- Overview
This Privacy Policy (“Policy”) explains how DAOBRIDGE Sp. z o.o. (“Company”, “DAOBRIDGE”, “We”, “Our”, “Us”) collects, processes, stores, and protects your personal data at a level appropriate to the data protection law applicable in Poland, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).
This Policy applies to all individuals who interact with DAOBRIDGE in the context of using Our services, visiting Our website https://daobridge.io/, or otherwise engaging with Us in a way that involves the processing of personal data.
We are committed to protecting the confidentiality, integrity, and availability of your data and ensuring transparency regarding how We handle it. Please read this document carefully to understand your rights and Our obligations.
If you have any questions or concerns regarding this Policy, you may contact us at the details provided in the “Data Controller” section.
- Definitions
| Term | Definition |
| --- | --- |
| Biometric data | Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. |
| Data controller | A natural or legal person, who is responsible for the decisions related to the processing of data and determines the purposes, means and scope, as well as issues related to these. |
| Data Protection Officer (DPO) | An individual appointed by DAOBRIDGE to monitor internal compliance, advise on data protection obligations, and act as a contact point for data subjects and supervisory authorities. |
| Data subject | A natural person to whom the data refers. |
| Consent | Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. |
| Personal data | Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
| Processing | Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Supervisory authority | An independent public authority established under Article 51 of the GDPR. In Poland, this authority is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, PUODO). |
| Third party | A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data. |
- Principles of Personal Data Handling
The Company is committed to processing personal data in full accordance with the principles established under the GDPR. These principles are the foundation of all Our data protection practices and ensure that your rights and freedoms are respected at every stage of the data lifecycle.
We adhere to the following principles:
- Lawfulness, fairness, and transparency. Personal data is processed lawfully, fairly, and in a transparent manner in relation to the data subject. We always inform you of the legal basis and purpose of the data collection and provide clear, accessible information on your rights.
- Purpose limitation. Personal data is collected for specified, explicit, and legitimate purposes and is not further processed in a manner that is incompatible with those purposes. We do not use your data for purposes that you were not made aware of at the time of collection.
- Data minimization. We only collect and process personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. We do not gather excessive or unnecessary information.
- Accuracy. The Company takes every reasonable step to ensure that personal data is accurate and kept up to date. Inaccurate or outdated data is rectified or erased without delay.
- Storage limitation. Personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data was collected or is otherwise lawfully processed.
- Integrity and confidentiality. We process personal data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organizational measures.
- Accountability. As a data controller, DAOBRIDGE is responsible for, and able to demonstrate, compliance with all of the above principles. We maintain comprehensive documentation, conduct regular audits, and train staff to uphold the highest data protection standards.
- Data Controller
The Data Controller responsible for the processing of your Personal Data is DAOBRIDGE Sp. z o.o.
- Registered office: Konduktorska 18/7, Warszawa, 00-775, Poland
- KRS number: 0001040951
- REGON: 52551912900000
- Email: support@daobridge.io
- Website: https://daobridge.io/
If you have any questions, requests, or concerns regarding how We process your personal data, you may contact Us at the details above.
- Sources of Personal Data
We obtain personal data from a variety of lawful sources, depending on the context of Our interaction with you and the services you use. We collect data either directly from you, automatically through Our website, or from third-party sources that are authorized to share such information under applicable laws and contracts.
Data provided directly by you. We collect personal data that you voluntarily provide to Us, including when you:
- register for and use Our services (e.g., during account creation or onboarding);
- complete Know Your Customer (“KYC”) and Know Your Business (“KYB”) verification processes. In the course of KYB verification, we may collect the personal data of legal entity representatives, directors, and shareholders, which are provided to us directly or through the authorized contact person;
- communicate with Us via email, phone, contact forms;
- respond to surveys or submit feedback.
Data collected automatically. We may collect certain information automatically when you visit or interact with Our Website, such as:
- IP address, device type, browser type and version, language settings;
- date and time of access, referral URL, pages visited;
- other usage information.
For more information, please refer to Our Cookie Policy.
Data obtained from third parties. We may receive personal data from trusted external sources, such as:
- identity verification providers;
- blockchain analytics services;
- regulatory or supervisory authorities;
- public databases (e.g., sanctions or politically exposed persons lists);
- referral partners or affiliate marketers.
In all such cases, the Company ensures that the third parties have obtained the data lawfully and have the appropriate legal grounds to share it with Us.
We do not knowingly collect data from illicit or unverified sources, and We always strive to ensure the accuracy and legitimacy of the information We process.
- Categories of Personal Data Collected
To fulfill Our legal obligations and provide you with secure, compliant, and effective services, DAOBRIDGE collects and processes various categories of personal data. The exact types of data may vary depending on your relationship with Us (e.g., customer, visitor), and the services you use.
There are two types of data that you can share with Us when you visit Our Website and use Our services:
- personal data that you voluntarily share; and
- data that is collected automatically by your use of the DAOBRIDGE website or Our services.
Below are the types of data you provide to us on a voluntary basis:
- Identification and contact data: full name, date of birth, nationality, sex, phone number, email address, tax identification number, personal number, and any other information in the documents you provide to us during the KYC process (e.g., your residential address, passport photo).
- Financial and transactional data: cryptocurrency wallet addresses, account balances, currency, amount, type of transaction, transaction history on our platform, bank account details (IBAN, BIC/SWIFT), payment records, and invoices.
- Biometric data: liveness check.
- Customer support communication: email (your email address, photo of your account, contents of any messages you send and attachments), Telegram chat (your nickname, photo of your account (if stated), phone number (if stated), correspondence with you, attachments).
- Other data: other relevant information necessary for AML/CFT compliance, such as source of funds, occupation, and purpose of the business relationship.
To process the data that the Company receives from your identification documents and other documents used for AML/CFT purposes, We use the services of a third-party provider, SumSub (https://sumsub.com/).
Below you can review the types of data that are collected automatically:
- Usage data: the length of the visit on Our Website, the functions you use and actions you perform, access dates and times, time zone, type of computer or mobile device, search engine terms that you use.
- Device data: device name, device ID, operating system, browser settings (language, browser version, date and time of request, destination URL, etc.), mobile network system, overall geographic location.
- Online identifiers: cookie identifiers, IP address, pixel tags, MAC addresses.
- Marketing data: preferences that you have in relation to obtaining marketing materials from Us or third parties.
Please be aware that not providing the necessary data, submitting incorrect or incomplete information, or failing to comply with Our other requests may result in Our services being unavailable to you.
- Personal Data We Do Not Collect
DAOBRIDGE follows the principle of data minimization and only processes personal data that is necessary for the provision of Our services, compliance with legal obligations, and the fulfillment of legitimate interests. Accordingly, We do not intentionally collect or process the following categories of personal data:
- Special categories of personal data – as defined under Article 9(1) of the GDPR, We do not collect any data revealing:
  - racial or ethnic origin;
  - political opinions;
  - religious or philosophical beliefs;
  - trade union membership;
  - genetic data;
  - biometric data (except where biometric data is collected strictly for identity verification and with appropriate safeguards);
  - health data;
  - data concerning a person’s sex life or sexual orientation.
- Criminal convictions and offenses – We do not process data relating to criminal convictions and offenses except where such processing is explicitly required under applicable law (e.g. for anti-money laundering purposes, in accordance with Article 10 of the GDPR); in such cases, the processing is carried out under strict legal safeguards.
- Personal data from unlawful or non-transparent sources – We do not obtain or use personal data from third-party sources unless:
  - the data subject has been properly informed in accordance with Article 14 of the GDPR; and
  - the transfer is based on a valid legal basis, such as contractual necessity, legal obligation, or legitimate interest.
If you have discovered that the Company has collected such information, please contact Us at support@daobridge.io and request that it be removed.
- Personal Data of Minors
We do not knowingly collect or process personal data of individuals under the age of eighteen. Our services are intended exclusively for adults who are legally capable of entering into binding agreements and fulfilling identity verification requirements under applicable AML and KYC regulations.
You must confirm that you are at least eighteen years old during the onboarding process. We may verify your age and identity through documentation and third-party verification services. If We become aware that personal data has been collected from a minor under eighteen without verified parental or legal guardian consent, We will take appropriate steps to:
- immediately delete such data from Our records;
- block access to the account or service; and
- notify the individual or their legal representative, where possible.
Because Our services are financial and regulatory in nature, We do not offer or design features for parental consent or child-directed processing.
We therefore advise that minors do not attempt to access or register for Our services under any circumstances.
- Legal Bases for Data Gathering
The Company collects and processes personal data only when there is a valid legal basis to do so, as required by Article 6 of the GDPR.
Each processing activity We undertake is grounded in one or more of the following lawful bases:
- Consent (Article 6(1)(a) GDPR) – in some cases, We process your personal data based on your explicit and freely given consent. This applies to:
  - marketing and promotional communications;
  - optional surveys or platform features not essential to service delivery;
  - placement of non-essential cookies and tracking technologies.
- Performance of a contract (Article 6(1)(b) of the GDPR) – We process your personal data when it is necessary to enter into or perform a contract with you. This includes:
  - creating and managing your user account;
  - verifying your identity and conducting onboarding procedures;
  - executing crypto-asset transactions;
  - providing customer support and platform services.
- Legal obligation (Article 6(1)(c) of the GDPR) – as a VASP, We are subject to a number of legal and regulatory obligations (the Polish Act of March 1, 2018 on Counteracting Money Laundering and Financing of Terrorism, EU AML directives (e.g., AMLD5), data retention requirements, etc.). In this context, We process personal data to:
  - perform KYC checks;
  - conduct customer due diligence and enhanced due diligence;
  - report suspicious transactions to competent authorities;
  - retain identification and transaction data for legally mandated periods.
- Legitimate interests (Article 6(1)(f) of the GDPR) – We may process personal data where it is necessary for the purposes of Our legitimate interests, provided that such interests are not overridden by your fundamental rights and freedoms. Examples include:
  - ensuring cybersecurity and fraud prevention;
  - monitoring your activity for platform integrity and abuse detection;
  - improving service functionality and user experience;
  - enforcing Our terms and protecting Our legal claims.
Whenever We rely on legitimate interest, We perform a balancing test to ensure that Our interests do not unfairly infringe on your privacy rights.
- Protection of vital interests (Article 6(1)(d) of the GDPR) – this legal basis is rarely applicable but may be invoked in extreme situations where processing is necessary to protect your life or that of another natural person (e.g., emergency disclosures to law enforcement).
In any case, We are here to help you find out exactly on what lawful basis the data is being processed.
- Purposes of Processing
We process your personal data only for specific, explicit, and legitimate purposes, as required by Article 5(1)(b) of the GDPR. Each processing activity is aligned with a lawful basis (see Section 10) and serves the operational, regulatory, or security needs of Our services.
Below is a detailed list of the purposes:
- We process your data to verify your identity, assess your eligibility to use Our services, and perform due diligence checks as required under AML regulations;
- We use your information to create and manage your account, facilitate access to Our platform, and deliver services;
- your data is processed to monitor activity on Our platform, detect and prevent fraudulent behavior, secure user accounts against unauthorized access, and ensure the technical and procedural integrity of Our services;
- We retain and process your data to fulfill Our legal obligations related to financial reporting, AML supervision, tax compliance, regulatory audits, and submission of mandatory disclosures to competent authorities;
- We use your information internally to perform operational risk assessments, conduct compliance reviews and IT security audits, and establish or defend potential legal claims;
- We rely on your data to provide customer support, respond to your inquiries or complaints, manage communication records, and deliver relevant service-related notifications;
- We analyze technical and behavioral data to improve platform performance, personalize the user experience, troubleshoot issues, and optimize the design and reliability of Our services;
- We may process your data, subject to your explicit consent, to send you promotional content, product updates, special offers, or to invite you to provide feedback via surveys.
We ensure that all processing is purpose-limited, proportional, and clearly linked to either a legal obligation, contractual necessity, or a legitimate interest that does not override your fundamental rights.
- Data Subject Rights
As a data subject, you have specific rights under the GDPR. DAOBRIDGE is committed to enabling the full and effective exercise of these rights and provides accessible mechanisms for doing so.
Please review this section to be aware of your rights and contact Us if you have any questions, comments or requests concerning the processing of your personal data.
| Right | Meaning |
| --- | --- |
| Right of access | You have the right to obtain confirmation as to whether or not we process your personal data, and, where that is the case, to access a copy of your data along with information about the purposes of processing, categories of data, recipients, retention periods, and your related rights. |
| Right to rectification | You may request the correction of inaccurate or incomplete personal data concerning you. We will act promptly to ensure the data is accurate and up to date. |
| Right to erasure (right to be forgotten) | In certain cases, such as when the data is no longer necessary, consent is withdrawn, or processing is unlawful, you have the right to request the erasure of your personal data. This right is subject to applicable legal and regulatory retention obligations, especially under AML law. |
| Right to restriction of processing | You may request that We restrict the processing of your personal data under specific conditions: the accuracy of the personal data is contested by you, for a period that allows Us to check the accuracy of the personal data; in the case of illegal processing, and you are against erasure of the personal data and request the limitation of their use; there is no longer a need for Us to use personal data for the purposes of the processing, but it is necessary for you for the establishment, exercise or defense of legitimate claims; you have objected to the processing prior to the verification of whether Our legitimate grounds override yours. During restriction, We may store the data but will not process it further without your consent, unless legally required. |
| Right to data portability | You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to request the direct transmission of that data to another controller, where technically feasible and legally permitted. |
| Right to object | You may object at any time, on grounds relating to your particular situation, to processing based on Our legitimate interests. We will cease such processing unless We demonstrate compelling legitimate grounds overriding your interests or where processing is required for legal claims. Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data for such marketing. In this case, your personal data shall no longer be processed for such purposes. |
| Right to withdraw consent | Where processing is based on your consent, you have the right to withdraw it at any time. Withdrawal shall not affect the lawfulness of processing based on consent before its withdrawal. |
| Right to appeal | You have the right to appeal to the PUODO, if the company does not decide on your request within the established terms. |
At the time of submitting the request, the applicant must confirm his/her identity and provide the contact details necessary to send a response to the exercise of his/her right.
The provision of information, correction or deletion of personal data is completely free of charge and is provided upon request of the data subject; the record in the database must be updated accordingly.
- Ways of Exercising Rights
To exercise any of your rights described in the previous section, you may contact Us using one of the following channels:
- by email at support@daobridge.io;
- through Our Telegram at @DAO_BRIDGE.
Please include sufficient information to identify yourself and clearly specify which right you wish to exercise. We may request additional information or documentation if necessary to verify your identity and ensure that We are responding to a legitimate request.
We will respond to your request without undue delay, and in any case within one month of receipt, as required by Article 12(3) of the GDPR. In complex cases, or where multiple requests are received, this deadline may be extended by an additional two months. We will notify you of any such extension within the original one-month period.
Exercising your rights is free of charge. However, We may charge a reasonable administrative fee or refuse to act on a request if it is manifestly unfounded, excessive, or repetitive, in accordance with Article 12(5) of the GDPR.
If We refuse to act on your request, We will provide a clear justification and inform you of your right to lodge a complaint with the supervisory authority.
If you believe that your data protection rights have been violated, you have the right to file a complaint with the PUODO:
- address: ul. Stawki 2, 00-193 Warszawa, Poland
- website: https://uodo.gov.pl/
- email: kancelaria@uodo.gov.pl
- Personal Data Disclosure
The Company does not sell or commercially trade your personal data under any circumstances. However, We may disclose your data to third parties strictly in accordance with Article 28 of the GDPR, Article 6 of the GDPR, and Article 13(1)(e) of the GDPR, and only when such disclosure is lawful, necessary, and proportionate.
We disclose personal data to the following categories of recipients:
- public institutions, regulatory agencies, or law enforcement authorities when required by applicable law, including but not limited to: the PUODO, the Polish Financial Intelligence Unit (Generalny Inspektor Informacji Finansowej), courts, police, etc.;
- trusted third-party service providers who act on Our behalf and under Our instructions to support the delivery of Our services; these may include cloud hosting and infrastructure providers, identity verification and KYC/AML compliance platforms, etc. (all processors are bound by strict data processing agreements that ensure GDPR-level safeguards and confidentiality, and they are not permitted to use your data for their own purposes);
- Our parent companies, subsidiaries, affiliates;
- business partners with whom We collectively offer products or services, where allowed by law;
- anti-fraud or crime prevention agencies to assist in combating crime, including fraud, money laundering and terrorist financing;
- Our advertising partners.
Our website may contain links to other third-party websites that are governed by their own privacy policies. We are not responsible for these third-party sites or any content posted on them, including policies, advertising, products, services or activities, and/or any loss, damage, disruption or problems arising from or related to these sites.
We encourage you to familiarize yourself with the policies, terms and conditions of each website you visit.
- International Data Transfers
DAOBRIDGE may transfer your personal data to third countries (i.e., countries outside the European Economic Area (“EEA”)) only when such transfer is lawful, necessary, and protected by adequate safeguards.
We recognize that data transferred to jurisdictions without an adequacy decision by the European Commission may expose data subjects to increased privacy risks. Therefore, such transfers are carried out only when fully justified and supported by protective legal mechanisms.
Where possible, personal data is transferred only to countries that the European Commission has deemed to provide an adequate level of data protection under Article 45 of the GDPR. In such cases, no additional authorization is required.
If We transfer your data to a country without an adequacy decision, We rely on Standard Contractual Clauses approved by the European Commission. These legally binding agreements ensure that your rights and protections travel with your data.
In rare cases, We may rely on specific derogations under Article 49 of the GDPR, such as:
- your explicit consent after being informed of the potential risks;
- the transfer being necessary for the performance of a contract;
- the transfer being required for the establishment, exercise, or defense of legal claims.
We regularly monitor the legal status of third countries and the validity of transfer mechanisms.
- Data Retention Periods
The Company retains your personal data only for as long as is necessary to fulfill the purposes for which it was collected, including to comply with legal, regulatory, accounting, and reporting requirements. This practice is fully aligned with the data storage limitation principle set out in Article 5(1)(e) of the GDPR.
The retention period is determined in each case, taking into account factors such as the type of personal data, the purpose of its collection and processing, and compliance with relevant legal or operational retention requirements.
- Security Measures
We implement a comprehensive set of technical and organizational security measures to ensure the confidentiality, integrity, availability, and resilience of your personal data, as required by Article 32 of the GDPR.
The Company continuously assesses its infrastructure, tools, and internal processes to protect your data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
The security measures We employ may include, but are not limited to:
- all personal data in transit is protected via TLS 1.2+ encryption protocols;
- two-factor authentication (2FA);
- user identifiers and metadata are pseudonymized or hashed wherever possible to minimize risk in the event of unauthorized access;
- only designated employees are authorized to handle your personal data, and these persons are obligated to keep your data confidential;
- control of access;
- network firewalls, intrusion detection and prevention systems, and anti-DDoS protection to shield our infrastructure from external threats;
- regular internal and external security assessments, including third-party penetration testing of our infrastructure and applications;
- encrypted backups in geographically separated data centers and a tested disaster recovery plan to ensure business continuity.
DAOBRIDGE treats information security as a core operational priority. We continuously monitor the threat landscape and evolve our protective measures to meet the highest industry standards and regulatory expectations.
- Advertising
The Company may use your personal data to provide you with marketing and promotional content, but only if We have a valid legal basis, such as your explicit consent or Our legitimate interest.
In addition, We may share your personal data with Our marketing partners for the purposes of targeting, analytics, as well as for advertising activities.
We are committed to ensuring that our advertising practices are lawful, transparent, and respectful of your preferences and rights. We will never send you unsolicited marketing messages without a lawful basis and the ability to withdraw freely.
DAOBRIDGE fully respects your right to object to the processing of your data for marketing purposes at any time, as provided under Article 21(2) of the GDPR.
- Amendments to the Privacy Policy
DAOBRIDGE reserves the right to amend, update, or revise this Policy at any time to reflect changes in applicable legislation, regulatory guidance, Our business practices, or the technologies We use.
The Company will take appropriate measures (e.g., sending an email) to notify you, depending on the significance of the changes We make.
Changes will become effective on the date indicated in the revised version of the Policy.
We encourage you to review this Policy periodically to stay informed about how We protect your data. Your continued use of Our services after any update constitutes your acknowledgment and, where applicable, your consent to the updated terms.
Should there be any discrepancy or inconsistency in translation between the English version and any translated versions of this Policy, the English original shall prevail and be binding.