Before You Click 'I Agree': How Binance, Coinbase and 22 Other Crypto Exchanges Handle Your Data

Never bother to read the privacy policy when signing up for a cryptocurrency exchange? Maybe you should.

For Privacy Week, CoinDesk reviewed the privacy policies and notices of 24 major crypto exchanges and lending services to see how much they know about users and how transparent they are about it. The two dozen companies represent a cross-section of popular consumer-facing platforms.

It turns out crypto platforms collect a wealth of their users’ personal data – ironic considering this asset class grew out of the privacy-championing cypherpunk movement and was originally conceived as anonymous digital cash.

All major crypto services these days are subject to laws and regulations obliging them to perform know-your-customer (KYC) checks on any new client. Because crypto platforms are inherently online, over the past few years they have adopted biometric verification to make sure they are dealing with the same person who submitted the ID documents, asking prospective users to provide a photo with their ID, a short video of themselves or both.

Given that many of these platforms are accepting fiat payments from bank accounts of their clients to let them buy crypto with their local currencies (acting as so-called fiat on-ramps), they also process users’ banking information, and in some cases tax IDs, too.

Such platforms collect their users' home addresses, phone numbers, employment information, banking details, photos of their IDs and photos and/or videos of their faces. In addition, platforms can see the entire history of their users' trades, cryptocurrency addresses they use to deposit and withdraw funds and any transactions related to them on public blockchains.

Platforms also routinely gather technical information about the devices users are logging in from, including operating systems, browser details, IP addresses and the location and time zone settings of computers and phones their clients use to trade.

This is a pretty typical set of data more or less any regulated crypto service would process and store. However, they differ in the amount of data they store, how they protect users' privacy and how much they disclose about such practices.

The companies explain in their privacy policies that they use this data to provide quality service to their clients, prevent fraud and keep customers posted about relevant news and updates. However, this abundance of personal information makes the platforms huge data banks – and, in cases of security breaches, they may become sources of massive leaks.

It's hard to verify how companies are actually handling their users’ data. But by reading the privacy policies these companies publish on their websites, we can see how explicit and forthright they are about it.

Here are some of the issues to be mindful of.

Crypto platforms provide varying levels of disclosure about the data they receive and store related to users' financials. (In this article, we don't look at the financial information platforms collect about corporate users, only about individuals.)

Most of the privacy policies CoinDesk reviewed mentioned bank account numbers and (as one would expect) trading history on the platform. Crypto lending provider BlockFi stood out with the longest list of types of banking data it collects. Exchanges Binance, BitMEX, Poloniex, and OKEx did not mention what banking data they collect at all in their privacy policies.

Paxful mentions that financial information may be stored if users send it to their trading counterparties via the chat on the platform, as Paxful keeps the chat records.

"BitMEX doesn’t operate any fiat payment gateways for its users and so does not receive credit card or other banking information in respect of its users,” explained BitMEX Communications and Content Manager Jessica Lindeman. “Instead users are able to purchase XBT or USDT through Banxa,” a payments company.

Poloniex said via spokesperson Gabriel Wang that it too "does not deal with fiat directly, so no credit card/banking info is stored on our system."

Richard Kay, OKEx’s senior public relations manager in the U.K. and Europe, said the exchange also does not store its users’ banking information. That's taken care of by third-party payment providers, including Coinify, MoonPay, Okcoin, Banxa, Mercuryo, Simplex and Itez, he said.

Binance told CoinDesk via a spokesperson that it actually does process banking information. "We would only process credit card or banking information when users decide to share this information with Binance, for transactional purposes, as it is not mandatory information to open an account," the company added.

Crypto services usually need multiple partners to maintain their websites and process trades, so they have to share users’ data with those partners. Various services provide different levels of openness about which companies they share users' data with, and about their reasons for doing so.

Some companies merely mention they might share data with third parties, while others provide names and explanations, with varying degrees of detail.

Bitfinex and BitMEX provided the longest lists of counterparties they share data with. Bitfinex lists third parties at the end of its privacy policy and BitMEX has a special page dedicated to the list of its data partners.

Europe-based platforms normally mention, among other things, if they are transferring users' data to any places outside the EU, and how they make sure such transfers are secure. These parts of the privacy policies look pretty similar across different platforms.

Many companies separately describe their approaches for EU citizens, whose personal data since 2018 has been protected by the General Data Protection Regulation (GDPR), or for Californians, under the California Consumer Privacy Act (CCPA). Some platforms also specify their treatment of residents of Vermont, which has its own local privacy laws.

We won’t delve into those sections in this article, as they’re largely relevant only to residents of these particular areas, but if you are one, check if your crypto service notes anything important for you.

To make sure they know enough about their users, platforms gather information about them from outside sources, meaning they might know much more about you than you yourself told them.

This might include companies affiliated with the platform via common owners; third-party providers of identity verification and other technology; banks; government organizations; social networks and other sources.

Out of the 24 platforms in our list, Gemini, founded by Cameron and Tyler Winklevoss, seems to have the most exhaustive list of outside sources of information it's gathering about users.

Many companies mention they might look you up in anti-fraud databases, public court documents, sanctions lists, and also ask credit bureaus and various government bodies about you.

Major crypto exchanges these days are closely watched by regulators around the world and often asked to disclose information about their users when the authorities suspect wrongdoing, from tax evasion to money laundering.

"The companies that collect that information can – and often do – share that personal information with governments, even when the government has not gotten a warrant to collect that information," said Marta Belcher, a cryptocurrency and civil liberties attorney.

A silver lining is that more and more companies are disclosing how many requests from authorities they get.

"What it really comes down to is whether companies are going to stand up for their users, and whether they are going to be transparent about the requests they receive from governments and whether they voluntarily turn that information over," Belcher said.

The most famous (or infamous) precedent of a government body reaching for a trove of crypto exchange users' data was the U.S. Internal Revenue Service (IRS) getting access to information on about 13,000 U.S. users of Coinbase in 2018. The move was preceded by a long court fight between the exchange and the IRS, which initially wanted data about 500,000 users.

The way a company describes its reasons for answering questions from governments matters, said Peter Van Valkenburg, director of research at Coin Center, an industry think tank.

"Do they need a warrant or subpoena, or they’re happy to answer even without the warrant from the judge?" Van Valkenburg said.

Out of 24 companies CoinDesk looked at, 13 mentioned subpoenas and court orders in their privacy policies among reasons to cooperate with the requests from government agencies and law enforcement. However, not all companies claim to require such a formal request before handing over customer information.

Blockchain.com, an exchange and crypto wallet provider, says it would insist that authorities present "a court order, or equivalent proof that they are statutorily authorised to access your data." By contrast, eToro says it would provide information "to assist regulatory, cybercrime, data and information protection agencies and police with their enquiries and enforcement, even if not compelled to do so."

Bitfinex dedicated a separate page on its website to explain how it approaches requests from law enforcement bodies.

Ultimately, it's hard to predict how a particular platform would act in a real-life situation when a regulatory body is knocking on its door, or how evolving crypto regulation around the world could change the rules of the game in years to come. But the way platforms describe their approach might give some clues about what you can possibly expect.

Another thing to pay attention to is how long your data is stored on the exchange's servers after you're no longer a client. Such disclosures often are put under the title "data retention" in privacy policies.

In most cases, it would take platforms about five years to erase your data after you part ways, but most also note that due to some specific reasons, like an ongoing investigation, they can keep your data longer.

Among the 24 companies, Bittrex and Bitstamp mention the longest possible time for keeping users' data, with each saying it might store information for up to 10 years after an account is deleted.

Bitstamp appeared to be the only company among the 24 that said it destroys biometric data as soon as account verification is complete.

Coinbase and LocalBitcoins provided the most detailed descriptions of how long they keep various kinds of data. LocalBitcoins also specified that the information of users who never actually used the platform to trade will be stored for a much shorter time than that of active users: up to 13 months compared to five years.

There is no universal standard for disclosing data security measures among crypto services: Some of them just say they take technological and organizational measures to ensure your information is safe, while others mention specific tech solutions, rules of access to their data centers and other steps.

Data security is a complex task, and to prevent attacks, companies in most cases refrain from fully disclosing the details and specifics of their data security systems, so as not to tip their hands to potential attackers.

In this sense, these disclosures serve not so much as attestations of platforms' actual security level, but more as a demonstration of how straightforward and diligent they are in talking to users about privacy and security.

"If the company doesn’t outline how they protect user data, it is a red flag,” said Lili Rhodes, senior mining analyst at Compass Mining, a bitcoin mining firm in the U.S. “Users do not know how this company will safeguard their data in the event of a breach."

What if security measures fail and the platform where you're trading is breached? We checked the privacy policies for indications if these companies pledge to disclose security breaches and data leaks to their users.

Note that the answer "No" in the table does not mean the platform won't tell you if it gets hacked; it means it doesn't explicitly promise to do so if that happens.

A spokesperson for Nasdaq-listed Coinbase noted that many jurisdictions have rules about disclosing breaches to customers, which the crypto exchange follows, and that disclosing everything the company does to comply with laws would make a privacy policy an unwieldy read.

Privacy policies are not the most exciting reads (no comparison to price charts and market analytics). But if you want to check them yourself and see how the platforms you use treat your sensitive information, below you’ll find links to all the privacy policy pages CoinDesk reviewed for this story.

As they say: don't trust, verify.

Bakkt

Blockchain.com

Celsius

Coinbase

Crypto.com

FTX

Huobi

Kraken

Nexo

OKEX

SALT