# IOPn Privacy Policy Effective Date: March 31, 2025\ Last Updated: March 31, 2025 *** ### Introduction IOPn Limited ("IOPn," "we," "our," or "us") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you access or use the IOPn platform, including OPN Chain, OPN Wallet, DeFi services, NFT platform, AI-powered services, and partner API integrations (collectively, the "Services"). This Privacy Policy applies to all users globally and has been prepared in compliance with: * UAE Federal Decree-Law No. 45 of 2021 (Personal Data Protection Law — PDPL) * UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 * EU General Data Protection Regulation (EU GDPR — Regulation 2016/679) * Applicable anti-money laundering (AML) and know-your-customer (KYC) regulations across relevant jurisdictions Please read this Privacy Policy carefully. By using our Services, you acknowledge that you have read, understood, and agreed to the practices described herein. *** ### 1. Identity and Contact Details of the Data Controller IOPn Limited is the data controller responsible for the personal data collected through the Services. Registered Address:\ Office A, RAKDAO Business Centre\ RAK BANK ROC Office, Ground Floor\ Al Rifaa, Sheikh Mohammed Bin Zayed Road\ Ras El Khaimah, UAE Privacy Enquiries: For users in the UK or EEA, IOPn Limited acts as the data controller and processes your data in accordance with UK GDPR and EU GDPR respectively. If you are located in the EEA and require a local representative, please contact us at the email above. If you follow a link to a third-party service, that organisation will be the independent data controller and will be subject to their own privacy notice. *** ### 2. Categories of Personal Data We Collect We collect and process the following categories of personal data depending on the nature of your interaction with our Services: #### 2.1 Identification and KYC Data As part of our regulatory obligations under applicable AML and KYC laws, we may collect and process the following identity verification data: | Category | Examples | | ------------------------------------ | ---------------------------------------------------------------------------------------------------- | | Basic Identity | Full legal name, date of birth, nationality, country of residence | | Government-Issued Identity Documents | Passport (including photo page), national identity card, driver's licence | | Proof of Address | Utility bills, bank statements, official correspondence | | Biometric Data (where applicable) | Facial recognition data used solely for identity verification via approved third-party KYC providers | | Source of Funds | Documentation relating to the origin of funds used on the platform | Important: Identity documents and biometric data are classified as sensitive personal data. We process these only to the extent strictly necessary for regulatory compliance and use approved, security-certified third-party KYC providers. These documents are handled with the highest level of security and are never used for any purpose beyond identity verification and regulatory compliance. #### 2.2 Contact Information * Email address * Phone number * Mailing address #### 2.3 Financial and Transaction Data * Blockchain wallet addresses * Transaction histories and amounts * Payment information (excluding full payment card numbers) * Token holdings and activity on OPN Chain #### 2.4 Compliance and AML Data * Politically Exposed Person (PEP) and sanctions screening results * Risk assessment and classification data * Transaction monitoring records * Suspicious activity reports (where legally required) #### 2.5 Technical Data * IP addresses and geolocation data (country/region level) * Device identifiers and browser type * Login history and session metadata * API access logs (for partner integrations) * Smart contract interaction data #### 2.6 User-Generated Content and Preferences * Profile information you provide * Communication history with IOPn support * Preferences and settings within the platform * AI service interaction logs (see Section 3.6) *** ### 3. Purposes for Which We Process Your Personal Data #### 3.1 Service Delivery To provide, maintain, and improve our Services, including OPN Chain infrastructure, OPN Wallet, DeFi transactions, NFT platform access, and AI-powered features. #### 3.2 Identity Verification and KYC Compliance To verify your identity in compliance with applicable AML/KYC regulations before granting access to certain Services. This includes: * Reviewing government-issued identity documents * Verifying proof of address * Conducting liveness checks or biometric verification where required * Ongoing monitoring of your account status against updated watchlists #### 3.3 AML and Financial Crime Prevention To detect, investigate, and prevent money laundering, terrorist financing, fraud, and other financial crimes, including: * Screening against global sanctions lists (OFAC, UN, EU, HM Treasury) * Monitoring transactions for suspicious activity * Filing Suspicious Activity Reports (SARs) where legally obligated #### 3.4 Regulatory and Legal Compliance To meet our obligations under applicable laws and regulations in the UAE, UK, EEA, and other relevant jurisdictions, including responding to lawful requests from regulatory authorities, law enforcement, and courts. #### 3.5 Security and Fraud Prevention To protect IOPn, our users, and the integrity of the OPN Chain ecosystem from unauthorised access, abuse, and malicious activity. #### 3.6 AI-Powered Services When you use IOPn's AI-powered features, interaction data may be processed to: * Generate responses and personalised outputs * Improve model performance (in anonymised/aggregated form only, unless you consent to identifiable data use) * Detect misuse of AI services AI interaction logs are retained in accordance with Section 7 below and are never used to train third-party AI models without your explicit consent. #### 3.7 Partner API Integrations When accessing IOPn services via partner integrations, limited data may be shared with and received from authorised partners to facilitate the requested service. Partners are subject to data processing agreements consistent with this Privacy Policy. #### 3.8 Marketing and Communications To send you information about our products, services, and events that we believe may be of value to you, subject to your communication preferences. You may opt out at any time. #### 3.9 Analytics and Product Improvement To conduct business analytics, generate platform usage reports, and improve the overall user experience. Analytics data is processed in aggregated or pseudonymised form wherever possible. *** ### 4. Legal Basis for Processing We process your personal data on the following legal bases: | Legal Basis | When It Applies | | --------------------- | ---------------------------------------------------------------------------------------------------------------- | | Consent | Marketing communications; optional biometric verification; AI interaction data used for identifiable improvement | | Contractual Necessity | Providing the Services you have signed up for; processing wallet transactions | | Legal Obligation | KYC/AML compliance; regulatory reporting; responding to lawful authority requests | | Legitimate Interests | Fraud prevention; platform security; analytics; product improvement; defending legal claims | | Vital Interests | Rare emergency situations requiring data processing to protect life | For users in the UK and EEA, we process sensitive personal data (including identity documents and biometric data) solely on the basis of legal obligation (AML/KYC compliance) or, where applicable, explicit consent. *** ### 5. Data Sharing and Disclosure We may share your personal data with the following categories of recipients: #### 5.1 KYC and Identity Verification Providers Third-party identity verification services (e.g., document scanning and liveness check providers) that process your identity documents and biometric data strictly for KYC purposes under binding data processing agreements. #### 5.2 Regulatory and Law Enforcement Authorities When required by law, regulation, or court order in the UAE, UK, EEA, or any other applicable jurisdiction. This includes AML-related reporting obligations. #### 5.3 Blockchain Infrastructure and Network Participants Certain transaction data (e.g., wallet addresses, on-chain activity) is inherently public on OPN Chain. We have no control over on-chain data once a transaction is broadcast to the network. #### 5.4 Technology and Service Providers Third-party vendors who assist with platform infrastructure, payment processing, cloud storage, security monitoring, customer support, and AI services. All providers are subject to data processing agreements and are required to process data only in accordance with our instructions. #### 5.5 Partner Organisations Authorised integration partners who access IOPn services via our API, subject to contractual data protection obligations at least equivalent to those set out in this Privacy Policy. #### 5.6 Affiliates and Group Companies For operational, legal, and compliance purposes, with appropriate data protection safeguards in place. #### 5.7 Business Transfers In connection with a merger, acquisition, restructuring, or sale of assets, provided the receiving party agrees to handle your data in accordance with applicable privacy laws. We do not sell your personal data to third parties. *** ### 6. International Data Transfers IOPn operates globally and may transfer your personal data to countries outside of your country of residence, including outside the UAE, UK, and EEA. For transfers from the EEA, we rely on: * EU Standard Contractual Clauses (SCCs) approved by the European Commission * Adequacy decisions where applicable For transfers from the UK, we rely on: * UK International Data Transfer Agreements (IDTAs) * UK adequacy regulations where applicable For UAE data transfers, we comply with the cross-border transfer requirements of the UAE PDPL, including ensuring receiving jurisdictions or entities offer adequate protection. You may request details of the specific safeguards in place for any international transfer by contacting . *** ### 7. Data Retention We retain your personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy, or as required by law. | Data Category | Retention Period | | --------------------------------- | ---------------------------------------------------------------------------------------- | | KYC and identity documents | Minimum 5 years from end of customer relationship (or as required by applicable AML law) | | Transaction and financial records | Minimum 5–7 years (jurisdiction-dependent) | | AML/compliance records | As required by applicable regulation | | Account and profile data | Duration of account + 2 years post-closure | | Technical and log data | 12 months (rolling) | | Marketing preferences | Until opt-out + 1 year | | AI interaction logs | 90 days (anonymised aggregates retained longer for improvement) | Where retention is no longer legally required, we securely delete or anonymise your data. *** ### 8. Security of Personal Data IOPn implements industry-standard technical and organisational security measures to protect your personal data, including: * Encryption at rest and in transit (AES-256 and TLS 1.2+) * Access controls with role-based permissions and multi-factor authentication * Identity document handling protocols — documents are processed in isolated, access-restricted environments and never stored in plaintext * Regular security audits and penetration testing * Incident response procedures to detect, report, and remediate data breaches Despite these measures, no system is entirely immune from risk. In the event of a data breach affecting your rights and freedoms, we will notify you and relevant supervisory authorities in accordance with applicable law. *** ### 9. Your Rights Depending on your jurisdiction, you may have the following rights regarding your personal data: #### 9.1 Rights Available to All Users (UAE PDPL) * Right to be Informed — to know how your data is being used * Right to Access — to obtain a copy of your personal data * Right to Rectification — to correct inaccurate or incomplete data * Right to Erasure — to request deletion of your data (subject to legal retention requirements) * Right to Restrict Processing — to limit how your data is used * Right to Object — to object to processing for direct marketing or statistical purposes * Right to Withdraw Consent — where processing is consent-based #### 9.2 Additional Rights for UK and EEA Users (UK/EU GDPR) * Right to Data Portability — to receive your data in a structured, machine-readable format * Right not to be Subject to Automated Decision-Making — to request human review of decisions made solely by automated means, including profiling with significant legal or similar effects * Right to Lodge a Complaint with your national supervisory authority: * UK: Information Commissioner's Office (ICO) — ico.org.uk * EEA: Your local Data Protection Authority (DPA) #### 9.3 Exercising Your Rights To exercise any of the above rights, contact us at . We will respond within the timeframes required by applicable law (generally 30 days, with possible extension for complex requests). We may request proof of identity before processing your request. Note: Certain rights, particularly erasure and restriction, may be limited where we are required to retain data for legal or regulatory compliance purposes (e.g., AML record-keeping). *** ### 10. Cookies and Tracking Technologies IOPn uses cookies and similar tracking technologies on its web platforms. A separate Cookie Policy governs our use of cookies and is available on our website. You can manage your cookie preferences through our cookie consent tool. *** ### 11. Children's Privacy Our Services are not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us immediately at and we will take prompt steps to delete it. *** ### 12. Third-Party Links Our platform may contain links to third-party websites or services. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you access. *** ### 13. Changes to This Privacy Policy We review and update this Privacy Policy periodically. When we make material changes, we will notify you via email or a prominent notice on our platform prior to the changes taking effect. The "Last Updated" date at the top of this document reflects the most recent revision. Continued use of our Services after changes take effect constitutes acceptance of the updated policy. *** ### 14. Contact Us For any questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact: IOPn Limited — Data Privacy Team\ 📧 \ 📍 Office A, RAKDAO Business Centre, RAK BANK ROC Office, Ground Floor, Al Rifaa, Sheikh Mohammed Bin Zayed Road, Ras El Khaimah, UAE *** This document was last reviewed and updated on March 31, 2025.
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://iopn.gitbook.io/iopn/legal-and-compliance/iopn-privacy-policy.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.