Data Protection and GDPR Compliance Policy
1. OBJECTIVE AND SCOPE
Objective
The primary objective of this policy is to ensure that CryptoMate UAB, in its capacity as a Data Controller and Data Processor, complies with all applicable obligations under the General Data Protection Regulation (EU) 2016/679 (GDPR). This policy establishes a comprehensive framework for the lawful, fair, and transparent processing of personal data, safeguarding the fundamental rights and freedoms of data subjects. The integrity of personal data is not just a legal requirement but a cornerstone of the trust our clients place in us.
This policy is designed to:
- Ensure that all personal data is processed in strict accordance with the core principles of GDPR, embedding data protection by design and by default into all our operations.
- Clearly define the roles, responsibilities, and accountability for data protection across all levels of the organisation, from the Management Body to every employee.
- Establish clear, accessible, and efficient procedures for handling data subject rights, ensuring that individuals can effectively exercise control over their personal data.
- Implement and maintain robust, state-of-the-art technical and organisational measures to protect personal data from unauthorised access, loss, alteration, or destruction.
- Foster a pervasive culture of data protection awareness and accountability among all staff through continuous training and internal communication.
Scope
This policy applies to all processing of personal data conducted by CryptoMate UAB, its employees, contractors, and any third-party processors acting on its behalf, regardless of the geographical location of the data or the data subject. It covers all personal data collected from the legal representatives, employees, ultimate beneficial owners (UBOs), and other associated individuals of our business clients. It also extends to any other individuals whose data we may process in the course of providing our services, including data from website visitors or individuals who contact us with inquiries. This policy governs data processing throughout its entire lifecycle, from initial collection to final, secure disposal.
2. DATA PROTECTION PRINCIPLES
CryptoMate UAB is committed to adhering to the fundamental principles of data protection as outlined in Article 5 of the GDPR. These principles are the foundation of our data handling practices.
- Lawfulness, Fairness, and Transparency: We process personal data lawfully, fairly, and in a transparent manner. This means we will always have a valid legal basis for our processing activities and will provide clear, concise information to data subjects about how and why their data is being used.
- Purpose Limitation: We collect personal data for specified, explicit, and legitimate purposes that are clearly communicated to data subjects at the time of collection. We do not further process data in a manner that is incompatible with those original purposes. For example, data collected for AML/CFT compliance will not be used for marketing without separate, explicit consent.
- Data Minimisation: We ensure that the personal data we collect is adequate, relevant, and strictly limited to what is necessary to achieve the purpose for which it is processed. We conduct regular reviews of our data collection processes to eliminate the collection of any superfluous data.
- Accuracy: We take every reasonable step to ensure that personal data is accurate and, where necessary, kept up to date. We have procedures in place to rectify or erase inaccurate data without delay upon request from the data subject or when inaccuracies are otherwise identified.
- Storage Limitation: We keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it was processed. Our data retention schedules are strictly defined by our legal and regulatory obligations, after which data is securely and permanently deleted.
- Integrity and Confidentiality: We process personal data in a manner that ensures its appropriate security. This includes implementing robust technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
- Accountability: We take full responsibility for our data processing activities and are able to demonstrate compliance with all the principles outlined above. This is achieved through comprehensive documentation, regular audits, and the oversight of our Data Protection Officer (DPO).
3. LAWFUL BASIS FOR PROCESSING
CryptoMate UAB will only process personal data where it has a valid lawful basis to do so under Article 6 of the GDPR. The primary legal bases for our processing activities are:
- Legal Obligation: A significant portion of our data processing is necessary for compliance with our extensive legal and regulatory obligations as a prospective CASP. This includes processing personal data for Know Your Business (KYB) and Know Your Customer (KYC) checks on legal representatives and UBOs, ongoing transaction monitoring, and reporting as required by the Lithuanian Law on the Prevention of Money Laundering and Terrorist Financing and the MiCA Regulation.
- Performance of a Contract: We process personal data that is necessary to enter into and perform our contractual obligations with our business clients. This includes, for example, processing the contact details and professional data of our client’s legal representatives and technical points of contact to provide our services and support.
- Legitimate Interests: We may process personal data for our legitimate interests, such as for ICT security monitoring, fraud prevention, system testing, and improving our services. In each case, we conduct a balancing test to ensure that our legitimate interests are not overridden by the interests or fundamental rights and freedoms of the data subject.
- Consent: Where no other lawful basis applies, we will obtain explicit, informed, and freely given consent from the data subject before processing their personal data. This is primarily relevant for activities such as sending marketing communications. Consent can be withdrawn by the data subject at any time, and we have made this process as simple as it was to give consent.
4. DATA WE PROCESS
As our clients are business entities, the personal data we process primarily relates to the individuals associated with these entities. This includes:
- Identification Data: Full name, date of birth, personal identification code, nationality, and data from official identification documents.
- Contact Data: Residential address, email address, telephone number.
- Professional Data: Position/title, relationship to the legal entity, and professional history where relevant for risk assessment.
- Verification Data: Copies of government-issued identification documents (e.g., passports, ID cards), proof of address documents, and data from third-party verification services.
- Technical Data: IP addresses, device identifiers, browser type, operating system, and other data collected for security, operational, and fraud prevention purposes when interacting with our API and website.
5. DATA SUBJECT RIGHTS
CryptoMate UAB fully respects and facilitates the rights of data subjects under GDPR. Individuals whose personal data we process have the following rights:
- The Right of Access: To request a copy of the personal data we hold about them and information about how it is processed.
- The Right to Rectification: To request the correction of inaccurate or incomplete data.
- The Right to Erasure ('Right to be Forgotten'): To request the deletion of their personal data, subject to legal and regulatory limitations.
- The Right to Restrict Processing: To request the suspension of processing of their personal data in certain circumstances.
- The Right to Data Portability: To request a copy of their data in a structured, commonly used, and machine-readable format and to have it transferred to another controller where technically feasible.
- The Right to Object: To object to the processing of their personal data based on our legitimate interests.
Exercising Rights: Data subjects can exercise their rights by submitting a request to our Data Protection Officer at dpo@cryptomate.me. We will respond to all requests within one month, in line with GDPR requirements.
Limitations: Please note that certain rights, particularly the Right to Erasure, are subject to strict limitations where we are required by law (e.g., AML/CFT regulations) to retain data for a specific period. In such cases, we will inform the data subject of the legal basis for our refusal to comply with their request.
6. DATA SECURITY
We have implemented appropriate and comprehensive technical and organisational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures are regularly reviewed and updated to reflect technological advancements and emerging threats. These measures include:
- Encryption: Strong encryption of data both in transit (using TLS) and at rest (using AES-256).
- Access Controls: Strict role-based access controls and the principle of least privilege to ensure that data is only accessible to authorised personnel on a need-to-know basis. All access is logged and monitored.
- Regular Testing: Regular vulnerability scanning and penetration testing of our systems conducted by independent third parties.
- Staff Training: Mandatory and continuous data protection and cybersecurity training for all employees to ensure they are aware of their responsibilities and can identify potential threats.
7. DATA RETENTION
Personal data is retained only for as long as is necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.
Our data retention periods are determined by our legal and regulatory obligations. In particular, personal data collected for AML/CFT compliance purposes (e.g., KYC documentation and transaction records) will be retained for eight (8) years after the end of the business relationship, in accordance with the Lithuanian Law on the Prevention of Money Laundering and Terrorist Financing. Data processed for other purposes will be retained for shorter periods, as detailed in our internal data retention schedule.
8. THIRD-PARTY DATA SHARING AND INTERNATIONAL TRANSFERS
We may share personal data with trusted third-party service providers who act as Data Processors on our behalf, such as KYC/KYB verification services, cloud hosting providers, and on-chain analytics providers. We will only share data with processors who provide sufficient guarantees to implement appropriate technical and organisational measures in compliance with GDPR, and all such sharing is governed by a formal and legally binding Data Processing Agreement (DPA).
We may also be required to share personal data with competent authorities, such as the Bank of Lithuania or the FNTT, upon a lawful request.
Personal data will not be transferred outside the European Economic Area (EEA) unless the recipient country ensures an adequate level of data protection as determined by the European Commission, or appropriate safeguards (such as Standard Contractual Clauses) are in place, along with a thorough Transfer Impact Assessment.
9. DATA BREACH MANAGEMENT
CryptoMate UAB has a formal and regularly tested incident response plan in place to manage any personal data breaches. In the event of a breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the Lithuanian State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija) without undue delay, and where feasible, within 72 hours of becoming aware of it. Where a breach is likely to result in a high risk to individuals, we will also communicate the breach to the affected data subjects directly, providing them with clear information and advice on how to protect themselves.
10. DATA PROTECTION OFFICER (DPO)
CryptoMate UAB has appointed a Data Protection Officer to independently oversee our compliance with this policy and with GDPR. The DPO has expert knowledge of data protection law and practices and reports directly to the highest level of management. The DPO can be contacted with any questions or concerns regarding the processing of personal data.
Contact Email: compliance@cryptomate.me
11. POLICY REVIEW AND TRAINING
This policy will be reviewed at least annually by the DPO and approved by the Management Body to ensure it remains up to date, effective, and compliant with all relevant laws and regulations. All employees will receive mandatory data protection training upon joining the company and on an ongoing basis thereafter, with their understanding assessed and documented.