SettleMint
Legal

Privacy Policy

How the SettleMint Digital Asset Lifecycle Platform collects, uses, stores, and protects personal data.

Effective date: March 5, 2026 Last updated: May 24, 2026

SettleMint NV ("SettleMint"), incorporated in Belgium (company number 0661.674.810, registered at Kempische Steenweg 311 bus 4.01, 3500 Hasselt), publishes this Privacy Policy. It covers personal data processed in connection with the SettleMint Digital Asset Lifecycle Platform ("DALP" or the "Platform") and related websites and services, including your rights and the special rules that apply to public blockchain records.

In short: SettleMint processes account, usage, technical, compliance, and transaction-related data to operate DALP and meet its legal obligations. It uses this data to support customers and secure the Platform. Personal data written to public blockchain networks cannot be deleted or modified by SettleMint. Keep personal data and confidential terms off-chain unless your own legal and operational process allows it.

This Privacy Policy applies globally. Where specific regulations grant you additional rights, those are detailed in the jurisdiction-specific sections.

Privacy at a glance

This policy covers three privacy surfaces that behave differently in DALP. Each has distinct rules.

Privacy surfaceWhat it coversWhat this means
Platform recordsAccount, usage, technical, communication, and compliance records that SettleMint or its subprocessors process to provide DALP and support customersThese records follow the access, retention, transfer, and deletion controls in this policy.
Customer-controlled recordsEnd-user identity, verification, holder, and transaction records that a customer processes through DALP as its own controllerThe customer decides the lawful basis and instructions for that processing. SettleMint acts as processor where the Data Processing Agreement applies.
Public-chain recordsWallet addresses, transaction hashes, smart contract records, and other data that can become visible on public EVM networksSettleMint cannot remove these records after submission to the network.
Rendering diagram...

Use this diagram as the operating model for the rest of the policy: off-chain records follow the controls described below; public-chain records follow network permanence and visibility rules.

1. Data controller

SettleMint NV is the data controller responsible for processing your personal data as described in this Privacy Policy. For questions or requests, contact the Data Protection Officer:

Data Protection Officer SettleMint NV Philipssite 5 bus 1 3001 Leuven, Belgium Email: [email protected]

2. Personal data SettleMint collects

The categories below cover the personal data SettleMint collects. Which categories apply depends on how you interact with the Platform.

2.1 Account and identity data

Creating an Account or being added as an Authorized User triggers collection of the following data:

  • Full name
  • Email address
  • Organisation name and role
  • Phone number (optional)
  • Account credentials (passwords are stored in hashed form only)
  • Multi-factor authentication identifiers

2.2 Compliance and verification data

Identity verification workflows may process the following data about you or your end users:

  • Government-issued identification documents (passport, national ID, driver's license)
  • Proof of address documentation
  • Corporate registration and beneficial ownership information
  • KYC/KYB verification status and results
  • Sanctions screening results

Compliance and verification data is processed by you (the Platform customer) as the data controller for your end users. SettleMint acts as a data processor for this data. SettleMint's processing is governed by the Data Processing Agreement between you and SettleMint.

2.3 Platform usage data

Platform usage generates the following data, which SettleMint collects automatically:

  • Pages visited and features used
  • Operations performed (for example, asset creation and transaction submissions)
  • Timestamps and session duration
  • Error logs and performance data
  • API usage and request metadata

2.4 Technical data

SettleMint automatically collects the technical information listed below.

  • IP address
  • Browser type and version
  • Operating system
  • Device identifiers
  • Referring URL
  • Language preferences
  • Time zone setting

2.5 Transaction and blockchain data

Creating or managing Digital Assets through the Platform causes SettleMint to process the following data:

  • Transaction metadata (timestamps, asset types, amounts)
  • Wallet addresses associated with your Account
  • Smart contract deployment records
  • On-chain transaction hashes

Data written to a public blockchain is immutable and publicly accessible. SettleMint cannot delete or modify on-chain data. Keep personal data, private document identifiers, and confidential terms out of public-chain metadata, calldata, and transaction inputs. All off-chain records remain governed by the retention and deletion controls described in this policy. For more information on public-chain privacy boundaries, see Public chain privacy on EVM networks.

Before launching a public-chain asset workflow, decide where each record belongs. Use the table below as a guide.

Keep off-chainUse on-chain only when required for execution or enforcement
Identity documents, KYC/KYB files, sanctions reports, beneficial-ownership evidence, investor questionnaires, review notes, and private customer referencesWallet addresses, smart contract addresses, transaction hashes, role changes, token events, registry relationships, claim topics, and compliance parameters that the contracts need
Private reserve files, custody records, commercial terms, document identifiers, and internal approval notesNeutral metadata, public references, or transaction inputs that your legal and operational review has approved for public-chain visibility

For asset operations, review names, symbols, metadata fields, document references, calldata, event fields, and transaction inputs before submission. Once the transaction reaches the selected EVM network, SettleMint cannot erase or redact the public-chain record.

2.6 Audit and compliance data

SettleMint maintains audit logs of compliance workflows, verification decisions, access events, and regulatory reports generated through the Platform. These records support security, legal compliance, and accountability obligations.

2.7 Communication data

When you contact SettleMint for support or other purposes, SettleMint collects the data listed below and uses it to respond to your inquiry and to maintain service records.

  • Email correspondence content
  • Support ticket details
  • Chat transcripts
  • Phone call records (where applicable)

2.8 Cookies and tracking technologies

SettleMint uses cookies and similar technologies to operate and improve the Platform. You can manage cookie preferences through the consent banner or your browser settings. For details, see Section 9.

3. How SettleMint uses your personal data

SettleMint processes your personal data for the purposes and legal bases listed below:

PurposeLegal Basis (GDPR)Categories of Data
Providing and operating the PlatformPerformance of contract (Art. 6(1)(b))Account, Usage, Technical, Transaction
Account creation and managementPerformance of contract (Art. 6(1)(b))Account and Identity
Processing compliance and verification workflowsPerformance of contract (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c))Compliance and Verification
Customer support and communicationPerformance of contract (Art. 6(1)(b)); Legitimate interest (Art. 6(1)(f))Account, Communication
Platform security and fraud preventionLegitimate interest (Art. 6(1)(f))Account, Usage, Technical
Analytics and Platform improvementLegitimate interest (Art. 6(1)(f))Usage, Technical
Compliance with legal obligationsLegal obligation (Art. 6(1)(c))All categories as required
Billing and invoicingPerformance of contract (Art. 6(1)(b))Account
Marketing communications (with consent)Consent (Art. 6(1)(a))Account (name, email)

Where SettleMint relies on legitimate interest as a legal basis, it has conducted a balancing test confirming that its interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting the Data Protection Officer.

4. Data sharing

SettleMint does not sell personal data. It shares personal data only in the circumstances described below.

4.1 Service providers

SettleMint engages third-party service providers who process personal data on SettleMint's behalf. These processors are contractually bound to process data only as instructed and to apply appropriate security measures.

Current processor categories include the following.

  • Cloud infrastructure providers (hosting and storage)
  • Identity verification and KYC/KYB providers
  • Analytics and monitoring providers
  • Customer support tools
  • Email and communication services
  • Payment processors

4.2 Professional advisors

SettleMint may share personal data with professional advisors where necessary for business management. These recipients are bound by professional confidentiality obligations.

SettleMint may disclose personal data where required by law, regulation, legal process, or governmental request. Disclosure may also occur where necessary to protect SettleMint's rights, your safety, or the safety of others.

4.4 Business transfers

In connection with a merger, acquisition, reorganization, or sale of assets, personal data may be transferred to the acquiring entity. The acquiring entity receives the data subject to the same privacy protections described in this policy.

SettleMint may share personal data with third parties where you have given explicit consent. SettleMint does not sell personal data to any third party.

5. International data transfers

SettleMint operates globally, and your personal data may be transferred to and processed in countries outside your country of residence, including countries outside the European Economic Area (EEA).

Where SettleMint transfers personal data outside the EEA, appropriate safeguards are in place.

  • Adequacy decisions: transfers to countries the European Commission recognizes as providing an adequate level of data protection
  • Standard Contractual Clauses (SCCs): SettleMint uses the European Commission's standard contractual clauses (June 2021 version) for transfers to countries without an adequacy decision
  • Supplementary measures: where necessary, SettleMint implements additional technical and organizational safeguards based on transfer impact assessments

You may request a copy of the applicable transfer safeguards by contacting the Data Protection Officer.

6. Data retention

SettleMint retains personal data only as long as necessary to fulfill the purposes for which it was collected, or as required by law. The table below sets out the applicable retention periods.

Data CategoryRetention PeriodBasis
Account and Identity DataDuration of your subscription + 12 monthsContract performance; legitimate interest for account recovery
Compliance and Verification DataAs required by applicable anti-money laundering law (typically 5 to 10 years after the end of the business relationship)Legal obligation
Platform Usage Data24 months from collectionLegitimate interest (analytics and improvement)
Technical Data12 months from collectionLegitimate interest (security and troubleshooting)
Transaction and Blockchain DataDuration of your subscription + 7 yearsLegal obligation (financial records retention)
Communication Data36 months from last interactionLegitimate interest (customer support continuity)
Marketing consent recordsDuration of consent + 3 yearsLegal obligation (proof of consent)

On-chain transaction history is immutable and SettleMint cannot delete it. SettleMint deletes or anonymizes off-chain personal data at the end of the applicable retention period, unless a legal obligation requires continued retention.

7. Data security

SettleMint implements appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. Controls include:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Multi-factor authentication for Account access
  • Role-based access controls with least-privilege principles
  • Regular security assessments and penetration testing
  • Intrusion detection and monitoring systems
  • Employee security training and confidentiality obligations
  • Incident response procedures with documented breach notification protocols

No method of electronic storage or transmission is 100% secure. SettleMint applies the measures above but cannot guarantee absolute security.

8. Your rights

8.1 Rights under GDPR (EEA, UK, and Switzerland)

If you are in the EEA, the UK, or Switzerland, the following rights apply under applicable data protection law:

  • Right of access: request a copy of the personal data SettleMint holds about you
  • Right to rectification: request correction of inaccurate or incomplete personal data
  • Right to erasure: request deletion of personal data where no compelling reason for continued processing exists. This right covers off-chain records only; immutable public-chain transaction history cannot be removed.
  • Right to restriction: request restriction of processing in certain circumstances
  • Right to data portability: receive your personal data in a structured, machine-readable format
  • Right to object: object to processing based on legitimate interest, including profiling
  • Right to withdraw consent: where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of prior processing
  • Right to lodge a complaint: file a complaint with your local data protection supervisory authority

SettleMint will respond to your request within thirty (30) days. SettleMint may extend this period by sixty (60) days for complex requests, with prior notification.

8.2 Rights under CCPA / CPRA (California residents)

California residents have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act. See Section 11.2 for details.

8.3 Exercising your rights

To exercise any of your rights, contact the Data Protection Officer at [email protected]. SettleMint may request identity verification before processing your request. SettleMint will not discriminate against you for exercising any of your privacy rights.

9. Cookies and tracking technologies

9.1 What SettleMint uses

SettleMint uses four categories of cookies and tracking technologies. Strictly necessary cookies are required for the Platform to function and cannot be disabled; they cover authentication, session management, and security. Functional cookies enable enhanced functionality and personalization, such as language preferences and user interface settings. Analytics cookies help SettleMint understand how the Platform is used, covering page views, feature usage, and error reporting; SettleMint uses these to improve Platform performance and the user experience. Marketing cookies deliver relevant communications and measure the effectiveness of campaigns; SettleMint sets these only with your explicit consent.

When you first visit the Platform, a cookie consent banner lets you accept or reject non-essential cookies. You can update your cookie preferences at any time through the Platform's settings. You can also manage cookies through your browser settings; disabling certain cookies may affect Platform functionality.

9.3 Do Not Track

The Platform does not currently respond to "Do Not Track" browser signals because no uniform standard for honoring them exists. To limit tracking, use the cookie consent mechanism described above or adjust your browser settings.

10. Children's privacy

The Platform is not directed at individuals under the age of 18. SettleMint does not knowingly collect personal data from children, and no features are intended for use by minors. If SettleMint becomes aware that a child's data was collected without appropriate consent, it will delete those records promptly.

11. Jurisdiction-specific provisions

11.1 European Economic Area, United Kingdom, and Switzerland

If you are in the EEA, UK, or Switzerland, GDPR and equivalent national laws grant you the rights and protections described throughout this policy. The following additional provisions also apply. - Data Protection Officer: you may contact the DPO at [email protected]

  • Supervisory authority: you have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit) at www.gegevensbeschermingsautoriteit.be, or your local supervisory authority
  • Legal bases: all processing activities have a documented legal basis as described in Section 3
  • Automated decision-making: SettleMint does not make decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you, unless required for contract performance or with your explicit consent

11.2 California (CCPA / CPRA)

If you are a California resident, the following additional provisions apply under the California Consumer Privacy Act (as amended by the California Privacy Rights Act). In the preceding twelve (12) months, SettleMint has collected the categories of personal information described in Section 2, which correspond to the following CCPA categories: identifiers; commercial information; internet or electronic network activity; geolocation data; and professional or employment-related information.

California residents hold the following rights:

  • Right to know: request disclosure of the categories and specific pieces of personal information SettleMint has collected, the sources of collection, the business purposes, and the categories of third parties with whom SettleMint shares it
  • Right to delete: request deletion of your personal information, subject to certain exceptions
  • Right to correct: request correction of inaccurate personal information
  • Right to opt-out of sale/sharing: SettleMint does not sell your personal information and does not share it for cross-context behavioral advertising
  • Right to limit use of sensitive personal information: request that SettleMint limit its use of sensitive personal information to purposes necessary to provide the Services
  • Right to non-discrimination: SettleMint will not discriminate against you for exercising your CCPA rights

Submitting requests: contact SettleMint at [email protected] to exercise your California rights. SettleMint verifies your identity before processing your request. SettleMint responds within forty-five (45) calendar days; this period may extend by an additional forty-five (45) days with notice.

Authorized agents: you may designate an authorized agent to submit requests on your behalf. The agent must provide written authorization signed by you.

11.3 Brazil (LGPD)

If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD), including the right to access, correct, anonymize, block, or delete personal data. To exercise these rights, contact [email protected].

11.4 Other jurisdictions

If you are located in a jurisdiction with data protection laws granting you additional rights not covered above, SettleMint will comply with those requirements. Contact the Data Protection Officer for jurisdiction-specific information.

12. Data processing on your behalf

12.1 Customer as controller

When you use the Platform to process personal data of your end users, for example through KYC/KYB verification workflows or asset holder management, you act as the data controller. SettleMint acts as the data processor.

12.2 Data processing agreement

SettleMint's processing of your end users' personal data is governed by a Data Processing Agreement that complies with Article 28 of the GDPR. The agreement addresses the following:

  • The scope and purpose of processing
  • The types of personal data processed
  • The obligations and rights of both parties
  • Sub-processor management and notification
  • Data breach notification procedures
  • Audit rights
  • Data deletion and return upon termination

12.3 Sub-processors

SettleMint uses sub-processors to assist in providing the Services. A list of current sub-processors is available on request from [email protected]. SettleMint notifies you of changes to sub-processors; you may object to a new sub-processor under the Data Processing Agreement.

13. Changes to this policy

SettleMint may update this Privacy Policy to reflect changes in practices, the Platform, or applicable law. SettleMint will communicate material changes at least thirty (30) days in advance via email or through the Platform. The "Last updated" date at the top of this policy indicates when the latest revision was made.

Your continued use of the Platform after the effective date of an updated Privacy Policy constitutes acceptance of the changes. If you do not agree with the changes, discontinue use of the Platform.

14. Contact

Contact the Data Protection Officer to ask about this Privacy Policy, exercise your rights, or complain about the handling of your personal data:

Data Protection Officer SettleMint NV Philipssite 5 bus 1 3001 Leuven, Belgium Email: [email protected]

For general inquiries about the Platform: Email: [email protected]

SettleMint aims to resolve all complaints internally. If you are not satisfied with the response, you have the right to lodge a complaint with the relevant data protection supervisory authority.

On this page