What Happens to Your Exchange Data After You Move Crypto to Self-Custody?
DAC8 Compliance · Updated 2026-07-17 · 10 min read
On this page
TL;DR:
- Moving crypto to self-custody changes who holds the asset, not what the exchange already has on file. Self-custody removes the asset from the exchange’s custody and from its live account balance. It does not remove historical balance, transaction, identity, or withdrawal-address records already retained by the exchange.
- Closing the account does not immediately erase the identity and transaction records the exchange must retain. EU anti-money-laundering rules require covered crypto platforms to keep customer identification documents and transaction records for five years after the customer relationship ends — and member states can extend that. Under an applicable five-year retention period, closing an account in 2026 may mean certain records remain into 2031.
- A withdrawal to your own wallet is recorded — but that is not the same as being monitored. The exchange that processed the withdrawal does not thereby become a permanent reporter of every later transaction made by that wallet. Later interactions with a CASP (crypto-asset service provider) may create new records and reporting events of their own.
You have already used a KYC exchange and withdrawn. What data remains behind?
Say you opened an account at an EU exchange in 2021. To get verified, you handed over a passport photo, a selfie, your home address, and a bank card — that process is called KYC: the checks and information a platform uses to confirm who you are. In June 2026 you moved everything to a self-custody wallet, and then closed the account as well. The crypto is now at an address you control. It is a clean break in custody — but not in data retention.
Understanding why matters for one practical reason: the exchange’s file may connect verified identity and address information with account and balance history. If that file ever leaks, you cannot fix it the way you fix a leaked password. A password can be rotated in a minute. Core identity facts and historical verification records cannot be made obsolete the same way. We’d call this non-rotating identity data: core identity facts and historical verification records — such as date of birth, previously submitted ID images and past verified addresses — that cannot be neutralised simply by changing a credential.
This page maps what an exchange keeps after you leave, which parts of it may be reported or transmitted, and which layer of risk actually changes when you move to self-custody. The aim is to help you tell apart the risks that moving your crypto reduces from the risks that only better decisions about your data can reduce.
What your exchange keeps — and which parts may be reported
Start with what is actually in the file. It often contains more than identity documents alone, and it splits into four categories.
Identity and verification data. The KYC layer: legal name, date of birth, identity document images, selfies, home address, and often tax identification numbers. Collected to meet identity-verification, anti-money-laundering and related compliance requirements, with the exact fields varying by platform and customer risk.
Account and balance history. What you held, when, and how much it was worth — including balance snapshots that persist after the balance itself goes to zero.
Trading, withdrawal and transfer records. Records of trades, deposits and withdrawals processed through the account, including destination addresses used for withdrawals.
Device, access and risk data. Platforms may also record device identifiers, IP-linked session data, login activity, site interactions and risk signals. Not every field is specifically mandated by law: platforms collect different combinations for account security, fraud prevention, compliance, service operation and product analytics. Coinbase’s public privacy documentation, to take one major platform’s example, lists “online behaviors,” device data and activity logs among the categories a customer can request access to.
The next distinction is where each part of the file goes. The four categories above do not map one-to-one onto destinations; the same piece of data can sit in several channels at once.
Most of the file stays in the exchange’s internal records. A defined slice is reported to tax authorities under DAC8 — the EU rule under which covered crypto platforms report specified customer and transaction information through the applicable tax authority, after which the information may be exchanged between tax authorities — covering activity from the 2026 reporting period onward. The information covered by that reporting is specific: identity data such as name, address, tax residence and taxpayer identification number, plus aggregate transaction data per crypto-asset type and transaction categories. It is narrower than everything the platform holds — our reference on DAC8 and self-custody withdrawals explains when and how the first reports move through the system.
A separate slice accompanies regulated transfers under the EU Travel Rule (TFR — the rule that requires transfers to carry identifying information about the sender and the recipient). The obligations here fall on CASPs — crypto-asset service providers, the regulated category that can include exchanges, custodians and providers offering crypto-to-fiat exchange services. For transfers involving self-hosted wallets above €1,000, CASPs must also assess, where applicable, whether the address is owned or controlled by the customer involved in the transfer. The “address” being assessed there is what the rules call a self-hosted address — an address controlled through a wallet you manage yourself, the kind this article’s example moved to.
And beyond both channels, platforms may also be required to provide additional records in response to lawful, case-specific requests from competent authorities.
One real incident shows what the internal layer contains when it surfaces. In May 2025, Coinbase disclosed — in a filing with the U.S. Securities and Exchange Commission — that individuals working in overseas support roles had been bribed to obtain data from internal systems. The compromised data included names, addresses, phone numbers and emails; masked Social Security numbers; masked bank-account identifiers; government-ID images; and account data including balance snapshots and transaction history. A separate regulatory notification put the number of affected customers at 69,461. No passwords or private keys were taken, and the exposed data did not itself provide direct access to customer funds. The lasting exposure was the identity and account-information layer — a real breach shows why the distinction matters: identity records and account information may remain valuable long after a password has been changed.
The practical takeaway from the map: what your tax authority receives automatically is a defined slice. The broader exposure comes from the larger set of data the platform retains, not only the fields reported automatically.
Does closing your account delete your data?
Not the records that matter here. Closing an exchange account does not normally erase the identity, transaction and transfer records the platform is legally required to retain — though some other data, such as marketing preferences or survey responses, may be deleted or anonymised on request.
The reason is not platform policy but EU anti-money-laundering law. Crypto platforms that are obliged entities under the EU anti-money-laundering framework must keep copies of customer identification documents and transaction records for five years after the end of the business relationship, and member states may extend that by up to five more years. The EU’s new directly applicable anti-money-laundering regulation carries the core retention framework forward when it begins applying in July 2027. So, in the example this article opened with: if the applicable retention period is five years from the end of the customer relationship, closing the account in June 2026 may mean certain records remain until at least mid-2031 — longer where a member state has extended the period, and longer still if a dispute or investigation intervenes.
Think of it the way you’d think of a bank: closing the account ends the relationship, it does not shred the file. What closing an account does change is the future. Ordinary trading, balance and account-session data generally stops accumulating. The historical record remains, even though ordinary account activity has stopped.
Closing an account can stop new data from accumulating. It is not a way to erase the historical record — and knowing that tells you where your real options are, which is where this article ends up.
Can the exchange still see my wallet after I withdraw?
On a public blockchain, anyone — including your former exchange — can look at any address. But “can look at a public ledger” and “has an ongoing reporting relationship with your wallet” are two very different things, and collapsing them is a common misreading in this area.
Pull the event apart into three layers:
The withdrawal is recorded. When you moved your crypto out, the exchange recorded that transfer — amount, asset, destination address — as part of its transfer and account records, the same category of record described above.
The record may feed applicable reporting. Depending on which rules apply, information about that transfer or about you as a customer may have to be retained, transmitted alongside the transfer, or reflected in periodic reporting. These are different regimes with different rhythms — a Travel Rule data packet is not a tax report — and they attach to the event and the customer relationship, not to your wallet as such. Our DAC8 withdrawals reference covers which of these flows automatically and which does not.
Later wallet activity is not automatically an exchange report. The exchange that processed the withdrawal does not thereby become a permanent reporter of every later transaction made by that wallet. Later interactions with a CASP may create new records and reporting events of their own.
Two honest caveats keep this from being too comfortable. Whether tax authorities or analytics firms can re-associate your later on-chain activity with the withdrawal record is a separate question — a public ledger means observation is always possible, even where no reporting obligation exists. And each covered provider you later use may create its own records and may have its own reporting obligations, depending on the service, the transaction and the applicable rules: the data relationship with your old exchange winds down; new ones begin wherever you go next.
The boundary: withdrawing to self-custody is an ordinary, lawful action. It may still be screened or reviewed like other transfers, but it does not by itself create a permanent reporting relationship between the exchange and every later transaction made by the wallet.
What self-custody actually changes — and what it doesn’t
For the person in our example, three things changed and three did not.
What changed: custody and control of the asset — the exchange no longer holds it or shows it as a live customer balance; the forward surface — with the account closed, ordinary trading, balance and session data generally stops accumulating; and the shape of future exposure — there is no live balance for a future incident at that exchange to capture.
What did not change: the historical KYC, balance and transaction records, for as long as retention law holds them — and additional compliance or administrative records may still be created even after closure; the possibility that this historical file leaks; and your tax obligations. Moving to self-custody changes where your assets sit — it does not change what you owe. As our DAC8 reference puts it, reporting rules change what the tax authority knows, not what is owed.
Taken together: the move reduces future custody exposure and limits the new account data held by that exchange. It does not erase the historical file, and it does not prevent public blockchain activity from being observed elsewhere.
Self-custody removes assets from the exchange’s control, not your historical identity and transaction records from its systems. It explains both the forward-looking protection self-custody can provide and the backward-looking exposure it cannot remove.
Your situation → your options
You still hold most of your crypto on an exchange and haven’t moved yet. Know before you move what will stay behind: everything above. The actions that change your forward surface are reducing the standing balance you keep on-platform, closing idle accounts, and avoiding unnecessary duplicate accounts and identity submissions at services you do not plan to use. Where this doesn’t apply: if you still need a fiat on/off-ramp, keeping one verified account is a reasonable cost — see our reference on replacing exchange functions for what moves and what stays.
You already moved, and the historical data is what worries you. You cannot recall it, but you can bound it. Download and keep your own copies of transaction and withdrawal history — including from accounts you’ve closed — read the platform’s account-closure and retention policy so the timeline holds no surprises, and don’t expect withdrawal or closure to reset anything to zero. What not to do: don’t let discomfort with KYC push you toward unregulated no-KYC venues; that may replace a data-retention concern with a more serious counterparty and recovery risk.
A breach or a news story about physical attacks on crypto holders scared you. Separate the layers. Moving the asset protects against future exchange-custody exposure, but it does not remove the identity risk already stored in the exchange’s KYC file. Rotate what rotates: passwords, two-factor methods, linked email. For what doesn’t rotate, raise your guard against targeted phishing that quotes your real details, and watch for the platform’s formal remediation. Personal physical-security practice matters and has its own literature; it is beyond what this reference covers.
You hesitated to withdraw because you’d heard it gets you flagged. A withdrawal can be recorded and screened without placing the wallet into a permanent reporting relationship with the exchange. The important distinction is between a transfer entering compliance records and the exchange becoming a continuing reporter of all later wallet activity — the boundary section above walks through it, and the DAC8 withdrawals reference is the fuller map of the reporting pipeline itself.
FAQ
Can I ask the exchange to delete my data under GDPR?
You can ask, but the right to deletion is not absolute. Under EU data-protection law, an exchange may refuse to delete records it must retain to comply with legal obligations — such as the retention periods described above — while deleting or restricting other data that is no longer necessary. One major platform’s public privacy documentation illustrates the split: categories like marketing data and survey responses can be deleted freely, while deletion of identity or transaction data requires closing the account, and data subject to regulatory retention is not deleted until those requirements have been met.
If my exchange had a breach, what should I actually do?
Change what can be changed — password, two-factor method, linked email — even if the platform says credentials weren’t taken. For what can’t be changed, assume targeted phishing will eventually quote real details from the leak — and treat such details as evidence of possible targeting, not as proof that a message is genuine. The fact that a message knows your address or balance does not make it your platform’s support team. Use the platform’s formal remediation, such as credit monitoring or dedicated support, where offered.
Is my data safer at a small exchange than a big one?
Size alone is not a reliable measure of data safety. What determines your exposure is what the platform collects, how much it centralises, how long it retains it, and how it controls internal and vendor access. The useful comparison is privacy-policy substance, not brand size.
DeGate develops a multichain self-custody wallet. This reference is intended to explain both what self-custody changes and what it does not. It is not legal, tax, or security advice; retention periods, platform policies, and reporting rules vary by member state and change over time. Verify against the primary sources below or with a qualified adviser.
Questions this reference answers
The specific questions this page is written to address — useful as a jump-off for what to look up next.
- What data does an exchange keep after you withdraw crypto to self-custody?
- Does closing an exchange account delete your KYC and transaction records?
- Can the exchange still see or report your wallet after you withdraw?
- What did the 2025 Coinbase breach expose, and why does it matter for self-custody?
- Can you ask an exchange to delete your data under GDPR?
- What does moving to self-custody actually change about your data exposure?
Sources
Primary statutes, official guidance, and dashboards cited above. Each links to the canonical source so you can verify what we’ve said.
Legislation & primary statutes
- Directive (EU) 2015/849, Art. 40 (AMLD — CDD document and transaction-record retention for five years after the end of the business relationship; member-state extension of up to five further years)· EU
- Regulation (EU) 2024/1624 (AMLR — carries the core retention framework forward when it begins applying in July 2027)· EU
- Directive (EU) 2023/2226 (DAC8)· EU
- Regulation (EU) 2023/1113 (Transfer of Funds Regulation)· EU
Administrative guidance
- Coinbase Global, Inc. — Form 8-K, Item 1.05 Material Cybersecurity Incident (filed 2025-05-15; affected data categories, overseas support personnel, no passwords or private keys compromised)· US · 2025-05-15
- SecurityWeek — Coinbase Says Rogue Contractor Data Breach Affects 69,461 Users (May 21, 2025; figure from the mandatory notification filed with the Maine Attorney General)· US · 2025-05-21
Last updated on July 17, 2026. Written by DeGate Editorial Team.
Corrections and primary-source updates welcome at corrections@degate.com .
Related references
Do Exchange Withdrawals to Self-Custody Get Reported Under DAC8?
A reference on DAC8 reporting and self-custody for European crypto-asset users moving funds off centralized exchanges in 2026.
Where Do European Crypto Exchanges Report Under DAC8?
A reference on DAC8 reporting paths — same member state, cross-border EU exchange, and non-EU CASPs — and why exchange location is not a loophole.
Best CEX Alternatives for Self-Custody in 2026: How to Move Off Coinbase or Binance Safely
How to move off Coinbase or Binance to self-custody in 2026 — which CEX alternative fits your use case, and how to migrate without losing funds.
What MiCA Changes About Leaving a Centralized Exchange — and What It Doesn't
How MiCA reshapes the CEX-versus-self-custody choice for EU users: what it changes on the exchange side, what it leaves untouched in self-custody.