Terms and Conditions

Effective date: Jan 07, 2026

Terms and Conditions of Bitcore Technologies (Pvt) Ltd

By accessing or using the Bitnomi portal, registering an account, or engaging in any services provided by Bitnomi (the "Company"), a Virtual Asset Service Provider ("VASP") incorporated and operating in Sri Lanka, you agree to be bound by these Terms and Conditions ("Terms"). These Terms are in compliance with the Financial Transactions Reporting Act, No. 6 of 2006 ("FTRA"), the Prevention of Money Laundering Act, No. 5 of 2006 ("PMLA"), the Convention on the Suppression of Terrorist Financing Act, No. 25 of 2005 ("CSTFA"), recommendations of the Financial Action Task Force ("FATF"), directives from the Central Bank of Sri Lanka ("CBSL") and the Financial Intelligence Unit ("FIU") of Sri Lanka, and other applicable laws and regulations in Sri Lanka (collectively referred as “Applicable Laws”)

If you do not agree to these Terms, you must not access the Portal or use our services. You must tick the box to confirm your acceptance before onboarding.

1. Introduction

The Company provides services related to virtual assets, including but not limited to exchange between virtual assets and fiat currencies, transfers of virtual assets, and safekeeping or administration of virtual assets (collectively, the "Services"). All Services are subject to regulatory oversight by the CBSL and FIU, and the Company is committed to implementing a risk-based approach to prevent money laundering ("ML"), terrorist financing ("TF"), and proliferation financing ("PF") in line with FATF standards and Sri Lankan laws.

These Terms govern your use of the Portal and Services. The Company may update these Terms to reflect changes in Applicable Laws, with notice provided via the Portal or email.

2. Definitions

Virtual Asset (VA): A digital representation of value that can be digitally traded or transferred and used for payment or investment purposes, excluding digital representations of fiat currencies, securities, or other financial assets regulated under existing laws (as defined by FATF).

Virtual Asset Service Provider (VASP): An entity that conducts one or more activities involving VAs on behalf of customers, as defined under FATF Recommendation 15.

Customer Due Diligence (CDD): Measures to verify customer identity, assess risks, and monitor transactions as required under FTRA, PMLA, and FATF.

Suspicious Transaction: Any transaction that may involve ML, TF, or PF, which must be reported to the FIU under FTRA Section 7.

Travel Rule: The requirement to obtain, hold, and transmit originator and beneficiary information for VA transfers exceeding thresholds set by FATF and local regulations.

3. Eligibility and Registration

You must be at least 18 years old and a resident of Sri Lanka or an eligible jurisdiction not subject to sanctions under Applicable Laws. To register, you must provide accurate information and complete CDD processes, including submission of identification documents (e.g., National Identity Card, passport), proof of address, and source of funds/wealth verification as required under FTRA Section 12 and FATF Recommendation 10.

The Company will conduct enhanced due diligence for high-risk customers, such as politically exposed persons ("PEPs"), in accordance with FATF Recommendation 12 and FIU guidelines.

Registration is subject to approval by the Company, and we reserve the right to reject or suspend accounts if CDD cannot be completed or if risks are deemed unacceptable.

You must update your information promptly if it changes and consent to ongoing monitoring.

4. User Obligations

You agree to use the Services only for lawful purposes and in compliance with Applicable Laws.

You must provide complete and accurate information during registration and for all transactions.

You authorize the Company to share your information with counterparties for VA transfers under the Travel Rule (FATF Recommendation 16), including originator name, account number, address, and beneficiary details. You must maintain records of your transactions for at least five years, as required under FTRA Section 16 and FATF Recommendation 11. You agree to cooperate with any investigations by the Company, FIU, CBSL, or law enforcement regarding suspicious activities.

5. Compliance and AML/CFT Measures

The Company implements a comprehensive Anti-Money Laundering/Combating the Financing of Terrorism ("AML/CFT") program in line with FATF Recommendations, FTRA, PMLA, and CSTFA. This includes: Application of the Travel Rule for VA transfers valued at or above USD/EUR 1,000 (or equivalent in LKR), ensuring secure transmission of required information.

You acknowledge that the Company may freeze assets, suspend Services, or terminate your account if suspicious activity is detected, without liability. The Company complies with sanctions regimes, including those from the United Nations and FATF-listed jurisdictions, and will not facilitate transactions involving prohibited entities.

6. Prohibited Activities

You must not use the Services for:

  • Any activity involving ML, TF, or PF, as defined under PMLA Section 3 and CSTFA.

  • Transactions with VAs derived from illegal sources.

  • Evasion of taxes, sanctions, or regulatory requirements.

  • High-risk activities without prior disclosure, such as dealings with non-regulated VASPs or jurisdictions with weak AML/CFT controls (FATF "grey list" or "black list").

  • Misrepresentation of identity or use of anonymous accounts.

  • Any other activity prohibited under Applicable Laws or CBSL directives. 

Violation may result in immediate account termination, asset forfeiture, and reporting to authorities.

7. Risk Acknowledgment

Virtual Assets (VAs) are high-risk and volatile; their value may fluctuate significantly. The Company does not guarantee returns or protect against losses. You acknowledge risks including market volatility, cybersecurity threats, regulatory changes, and potential loss of access to VAs due to technical issues. In line with CBSL public awareness notices, there are limited regulatory safeguards for VAs in Sri Lanka, and you use the Services at your own risk.

The company operates a non-custodial model. Once virtual assets are transferred to your personal wallet or withdrawn from the Portal, the Company has no control over them. You are solely responsible for the security of your private keys, seed phrases, and wallet addresses. 

Scams and Fraudulent Activities: The company is not liable for any losses you incur if you:

  • Transfer virtual assets purchased or held through our services to fraudulent addresses, scam projects, fake investment schemes, phishing sites, or any third-party scams.

  • Become a victim of social engineering, rug pulls, pump-and-dump schemes, or any other fraudulent activity after completing a transaction on our portal.

  • Engage with unregulated or fraudulent entities, DeFi protocols, NFTs, or other high-risk products outside our platform.

The company implements robust Customer Due Diligence (CDD), transaction monitoring, and risk-based controls to prevent the onboarding of bad actors and to detect suspicious activities. We will make our best efforts to identify and block users with prior involvement in scams or fraudulent behavior. However, no system is infallible, and we cannot guarantee that all bad actors will be prevented from using the Services.

You are solely responsible for conducting your own due diligence before transferring virtual assets to any external address or engaging in any transaction outside the Portal. The Company does not endorse, verify, or take responsibility for any third-party projects, wallets, or services.The Company is not liable for losses arising from these risks, including but not limited to scams, fraud, hacking of your personal wallet, or mistaken transfers to incorrect addresses.

Private Key and Seed Phrase Management: It is your sole responsibility to adequately back up and secure your private keys or seed phrases. Any losses resulting from incorrect or inadequate backup, loss, or compromise of these keys/phrases are not the Company's responsibility. The Company does not store, access, or control your seed phrases or private keys, and therefore bears no obligation to secure them on your behalf.

Device Security Risks: Any breaches of your seed phrase or private keys due to your mobile device being compromised (e.g., through malware, unauthorized access, or loss of the device) will not hold the Company liable. While the Company encrypts the storage of relevant data within the app to enhance security, the risk of breaches is not zero, particularly if the underlying mobile device is compromised. You are responsible for maintaining the security of your devices and using best practices such as enabling biometric authentication, using secure passwords, and keeping software updated.

8. Termination and Suspension

You may terminate your account at any time, subject to settlement of obligations. The Company may suspend or terminate your account for violations of these Terms, non-compliance with CDD, suspicious activity, or regulatory requirements. Upon termination, you must withdraw any remaining VAs within a reasonable period; unclaimed assets may be handled as per Applicable Laws.

9. Limitation of Liability

To the maximum extent permitted by Sri Lankan law, the Company, its directors, officers, employees, and agents shall not be liable for any direct, indirect, incidental, special, consequential, or punitive damages, including but not limited to:

  • Losses resulting from your transfer of virtual assets to scam addresses or fraudulent entities.

  • Losses due to your interaction with third-party scams, phishing attempts, or fraudulent investment schemes after using our services.

  • Losses arising from the non-custodial nature of the Services, including but not limited to loss of private keys, wallet compromises, or irreversible transactions.

  • Losses from inadequate backup or compromise of your private keys or seed phrases.

  • Losses due to breaches stemming from your mobile device's security vulnerabilities.

Our total liability in any circumstance is limited to the value of the fees paid by you to the Company in the three (3) months preceding the event giving rise to the claim.

The Company shall not be liable for losses arising from force majeure events (e.g., regulatory changes, cyberattacks beyond our reasonable control) or from your failure to secure your account, wallet, private keys, seed phrases, or devices.

10. Governing Law and Dispute Resolution

These Terms are governed by the laws of Sri Lanka. Disputes shall be resolved through negotiation, failing which, by arbitration in Colombo under the Arbitration Act, No. 11 of 1995, or courts in Sri Lanka.

11. Amendments

The Company may amend these Terms with 14 days' notice. Continued use constitutes acceptance.

12. Non-Custodial Nature of Services

The company provides non-custodial wallet services, meaning we facilitate the creation and management of wallets where you, the user, retain full control and ownership of your private keys and seed phrases. In a non-custodial model:

  • The wallet is generated on your device (e.g., via the app or portal).

  • Private keys and seed phrases are created client-side and never transmitted to or stored on our servers.

  • We do not have access to, custody of, or control over your virtual assets, private keys, or seed phrases at any time.

This model empowers you with complete sovereignty over your assets but places the full responsibility for security on you. Upon completion of a purchase, withdrawal, or transfer, full control and ownership of the virtual assets pass irrevocably to you or the designated recipient wallet.

You acknowledge that blockchain transactions are irreversible. The company cannot recover, reverse, or refund virtual assets sent to an incorrect or fraudulent address. You are solely responsible for verifying wallet addresses, transaction details, and the legitimacy of recipients before confirming any transfer.

Seed Phrase and Private Key Security: As the wallet is non-custodial, you must ensure that your seed phrase (a series of words used to recover your wallet) and private keys are adequately backed up and stored securely (e.g., in a safe physical location or encrypted digital vault). The company does not store these on your behalf and cannot assist in recovery if they are lost, stolen, or compromised.

App Encryption and Limitations: While the app employs encryption for any temporary or local storage of wallet-related data on your device, this does not eliminate all risks. Breaches can occur if your mobile device is compromised (e.g., via hacking, theft, or malware). The probability of such breaches is not zero, and the Company cannot be held liable for any resulting losses

13. Acceptance and Onboarding

By ticking the box and proceeding with onboarding, you confirm that you have read, understood, and agree to these Terms. You also consent to electronic communications and acknowledge that these Terms form a binding agreement.