

8. Children's Privacy

The Service is not directed at children under 13 years of age. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

9. International Transfers

The Service is operated from Australia. If you access the Service from outside Australia, your data may be transferred to and processed in Australia. By using the Service, you consent to this transfer. We take steps to ensure that data transferred internationally is protected in accordance with this Privacy Policy and applicable law.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

11. Contact

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:

Cogentic Email: [email protected] Website: vasptrack.org