RABBIT.IO AML/KYC Policy
Last Updated: March 24, 2026
This AML/KYC Policy outlines the procedures Rabbit.io (“Rabbit”, “Platform”, “Company”, “we”, “us”, or “our”) follows to prevent money laundering, terrorist financing, and other illicit activities when users interact with our crypto-to-crypto non-custodial exchange platform. This policy explains the measures we use to detect unusual activity, meet applicable regulatory obligations, and maintain a secure and compliant environment.
DEFINITIONS
For the purposes of this AML/KYC Policy, the following terms shall have the meanings set forth below. All definitions apply equally to singular and plural forms, and all grammatical variations thereof.
- "Platform" refers to the web-based interface operated by the Company, accessible at https://rabbit.io, including all associated subdomains, APIs, software modules, and any other services or technologies provided by the Company that enable Users to perform crypto-asset exchange transactions.
- "User" refers to any natural or legal person who accesses or uses the Platform, regardless of whether such person initiates a transaction. Where applicable, “you” or “your” shall refer to the User.
- "Crypto Asset" (also referred to as "cryptocurrency", "token", or "digital asset") means a digital representation of value that is based on or issued via blockchain technology and is capable of being transferred, stored, or traded electronically. This includes, but is not limited to, Bitcoin (BTC), Ethereum (ETH), and other tokens or coins that are not classified as securities under applicable laws.
- "Exchange" or "Swap" refers to a transaction facilitated through the Platform, whereby the User submits one type of Crypto Asset in exchange for another, either via the Company’s proprietary exchange system or through integrated Third-Party Providers.
- "Non-Custodial Service" means a service model where the Company does not store, hold, or maintain control over any User funds, wallets, or private keys, except for temporary possession strictly required to facilitate a specific transaction or perform compliance-related reviews.
- "AML/KYC Procedures" means Anti-Money Laundering and Know Your Customer screening measures implemented by the Company or its Third-Party Providers to ensure compliance with applicable financial regulations.
- "Restricted Jurisdictions" means any country, territory, or region where the use of the Platform is prohibited by law or by decision of the Company, including but not limited to jurisdictions sanctioned by the United Nations, European Union, U.S. Department of Treasury (OFAC), or other relevant authorities.
- "Service" or "Services" collectively refers to all functionalities, transactions, exchange mechanisms, compliance processes, customer support tools, APIs, and other related features made available to Users through the Platform.
AML, SANCTIONS, AND COMPLIANCE REQUIREMENTS
The Platform is committed to operating in full compliance with international standards for Anti-Money Laundering (AML), Counter-Terrorism Financing (CTF), and sanctions enforcement, despite offering a non-custodial and registration-free service. The following provisions apply to all Users of the Platform and form a material part of this Policy.
- Regulatory Position and Risk-Based Approach. Although the Platform does not collect traditional Know-Your-Customer (KYC) information at onboarding, the Company reserves the right to implement enhanced due diligence (EDD) procedures in specific circumstances where required by law or where the Company identifies elevated transactional risks. Such procedures may include, without limitation, temporarily holding funds, requesting additional verification, or declining service.
- The Company uses a risk-based approach aligned with the recommendations of the Financial Action Task Force (FATF) to assess transactions in real time. Blockchain analytics tools may be employed to screen wallet addresses, transaction histories, or counterparties to detect potential involvement in illicit activities, including but not limited to: ransomware, darknet marketplaces, sanctioned entities, fraud or scam operations, and terrorism financing.
- Conditional Identity Verification (KYC). In accordance with our AML risk management framework, the Platform may require Users to undergo identity verification (KYC) if a transaction is flagged with a high-risk score based on our automated screening procedures. Such verification may be conducted through trusted third-party KYC providers and may include document-based or biometric checks, in compliance with applicable data protection regulations (e.g., GDPR, CCPA). Refusal to complete such verification may result in delayed execution or refund of the transaction. In some cases, the Platform is unable to issue a refund unless the User passes KYC verification.
- Prohibited Use by Sanctioned Persons or Jurisdictions. Users may not access or use the Platform if they are:
- subject to international sanctions (including but not limited to sanctions imposed by the United Nations, U.S. Department of the Treasury – OFAC, European Union, or UK HM Treasury),
- a citizen or resident of, or accessing the Service from, any country or territory subject to comprehensive sanctions (including but not limited to North Korea, Iran, Syria, Cuba, Crimea, Donetsk, or Luhansk),
- acting on behalf of any such persons or entities,
- citizens or residents of the United States of America,
- residents of countries where usage of cryptocurrency or usage of the Service is forbidden by applicable law.
By using the Platform, you affirm and warrant that you are not located in a restricted jurisdiction, are not a sanctioned individual or entity, and are not using the Services to conduct or facilitate any transaction with or for any such persons.
- Transaction Review and Blocking Rights. The Company reserves the right, in its sole discretion and without prior notice, to:
- delay or suspend the processing of any transaction that is flagged for potential AML or sanctions concerns;
- freeze assets temporarily while further review is conducted;
- reject transactions deemed suspicious, high-risk, or in violation of applicable law;
- report activity to competent financial intelligence units (FIUs) or law enforcement authorities, where required or appropriate.
In such cases, the Company shall not be liable for delays, losses, or any inability to complete the exchange arising from such compliance actions.
- User Representations and Cooperation Obligations. By using the Platform, you represent and warrant that:
- you are the lawful owner and ultimate beneficiary of the crypto assets involved in the exchange;
- all funds used are of legal origin and not associated with illicit conduct;
- you will cooperate with the Company in good faith if additional information or documents are required for legal or compliance reasons;
- you acknowledge that the Company is under no obligation to complete a transaction if it would result in a breach of law or regulatory standards.
- No Circumvention of Controls. Users are strictly prohibited from attempting to bypass, obfuscate, or otherwise manipulate the Platform's AML screening mechanisms or technical infrastructure, including by:
- initiating multiple transactions to avoid threshold-based detection,
- using privacy-enhancing tools (e.g., mixers, tumblers, or anonymizing protocols),
- submitting altered, falsified, or incomplete information.
- Any attempt to circumvent controls constitutes a material breach of these Terms and may result in immediate denial of access, permanent blocking of transactions, and referral to relevant authorities.
RISK-SCORE MODEL, SCREENING, AND HIGH-RISK FUNDS RESOLUTION
Risk-Score model and risk classification
- Risk-Score Model (Transaction Risk Assessment). Rabbit uses a risk-based transaction assessment approach. Each incoming deposit address and (where technically feasible) the inbound transaction is screened using an automated blockchain analytics tool (the “AML Analyzer”, defined below). Rabbit then assigns:
- an overall Risk Score (expressed as a numeric score and/or percentage reflecting the relative ML/TF risk of the received funds), and
- Risk Signals (also known as “risk marks”) reflecting exposure to specific risk categories (e.g., sanctions, scams, stolen funds, mixers) as identified by the AML Analyzer.
- Risk factors considered. Risk Score and Risk Signals are derived from (among other factors): address history and exposure to illicit clusters, transaction size, transaction frequency/patterns, and identified counterparties/entities associated with the flow of funds.
- Risk categories. For user transparency, Rabbit classifies Risk Scores into three user-facing levels:
- Low Risk: transaction may proceed (subject to routine monitoring).
- Medium Risk: transaction may be placed in compliance review.
- High Risk: transaction is cancelled and handled under the “High-Risk Funds Resolution and Refund” section below.
- Rabbit does not disclose the full internal weighting and rule logic used to generate Risk Scores and Risk Signals, as disclosure may enable circumvention of controls. However, Rabbit publishes the Risk-Score thresholds and user outcomes described below.
Risk thresholds and automated outcomes
- Acceptance threshold. Rabbit uses the following baseline thresholds for received funds:
- Accepted / proceed: Overall Risk Score < 70 (and Risk Signals do not exceed the category limits set below).
- High-risk / blocked: Overall Risk Score ≥ 70, or Risk Signals exceed the category limits set below.
- Category-based limits (Risk Signals). In addition to the overall Risk Score, Rabbit applies category gating based on Risk Signals produced by the AML Analyzer. Rabbit’s baseline category model is:
- Zero-tolerance (0%) categories: Child exploitation, terrorism financing, ransomware/extortion, and other categories designated by the AML Analyzer as “critical” (including cases where sanctioned addresses/entities are directly implicated).
- Limited-tolerance categories: For categories such as darknet market/service, enforcement actions, fraudulent exchange, illegal service, mixing services, scams, stolen coins, and sanctions exposure, Rabbit may apply limited tolerance (low single-digit percentages) depending on the asset type, chain traceability, and prevailing typology risk.
- Disposition rules. If received funds are classified as high-risk, Rabbit will not complete the exchange. Instead, Rabbit will follow the refund/escalation outcomes below.
AML Analyzer and screening data sources
- AML Analyzer. Rabbit uses a commercial blockchain analytics and transaction monitoring solution to conduct wallet/transaction screening and Risk-Score generation.
- Current AML Analyzer provider: WAML
- Product / module (if applicable): https://wamlapp.com/
- What the AML Analyzer does. The AML Analyzer typically provides: attribution and clustering for blockchain addresses, typology/category exposure, sanctions screening, and risk scoring outputs used to support compliance decision-making.
- Updates and model drift. Rabbit may update the AML Analyzer provider, configuration, and scoring calibration to reflect new risk typologies, new sanctions designations, and improved attribution datasets. Any material changes to thresholds or user outcomes will be reflected in an updated version of this policy.
High-risk funds resolution without KYC
- No KYC/SoF for high-risk funds (current operating rule). At this time, Rabbit does not conduct KYC or Source-of-Funds/Source-of-Wealth procedures for transactions where received funds are classified as high-risk under this policy. Rabbit’s default resolution is cancellation and refund (subject to legal constraints).
- Permitted information requests (refund execution only). Where needed to execute a refund safely and correctly, Rabbit may request limited information that does not constitute identity verification, such as:
- the order reference,
- inbound transaction hash, and
- confirmation of the refund address (as described below).
Compliance review stages and timeframes
- Stage one: automated screening. Screening is performed as part of Rabbit’s transaction processing and may occur before execution and/or immediately after deposit confirmation.
- Stage two: compliance review hold. If incoming funds are flagged as medium or high risk, the order may be placed on a compliance hold to confirm the Risk Score and determine the proper resolution.
- Target review time: within 24 hours of identifying the risk flag (subject to network confirmation delays and operational constraints).
- Maximum internal hold before resolution: 7 calendar days, unless escalation to competent authorities is required (see below).
- Stage three: resolution decision. At the end of the compliance review hold, Rabbit will apply one of the two acceptable outcomes:
- Refund to the sender/payer (within a reasonable time and with confirmation), or
- Escalation to competent authorities / financial intelligence / law enforcement, if required or appropriate.
- Rabbit does not retain user funds without a defined resolution pathway.
Refund terms for AML-flagged transactions
- Refund eligibility and destination. If a refund is approved, Rabbit returns funds as follows:
- Default: refund is sent back to the sender/payer address that originated the deposit.
- Alternative refund address: Rabbit may support a “refund address” field set at the time the order is created. Refunds will not be sent to a new address provided after the fact, except where Rabbit determines (in its discretion) that doing so is required for user protection and does not increase ML/TF risk.
- Refund initiation timing and confirmation. Rabbit will initiate an approved refund within 24 hours after:
- the refund decision, and
- confirmation of the refund destination per the rules above.
Rabbit will provide the user with on-chain confirmation (transaction hash) once broadcast.
- User responsiveness window. If Rabbit requires user confirmation of a refund address (e.g., to confirm the sender address or the pre-set refund address), Rabbit will provide a response window of 3 calendar days. If the user does not respond within that window, Rabbit will proceed with the refund to the original sender/payer address where technically feasible.
- Retention limit. Rabbit will not hold funds indefinitely. If a refund cannot be executed within 30 calendar days due to legal restrictions, sanctions concerns, or a competent authority request, Rabbit will treat the matter as an escalation case and proceed under the escalation pathway below.
Refund fees in AML cases
- Network fees. All refunds are subject to unavoidable blockchain network fees (paid to the relevant network/miners/validators). Network fees are not controlled by Rabbit and may vary materially.
- AML case handling fee (high-risk funds only). If a transaction is blocked due to high-risk AML classification and refunded, Rabbit may charge an AML case handling fee to cover operational and investigative costs. This fee is:
- Up to 5% of the blocked amount, not exceeding USD $100 equivalent, plus network fees.
- Fee limitation for good-faith customers / non-AML cases. Where Rabbit determines that the user’s funds are not confirmed as illicit and a refund is processed for non-AML reasons (or where an AML flag is cleared without suspicion), Rabbit will limit the deduction to network fees only.
- Rabbit will disclose any applied fees in the user communication for the affected order.
Escalation to competent authorities
- Escalation triggers. Rabbit may escalate a case to competent authorities / financial intelligence / law enforcement where required or appropriate, including (without limitation):
- confirmed sanctions exposure,
- credible theft/fraud reports,
- legal process or official request, or
- circumstances where a refund is prohibited by applicable law or would facilitate ML/TF.
- Effect of escalation. If escalation is required, Rabbit may be obligated to maintain a hold on the assets and/or provide relevant transaction data to authorities, subject to applicable legal requirements and restrictions on user notification.
AML Compliance Philosophy
- While the Platform currently operates on a non-custodial, registration-free basis, the Company is committed to upholding core principles of anti-money laundering (AML) compliance. Transactions may be screened through third-party AML tools, and cooperation with regulatory authorities may be initiated in cases involving suspicious activity, as outlined in Section 9 (Legal Cooperation and Enforcement).
Relationship to the Terms of Service
- This AML/KYC Policy is a direct excerpt of the Rabbit.io Terms of Service (“Terms”) that has been placed in a separate document solely for convenience and ease of reference. It does not replace, modify, or expand upon the Terms in any way. The full and legally binding version of our AML/KYC obligations and requirements is contained within the Terms of Service, available at: https://rabbit.io/terms-of-use.
- In any legal or interpretative context, the Terms of Service shall take priority and remain the primary governing agreement. If any discrepancies arise between this document and the Terms, the wording and intent of the Terms of Service shall prevail.