Legal
Privacy Policy
Effective July 1, 2026
Introduction
This Privacy Policy governs how Elendil Capital Sp. z o. o. (referred to herein as “we”, “our”, “ours” or “us”) collects, uses, transfers and shares personal information related to your use of our Services and the App. This Policy is designed to align with the European General Data Protection Regulation (“GDPR”) provisions. We are committed to ensuring the transparent, lawful, equitable, and secure management of our Users' data.
Our Privacy Policy explains what kind of personal data we gather through our App and Services, how and why we collect it, our purposes for its use, and the third parties we may share it with. Moreover, it explains how you, as a data subject, may exercise your rights regarding your data.
Should any alterations be made to this Policy (alongside other policies, including our Terms of Service), we will notify you of such changes through our official communication channels on Discord and Twitter and directly on this page.
We strongly encourage you to read this Policy to understand the processes involving your data and your associated rights. For inquiries related to this Privacy Policy, data collection and usage, data disclosure and sharing, or any other concerns or requests related to your data, please do not hesitate to contact us via the communication channels mentioned above.
Definitions
The following section covers the basic definitions used in this Privacy Policy. It describes what your data means and who controls and processes your data.
- Personal Data: Personal data means any information about an identified or identifiable natural person. This includes details like names, addresses, email addresses, identification numbers, and even IP addresses or cookie identifiers, as well as any information found online that may reveal your physical, genetic, mental, economic, cultural or social identity.
- Data Subject: The data subject is the person the personal data is about. In simpler terms, it’s you or any other individual whose personal information is being collected and processed.
- Data Controller: The data controller is the one who determines the purposes and means of processing personal data. In other words, they're the boss when deciding why and how your data is used. In this case, it would be us.
- Data Processor: The data processor, on the other hand, processes personal data on behalf of the data controller. In our case, they are vendors and partners we collaborate with that process your data for purposes determined by us.
Data protection officer
We have designated a data protection officer (“DPO”) to supervise inquiries regarding this privacy policy. Should you have any inquiries or questions concerning this Privacy Policy or our privacy procedures, or if you wish to exercise your legal rights as a data subject, please do not hesitate to contact our Data Protection Officer at skywalker@offramp.xyz.
Information we collect
We need to gather information about you to provide our Services and offer our Products.
Information that You Provide
This category covers the content and details you provide when using our Services and the App. We will never request information about your racial or ethnic background, personal life, sexual orientation, political views, philosophical or religious beliefs, biometric or genetic data, or trade union membership.
When you create your Account, we may request your contact information, including your full name, personal address, email address, and phone number. Additionally, to verify your identity in compliance with legislative requirements, we may collect the following personal information as outlined in the table below:
| Category of personal information | Examples of personal information (list non-exhaustive) |
|---|---|
| Identity data | Full name · Date of birth · Gender · Nationality · Passport number · Social Security number · Driver's licence number · National ID card details |
| Contact data | Email address · Phone number · Physical address · Mailing address · Emergency contact information |
| Financial data | Bank account numbers · Credit card information · Income details · Tax identification number · Financial transaction history |
| Location data | GPS coordinates · Location History · Wi-Fi access point data · IP addresses |
| Employment data | Employment details · Job titles and descriptions · Workplace location |
| Transaction data | Purchase and sale history · Transaction amounts · Payment methods used · Billing addresses · Order amounts |
| Usage Data | Website or app usage patterns · Session durations · Pages visited · Clickstream data · Error logs and crash reports |
| Marketing data | Marketing preferences · Subscriptions and newsletter preferences · Responses to marketing campaigns · Engagement with promotional materials · Referral sources |
| User Account data | Usernames and account identifiers · Profile pictures and avatars · User-generated content (profile descriptions, bios) · User Preferences and settings · Social connections and followers |
| Social media data | Social media profiles · User-generated content (posts, comments) · Friends and connections · Social network activity |
Communications
If you contact us directly, we may request additional information such as your name, email address, personal address, phone number, and other relevant personal details. Whenever we ask for this information during communication, we will clearly explain the reasons behind it.
Payment Information
Our Services enable users to select their preferred payment method for executing Orders and Transactions via third-party credit and financial institutions and payment service providers. We do not retain your financial account information; the payment provider securely handles it. Note that these vendors may, in turn, collect and process your personal information on their behalf and for their purposes and obligations. To learn more about how third-party payment service providers and financial institutions collect, use and share your personal information, you are encouraged to read their privacy policies or notices provided on the official websites of the respective service providers.
Information from Third Parties
In our continuous effort to provide seamless and comprehensive Services, we may obtain personal data from third-party partners and vendors. In case of such integration, the information collected by our partners is shared with us. We require our partners to have lawful purposes to collect, process and use your data before sharing it with us. These third-party partners and vendors play a vital role in enhancing the functionality and utility of our platform. Here's how personal data from these sources may be used:
- Merchant VASPs: We collaborate with third-party Merchant VASPs to facilitate transactions with Fiat currencies. In such cases, we may receive information you shared with these Merchant VASPs as part of your transactions. This information may include transaction history, account details, and other relevant financial data. Strict privacy and security standards govern our use of this data to ensure the confidentiality and integrity of your financial information.
- API Integrations: We may integrate with third-party APIs like Plaid and Chainlink to provide you with certain features and services. These integrations allow us to access and retrieve specific financial data with your explicit consent. The data obtained through such integrations may include bank account information, transaction history, account balances, and other financial details. We utilise this data to offer enhanced features and allow you to purchase Crypto Funds in exchange for fiat currency before depositing it into your account. Your consent is sought and obtained when accessing your financial data through API integrations, and you retain control over the scope of data shared.
- Public Databases: We may obtain personal data from publicly available databases to enhance our Services and fulfil our legal and regulatory obligations. The information retrieved from these databases may include names, addresses, contact information, employment details, affiliations with restricted, sanctioned, or prohibited groups and associations (as defined by relevant legal acts), and other publicly accessible data. This data assists us in various functions, such as identity verification, fraud prevention, and compliance with relevant laws and regulations.
- Identity Verification Partners: To ensure the security and integrity of our Services, we collaborate with identity verification partners who provide us with access to specific personal data required for identity verification purposes. This data may comprise full names, address information, identification document images and data, personal identification codes, identification document holder photos, date of birth, citizenship, place of birth and other relevant identity-related data.
- Credit and Financial Institution: We may obtain personal data from financial and credit institutions in compliance with the law and industry standards. This data can encompass financial transaction history, account balances, credit scores, account details, and other financial information. This information is crucial for enabling financial transactions and ensuring compliance with relevant regulations.
- Google Single Sign-on (SSO): We may collect the user’s email address data in order to streamline user log-on through Google SSO authentication features. User data collection shall remain limited to the user's email address and will not encompass any other user data.
- Blockchain Data: We may collect publicly available blockchain data to monitor and detect illegal activities, including those defined by applicable laws and regulations. This data may include blockchain transaction details, wallet addresses, and other relevant blockchain information.
- Marketing Partners, Advertisers and Analytics: In collaboration with marketing partners, we may collect personal data to better understand your interaction with our app and services. This data aids us in refining our marketing strategies and offering you personalised recommendations. In turn, advertisers may provide us with personal data to assess the effectiveness of advertising campaigns and optimise ad targeting. At the same time, analytics partners help us understand how you use and interact with our platform. The partners' shared data may include user preferences, interaction patterns, user behaviour on our App, response to marketing campaigns, interest-based data, click-through rates, conversion data, session durations, traffic sources, clickstream data, and other relevant data.
How we use your data
Lawful Basis and Legitimate Interest
Our collection, use, and sharing of your data are founded on various lawful bases, depending on the context. The following scenarios represent the circumstances in which we engage in data collection:
- Consent: We process your data when you grant your explicit consent. This typically occurs when you have reviewed our data processing purposes and willingly agreed to them. Examples include subscribing to our marketing notifications and campaigns or permitting the use of your personal information to enhance your experience while using our App and Services.
- Performance of a contract: We process your information when performing a contract with you is essential. This encompasses situations where your data is required for processing and finalising your orders or adhering to the terms of any other contractual agreement we have entered into with you. It also includes enforcing the terms of this Policy and other agreements, providing our Services, ensuring the quality of our Services, and offering customer service and support.
- Legal Obligation: We use your data when a legal obligation necessitates data disclosure. This occurs when compliance with legal requirements imposed by law or legal orders is mandatory.
- Legitimate Interests: We may process your data when we have a legitimate interest that aligns with the operation and provision of our Services. This includes activities aimed at improving our App, maintaining proper security measures, and preventing illegal activities related to your data. Our legitimate interests are pursued only when they do not infringe upon our fundamental rights.
In the table below, you will find the list of purposes for which we use your data and what lawful bases we invoke for its use.
| Purpose | Purpose description | Lawful basis |
|---|---|---|
| Providing and Maintaining Services and App | Providing and maintaining Services and the App: Managing the operation and maintenance of our Services to ensure their functionality and availability | Performance of a contract |
| Payment Processing and Order Execution | Processing payments and executing Orders in compliance with market fairness, transparency, competitiveness, and genuineness rules | Performance of a contract |
| Fraud Prevention | Detecting and preventing fund losses, including those resulting from fraud and misuse of our Services and App | Legitimate interest |
| Compliance with Laws and Regulations | Ensuring compliance with relevant laws and regulations, including anti-money laundering, terrorism financing, fraud prevention, and other financial crime regulations | Compliance with a legal obligation · Performance of a contract · Legitimate interest: ensuring that we do not deal with funds resulting from proceeds of crime, such as money laundering or terrorist financing, and do not assist in or facilitate in any manner any financial crime and other criminal activities. |
| Travel Rule Compliance | Where required by applicable law, including Regulation (EU) 2023/1113 and applicable anti-money laundering and counter-terrorist financing legislation, we may collect and process information relating to the originator and beneficiary of virtual asset transfers. Such information may include the names and identifying details of the sender and recipient, wallet addresses, account identifiers, transaction information, and any other data required to verify, process, or support a transfer in accordance with applicable legal and regulatory requirements. We process this information to comply with our legal obligations, facilitate the execution of transactions, and support the prevention, detection, and investigation of money laundering, terrorist financing, fraud, and other unlawful activities. | Legal Obligation |
| User Communication and Support | Communicating with you directly or through our partners for customer support, notifications regarding changes and updates to the Services, crucial service-related information, marketing, and promotional purposes. | Performance of a contract |
| User Notifications | Sending various communications, including notifications, reminders, and confirmations, to keep you informed about your activities and our Services | Performance of a contract |
| Service Improvement | We are continuously improving the quality, performance, and features of our Services. | Legitimate interest: to grow our business continuously, to implement the industry's best practices and adhere to its standards, to attract potential customers and users to use the Services and the App |
| Research and Development | Conducting research and development activities related to our Services, including the development of new features and functionalities of the App and the introduction of new products and services | Legitimate interest: to improve the functionality of our Services and the App, to ensure the competitiveness of our product, to grow our business and attract potential customers and users by introducing novel features and providing continuous development of the App |
| Measurement and Analytics | Performing measurement and analytics to understand how our users interact with our Services, analyse user behaviour, and identify user preferences | Legitimate interest: to learn how users interact with and use our Services and App, to conduct studies, to develop a marketing strategy and implement amendments to the Services, fixes and new features · Consent, if required |
| Safety and Security | Promoting the safety, security, and integrity of your funds, our Services, and data through protective measures and ongoing monitoring | Legitimate interest: to ensure the security of our data and funds, to prevent unauthorised access to your account and irreversible loss of funds. · Performance of a contract |
| User Account Management | Managing user accounts, including account setup, recovery, and termination | Performance of a contract |
| Personalisation | Tailoring user experiences based on preferences and behaviours for personalised content and recommendations | Legitimate interest: to ensure that our users receive information and content that they opt to see, to enhance user experience and customer satisfaction · Consent, if required |
| Third-Party Service Providers | Engaging third-party service providers for specific tasks such as payment processing and customer support | Legitimate interest · Consent, if required |
| User Feedback | Collecting user feedback to improve our services and gather valuable insights | Performance of a contract · Legitimate interest: to gather feedback from our users to learn of errors, issues and problems arising from the use of Services and the App, to implement fixes, to develop new features and to ensure customer satisfaction with our Services and the App. · Consent, if required |
| Record Keeping | Maintaining records for auditing, accounting, and compliance purposes by applicable laws | Compliance with a legal obligation |
| Partnerships and Collaborations | Sharing data with partners, collaborators, or affiliates for joint initiatives, promotions, or integrated services | Legitimate interest: to ensure certain functionality of our App, to develop and grow our business |
| User Education | Providing educational resources and training materials to enhance user knowledge and promote secure service usage | Legitimate interest: to educate our users and enhance your experience on the App |
| Social Media Use | Using social media channels, such as Twitter and Discord, for advertising, notification and customer support, among others | Consent · Performance of a contract |
How we share your data
We may share the information we collect with various third parties to support and enhance our business operations (data sub-processors). You may find a list of our sub-processors annexed at the end of this Policy.
Please be aware that certain service providers operate outside of the EU/EEA area. For detailed information on how your data is handled when shared with third parties outside the EU/EEA, please refer to the Data Transfers Outside the EU/EEA section below. This section clarifies the types of third parties with whom we share information and highlights the presence of non-EU/EEA service providers for transparency regarding data handling practices.
- Vendors and Service Providers: We collaborate with vendors and service providers who assist us in maintaining and optimising our business. These service providers encompass a range of functions, including web and mobile analytics services, advertisers, IT partners, hosting and software providers, and sales and marketing products.
- Credit and Financial Institutions: We may share your information with credit and financial institutions to process your transaction and complete your order. Payment providers collect information expressly to process your transaction. For further details, please read the privacy policy of the respective credit or financial institution you use. We may forward your information to credit and financial institutions to finalise your order; however, we never keep your payment information or use it in any way other than to process your transaction.
- Third-Party VASPs: To complete the exchange of fiat currency to cryptocurrency as part of your transactions, we may, in certain instances, share your relevant personal information with third-party Virtual Asset Service Providers (VASPs). These VASPs are integral to ensuring the successful execution of your cryptocurrency transactions. We recommend reviewing their respective privacy policies to understand how these VASPs collect, use, and protect your personal information.
- Metamask: To provide you with an enhanced user experience and the capability to connect your wallet to your Account seamlessly, we collaborate with Metamask. This integration allows for convenient wallet management and access to cryptocurrency-related features. Metamask's handling of your personal information is governed by its privacy policy, which we encourage you to review for detailed insights into its data practices. Your personal information is shared with Metamask solely to facilitate cryptocurrency transactions and enhance your wallet connectivity.
- Identity Verification Services: We utilise third-party identity verification services to ensure compliance with legal requirements under relevant law and to uphold your activities' safety, transparency, and lawfulness. Using our verification partners' services, we cross-reference the personal information that you provide, or that a third party offers, with the information in our databases and public records.
- Advertisers: In our commitment to providing you with a seamless experience, we may share certain information with advertisers who play a role in enhancing our Services. These advertisers assist us in delivering relevant content and promotions tailored to your interests. The information shared with advertisers may include user preferences, interaction patterns, engagement with advertising campaigns, and interest-based data. Our collaboration with advertisers aims to provide advertisements that align with your preferences and interests.
- Business Partners: To jointly deliver integrated services, promotions, or joint initiatives, we may share specific information with our trusted business partners in various fields. The data shared with business partners can encompass a variety of relevant information to support our shared objectives. Any information shared is handled in compliance with data protection laws and regulations, and it is used exclusively to deliver the intended services and enhance your overall experience.
- Law Enforcement: We may share your information with law enforcement agencies and competent authorities in exceptional circumstances and as applicable laws and regulations require. This is done to support investigations, maintain legal compliance, and ensure the safety and security of our App and users. It may be necessary in the case of court proceedings, complying with a legal order or other legal process, as well as for financial crime, money laundering and terrorism financing prevention, if we have substantial grounds to believe any natural or legal person to be involved in or associated with the said forms of crime.
- Transfers, Mergers and Acquisitions: In the event of insolvency, bankruptcy, acquisition, transfer of ownership, sale of assets or succession, your personal information may be disclosed to the new owner, acquirer or successor of the company or other relevant third parties.
How your data is secured
At Elendil Capital Sp. z o. o., we consider the security of your personal information paramount. We employ various technical, organisational, and administrative measures to safeguard your data against unauthorised access, disclosure, alteration, and destruction. These security measures include:
- Data Encryption: We utilise industry-standard encryption protocols to protect data during transmission and storage. This ensures that your information remains confidential and secure.
- Access Controls: Access to your personal information is restricted to authorised personnel who require access for legitimate business purposes. Access controls and authentication mechanisms are implemented to verify and restrict access.
- Employee Training: Our team is trained in data security best practices to ensure they handle your information with care and adhere to strict data protection guidelines.
- Data Backups: Regular data backups are performed to prevent data loss in case of unexpected events or system failures.
- Incident Response: We have established incident response procedures to address and mitigate any security incidents or breaches promptly, should they occur.
- Blockchain Technology: Our App operates on blockchain technology, inherently providing transparency, immutability, and decentralisation. This ensures that your transactional and personal data is stored securely across multiple nodes, reducing the risk of unauthorised alterations or data breaches.
- User-Controlled Data: As an App User, you control your personal information through private keys and digital wallets. Your data is encrypted and accessible only by you, reducing the exposure to external threats.
- Smart Contracts: We employ smart contracts, self-executing and tamper-proof agreements, to govern and automate transactions. These contracts enhance security by reducing the need for intermediary intervention and minimising the risk of fraud.
- Cryptography: Robust cryptographic protocols secure data transmission and storage within our App. This ensures that your sensitive information remains confidential and protected from unauthorised access.
- Regular Audits and Updates: Our team conducts regular security audits and updates to identify and mitigate potential vulnerabilities or weaknesses in our App's infrastructure. We remain committed to staying at the forefront of security best practices in the blockchain space.
- Data Minimization: We collect and store only the minimum personal information necessary to facilitate your transactions and provide our Services. Unnecessary data is not retained, reducing the potential impact of any security incidents.
- User Education: We encourage users to educate themselves about blockchain security best practices and the responsible management of private keys and digital assets. We provide resources and guidance to help you protect your data effectively.
While we take extensive measures to protect your data, it's also essential for users to play a role in their data security. We encourage you to:
- Use strong, unique passwords for your Metamask and payment accounts connected to the App;
- Enable multi-factor authentication when available;
- Keep your login credentials confidential; and
- Regularly update your account information and review access permissions.
If you ever have concerns about the security of your data, suspect any unauthorised activity, or would like to know the specific measures undertaken to secure your data, please don't hesitate to contact us via Telegram or Discord.
Data retention
Your personal information is held and stored securely for your active account with us. We are committed to retaining your personal information only for the period necessary to fulfil the specific purposes for which it was collected. The retention periods may vary depending on the type of personal information and the purposes for which it was initially gathered. Here's an outline of our data retention practices:
| Category | Retention purposes and periods |
|---|---|
| Legal obligations | Personal information related to our legal obligations, such as compliance with anti-financial crime and anti-money laundering laws and regulations, may be stored for as long as these legal requirements mandate. We are dedicated to upholding our legal obligations and ensuring that data is retained as necessary to meet these standards. |
| Marketing contact information | Contact information used for marketing purposes is retained only for the duration of your consent. If you decide to withdraw your consent, this data is promptly deleted from our records. |
| Correspondence with us | Correspondence with us may be retained for up to five years. This ensures we can maintain accurate quality assurance, dispute resolution, and compliance records. |
| Technical information | Information collected through technical means, such as cookies and analytics, is retained for up to one year. This data assists us in improving the performance and functionality of our services and enhancing your overall experience. |
| Transaction history | Transaction records, including details of cryptocurrency transactions and smart contract interactions, may be retained for five years following the end of the business relationship and, where required by law, for an additional period permitted under applicable regulations to ensure transparency, auditability, and dispute resolution. These records help users track their transaction history and support the integrity of the blockchain network. |
| Smart contract data | Data related to smart contracts executed within the App may be retained indefinitely on the blockchain for transparency and verification. Smart contract data is typically accessible and immutable as per the nature of blockchain technology. |
| User preferences | User preferences and settings, such as language preferences or interface customisation, may be stored for as long as necessary to maintain a personalised user experience. This data allows users to have a consistent and tailored interaction with the App. |
| Error and debug logs | Logs of errors and debugging information may be retained for up to three years to identify and resolve technical issues. These logs support the continuous improvement and maintenance of the App's functionality. |
| Consent records | Records of user consent, particularly in the context of data processing, are retained for as long as the consent is valid, plus five years after its withdrawal. These records help verify that users have provided informed consent for specific data processing activities and comply with the relevant legal requirements imposed on us. |
| Blockchain metadata | Metadata associated with blockchain transactions, such as timestamps and block numbers, may be retained as part of the blockchain's permanent ledger. |
| Security and Access Logs | Logs of user access and security-related events, such as login attempts and authentication records, may be retained for security monitoring and threat detection for up to five years. These logs help protect the dApp from unauthorised access and breaches. |
Your rights as data subject
As a User of our Services and the App, you have certain rights regarding the personal data that we collect and use. These rights are designed to give you control and transparency over your data. The following are your rights as a data subject:
- Right to Access: You can request access to the personal data we hold about you. This includes the right to obtain confirmation of whether we are processing your data and, if so, access to specific details of that processing.
- Right to Rectification: If you believe that the personal data we hold about you is inaccurate or incomplete, you have the right to request the correction or completion of such data.
- Right to Erasure (Right to Be Forgotten): You have the right to request the deletion of your data under certain circumstances. This right is not absolute and may be subject to legal requirements or legitimate interests that override your request.
- Right to Restriction of Processing: You can request the restriction of processing of your data in certain situations. We will limit how we use your data, but we may continue storing it.
- Right to Data Portability: In some cases, you have the right to receive your data in a structured, commonly used, and machine-readable format and to transmit it to another data controller.
- Right to Object: You can object to processing your data, including for direct marketing purposes or when we rely on legitimate interests as our legal basis for processing.
- Rights Related to Automated Decision-Making and Profiling: We commit to transparent and fair automated decision-making processes. If you are subject to automated decision-making that produces legal effects or significantly affects you, you can request human intervention and reconsideration of the decision.
Exercising Your Rights
To exercise any of the rights outlined above or if you have any questions or concerns regarding processing your data, don't hesitate to get in touch with our Data Protection Officer (DPO) at skywalker@offramp.xyz. Our DPO will assist you in addressing your data-related inquiries and ensuring that your rights as a data subject are respected and upheld.
You will not be charged a fee for accessing your data or exercising any of the abovementioned rights. However, if your request is manifestly unfounded or excessive, we reserve the right to charge a reasonable fee. This fee, if applicable, will be based on the administrative costs associated with processing your request. Alternatively, we may refuse to comply with your request in these exceptional circumstances. If such a situation arises, we will explain our decision clearly and transparently. Please note that we will always act in accordance with applicable data protection laws and regulations when assessing the reasonableness of any fees or the validity of requests.
Under the GDPR, we are committed to responding promptly to legitimate requests regarding your data. The statutory period for us to reply to such requests is one month from the date of receipt. However, when a request is particularly complex or we have received a high volume of requests, we may extend this period by up to two months as necessary. This extension will be based on careful consideration of the complexity and number of requests received.
Data transfers outside EU/EEA
As some of our business partners, vendors and service providers are outside the European Union or European Economic Area, we may need to transfer your data to countries outside the EU/EEA zone.
We take stringent measures to ensure that such transfers are conducted in compliance with applicable data protection laws and that your data remains adequately protected.
- Transfers to and from Processors in Countries with Adequacy Decisions: Some of our data processing activities may involve transfers to and from data processors in countries that have received adequacy decisions from the European Commission. Adequacy decisions confirm that these countries provide a level of data protection that is deemed equivalent to EU/EEA standards. When such transfers occur, your data is adequately protected by the recipient's legal framework.
- Transfers from and to Other Countries: In cases where data is transferred to countries that do not have adequacy decisions or other recognised mechanisms, we utilise Standard Contractual Clauses (SCCs) as provided by the European Commission. SCCs are a set of contractual terms and conditions approved by the European Commission. They provide a framework for the lawful transfer of personal data that imposes data protection obligations on both parties involved in the data transfer and ensures that your data remains protected according to EU/EEA standards. These clauses include provisions that require the recipient to provide an adequate level of data protection.
We are committed to ensuring that all international transfers of your data are conducted with the utmost care and in compliance with relevant data protection regulations. If you have any questions or concerns about international data transfers or the mechanisms we employ to protect your data, please do not hesitate to contact our Data Protection Officer (DPO) at [DPO contact information].
Policy changes
We may periodically update this Privacy Policy to reflect changes in our data processing practices and legal requirements or to improve transparency and clarity. When we make significant changes to this policy, we will notify you through the following channels:
- Direct updates to the Policy: Any substantial changes to this Privacy Policy will be incorporated directly into the Policy and available for viewing through the App. We encourage you to review this Policy periodically to stay informed about how we handle your data.
- Notification via Twitter: We will use our official Twitter account to announce essential updates and changes to the Privacy Policy. Follow us on Twitter to receive messages and stay informed about the latest developments.
- Notification via Discord: We will also use our official Discord channel to communicate significant changes to the Privacy Policy. Join our Discord community to receive updates and discuss our data practices.
Contact details
For any inquiries, requests, or concerns related to this Privacy Policy or our data processing practices, please get in touch with us using the following information:
Elendil Capital Sp. z o. o.
Registered Office Address: Bartycka 22B/21A, 00-716 Warszawa, Poland
Contact Email: contact@offramp.xyz
Data Protection Officer (DPO): Luc Mikhail H Loja
DPO Contact Email: skywalker@offramp.xyz
Official Twitter: https://twitter.com/OfframpXYZ
Official Discord: https://discord.gg/offrampxyz
Annex I
Sub-processor list
| Sub-Processor | Jurisdiction | Purpose |
|---|---|---|
| Sumsub | United Kingdom | Identity Verification and Anti-Money Laundering Screening |
| Flagright | Singapore | Transaction Monitoring and Anti-Money Laundering Screening |
| Third National | Puerto Rico | Payment card issuer |
| Dynamic Labs, Inc. | United States | User onboarding |
| Google LLC | United States | User sign-in |
| Manteca | Argentina | QR Payments |
| Dinari | United States | Tokenization |
| Zendesk | United States | Customer service |
| Due | United Kingdom | Payment services |
| Bridge | United States | Payment services |
| Superbank | United States | Payment services |
Annex II
Supplemental privacy provisions for business customers
This Annex forms an integral part of the Privacy Policy and applies to legal entities and other organizations using the Services through a business account ("Business Customer"). To the extent that any provision of this Annex differs from the Privacy Policy, this Annex shall govern the processing of information relating to Business Customers. Capitalized terms not defined in this Annex have the meanings assigned to them in the Privacy Policy.
1 Personal Data Collected from Business Customers and Their Representatives
In addition to the data categories described in the main Privacy Policy, where a User registers or operates a business account, we collect and process the following categories of personal data relating to natural persons connected with the Business Customer:
- (a) Corporate identity and ownership data: registered name and number of the business entity, registered address and principal place of business, certificate of incorporation or equivalent constitutional document, details of all directors and officers, beneficial ownership register disclosing all natural persons who ultimately own or control more than twenty-five percent (25%) of the entity’s share capital or voting rights or who exercise control by other means, including names, dates of birth, nationalities, residential addresses, and identity document details of each such person;
- (b) Authorised representative data: full name, job title, identity document details, and contact information of any individual authorised to act on behalf of the Business Customer in relation to the Services;
- (c) Authorised User data: identity verification data and account credentials of each natural person designated as an Authorised User of the business account;
- (d) Business activity data: a description of the entity’s principal business activities, the stated purpose of its use of the Services, estimated transaction volumes, and the jurisdictions in which it principally operates; and
- (e) Politically Exposed Person (PEP) and sanctions screening data: information gathered in the course of screening directors, beneficial owners, and Authorised Users against applicable PEP lists, sanctions lists, and adverse media sources, including the results of such screening and any supporting documentation.
The lawful bases for this processing are: compliance with a legal obligation (in particular obligations arising under the Act of 1 March 2018 on Anti-Money Laundering and Counter-Terrorist Financing and associated EU directives), performance of a contract with the Business Customer, and our legitimate interest in managing financial crime risk and ensuring the integrity of the Services. Where processing is required to assess whether an individual is a PEP, we rely on our legal obligations and legitimate interests as the applicable bases.
2 Processing of Authorised Users’ Personal Data
Where a Business Customer designates one or more individuals as Authorised Users of its business account, we process the personal data of each such Authorised User in our capacity as Data Controller, independently of the Business Customer, for the purpose of identity verification, access management, transaction monitoring, compliance screening, and fraud prevention. Each Authorised User is a data subject in their own right and is entitled to exercise the rights described in the “Your Rights as Data Subject” section of this Privacy Policy.
The Business Customer is responsible for ensuring that each Authorised User has been duly informed of the processing of their personal data by Elendil Capital, including by providing them with a copy of or a link to this Privacy Policy prior to their designation as an Authorised User.
The Business Customer warrants that it has a lawful basis for sharing each Authorised User’s personal data with Elendil Capital for the purposes described in this Annex. Elendil Capital shall not be liable for any failure by the Business Customer to satisfy its own notification or transparency obligations toward Authorised Users under applicable data protection law.
3 Business Customers Acting as Data Controllers — Data Processing Agreement
In certain configurations of the Services, a Business Customer may operate as a Data Controller in respect of personal data belonging to its own end-users or customers, which it submits to or processes through the Offramp platform. In such circumstances, Elendil Capital acts as a Data Processor on the Business Customer’s behalf within the meaning of Article 4(8) of the GDPR, and the parties are required to execute a Data Processing Agreement (“DPA”) in accordance with Article 28 of the GDPR prior to the commencement of any such processing.
The DPA will set out: the subject matter and duration of the processing; the nature and purpose of the processing; the type of personal data involved; the categories of data subjects; and the respective obligations and rights of Elendil Capital as Processor and the Business Customer as Controller. Business Customers must not submit any personal data of third parties to the platform in circumstances where Elendil Capital acts as Processor unless and until a DPA has been duly executed. Requests for a DPA should be directed to our Data Protection Officer at skywalker@offramp.xyz.
4 Sharing of Business Customer Data with Third Parties
In addition to the general data sharing described in the “How We Share Your Data” section of this Privacy Policy, personal data collected as part of the KYB process for Business Customers may be shared with the following categories of recipients, where applicable and to the extent necessary: (a) identity verification and KYB service providers, including those listed in the Sub-Processor List at Annex I; (b) beneficial ownership registries and public corporate registries, for the purposes of verifying the information provided; (c) sanctions screening and adverse media providers, to fulfil our obligations under applicable AML legislation; (d) partner financial institutions or VASPs through whom Services are delivered to the Business Customer, where disclosure is required to perform the contract or comply with partner-specific compliance requirements; and (e) competent authorities, regulators, law enforcement agencies, and courts, where we are required by law or a binding legal order to disclose such data, or where we have reasonable grounds to suspect financial crime, money laundering, or terrorist financing involving the Business Customer or its associated persons.
5 Data Retention for Business Accounts
The retention periods set out in the main “Data Retention” section of this Privacy Policy apply equally to Business Customers, subject to the following supplemental provisions that reflect the enhanced legal obligations arising from business account relationships:
- (a) KYB documentation: Corporate documents, beneficial ownership registers, director and officer identity records, and all due diligence documentation collected during the KYB process will be retained for a minimum of five (5) years from the date of termination of the business relationship, in accordance with the obligations imposed by the Act of 1 March 2018 on Anti-Money Laundering and Counter-Terrorist Financing and corresponding EU AML directives. Where an ongoing investigation, regulatory inquiry, or legal proceeding requires retention beyond this period, documents will be held until the relevant matter is conclusively resolved.
- (b) PEP and sanctions screening records: Records of screening outcomes, including the dates, sources, and results of checks performed against PEP lists and sanctions databases, will be retained for five (5) years from the date of the most recent screening.
- (c) Authorised User records: Identity verification records and access logs for each Authorised User will be retained for five (5) years following the cessation of that individual’s access to the business account, irrespective of whether the underlying business account remains active.
- (d) Transaction records related to business accounts: All records of Transactions processed through a business account will be retained for at least five (5) years from the date of the Transaction, as required under applicable AML and accounting regulations, and may be retained for longer periods where required by a competent authority or by applicable tax law.
Business Customers and their associated natural persons (including directors, beneficial owners, and Authorised Users) who wish to exercise data subject rights in respect of personal data held pursuant to AML legal obligations should be aware that such rights may be subject to restriction or deferral where exercise of those rights would undermine the purposes for which the data is held or would conflict with statutory retention requirements. In such cases, we will inform the relevant data subject of the applicable restriction to the extent permitted by law and without compromising any ongoing investigation.