This Privacy Policy describes our policies and procedures on the collection, use, and disclosure of your information when you use our Services and tells you about your privacy rights and how the law protects you. By using or accessing the Services in any manner, you acknowledge that you accept the practices and policies outlined in this Privacy Policy and you hereby consent to our collection, use, and sharing of your information as described below to the extent consent is a valid legal basis in your jurisdiction.

Remember that your use of our Services is at all times subject to our General Terms of Service (the “General Terms”), which incorporate this Privacy Policy. Any terms used in this Privacy Policy without defining them have the same definitions given to them in our General Terms and any applicable service-specific terms that are incorporated into our General Terms.

This Privacy Policy is intended to meet our duties under applicable privacy laws, including the General Data Protection Regulation (“GDPR”) and applicable U.S. state privacy laws, such as the California Consumer Privacy Act as amended (“CCPA/CPRA”), to the extent applicable.

As a general guide, this Privacy Policy is intended to describe our practices regarding:

1. Collecting and Using Your Personal Data
2. Use of Your Personal Data
3. Retention of your Personal Data
4. International Transfer of your Personal Data
5. Disclosure of Your Personal Data
6. Security of Your Personal Data
7. Analytics and Email Marketing
8. Your Rights
9. Children’s Privacy
10. Links to Other Websites
11. Changes to this Privacy Policy
12. Contact Us
13. Tracking Technologies and Cookies

WHO WE ARE

Data Controller / Business

Emittendo is the data controller responsible for your Personal Data (collectively referred to as “Emittendo”, “we”, “us” or “our” in this Privacy Policy).

Our full company details are:

• Legal entity name: Emittendo GmbH
• Registered office: Kaiserswerther Markt 6, 40489 Düsseldorf
• Email address: support@emittendo.com

You can contact us at the above address if you have any questions about this Privacy Policy or if you would like to exercise any of your rights under Data Protection Laws (as described below).

1. COLLECTING AND USING YOUR PERSONAL DATA

1.1 What is “Personal Data”?

“Personal Data” means any information that identifies you or can reasonably be used to identify you (directly or indirectly). Depending on your jurisdiction, certain categories may be treated as “Sensitive Personal Data” (U.S.) or “Special Categories of Personal Data” (GDPR).

1.2 Information Collected From You

We collect the following information that may enable us to identify you personally (“Personal Data”) from you when you use our Services.

Table 1 — Information Collected From You

| Type of Personal Data Collected | Personal Data Collected | | ----- | ----- | | Identity and Contact Data | Legal names, username or other identifiers, email, phone number, address, residency or citizenship information, date of birth, gender, title, picture or video (including audio recordings), copies of tax and other identification documents, tax identification or reference numbers, passwords, KYC details, demographic information, occupation status and title, government documents, and other information related to your identity or method of contacting you personally. | | Biometric Information | If, as part of identity verification, you provide selfie videos and/or identification documents that include biometric identifiers, you acknowledge that we (or our verification provider) may extract and process biometric information contained therein (including facial geometry data) for identity verification and fraud prevention, where permitted by law. You understand and acknowledge that we may store underlying images, video and related biometric information to the extent necessary for these purposes and as described in this Privacy Policy. | | Social Media / Online Presence / Social Data and Other Content Containing Personal Data | References or links to social media accounts, personal websites, blogs, other online presence materials that may identify you; identity and contact information for friends or contacts you may refer; messages and other communications you send to other users using our Services; public-facing profile information; and other content you post on the Services that constitutes “Content” under our Terms. | | Professional, Financial, Investment, and Transactional Data | Bank account details, payment information, crypto wallet addresses (if provided), historical transaction or blockchain transactional data (if relevant), employment details, investment experience details, objectives and preferences you provide, educational/professional history, professional interests and accolades, tax information required for reporting to competent authorities (where applicable), and other historical financial/professional/investment data you provide. | | Communications and Support Data | Messages to support, emails, chat messages, requests, complaint records, and other communications with us. | | Usage and Technical Data (automatically collected) | IP address, device identifiers, browser type, operating system, time zone and location (approximate), referral URLs, pages viewed, actions taken within the Services, log files, and diagnostic data. | | Public/Interactive Areas Notice | Please be aware that when you use certain social or interactive features (e.g., messaging other users, commenting in groups publicly), any Personal Data you provide may be considered “public,” unless otherwise required by applicable law, and may not be subject to the same privacy protections. Please exercise caution before revealing information that may identify you to other users. |

1.3 Aggregated / De-identified Data

When you use our Services, we may also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your Personal Data, but once aggregated it does not directly or indirectly reveal your identity. However, if we associate aggregated data with Personal Data in a way that can identify you, we treat it as Personal Data.

1.4 GDPR Special Categories / Sensitive Personal Data

We ask that you do not submit GDPR “Special Categories of Personal Data” (e.g., health, political opinions, religion, etc.) unless expressly requested as part of a lawful process. Some Personal Data we collect may be treated as “Sensitive Personal Data” under U.S. state privacy laws. We use and disclose Sensitive Personal Data for business/compliance functions and other legally authorized purposes. If you submit Special Categories of Personal Data, you agree that this Privacy Policy applies to it.

2. USE OF YOUR PERSONAL DATA

2.1 How We Use Your Personal Data

We generally use your Personal Data for the following purposes (as applicable):

• To provide, maintain, and improve our Services, including monitoring usage, remedying security/technical issues, and analyzing performance.
• To manage your Account, including registration, authentication, and access to features.
• For the performance of a contract, including development, compliance, and undertaking of contracts and transactions through the Services.
• To maintain legal and regulatory compliance, including where applicable anti-money laundering, sanctions, securities, tax, and other financial laws.
• To contact you and manage your requests, including service messages, security notices, and support communications.
• To provide news, special offers, and general information (marketing) where permitted and unless you opt out.
• To respond to law enforcement requests and as required by law.
• For internal administrative and auditing purposes.
• To detect security incidents and protect against malicious, deceptive, fraudulent, or illegal activity, including to prosecute those responsible.
• For business transfers, such as merger, acquisition, divestiture, reorganization, dissolution, bankruptcy, or sale/transfer of assets, where Personal Data may be among the transferred assets.
• Automated Decision Making, including profiling (e.g., for determining eligibility or qualification status following completion of questionnaires), as described below.

2.2 Automated Decision Making

We may engage in automated decision making, including profiling (e.g., determining eligibility, screening outcomes, or qualification flags based on information you provide). Our processing of your Personal Data will not result in a decision based solely on automated processing that significantly affects you or your legal rights unless such a decision is necessary as part of a contract we have with you, we have your consent, or we are permitted by law to engage in such automated decision making (e.g., Article 22 GDPR).

If we have made a decision about you based solely on an automated process that significantly affects you, you may request human intervention and contest the decision, to the extent required by law. We may be unable to continue providing certain Services if we cannot process necessary data.

2.3 Sharing Content with Friends / Referrals (if enabled)

Our Services may offer referral tools that allow you to share content with a friend or colleague. Please only provide us contact information of people with whom you have a relationship and whose authorization you have to provide their Personal Data, and after having provided them with this Privacy Policy.

2.4 Legal Bases Required for Processing (GDPR)

Where GDPR applies, the legal bases we rely on depend on the Services you use and how you use them. Our legal bases may include:

• Necessity for the Services (to operate the Services and provide support);
• To perform a contract (or to protect vital interests);
• Legitimate interests (appropriately weighed against your data protection interests), such as R&D, marketing, and protecting our legal rights;
• Legal or regulatory obligations (e.g., AML laws, sanctions screening, recordkeeping); or
• Your consent (where we seek it for an explicit purpose).

Where we need to process your Personal Data to provide the Services, perform a contract, or satisfy legal obligations, and you fail to provide the data as needed, we may be unable to provide the Services.

3. RETENTION OF YOUR PERSONAL DATA

We will retain your Personal Data only for as long as is reasonably necessary to fulfill the purpose for which we collected it, including for the purpose of complying with our legal obligations, resolving disputes, and enforcing our legal agreements and policies. We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you.

4. INTERNATIONAL TRANSFER OF YOUR PERSONAL DATA

Your information, including Personal Data, is processed at our operating offices and in any other places where the parties involved in processing are located. This means your information may be transferred to and maintained on computers located outside your state, province, country, or other governmental jurisdiction.

We take commercially reasonable steps to ensure your data is treated securely and in accordance with this Privacy Policy, including ensuring that service providers processing Personal Data have appropriate contractual protections (e.g., data processing addenda) and maintain policies required to comply with applicable law.

EEA/UK Transfers: Whenever we transfer your Personal Data out of the UK or EEA to service providers or any other third party, we ensure a similar degree of protection is afforded to it by ensuring appropriate safeguards are in place, for example:

• transfers to countries deemed adequate by regulators; or
• use of approved standard contractual clauses.

5. DISCLOSURE OF YOUR PERSONAL DATA

We require third parties to respect the security of your Personal Data and to treat it in accordance with the law. We do not allow third-party service providers to use your Personal Data for their own purposes and only permit them to process it for specified purposes and in accordance with our instructions.

We may share your Personal Data in the following situations and may have disclosed it within the preceding 12 months:

5.1 With Service Providers

We may share Personal Data with service providers from time to time, including:

• IT & website hosting; communications and analytics; identity / KYC / eligibility verification service providers;
• professional advisors such as tax or legal advisors (e.g., to establish, exercise, or defend legal claims);
• consultants, insurance companies/claim managers, and accountants;
• agents, suppliers, subcontractors, and associated organizations engaged to help deliver Services.

5.2 With Affiliates

We may share Personal Data with our affiliates, in which case we will require those affiliates to honor this Privacy Policy.

5.3 With Business Partners

We may share Personal Data with business partners to offer you certain products/services/promotions you requested, or products/services offered jointly.

5.4 Advertising Partners

We may share Personal Data with third-party advertising partners for purposes of promoting our Services. These partners may set Tracking Technologies on our Services to collect information about your activities and device (e.g., IP address, cookie identifiers, pages visited, location, time of day) and use this information to deliver personalized ads across their networks.

If you do not use advertising/retargeting, remove this section.

5.5 With Other Users

When you share Personal Data or otherwise interact in public areas with other users, such information may be viewed by other users and may be publicly distributed outside. If you interact with other users or register through a third-party social media service, your contacts may see your name, profile, pictures, and activity descriptions.

5.6 With Your Consent

We may disclose Personal Data for any other purpose with your consent.

5.7 Business Transactions

If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase/sale of assets, or transition of service to another provider, your information may be sold or transferred as part of such transaction, as permitted by law and/or contract.

5.8 Disclosures to Protect Us or Others

We may access, preserve, and disclose information we store associated with you to external parties if we, in good faith, believe doing so is required or appropriate to:

• comply with law enforcement, national security requests, or legal process (e.g., court order or subpoena);
• protect your, our, or others’ rights, property, or safety;
• enforce our policies or contracts;
• collect amounts owed to us; or
• assist with investigation or prosecution of illegal activity;
  or as otherwise required by law.

6. SECURITY OF YOUR PERSONAL DATA

The security of your Personal Data is important to us, but remember that no method of transmission over the internet or method of electronic storage is 100% secure. We strive to use commercially reasonable means to protect Personal Data, including industry-standard safeguards, confidentiality obligations for service providers, and limiting access to those who require it to provide Services. Despite these measures, we cannot guarantee absolute security or that your information will not be accessed, disclosed, or destroyed by a breach of safeguards.

By using our Services or providing Personal Data to us, you agree that we may communicate with you electronically regarding security, privacy, and administrative issues. If we learn of a security breach, we may attempt to notify you electronically by posting a notice on our Services, by mail, or by sending an email to you.

7. ANALYTICS AND EMAIL MARKETING

7.1 Analytics

We may use third-party service providers to monitor and analyze the use of our Services (e.g., to understand traffic and product usage). For example, Google Analytics tracks and reports site traffic and may share data with other Google services, and may use collected data to contextualize and personalize ads within Google’s advertising network. You may opt out of Google Analytics as described in Google’s materials and by using available opt-out tools. You may also opt out of other analytics providers by following their privacy policies or website instructions. If you cannot identify the relevant information and would like to opt out, contact us.

7.2 Email Marketing

We may use your Personal Data to contact you with newsletters, marketing or promotional materials, and other information that may be of interest to you. You may opt out by using the unsubscribe link in any email we send or by contacting us. Note that you will continue to receive important transactional or administrative emails (e.g., notifications of updates to this Privacy Policy).

8. YOUR RIGHTS

8.1 Your Legal Rights (General)

Depending on the law in your jurisdiction, you may have rights including:

• request access to your Personal Data (including disclosures about categories/sources/purposes/recipients in the preceding 12 months where applicable);
• request correction of inaccurate Personal Data;
• request erasure/deletion (subject to legal retention needs);
• object to processing (especially where based on legitimate interests or for direct marketing);
• restrict processing;
• request portability;
• withdraw consent (where processing is based on consent);
• request to limit use and disclosure of Sensitive Personal Data (where applicable under U.S. laws);
• opt out of “selling” or “sharing” for cross-context behavioral advertising (where applicable).

8.2 Exercising Your Rights

You may exercise your rights by contacting us at: support@emittendo.com

What we may need from you: We may request specific information to confirm your identity and ensure your right to access Personal Data (or exercise rights). This is a security measure to prevent disclosure to unauthorized persons. We may contact you for additional information to speed up our response.

Time limit to respond: We try to respond to legitimate requests within one month (and as required by law). It may take longer if requests are complex or numerous; in that case we will notify you and keep you updated.

You have the right to complain to a Data Protection Authority about our collection and use of Personal Data (EEA users: contact your local authority).

We do not and will not discriminate against individuals for exercising rights described above.

8.3 Personalized Ads / Opt-Out

Site opt-outs: You can opt out of receiving personalized ads served by certain providers through industry tools such as:

• NAI opt-out: networkadvertising.org/choices
• EDAA opt-out: youronlinechoices.com
• DAA opt-out: optout.aboutads.info

Opt-out places a cookie in your browser; if you change browsers or delete cookies, you must opt out again.

Mobile devices: Your mobile device may allow you to limit interest-based ads, e.g., “Opt out of Ads Personalization” (Android) or “Limit Ad Tracking / Ask app not to track” (iOS). You can also stop collection of location data by changing device settings.

8.4 “Do Not Track” Policy

Do Not Track (“DNT”) is a privacy preference available in some browsers. We do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers.

8.5 Sale of Personal Data (CCPA/CPRA)

We do not “sell” Personal Data as that term is commonly understood. That said, we may share information with third-party advertisers for the purpose of promoting our Services. To the extent such sharing is considered a “sale” or “sharing” under applicable law, you may opt out by disabling third-party cookies on your device or contacting us.

8.6 California “Shine the Light”

California residents with an established business relationship can request information once a year about sharing of Personal Data with third parties for their direct marketing purposes (where applicable). Contact us using the information below.

9. CHILDREN’S PRIVACY

Our Services do not address anyone under the age of 13 (or such higher age required by local law). We do not knowingly collect Personal Data from children. If you are a parent/guardian and are aware that your child has provided Personal Data, contact us. If we become aware we collected Personal Data from a child without required verification/consent, we take steps to remove it from our servers.

If we need to rely on consent and your country requires parental consent, we may require parental consent before collecting/using such information.

10. LINKS TO OTHER WEBSITES

Our Services may contain links to third-party websites not operated by us. If you click a third-party link, you will be directed to that site. We strongly advise you to review the privacy policy of every site you visit. We have no control over and assume no responsibility for third-party content, privacy policies, or practices.

11. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. We will notify you by posting the new Privacy Policy on this page and updating the “Last updated” date. We may also notify you via email and/or a prominent notice on our Services prior to effectiveness where appropriate. You are advised to review this Privacy Policy periodically. Changes are effective when posted.

12. CONTACT US

If you have any questions about this Privacy Policy, you can contact us by email at support@emittendo.com.

13. TRACKING TECHNOLOGIES AND COOKIES

We use cookies and similar tracking technologies to track activity on our Services and store certain information. For purposes of this Privacy Policy, “Tracking Technologies” includes beacons, tags, and scripts to collect and track information and to improve and analyze our Services.

The Tracking Technologies we use may include:

13.1 Cookies

A cookie is a small file placed on your device. You can instruct your browser to refuse all cookies or indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some parts of our Services. Unless you have adjusted your browser settings to refuse cookies, our Services may use cookies.

13.2 Web Beacons

Certain sections of our Services and emails may contain small electronic files known as web beacons (clear gifs, pixel tags, single-pixel gifs) that permit us to count users who have visited pages or opened emails and compile related statistics (e.g., popularity of certain sections, verifying system integrity).

13.3 Session vs. Persistent Cookies

Cookies can be “Persistent” or “Session” cookies. Persistent cookies remain on your device when you go offline, while session cookies are deleted when you close your browser. We use both types for the purposes set out below.

Table 2 — Cookies We Use

| Type of Cookie | Administered By | Purpose | | ----- | ----- | ----- | | Necessary / Essential Cookies | Us | Essential to provide services available through the Site and enable core features. Help authenticate users and prevent fraudulent use of accounts. Without these cookies, requested services cannot be provided. | | Cookies Policy / Notice Acceptance Cookies | Us | Identify whether users have accepted the use of cookies on the Site (or saved preferences). | | Functionality Cookies | Us | Remember choices you make (e.g., login state, language preference) to provide a more personal experience and avoid re-entering preferences. | | Analytics, Tracking and Performance Cookies | Third Parties (and/or Us) | Track traffic and how users use the Site. Information may directly or indirectly identify you because it is typically linked to a pseudonymous identifier associated with your device. May also be used to test new pages/features. | | Social Media Cookies | Third Parties | Used when you share information using a social widget/button or link your account or engage with content on social platforms. May also include code to track conversions from ads, optimize ads, build audiences, and remarket to qualified leads. |

13.4 Managing Cookies

You can manage cookies through:

• your browser settings (block/delete cookies); and
• our cookie banner/preferences center (if available).

If you disable cookies, parts of the Services may not work properly.

SERVICE PROVIDERS LIST

• Hosting/Cloud: Cloudflare & Amazon
• Analytics: Google
• Email: Mailgun
• KYC/AML: Sumsub
• Payment processor: Canton Network
• Wallet provider: 5n Loop
• Error monitoring: Sentry