Privacy Notice

We are Crystal Blockchain B.V.; our office is located at the Strawinskylaan 3051, 1077ZX Amsterdam, the Netherlands, Chamber of Commerce registration No 60269618, and all our subsidiaries as defined in article 24a of Book 2 of the Dutch Civil Code. We are responsible for the collection and use of your personal data described in this Privacy Notice.

Crystal powers cryptocurrency transaction analysis and monitoring on the blockchain, bringing best-in-class anti-money laundering compliance and risk management solutions to exchanges, banks, and financial institutions.

We have determined our respective responsibilities for compliance with our obligations under applicable privacy legislation for processing your personal data concerning our global processing activities through an arrangement between you and us. In summary, we have arranged that if you want to exercise your rights, such as your right to access, correct, erase, restrict, object or port personal data or to withdraw your consent, or if you have any questions about the processing of your personal data, you can contact us in accordance with par. 11 “How to Contact Us”.

Crystal ensures that you can exercise your rights and that your questions will be handled within the statutory deadlines.

When you visit our website to read or browse through website material or to download information, we may collect and process the following categories of personal data:

• Name, address, e-mail address, company name, actions performed on our application website, and other contact information

You may choose to write to us or fill out certain forms for registration or online data requests, which provide the abovementioned information. We may use this information to respond to your questions and requests and to proceed with the registration for the application.

• Our communication with you

When you send us an e-mail or otherwise communicate with us online (for example, via social media), we register your communication with us.

• Information we collect when you use this website

When you use this website, certain information may be collected automatically, such as the name of the domain and host from which you access the Internet, the browser software and operating system of your computer, the Internet protocol (IP) address of your computer, and the Internet address of the site from which you linked directly to our site. We also collect information via cookies and similar technologies when you visit this website. For more information, please read our Cookie Notice.

• Information about order processing

When you are a customer of ours, we also collect data for the purpose of order processing, pricing, and other information related to your order history.

• Information in relation to social media

We are active on various social media platforms such as LinkedIn, Facebook, and X (formerly Twitter). We receive, or we can access data about you. We only use this information to register you on our application, to communicate with you, and for statistical research. We encourage you to review the privacy policy of the social media platform that you used to use to get more information about the processing of your personal data.

For specific services or software, we may collect other types of information and use such information for different purposes than described in this Privacy Notice. We inform you about this when you register for the specific service or download the specific software.

We collect the above-mentioned categories of personal data in the following ways:

• We collect the data you provide to us

When you communicate with us via e-mail, online or social media, when you place a purchase order, and when you share personal preferences with us, we collect data directly from you.

• Sometimes, companies we co-operate with also share your data with us

We provide certain services in co-operation with other companies. These companies share your personal data with us if necessary for services provided to you. We also share your personal information with these third parties (please see par. 6 „Information Sharing“ below).

• Depending on your social network settings, we may receive information from your social network provider (please see above)

For example, when you follow us via social media platforms, such as LinkedIn, we can receive personal data from these platforms related to your profile.

• When you use our website, we collect information via cookies and similar technologies

For more information, please read our Cookie Notice.

The main purposes for which we use your personal information are:

• To communicate with you

If you send us an e-mail or communicate with us online or via social media, we process your data to respond to you. The legal basis is Art. 6 (1) 1 lit. b GDPR (prior to or performance of a contract).

• For statistical research

We use automatic tools (such as cookies) to perform statistical research into general trends regarding the use of this website and the behavior of the website’s visitors to improve this website. The legal basis is Art. 6 (1) 1 lit. f GDPR (legitimate interest).

• For record-keeping and to comply with statutory obligations

We collect, store and use your data for internal business purposes, such as record keeping, and to comply with our legal and fiscal obligations. The legal basis is Art. 6 (1) 1 lit. b GDPR (prior to or performance of a contract) or Art. 6 (1) 1 lit. c (legal obligations).

• To process your order

If you place an order on this website, we work on your data to process your order. The legal basis is Art. 6 (1) 1 lit. b GDPR (prior to or performance of a contract).

• To improve the quality of our application

If you register on our application, we work on your data to improve our service. The legal basis is Art. 6 (1) 1 lit. f GDPR (legitimate interest). And if you contact us via social networks, we process your data to communicate with you (legal basis is Art. 6 (1) 1 lit. b GDPR (prior to or performance of a contract)) and to better understand your interests and needs as our customers (legal basis is Art. 6 (1) 1 lit. a GDPR (consent)).

• Security reasons

Analyze processing for security and safety purposes (e.g., preventing DDOS attacs) to ensure we can provide the services. The legal basis is Art. 6 (1) 1 lit. f GDPR (legitimate interest).

We collect, use, and store your personal data to comply with the legal obligations we are subject to, if necessary for our legitimate interests or the interests of a third party, for the execution of an agreement, or on the basis of your consent.

If we process your personal data on the basis of your consent, you may withdraw your consent at any time by following the specific instructions in relation to the processing for which you provided your consent, by adjusting your settings (if available), or by contacting us (please see par. 9 ‘Your Rights’ below).

When we process your personal data for our legitimate interests or the interests of a third party, we have balanced these interests against your legitimate interests. Where necessary we have taken appropriate measures to limit implications and prevent unwarranted harm to you. Our legitimate interests may, for example, include security and safety purposes, to improve this website, or to provide better products and offers to you. For more information on these interests, please see the purposes, for which we process your personal data above. More information on the balancing tests we perform is available upon request. Where we process your personal data for our legitimate interests or the third-party interests, you have the right to object at any time on grounds relating to your particular situation (please see par. 9 ‘Your Rights’ below).

Where we process your personal data for a purpose other than that for which we collected it initially (and we rely on a legal basis other than consent or complying with legal obligations for this new purpose), we will ascertain whether processing for this new purpose is compatible with the purpose for which the personal data were initially collected. More information on this assessment is available upon request (please see par. 9 ‘Your Rights’ below).

Generally, we do not sell or share your personal data with anyone outside Crystal and its affiliates. However, we do disclose or share data with the following categories of recipients for the following purposes:

• For the support services we involve

To conduct our Services, we use third party service providers to provide us with necessary services (e.g., Hetzner Online GmbH). We may transfer your personal data to these service providers for further processing based on the terms of this Privacy Notice or on the basis of your agreement to use our services and only on an existing legal basis. All transfer of data is undertaken by way of secure connections to these service providers. These service providers only receive your personal data that is adequate, relevant and limited to what is necessary in relation to the purposes for which your personal data are processed. These include the following categories of service providers: IT suppliers, social network providers, marketing agencies, and anti-fraud screening service providers.

• Statistical research

For statistical research, we make use of third-party software such as Google Analytics or social media platforms. These platforms also have access to the data they collect. For example, when you accept cookies for this website, we analyze cookie data for statistical research via Google Analytics.

• Group companies

When you use one of our services, it is possible that we share data with one of our group companies. For example, when you send us an e-mail about a subject that falls under the responsibility of one of our subsidiaries, we will forward your question to the correct subsidiary.

• Ownership of Crystal changes

If the ownership of Crystal changes as a result of a merger, acquisition, transfer, sale of assets, reorganization, or bankruptcy your personal data may be transferred to the successor entity. The legal basis would be Art. 6 (1) 1 lit. f GDPR (legitimate interest).

• Public authorities

If we are required to by law, we also collect and share your identifying information with public authorities or governmental organizations.

• Third-party websites

This website contains links to third-party websites; if you follow these links, you exit our website. While these third-party websites are selected with care, we cannot accept liability for the use of your personal data by these organizations. For more information, please consult the privacy statement of the website you are visiting (if such a statement is provided).

Crystal ensures that your personal data are properly secured by appropriate technical and organizational measures so that they are protected against unauthorized or unlawful use, alteration, unauthorized access or disclosure, accidental or wrongful destruction, and loss.

Your personal data will be retained for as long as required for the purposes described in this Privacy Notice or in so far as such is necessary for compliance with statutory obligations and for solving any disputes. For the retention period of the cookies used on this website, please see our Cookie Notice.

Crystal may transfer your personal data to countries other than your country of residence (including countries outside the European Economic Area). International transferring occurs in the course of providing your services or because our affiliates, partners, or service providers have operations in countries across the world. The laws of these countries may not afford the same level of protection to your personal data.

In the course of providing your services or because our group companies, partners, or service providers have operations in countries across the world, we may transfer your personal data to Germany, Ireland, Ukraine, the United Kingdom, and the United States of America.

The European Commission has determined that certain countries outside the European Union offer an adequate level of data protection (see article 45 General Data Protection Regulation (GDPR)).

Crystal ensures that adequate safeguards are in place to comply with the requirements for the international transfer of personal data under applicable privacy laws. For transfers of personal data outside the European Economic Area, Crystal uses European Commission-approved Standard Contractual Clauses as safeguards (see article 46 General Data Protection Regulation (GDPR)).

You may contact us (please see par. 11 ‘How to Contact Us’ below) to exercise any of the rights you are granted under applicable data protection laws, which includes (1) the right to access your data, (2) to rectify them, (3) to erase them, (4) to restrict the processing of your data, (5) the right to data portability and (6) the right to object to processing.

• Right to access

You may ask us whether or not we process any of your personal data and, if so, receive access to that data in the form of a copy. When complying with an access request, we will also provide you with additional information, such as the purposes of the processing, the categories of personal data concerned as well as any other information necessary for you to exercise the essence of this right.

• Right to rectification

You have the right to have your data rectified in case of inaccuracy or incompleteness. Upon request, we will correct inaccurate personal data about you and, taking into account the purposes of the processing, complete incomplete personal data, which may include the provision of a supplementary statement.

• Right to erasure

You also have the right to have your personal data erased, which means the deletion of your data by us and, where possible, by any other controller to whom your data has previously been made public by us. Erasure of your personal data only finds a place in certain cases, prescribed by law and listed under article 17 of the General Data Protection Regulation (GDPR). Certain cases include situations where your personal data are no longer necessary in relation to the initial purposes for which they were processed as well as situations where they were processed unlawfully. Due to the way we maintain certain services, it may take some time before backup copies are erased.

• Right to restriction of processing

You have the right to obtain the restriction of the processing of your personal data, which means that we suspend the processing of your data for a certain period of time. Circumstances that may give rise to this right include situations where the accuracy of your personal data was contested but some time is needed for us to verify their (in)accuracy. This right does not prevent us from continue storing your personal data. We will inform you before the restriction is lifted.

• Right to data portability

Your right to data portability entails that you may request us to provide you with your personal data in a structured, commonly used, and machine-readable format and to have such data transmitted directly to another controller, where technically feasible. Upon request and where this is technically feasible, we will transmit your personal data directly to the other controller.

• Right to object

You also have the right to object to the processing of your personal data, which means you may request us to no longer process your personal data. This only applies in case the ‘legitimate interests’ ground constitutes the legal basis for processing (see par. 5 “Legal Basis” above).

At any time and free of charge you can object to direct marketing purposes in case your personal data are processed for such purposes, which includes profiling purposes to the extent that it is related to such direct marketing. In case you exercise this right, we will no longer process your personal data for such purposes.

You may withdraw your consent at any time by following the specific instructions in relation to the processing for which you provided your consent, by adjusting your settings (if available), or by contacting us (please see par. 11 ‘How to Contact Us’).

For more information on how you can withdraw your consent for cookies and similar technologies we use when you visit our websites, please check our Cookie Notice.

Under conditions, we are entitled to deny or restrict your rights as described above. In any case, we will carefully assess whether such an exemption applies and inform you accordingly.

We may, for example, deny your request for access when necessary to protect the rights and freedoms of other individuals or refuse to delete your personal data in case the processing of such data is necessary for compliance with legal obligations. The right to data portability, for example, does not apply in case the personal data was not provided by you or if we process the data not on the basis of your consent or for the performance of a contract.

When you would like to exercise your rights, all you have to do is send your request to us using the contact details stated below (please see par. 11 “How to Contact Us”).

You can also contact us if you have any questions, remarks, or complaints in relation to this Privacy Notice. However, if you have unresolved concerns, you also have the right to complain to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, dutchdpa.nl) located in Hague, the Netherlands.

We may update and/or change the terms of our Privacy Notice. If we make any material changes, we will notify you by email, through our services, or by posting a prominent notice on the website prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices. The effective date of this Privacy Notice is indicated at the top of this page above and replaces previous versions.

If you have any questions or concerns regarding this Privacy Notice, please feel free to contact us at:

Email our DPO:

privacy@crystalblockchain.com

Mailing Address:

Crystal Blockchain B.V.; our office is located at the Strawinskylaan 3051, 1077ZX Amsterdam, the Netherlands.