Privacy Policy

PRIVACY POLICY

1. Introduction

1.1. Purpose of This Privacy Policy

Caiz Trade S.r.o. (“Caiz,” “we,” “us,” or “our”) is committed to ensuring the privacy, security, and transparency of how we collect, use, store, and process personal data in compliance with all applicable data protection laws, regulations, and industry standards. This Privacy Policy outlines our data practices concerning users (“you,” “your”) who access, use, or interact with our website, mobile applications, platforms, services, and digital assets.

This Privacy Policy is designed to comply with:

• General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) – Protecting the personal data of individuals within the European Economic Area (EEA).
• EU ePrivacy Directive 2002/58/EC and the Privacy and Electronic Communications Regulations (PECR) – Regulating online tracking, cookies, and direct marketing.
• Financial Action Task Force (FATF) Guidelines – Ensuring compliance with anti-money laundering (AML) and counter-terrorist financing (CTF) frameworks.
• Anti-Money Laundering Directives (AMLD) of the European Union – Covering data protection obligations in financial transactions.
• United Nations Convention Against Corruption (UNCAC) & OECD Guidelines – Addressing corporate governance, compliance, and financial transparency.
• Applicable Local and International Data Protection Regulations – Covering users in jurisdictions where Caiz operates, excluding the United States and other prohibited countries.

1.2. Scope and Applicability

This Privacy Policy applies to all personal data collected, processed, and stored by Caiz when you:

• Visit our website or use any digital platform operated by Caiz.
• Register for an account or sign up for our services.
• Engage in financial transactions or interact with our blockchain-based ecosystem.
• Communicate with us through customer support, inquiries, or feedback.
• Subscribe to our newsletters, marketing communications, or promotional materials.
• Participate in surveys, events, or promotional campaigns conducted by Caiz.
• Use integrated third-party services, including social media, advertising, or analytics platforms.

This Privacy Policy does not apply to:

• Third-party websites, services, or platforms that are linked to our website but are not under our direct control.
• Public blockchain transactions, as blockchain data is inherently immutable and publicly accessible.
• Anonymous or aggregated data that does not identify any individual user.

By accessing or using our services, you acknowledge that you have read, understood, and agree to be bound by the terms set forth in this Privacy Policy. If you do not agree with this Privacy Policy, you should discontinue the use of our services immediately.

1.3. Who We Are

Caiz is a legally registered company operating within the European Union, specifically incorporated in Slovakia under the name Caiz Trade S.r.o., with its registered office at:

Company Name: Caiz Trade S.r.o.

Registered Address: Mostová 185/2, Bratislava – mestská časť Staré Mesto 811 02, Slovakia

Data Protection Officer (DPO): Mr. Ilyas Güclü, Goldcliff Consulting & Services GmbH Wächtersbacher Str. 90, 60386 Frankfurt am Main

DPO Contact: datenschutz@goldcliff-stark.com

Privacy Contact Email: legal@caiz.com

Telephone Number: +49 69 95518950

Caiz is a global financial technology company that operates within the cryptocurrency and blockchain industry, offering decentralized financial services in compliance with Shariah-compliant ethical finance principles and international financial regulations. Our blockchain-based ecosystem enables digital asset transactions, financial services, and cross-border payments while adhering to robust regulatory frameworks.

1.4. Changes to This Privacy Policy

We reserve the right to amend, update, or modify this Privacy Policy at any time to reflect changes in legal requirements, technological advancements, or operational practices. When we make significant changes, we will notify you by:

• Posting an updated version on our website with a revised “Last Updated” date.
• Sending direct notifications via email (if you have opted to receive such updates).
• Displaying a prominent notice on our digital platforms.

It is your responsibility to review this Privacy Policy periodically. Your continued use of our services after any amendments to this Privacy Policy will be deemed as acceptance of the changes. If you do not agree with the revised Privacy Policy, you must cease using our services immediately.

2. Definitions and Key Concepts

For the purpose of this Privacy Policy, the following terms shall have the meanings assigned to them below. These definitions are in compliance with international data protection laws, including the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), Slovakia’s Act No. 18/2018 Coll. on the Protection of Personal Data (PPA), Financial Action Task Force (FATF) Guidelines, EU ePrivacy Directive, and other applicable local and global regulations governing data privacy and security.

2.1. Personal Data

“Personal Data” refers to any information that relates to an identified or identifiable natural person (“Data Subject”). A person is considered identifiable if they can be directly or indirectly identified through identifiers such as:

• Name, surname, or alias
• Home address or physical location
• Email address (personal or work-related)
• Phone number (mobile, landline, or VoIP)
• Identification numbers (e.g., passport number, national ID, social security number)
• Financial details (e.g., bank account details, cryptocurrency wallet address)
• Online identifiers (e.g., IP address, cookie identifiers, device IDs)
• Biometric data (e.g., facial recognition data, fingerprint scans, voice patterns)
• Location data (e.g., GPS coordinates, mobile tower triangulation)

Personal Data also includes any combination of information that can lead to the identification of an individual, even if the individual elements themselves do not reveal identity directly.

2.2. Sensitive Personal Data (Special Category Data)

“Sensitive Personal Data” refers to data that requires additional protection due to its sensitive nature, as outlined under Article 9 of the GDPR. This includes:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic and biometric data (when used for identification purposes)
• Health data (e.g., medical records, disability information, vaccination status)
• Sexual orientation or sex life
• Criminal convictions and offenses (subject to Article 10 of the GDPR)

Caiz does not intentionally collect Sensitive Personal Data, except where strictly necessary for regulatory compliance (e.g., AML/KYC checks, fraud prevention). In such cases, explicit consent will be obtained where required by law.

2.3. Processing of Personal Data

“Processing” refers to any operation or set of operations performed on Personal Data, whether manually or via automated means. This includes:

• Collection
• Recording
• Organization
• Structuring
• Storage
• Adaptation or alteration
• Retrieval
• Consultation
• Use
• Disclosure by transmission
• Dissemination or making available
• Alignment or combination
• Restriction
• Erasure or destruction

Any action that involves handling Personal Data falls under the definition of Processing and is governed by applicable privacy laws.

2.4. Data Controller

A “Data Controller” is the entity that determines the purposes and means of Processing Personal Data. Caiz Trade S.r.o. acts as the Data Controller for all user data processed in connection with its services.

Data Controller Information:

Caiz Trade S.r.o.

Mostová 185/2, Bratislava – mestská časť Staré Mesto 811 02, Slovakia

Email: legal@caiz.com

2.5. Data Processor

A “Data Processor” is any third party that processes Personal Data on behalf of the Data Controller, under written contractual instructions. This includes:

• Cloud storage providers
• IT and security service providers
• Payment processors and banking institutions
• Compliance and fraud detection partners

Caiz ensures that all Data Processors adhere to GDPR-compliant security and confidentiality obligations through legally binding agreements.

2.6. Data Subject

A “Data Subject” is an individual whose Personal Data is collected, stored, and processed. This includes:

• Registered users of Caiz’s services
• Visitors to Caiz’s website
• Clients, partners, and business associates
• Employees or job applicants (in HR-related data processing)

Data Subjects are granted specific rights under GDPR and other data protection laws.

2.7. Legal Basis for Processing

Under Article 6 of the GDPR, Processing of Personal Data is only lawful when based on at least one of the following legal bases:

• Consent – The Data Subject has given explicit and informed consent for Processing (e.g., marketing emails, optional data sharing).
• Contractual Necessity – Processing is required to fulfill a contract or pre-contractual obligation (e.g., account registration, transaction processing).
• Legal Obligation – Processing is required for compliance with applicable laws (e.g., AML/KYC verification, tax reporting).
• Vital Interests – Processing is necessary to protect the vital interests of the Data Subject (e.g., fraud detection, security alerts).
• Public Interest – Processing is necessary for tasks carried out in the public interest (e.g., financial crime investigations).
• Legitimate Interests – Processing is necessary for the legitimate business interests of Caiz, provided such interests do not override user rights (e.g., service improvements, cybersecurity).

2.8. Data Retention

“Data Retention” refers to the period during which Caiz stores Personal Data in compliance with legal, regulatory, and business requirements. Retention policies depend on:

• Statutory retention periods (e.g., financial records retained for AML compliance).
• Contractual obligations (e.g., data stored to fulfill a service agreement).
• User rights to deletion (subject to legal exceptions).

After retention periods expire, Personal Data is securely deleted, anonymized, or archived where necessary.

2.9. Data Security and Encryption

Caiz implements industry-standard security measures to protect Personal Data from unauthorized access, alteration, disclosure, or destruction. This includes:

• Encryption of sensitive information in transit and at rest.
• Access controls limiting data access to authorized personnel.
• Firewalls and intrusion detection systems to protect against cyber threats.
• Regular security audits to ensure compliance with GDPR and other security frameworks.

Despite these measures, users acknowledge that no online service is completely immune from cyber threats.

2.10. Automated Decision-Making and Profiling

Caiz may use automated systems to make decisions related to:

• Fraud detection and transaction monitoring (e.g., AI-based anomaly detection).
• Compliance with AML/CTF regulations (e.g., automatic risk scoring of users).
• Personalized user experience (e.g., content recommendations based on behavior).

Data Subjects have the right to object to automated decision-making, unless required for contractual or legal compliance purposes.

2.11. Blockchain and Data Immutability

Due to the decentralized nature of blockchain technology, certain Personal Data (e.g., transaction details, wallet addresses) may be immutable and cannot be altered or deleted once recorded on the ledger. While Caiz applies privacy-enhancing technologies (e.g., pseudonymization), users acknowledge that:

• Public blockchain transactions may be permanently visible.
• Data privacy on blockchain networks may differ from traditional data protection laws.
• Users must exercise caution when sharing blockchain-related data.

For more details, refer to our Blockchain Data Privacy Notice.

2.12. Third-Party Services and Data Sharing

Caiz may share Personal Data with third-party service providers, subject to:

• Confidentiality agreements ensuring data protection compliance.
• Purpose limitation (data is used only for specified purposes).
• Cross-border transfer safeguards (e.g., Standard Contractual Clauses for non-EU data transfers).

Users are encouraged to review third-party privacy policies when interacting with external services integrated with Caiz’s platform.

3. Categories of Data We Collect

Caiz collects and processes various categories of personal data in compliance with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), Slovakia’s Act No. 18/2018 Coll. on the Protection of Personal Data (PPA), EU ePrivacy Directive 2002/58/EC, Financial Action Task Force (FATF) Guidelines, Anti-Money Laundering Directives (AMLDs), and other relevant international privacy laws.

The nature of data collected depends on the specific interactions between Caiz and the user, including the use of our platform, services, and third-party integrations. The categories of data collected are outlined below:

3.1. Personal Identification Data

This category includes information that directly or indirectly identifies an individual and is required for account creation, regulatory compliance, and transaction processing. It may include:

• Full Name (First name, last name, and middle name if applicable)
• Date of Birth
• Nationality and Country of Residence
• Government-Issued Identification Data (e.g., Passport, National ID card, Driver’s License)
• Tax Identification Number (TIN) (if required by law)
• Social Security Number or Other National Identifiers (as mandated by local regulations)

Purpose:

• Identity verification for Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance.
• Prevention of fraudulent activity, identity theft, and financial crime.
• Compliance with global financial regulatory frameworks.

Legal Basis: Legal Obligation, Contractual Necessity, Legitimate Interest

3.2. Contact Information Data

This includes data collected for communication and customer support purposes:

• Email Address
• Phone Number (Mobile & Landline)
• Residential or Business Address
• Preferred Language for Communication

Purpose:

• Account verification, security alerts, and transaction confirmations.
• Customer support and inquiries.
• Regulatory compliance and fraud prevention.

Legal Basis: Contractual Necessity, Legitimate Interest, Consent (where applicable)

3.3. Financial and Payment Data

To facilitate transactions on the Caiz platform, we may collect and process financial data, including:

• Bank Account Details (e.g., IBAN, SWIFT code)
• Cryptocurrency Wallet Address (for blockchain transactions)
• Payment Card Information (only processed via third-party payment providers)
• Transaction History (record of deposits, withdrawals, transfers, and purchases)
• Billing and Invoice Details

Purpose:

• Execution of payments and transactions.
• Compliance with AML/CFT (Combating the Financing of Terrorism) Regulations.
• Risk assessment and fraud detection.

Legal Basis: Contractual Necessity, Legal Obligation, Legitimate Interest

3.4. Device and Technical Data

When you access the Caiz platform, we automatically collect certain data from your device for security, performance optimization, and compliance purposes:

• Device Type (e.g., mobile, tablet, desktop)
• Operating System and Version
• Browser Type and Version
• IP Address and Geolocation Data
• Device Identifiers (e.g., MAC address, IMEI number)
• Network Information (e.g., ISP, connection type)

Purpose:

• Ensuring platform security and fraud prevention.
• Compliance with geo-blocking regulations in restricted jurisdictions.
• Optimizing platform functionality and user experience.

Legal Basis: Legitimate Interest, Contractual Necessity

3.5. Transactional and Blockchain Data

As a blockchain-based financial services provider, Caiz collects transactional data related to the use of digital assets. Due to the inherent transparency of blockchain networks, certain transaction details may be publicly recorded. This data may include:

• Cryptocurrency Wallet Addresses (public keys)
• Transaction Hashes (unique blockchain transaction identifiers)
• Timestamps and Blockchain Network Details
• Smart Contract Interaction Data

Note: Due to the immutable nature of blockchain technology, once a transaction is recorded on a blockchain, it cannot be altered or erased. Users are encouraged to exercise caution when sharing blockchain-related personal data.

Purpose:

• Facilitating digital asset transactions.
• Enhancing the transparency and security of the Caiz blockchain ecosystem (this also indicates legacy blockchain ecosystems that Caiz may use).
• Ensuring compliance with AML and FATF Travel Rule requirements.

Legal Basis: Contractual Necessity, Legal Obligation

3.6. Behavioural and Usage Data

To improve our services and user experience, we collect analytics and behavioral data, including:

• Browsing Activity on Our Platform (e.g., pages visited, links clicked)
• Session Duration and Frequency of Use
• User Preferences and Settings
• Interaction with Customer Support and Chatbots

Purpose:

• Service improvement and user personalization.
• Detecting unusual activities indicative of security threats.
• Ensuring compliance with data analytics and cookie regulations (EU ePrivacy Directive).

Legal Basis: Legitimate Interest, Consent (for tracking technologies)

3.7. Communications and Correspondence Data

Caiz may collect and store:

• Email Communications with Customer Support
• Chat Logs from Live Support Services
• Support Tickets and Complaint Records
• Recorded Calls (where legally permissible, with consent)

Purpose:

• Enhancing customer service quality.
• Resolving disputes and responding to regulatory inquiries.
• Ensuring legal compliance and contractual obligations.

Legal Basis: Contractual Necessity, Legitimate Interest, Legal Obligation

3.8. Employment and Recruitment Data

For job applicants and employees, we may collect:

• Curriculum Vitae (CV) and Resumes
• Employment History and Qualifications
• References and Background Check Data
• Work Authorization and Visa Information
• Compensation and Payroll Details

Purpose:

• Recruitment, hiring, and onboarding.
• Compliance with labor laws and tax regulations.
• Internal security and risk management.

Legal Basis: Contractual Necessity, Legal Obligation, Legitimate Interest

3.9. Cookies and Tracking Technologies

We use cookies, tracking pixels, and analytics tools to collect and store information about users’ interactions with our platform. These technologies collect:

• Cookie Identifiers
• IP Address and Device Fingerprints
• Geolocation Data (if permitted by the user)
• Advertising and Behavioral Tracking Data

Purpose:

• Enhancing website performance and personalization.
• Analysing user engagement for platform improvements.
• Conducting targeted advertising (where permitted).

Legal Basis: Consent (for non-essential cookies), Legitimate Interest

3.10. Special Categories of Data

Caiz does not collect Special Category Data unless explicitly required by regulatory authorities for compliance purposes, in which case explicit user consent is obtained. Special Category Data includes:

• Religious beliefs (except for ethical finance principles).
• Political affiliations.
• Health data.
• Criminal records (except where required for AML/KYC).

Legal Basis: Explicit Consent, Legal Obligation (if required by AML laws)

4. Sources of Data Collection

Caiz collects personal data from multiple sources to ensure regulatory compliance, fraud prevention, secure transactions, and enhanced user experience. Our data collection practices align with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), EU ePrivacy Directive 2002/58/EC, Financial Action Task Force (FATF) Guidelines, Anti-Money Laundering Directives (AMLDs), and other relevant local and international privacy and financial regulations. The data we collect comes from four primary sources:

• Data Provided Directly by Users
• Data Collected Automatically
• Data Collected from Third-Party Sources
• Publicly Available Data

4.1. Data Provided Directly by Users

Users voluntarily provide personal data when they engage with Caiz’s platform, services, and support channels. This data collection is necessary for:

• Account Creation & Identity Verification
• Transaction Processing & Security
• Customer Support & Dispute Resolution
• Regulatory Compliance (AML, KYC, CFT Requirements)

The types of personal data provided by users include:

4.1.1. Registration and Account Setup

• Full Name
• Date of Birth
• Nationality & Country of Residence
• Government-Issued Identification Documents (e.g., Passport, National ID, Driver’s License)
• Email Address and Phone Number
• Username and Password (for account access security)
• Residential or Business Address

4.1.2. Financial and Payment Information

• Bank Account Details (IBAN, SWIFT, or other payment identifiers)
• Cryptocurrency Wallet Addresses and Blockchain Transactions
• Billing and Invoice Data
• Payment Card Information (processed through third-party providers)
• Transaction History and Account Activity

4.1.3. Communications with Caiz

• Emails, Support Tickets, and Contact Forms
• Live Chat Conversations and Customer Support Calls (where legally permissible, with consent)
• Feedback, Surveys, and User Submissions

4.1.4. Employment & Recruitment Data (for job applicants)

• Resumes, CVs, and Cover Letters
• Employment History and Academic Qualifications
• References and Background Checks (if applicable)

Legal Basis for Processing:

• Contractual Necessity (User Registration & Transactions)
• Legal Obligation (AML, KYC, CFT Compliance)
• User Consent (Marketing Communications, Surveys, etc.)
• Legitimate Interest (Customer Support, Dispute Resolution)

4.2. Data Collected Automatically

We collect certain information automatically when users access, browse, or use our platform. This data is crucial for:

• Platform Security & Fraud Prevention
• Performance Optimization & User Experience
• Regulatory Compliance & IP-Based Restrictions

The automatically collected data includes:

4.2.1. Device and Technical Information

• IP Address and Geolocation Data
• Device Type (Mobile, Desktop, Tablet)
• Operating System and Browser Version
• Unique Device Identifiers (MAC Address, IMEI, etc.)
• Internet Service Provider (ISP) Information

4.2.2. Usage and Behavioural Data

• Pages Visited and Interaction with Platform Features
• Time Spent on Pages, Clickstream Data, and Navigation Paths
• Date and Time of Access (Session Data)
• Referral URLs (Websites that led users to our platform)

4.2.3. Cookies and Tracking Technologies

We use cookies and other tracking technologies to enhance platform performance and ensure compliance with legal regulations, such as the EU ePrivacy Directive. This includes:

• Essential Cookies (for secure login and fraud prevention)
• Functional Cookies (to remember user preferences)
• Analytics Cookies (Google Analytics, user behavior tracking)
• Marketing Cookies (for personalized ads, where consent is given)

Legal Basis for Processing:

• Legitimate Interest (Fraud Prevention, Security, Platform Optimization)
• Legal Obligation (Regulatory Compliance & IP-Based Restrictions)
• User Consent (where required for analytics and advertising)

4.3. Data Collected from Third-Party Sources

Caiz partners with regulated third parties to enhance security, comply with financial regulations, and optimize user experience. This includes:

4.3.1. Identity Verification and Compliance Partners

To meet AML, KYC, and CFT requirements, we work with identity verification providers, including:

• Government Databases and Sanctions Lists
• Credit Reference Agencies & Risk Assessment Tools
• Financial Institutions and Payment Providers

Examples of data collected:

• Verification of Identity & Address
• Screening Against Global Sanctions & Watchlists (e.g., FATF, UN, EU, OFAC lists)
• Enhanced Due Diligence (EDD) Data for High-Risk Users

4.3.2. Financial Institutions and Payment Processors

For transaction processing, Caiz may receive data from:

• Banks, Payment Processors, and Crypto Exchanges
• Card Issuers and Fraud Prevention Networks

Examples of data collected:

• Transaction Verification & Payment Confirmation
• Dispute Resolution & Chargeback Data
• Transaction Fraud Indicators

4.3.3. Social Media and Third-Party Authentication Providers

If users log in via Google, Facebook, Apple, or other social logins, we may collect:

• Public Profile Information (Name, Email, Profile Picture)
• Social Media Interactions with Caiz
• Behavioral Data from Integrated Third-Party Services

Legal Basis for Processing:

• Legal Obligation (AML, KYC Compliance)
• Legitimate Interest (Fraud Prevention & Identity Verification)
• User Consent (for Third-Party Authentication)

4.4. Publicly Available Data

Caiz may collect personal data from publicly available sources, where legally permissible, including:

• Government Registries and Corporate Filings
• Public Blockchain Ledgers (for crypto transactions)
• Media and News Reports (for background checks)
• Social Media Profiles (where publicly accessible)

Examples of data collected:

• Business Registration and Company Ownership Details
• Wallet Addresses and Public Transaction Histories
• Published Public Statements and Official Announcements

Note: While blockchain transactions are publicly recorded, Caiz does not control or process personal data stored on decentralized networks. Users must exercise caution when sharing blockchain-related personal data.

Legal Basis for Processing:

• Legitimate Interest (AML & Risk Monitoring)
• Legal Obligation (Regulatory Compliance)

5. Legal Basis for Processing Personal Data

Caiz processes personal data in strict compliance with applicable data protection laws, including but not limited to:

• General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
• EU ePrivacy Directive 2002/58/EC
• Financial Action Task Force (FATF) Guidelines
• Anti-Money Laundering Directives (AMLDs) of the European Union
• Other relevant international, regional, and local privacy regulations

As required under Article 6 of the GDPR, any processing of personal data must be based on a lawful legal basis. This section outlines the specific legal bases on which Caiz relies when processing personal data.

5.1. Consent (Article 6(1)(a) GDPR)

We process personal data based on user consent in situations where:

• Users actively opt-in for marketing communications (newsletters, promotional emails).
• Users provide explicit consent to store and use cookies and tracking technologies, where required.
• Users agree to participate in voluntary surveys, research, or promotional campaigns.
• Users voluntarily submit additional personal data beyond what is required for our services.

How We Obtain Consent:

• Through opt-in checkboxes during account registration or form submissions.
• Via cookie consent banners and preference management tools.
• Through explicit confirmations in emails or digital agreements.

User Rights Regarding Consent:

• Right to Withdraw Consent – Users may withdraw their consent at any time without affecting the lawfulness of processing before withdrawal.
• Right to Manage Preferences – Users can modify their marketing and cookie preferences via account settings or the Cookie Consent Management Tool.

Note: Consent is not required where another lawful basis applies, such as contractual necessity or legal obligations.

5.2. Contractual Necessity (Article 6(1)(b) GDPR)

We process personal data where it is necessary to fulfill contractual obligations between Caiz and the user. This includes:

• Account registration and authentication (verifying identity during onboarding).
• Facilitating financial transactions, including fiat and cryptocurrency payments.
• Processing deposits, withdrawals, and wallet transfers on the Caiz blockchain.
• Providing customer support and dispute resolution services.
• Enabling access to user-requested features and services on our platform.

Consequences of Not Providing Data:

Failure to provide personal data necessary for contractual obligations may result in:

• Inability to register for an account or access our services.
• Inability to complete transactions or withdrawals.
• Restriction of certain functionalities or benefits.

Note: If a user terminates their contract with Caiz, we may still retain certain personal data to comply with legal obligations (see Section 5.3).

5.3. Compliance with Legal Obligations (Article 6(1)© GDPR)

We are required to process certain personal data to comply with applicable legal, regulatory, and statutory obligations, including but not limited to:

5.3.1. Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) Compliance

• Know Your Customer (KYC) Verification: Processing government-issued ID, proof of address, and biometric data.
• Transaction Monitoring: Recording transactions for fraud prevention and regulatory reporting.
• Risk Assessment: Screening users against international sanctions lists (e.g., EU, UN, FATF, OFAC).

5.3.2. Financial and Tax Compliance

• Reporting transactions to financial regulators and tax authorities (where required by law).
• Retaining financial records for mandatory legal periods (e.g., AMLD mandates transaction data retention for at least five years).

5.3.3. Data Protection and Security Compliance

• Responding to data subject access requests (DSARs) under GDPR.
• Notifying supervisory authorities of personal data breaches, where legally required.
• Complying with ePrivacy and cookie consent laws under the EU ePrivacy Directive.

Failure to comply with these legal obligations may result in fines, penalties, and regulatory sanctions, making this legal basis non-negotiable for certain data processing activities.

5.4. Legitimate Interests (Article 6(1)(f) GDPR)

We process personal data where necessary for our legitimate business interests, provided such interests do not override the rights and freedoms of users. This includes:

5.4.1. Security and Fraud Prevention

• Detecting and preventing unauthorized access, fraud, and financial crime.
• Investigating suspicious activities, transaction anomalies, and account misuse.
• Ensuring cybersecurity protection (e.g., DDoS protection, encryption, and network security).

5.4.2. Business Operations and Platform Optimization

• Improving the functionality, security, and performance of our platform.
• Conducting analytics and user behavior research to enhance services.
• Optimizing customer support, user interactions, and product development.

5.4.3. Internal Record-Keeping and Legal Defense

• Maintaining internal business records for compliance and governance.
• Protecting against legal claims, fraud, or security threats.

Note: Users have the right to object to processing based on legitimate interest. If an objection is raised, we will assess whether our interests override user rights.

5.5. Vital Interests (Article 6(1)(d) GDPR)

In rare cases, we may process personal data where it is necessary to protect the vital interests of an individual. This includes:

• Preventing financial harm (e.g., fraud alerts, stolen funds investigation).
• Notifying law enforcement agencies in cases of suspected illegal activity.

While this basis is rarely used, it remains a legal foundation in emergencies.

5.6. Public Interest and Official Authority (Article 6(1)€ GDPR)

Where applicable, we may process personal data in the public interest or under a legal mandate. This may include:

• Compliance with law enforcement requests and government investigations.
• Regulatory requirements imposed by financial authorities.

Note: Data subjects cannot object to processing under this legal basis if required by law.

5.7. Special Category Data Processing (Article 9 GDPR)

Caiz does not collect or process special category data (e.g., religious beliefs, health data, political views) unless:

• Explicit user consent is provided.
• Legal obligations require processing (e.g., criminal background checks for AML compliance).

Where special category data is processed, additional safeguards are applied.

5.8. Automated Decision-Making and Profiling (Article 22 GDPR)

Caiz may use automated systems for:

• Fraud detection and risk assessment (transaction monitoring, anomaly detection).
• Automated KYC screening for faster onboarding.

Users have the right to request human intervention in automated decisions affecting them.

6. How We Use Your Personal Data

Caiz processes personal data strictly in accordance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679),  EU ePrivacy Directive 2002/58/EC, Financial Action Task Force (FATF) Guidelines, Anti-Money Laundering Directives (AMLDs) of the European Union, and other applicable local and international laws governing data privacy, financial transactions, and cybersecurity.

This section outlines the specific purposes for which we collect, store, use, and share personal data. All processing is conducted under a lawful legal basis as detailed in Section 5 (Legal Basis for Processing Personal Data).

6.1. Account Creation, User Registration, and Identity Verification

To facilitate access to Caiz’s platform and services, we collect and process user-provided personal data for:

• Creating and managing user accounts.
• Verifying user identity and credentials during onboarding.
• Authenticating logins and securing access through multi-factor authentication (MFA).
• Confirming residency and eligibility to use Caiz services (excluding users from restricted jurisdictions).
• Preventing identity theft, fraud, and unauthorized account access.

Legal Basis: Contractual Necessity, Legal Obligation (AML/KYC), Legitimate Interest.

6.2. Know Your Customer (KYC) and Anti-Money Laundering (AML) Compliance

To comply with AML/CFT (Combating the Financing of Terrorism) regulations, Caiz is legally required to process certain personal data, including:

• Government-issued identification documents (e.g., passport, national ID, driver’s license).
• Proof of address (e.g., utility bills, bank statements, lease agreements).
• Transaction history and source of funds information.
• Screening against global sanctions lists (e.g., EU, UN, OFAC, FATF blacklists).

Failure to provide the required information may result in service denial, account suspension, or termination.

Legal Basis: Legal Obligation (AML Directives, FATF Guidelines), Contractual Necessity.

6.3. Processing Financial Transactions

As a blockchain-based financial platform, we process personal data to facilitate:

• Deposits, withdrawals, and currency conversions.
• Crypto-to-fiat and fiat-to-crypto transactions.
• Execution of blockchain transactions on the Caiz blockchain.
• Transaction fraud detection and risk assessments.
• Regulatory reporting of high-value transactions.

Legal Basis: Contractual Necessity, Legal Obligation (AML, Tax Regulations).

6.4. Fraud Prevention, Security Monitoring, and Risk Management

To protect users from financial fraud, unauthorized access, and cyber threats, we:

• Monitor user activity and transaction patterns to detect anomalies.
• Analyze IP addresses, geolocation data, and device fingerprints to prevent unauthorized logins.
• Flag suspicious transactions for manual review or automated risk scoring.
• Deploy anti-bot mechanisms, firewalls, and real-time threat detection.

Suspicious accounts may be reported to regulatory authorities where required.

Legal Basis: Legitimate Interest, Legal Obligation (AML Compliance).

6.5. Customer Support and Dispute Resolution

We process personal data to:

• Respond to customer inquiries, complaints, and technical support requests.
• Investigate and resolve transaction disputes and chargebacks.
• Communicate service updates, security alerts, or critical platform changes.

Legal Basis: Contractual Necessity, Legitimate Interest.

6.6. Platform Performance, Analytics, and Service Improvement

To optimize our website, app, and platform experience, we collect and analyze:

• User engagement metrics (e.g., time spent on pages, clicks, navigation paths).
• Performance logs to identify system errors or crashes.
• Usage behavior to personalize content and improve service offerings.
• Testing of new features, algorithms, or AI-based functionalities.

Where legally required, analytics data is collected with user consent (e.g., via cookies).

Legal Basis: Legitimate Interest, User Consent (for analytics tracking).

6.7. Marketing, Advertising, and Promotions

If users opt-in, we may process personal data to:

• Send newsletters, promotional materials, and exclusive offers.
• Deliver personalized ads based on user preferences and browsing history.
• Analyse marketing effectiveness and campaign performance.

Users can manage or revoke marketing consent at any time via account settings or the unsubscribe link in emails.

Legal Basis: User Consent.

6.8. Compliance with Legal and Regulatory Obligations

To fulfill our obligations under applicable laws, we may process personal data for:

• Tax reporting and financial audits (where legally required).
• Cooperating with law enforcement, financial regulators, and supervisory authorities.
• Providing data in response to valid legal requests, court orders, or subpoenas.

We will only disclose user data where legally required and in full compliance with GDPR safeguards.

Legal Basis: Legal Obligation.

6.9. Blockchain Transparency and Public Ledger Disclosure

As a decentralized financial ecosystem, certain blockchain transaction details are inherently public and immutable. This includes:

• Cryptocurrency wallet addresses.
• Transaction IDs and blockchain timestamps.
• Smart contract interactions.

Users should exercise caution when conducting blockchain transactions, as data recorded on the blockchain cannot be modified or deleted.

Legal Basis: Contractual Necessity, Legitimate Interest.

6.10. Automated Decision-Making and AI-Based Risk Assessments

We may use automated algorithms to:

• Analyse user risk profiles and transaction behaviours.
• Flag potentially fraudulent activities for further review.
• Assess eligibility for certain platform features or financial services.

Users have the right to request human intervention if a decision significantly affects them.

Legal Basis: Legitimate Interest, Legal Obligation.

6.11. Employee and Job Applicant Data Processing

For employment and recruitment purposes, we process:

• Resumes, work history, and qualifications.
• Reference checks and employment verification.
• Background screening (if legally required for high-risk roles).

Legal Basis: Contractual Necessity, Legal Obligation, Legitimate Interest.

6.12. Retention and Deletion of Personal Data

Personal data is retained only for as long as necessary for the stated purposes and in compliance with statutory retention periods, which may vary depending on:

• Regulatory requirements (e.g., AML laws mandate a minimum retention period of 5 years).
• The nature of transactions and user interactions.
• Ongoing legal obligations or active investigations.

Upon expiration of retention periods, data is securely deleted, anonymized, or archived as per GDPR guidelines.

Legal Basis: Legal Obligation, Legitimate Interest.

7. Sharing and Disclosure of Data

At Caiz we value your privacy and ensure that your personal data is not sold or shared indiscriminately. Any disclosure or transfer of personal data is conducted in strict compliance with applicable data protection laws, including but not limited to:

• General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
• EU ePrivacy Directive 2002/58/EC
• Financial Action Task Force (FATF) Guidelines
• Anti-Money Laundering Directives (AMLDs) of the European Union
• Other relevant international, regional, and local privacy regulations

This section explains how, why, and with whom we share or disclose personal data, ensuring full transparency and accountability in data handling.

7.1. Categories of Third Parties with Whom We Share Data

We may share personal data with the following categories of recipients:

• Regulatory and Law Enforcement Authorities (AML/KYC compliance, financial regulations)
• Financial Institutions and Payment Processors (banking transactions, wallet operations)
• Identity Verification and Compliance Providers (KYC/AML checks, fraud prevention)
• Technology and Cloud Service Providers (data storage, cybersecurity)
• Business Partners and Affiliates (joint service offerings)
• Blockchain Networks (transaction transparency, immutability)

All disclosures are made only where necessary, under contractual safeguards that comply with GDPR and Standard Contractual Clauses (SCCs) for international data transfers.

7.2. Sharing with Regulatory and Law Enforcement Authorities

In compliance with legal obligations, Caiz may share personal data with:

• Financial Regulatory Bodies and Supervisory Authorities
• Tax Authorities (for financial reporting obligations)
• Law Enforcement Agencies and Courts
• Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) Agencies
• Sanctions and Compliance Screening Bodies (EU, UN, FATF, OFAC lists)

Purpose of Sharing:

• To comply with financial regulations and reporting requirements
• To detect and prevent financial crime, fraud, money laundering, and terrorism financing
• To respond to lawful requests, subpoenas, and court orders
• To cooperate in legal proceedings and regulatory audits

Note: We do not share personal data with government entities without a valid legal basis. Requests from authorities are carefully reviewed for legitimacy before compliance.

Legal Basis: Legal Obligation (GDPR Article 6(1)(c)), Public Interest (GDPR Article 6(1)(e))

7.3. Sharing with Financial Institutions and Payment Processors

To facilitate transactions, deposits, withdrawals, and wallet operations, we may share user data with:

• Banking Institutions (SEPA, SWIFT, IBAN transactions)
• Payment Processors and Card Issuers
• Cryptocurrency Exchanges and Wallet Providers

Purpose of Sharing:

• Processing fiat and crypto payments securely
• Preventing fraudulent transactions and chargebacks
• Complying with global anti-money laundering (AML) regulations

Legal Basis: Contractual Necessity (GDPR Article 6(1)(b)), Legal Obligation

7.4. Sharing with Identity Verification and Compliance Partners

To meet Know Your Customer (KYC) and AML requirements, we may share user data with:

• Identity Verification Providers (biometric checks, document authentication)
• Compliance Screening Services (AML risk assessment, politically exposed person (PEP) lists)
• Blockchain Analytics and Risk Monitoring Firms

Purpose of Sharing:

• Verifying user identity and residency status
• Screening against sanctions lists and watchlists
• Enhancing fraud detection and financial security

Legal Basis: Legal Obligation (AML Laws, FATF), Contractual Necessity

7.5. Sharing with Technology and Cloud Service Providers

To maintain the security, efficiency, and functionality of our platform, we use third-party technology vendors, such as:

• Cloud Computing and Data Storage Providers
• Cybersecurity and Encryption Services
• Website and IT Infrastructure Providers
• Artificial Intelligence (AI) and Machine Learning Partners

Purpose of Sharing:

• Securely storing encrypted user data
• Enhancing system security against cyber threats
• Providing scalable infrastructure for platform operations

Legal Basis: Legitimate Interest (GDPR Article 6(1)(f)), Contractual Necessity

7.6. Sharing with Business Partners and Affiliates

Caiz may share personal data with its affiliated companies, subsidiaries, or trusted business partners, but only for:

• Joint ventures or co-branded services
• Referral programs or partnerships
• Customer service and operational support

Purpose of Sharing:

• Improving user experience across multiple services
• Providing cross-platform financial solutions

Legal Basis: Legitimate Interest, Contractual Necessity (GDPR Article 6(1)(f))

7.7. Blockchain Networks and Public Ledger Disclosure

Due to the decentralized nature of blockchain technology, certain transaction-related data is publicly recorded and cannot be modified or erased.

Data That Becomes Public on the Blockchain:

• Cryptocurrency wallet addresses (public keys)
• Transaction hashes and timestamps
• Smart contract interactions

User Advisory:

• Once data is recorded on the Caiz blockchain, it becomes permanent and immutable.
• Private personal data (e.g., name, email, KYC details) is never stored directly on the blockchain.

Legal Basis: Contractual Necessity (GDPR Article 6(1)(b)), Legitimate Interest

7.8. International Data Transfers

As a global financial platform, Caiz may transfer personal data to:

• Data Centers and Cloud Providers located outside the European Economic Area (EEA)
• International Compliance Partners and Regulatory Agencies
• Third-Party Service Providers in Non-EEA Jurisdictions

How We Protect International Transfers:

• Standard Contractual Clauses (SCCs) under GDPR
• Adequacy Decisions for data transfers to countries with GDPR-equivalent laws
• Binding Corporate Rules (BCRs) for intra-company transfers

Legal Basis: Legal Obligation (GDPR Article 46), Contractual Necessity

7.9. User-Controlled Sharing of Data

Users may choose to share their personal data voluntarily by:

• Linking social media accounts to their Caiz profile
• Sharing wallet addresses for transactions
• Participating in public discussions or forums

Users are responsible for managing their own privacy settings and should be aware that any data they voluntarily disclose in public forums or blockchain transactions may be visible to others.

Legal Basis: User Consent (GDPR Article 6(1)(a))

7.10. No Sale of Personal Data

Caiz does not sell, rent, or trade personal data to third parties for commercial purposes. All data processing is conducted in strict compliance with GDPR and ethical finance principles.

8. International Data Transfers

8.1. Overview

Caiz operates as a global financial technology and blockchain service provider, offering decentralized financial solutions to users worldwide (except jurisdictions where cryptocurrency activities are prohibited). Due to the international nature of our services, it may be necessary to transfer personal data across borders to ensure platform functionality, regulatory compliance, fraud prevention, and operational efficiency.

All international data transfers are conducted in strict compliance with applicable data protection laws, financial regulations, and cybersecurity mandates, including:

• General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
• EU ePrivacy Directive 2002/58/EC
• Financial Action Task Force (FATF) Guidelines (for AML/CFT compliance)
• Anti-Money Laundering Directives (AMLDs) of the European Union
• Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs) under GDPR
• Other relevant regional and international data protection regulations

This section outlines how, when, and why Caiz transfers personal data internationally, along with the safeguards and legal mechanisms we employ to protect user privacy.

8.2. Circumstances Requiring International Data Transfers

We may transfer personal data to countries outside the European Economic Area (EEA), on case to case basis for the following purposes:

8.2.1. Cloud Storage and IT Infrastructure

To enhance security, scalability, and operational efficiency, Caiz relies on third-party cloud service providers and data centers that may be located outside the EEA. These providers assist in:

• Securely storing encrypted data
• Ensuring high availability and redundancy
• Performing disaster recovery and data backups

8.2.2. Payment Processing and Financial Transactions

To facilitate fiat and cryptocurrency transactions, Caiz partners with international financial institutions, payment processors, and banking entities outside the EEA, including:

• Banking institutions handling cross-border transactions
• Cryptocurrency exchanges and liquidity providers
• AML/KYC compliance vendors processing international user verifications

8.2.3. Customer Support and Business Operations

Caiz may process personal data outside the EEA when providing:

• Multilingual customer support services via international help centers
• Technical assistance from global IT teams
• Fraud monitoring and security incident response

8.2.4. Compliance with Legal and Regulatory Obligations

Caiz may be legally required to transfer personal data to:

• Foreign regulatory bodies conducting financial crime investigations
• Law enforcement agencies responding to fraud, AML, or cybersecurity threats
• Tax authorities in multiple jurisdictions where users conduct transactions

All legal requests for data transfer are thoroughly reviewed for legitimacy before any disclosure is made.

8.3. Legal Mechanisms for International Data Transfers

When transferring personal data internationally, Caiz ensures that such transfers comply with GDPR and other applicable data protection laws by implementing appropriate safeguards, such as:

8.3.1. Adequacy Decisions (Article 45 GDPR)

Where possible, we transfer personal data to countries that have been officially recognized by the European Commission as providing an adequate level of data protection.

8.4. User Rights Regarding International Data Transfers

Under GDPR and applicable data protection laws, users have the following rights concerning their personal data transfers:

• Right to Information: Users can request details on where their data is transferred and under what legal basis.
• Right to Object: Users can object to international transfers that are not legally mandated.
• Right to Data Portability: Users can request a copy of their personal data in a structured, machine-readable format.
• Right to Withdraw Consent: If data transfer is based on user consent, users can withdraw consent at any time.

To exercise these rights, users may contact legal@caiz.com

9. Data Retention and Storage

9.1. Overview

Caiz is committed to ensuring that personal data is retained and stored securely, in strict compliance with applicable data protection laws, financial regulations, and cybersecurity standards, including:

• General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
• EU ePrivacy Directive 2002/58/EC
• Financial Action Task Force (FATF) Guidelines
• Anti-Money Laundering Directives (AMLDs) of the European Union
• Local and international cybersecurity mandates

This section explains:

• How long Caiz retains personal data
• The legal basis for data retention
• The measures in place to securely store and dispose of data
• Users’ rights regarding data deletion and storage

9.2. Principles of Data Retention

We adhere to the following key data retention principles:

9.2.1. Purpose Limitation

Personal data is retained only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, including:

• Providing our services (account management, transaction processing, KYC verification).
• Complying with legal and regulatory requirements.
• Defending against legal claims and ensuring cybersecurity.

9.2.2. Storage Limitation

Personal data is stored only for the minimum duration required and deleted when no longer needed.

9.3. Retention Periods for Different Categories of Data

The duration for which we retain personal data depends on:

• Legal and regulatory obligations
• Operational and security needs
• User-initiated deletion requests

The specific retention periods for each category of data are outlined below: