Dram X
Legal

Privacy
Policy.

Last Updated: 15 May 2026

01 / Introduction & Controller

This policy explains how Dram X handles personal data under the UK GDPR and the Data Protection Act 2018. The data controller is DX Wealth Ltd. ([Company number TBC]), registered office 5 South Charlotte Street, EH2 4AN Scotland, United Kingdom. Data protection enquiries can be sent to sales@dramxwhisky.com ([Data Protection lead: TBC]).

02 / Our Role: Marketplace & Disclosed Agent

Dram X operates a marketplace. For each transaction the vendor (a third-party seller listed on the platform) is the legal seller of the goods to you, and Dram X acts as the vendor's disclosed commercial agent — we collect payment, issue invoices on the vendor's behalf, and provide customer service. As a result, Dram X and each vendor are independent data controllers in respect of the personal data needed to perform a sale; we share the minimum data necessary with the vendor (such as your delivery name, address, and order contents) so they can fulfil your order. Where Dram X engages third parties to perform tasks on our behalf, those parties act as our processors and are listed in §06.

03 / Information We Collect

  • Identity & contact details (name, email, postal address, phone, date of birth)
  • KYC and AML information (government ID, proof of address, selfie / liveness check, source of funds, sanctions and PEP screening results)
  • KYB information (for vendors: company registration documents, beneficial ownership, director ID, VAT number, alcohol-licence evidence)
  • Transaction data (orders, payments, payment-method metadata, refund records, crypto wallet addresses, on-chain transaction hashes)
  • Vendor payout data (bank account details held by Stripe Connect or Revolut Business, payout schedules, commission records)
  • Device & usage data (IP address, browser type, pages visited, referrers)
  • Communications you send us (support messages, emails, call notes)
  • Cookie and similar identifiers

04 / Sources of Data

We collect data directly from you when you register, transact, or contact us; from our identity-verification provider Sumsub (KYC/KYB results); from our payment processors Stripe (card payments and vendor onboarding) and BCB Group Limited (cryptoasset receipts and conversion); from Revolut Business in respect of our own bank account and vendor payouts; from blockchain wallet-screening providers in respect of crypto payment provenance; from vendors in respect of order fulfilment; and through cookies and analytics tools when you use the site.

05 / How We Use Your Data & Lawful Bases

  • Performance of our contract with you: account creation, processing orders as agent for the vendor, arranging delivery, customer support, refunds.
  • Compliance with legal obligations: customer KYC and vendor KYB under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), sanctions screening, tax and accounting records, self-billed VAT invoicing on the vendor's behalf.
  • Our legitimate interests: fraud prevention, securing the platform, blockchain transaction-monitoring on crypto payments, defending legal claims, analysing and improving our services (balanced against your rights).
  • Your consent: marketing communications and non-essential cookies, which you can withdraw at any time.

06 / Processors & Recipients

We use the following third parties to operate the service. Each is contracted under UK GDPR Article 28 where they act as our processor, or operates as an independent controller for its own regulated activity where indicated.

  • Sumsub (Sum and Substance Ltd., Cyprus / UK) — identity verification, document checks, sanctions and PEP screening (controller for its own regulatory recordkeeping; processor for verification on our behalf)
  • Stripe Payments UK Ltd. — card payment processing and Stripe Connect Express accounts for vendors (independent controller in respect of vendor onboarding and Stripe's regulated activity)
  • BCB Group Limited (UK) — receipt of cryptoasset payments and conversion to GBP under its FCA cryptoasset firm registration (independent controller for its regulated activity)
  • Revolut Business (Revolut Ltd., UK) — our operating bank account and the rail for vendor GBP payouts (independent controller for its banking activity)
  • Blockchain wallet-screening provider (provider name TBC) — sanctions and illicit-finance screening of incoming crypto wallets
  • HMRC bonded warehouses — where applicable, for goods storage and title records
  • Google / Firebase (cloud hosting, authentication, database)
  • Resend / similar transactional email provider — order confirmations and invoices
  • Google Analytics — usage analytics (only with your cookie consent)
  • Professional advisers (lawyers, auditors, accountants) under duties of confidentiality
  • Vendors listed on the marketplace — they receive the minimum personal data required to fulfil your order
  • Regulators, law enforcement, and courts where required by law
  • A successor entity in connection with a merger, acquisition, or asset sale

07 / International Transfers

Some of our processors are located outside the UK (for example, Sumsub processes verification data in the EEA; certain cloud and analytics providers may transfer data to the United States). Where we transfer personal data outside the UK, we rely on UK adequacy regulations or, where these do not apply, on the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, together with appropriate technical and organisational safeguards.

08 / Retention

We retain personal data only for as long as necessary for the purposes set out in this policy. KYC, KYB and anti-money-laundering records are retained for five years after the end of the business relationship as required by MLR 2017. Transaction and accounting records (including self-billed VAT invoices) are retained for six years under UK tax law. Wallet-screening results are retained for the same period as the related transaction. Marketing data is retained until you withdraw consent. Where data is no longer required, it is securely deleted or anonymised.

09 / Security

We use encryption in transit and at rest, role-based access controls, and vendor due diligence to protect personal data. Payment card data is handled within Stripe's PCI-DSS environment and is not stored on our systems. No system is perfectly secure; in the event of a personal data breach that meets the relevant threshold, we will notify the Information Commissioner's Office (ICO) and, where required, affected individuals.

10 / Cookies

We use strictly necessary cookies to operate the site, preference cookies to remember your settings, and analytics cookies (including Google Analytics) to understand how the site is used. Non-essential cookies are only set with your consent, which you can manage through the cookie banner or your browser settings.

11 / Your Rights

  • Access a copy of the personal data we hold about you
  • Request correction of inaccurate or incomplete data
  • Request erasure of your data where applicable (note: we are required to retain KYC/AML and tax records for the statutory periods in §08)
  • Request restriction of processing in certain circumstances
  • Receive your data in a portable format and have it transmitted to another controller
  • Object to processing based on our legitimate interests, including direct marketing
  • Withdraw consent at any time where processing is based on consent
  • Not be subject to decisions producing legal effects based solely on automated processing — note that customer KYC tier decisions and vendor KYB outcomes have a human-review path, and you may request human review of any adverse outcome

12 / Complaints

If you have a concern, please contact us first at sales@dramxwhisky.com and we will do our best to resolve it. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

13 / Children

Dram X is intended for users aged 18 or over. We do not knowingly collect or process personal data of children. If you believe a child has provided personal data to us, please contact sales@dramxwhisky.com and we will delete it.

14 / Changes to This Policy

We may update this policy from time to time. Updates will be posted here with a new "Last Updated" date. Material changes will be notified by email or via the platform before they take effect.

15 / Contact

Questions about this policy or how we handle your data can be sent to sales@dramxwhisky.com or by post to DX Wealth Ltd., 5 South Charlotte Street, EH2 4AN Scotland, United Kingdom.