
Privacy Policy

How the SettleMint Digital Asset Lifecycle Platform collects, uses, stores, and protects personal data.

Effective date: March 5, 2026
Last updated: March 5, 2026

SettleMint NV ("SettleMint", "we", "us", or "our"), a company incorporated under the laws of Belgium with company number 0661.674.810, having its registered office at Kempische Steenweg 311 bus 4.01, 3500 Hasselt, Belgium, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and protect personal data in connection with the SettleMint Digital Asset Lifecycle Platform ("DALP" or the "Platform") and our related websites, communications, and services.

This Privacy Policy applies globally. Where specific regulations grant you additional rights, those are detailed in the jurisdiction-specific sections below.

1. Data Controller

SettleMint NV is the data controller responsible for the processing of your personal data as described in this Privacy Policy.

For questions or requests regarding your personal data, contact our Data Protection Officer:

Data Protection Officer
SettleMint NV
Philipssite 5 bus 1
3001 Leuven, Belgium
Email: [email protected]

2. Personal Data We Collect

We collect the following categories of personal data depending on how you interact with us and the Platform:

2.1 Account and Identity Data

When you create an Account or are added as an Authorized User, we collect:

  • Full name
  • Email address
  • Organization name and role
  • Phone number (optional)
  • Account credentials (passwords are stored in hashed form only)
  • Multi-factor authentication identifiers

2.2 Compliance and Verification Data

When you or your end users undergo identity verification workflows on the Platform, the following data may be processed:

  • Government-issued identification documents (passport, national ID, driver's license)
  • Proof of address documentation
  • Corporate registration and beneficial ownership information
  • KYC/KYB verification status and results
  • Sanctions screening results

Important: Compliance and verification data is processed by you (the Platform customer) as the data controller for your end users. SettleMint acts as a data processor for this data. Our processing is governed by the Data Processing Agreement between you and SettleMint.

2.3 Platform Usage Data

When you use the Platform, we automatically collect:

  • Pages visited and features used
  • Actions performed (e.g., asset creation, transaction submissions)
  • Timestamps and session duration
  • Error logs and performance data
  • API usage and request metadata

2.4 Technical Data

We automatically collect certain technical information, including:

  • IP address
  • Browser type and version
  • Operating system
  • Device identifiers
  • Referring URL
  • Language preferences
  • Time zone setting

2.5 Transaction and Blockchain Data

When you create or manage Digital Assets through the Platform, we process:

  • Transaction metadata (timestamps, asset types, amounts)
  • Wallet addresses associated with your Account
  • Smart contract deployment records
  • On-chain transaction hashes

Note: Data written to a public blockchain is immutable and publicly accessible. SettleMint cannot delete or modify on-chain data. You are responsible for ensuring that no personal data is recorded on-chain in violation of applicable law. For more information on blockchain-related risks and disclaimers, see Section 9.4 of our Terms of Service.

2.6 Audit and Compliance Data

We maintain audit logs of compliance workflows, verification decisions, access events, and regulatory reports generated through the Platform for security, legal compliance, and accountability purposes.

2.7 Communication Data

When you contact us, we collect:

  • Email correspondence content
  • Support ticket details
  • Chat transcripts
  • Phone call records (if applicable)

2.7 Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve the Platform. For details, see Section 9.

3. How We Use Your Personal Data

We process your personal data for the following purposes and legal bases:

| Purpose | Legal Basis (GDPR) | Categories of Data |
| --- | --- | --- |
| Providing and operating the Platform | Performance of contract (Art. 6(1)(b)) | Account, Usage, Technical, Transaction |
| Account creation and management | Performance of contract (Art. 6(1)(b)) | Account and Identity |
| Processing compliance and verification workflows | Performance of contract (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)) | Compliance and Verification |
| Customer support and communication | Performance of contract (Art. 6(1)(b)); Legitimate interest (Art. 6(1)(f)) | Account, Communication |
| Platform security and fraud prevention | Legitimate interest (Art. 6(1)(f)) | Account, Usage, Technical |
| Analytics and Platform improvement | Legitimate interest (Art. 6(1)(f)) | Usage, Technical |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) | All categories as required |
| Billing and invoicing | Performance of contract (Art. 6(1)(b)) | Account |
| Marketing communications (with consent) | Consent (Art. 6(1)(a)) | Account (name, email) |

Where we rely on legitimate interest as a legal basis, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting our Data Protection Officer.

4. Data Sharing

We share your personal data only in the following circumstances:

4.1 Service Providers

We engage third-party service providers who process personal data on our behalf. These processors are contractually bound to process data only as instructed by us and to implement appropriate security measures. Categories of service providers include:

  • Cloud infrastructure providers (hosting and storage)
  • Identity verification and KYC/KYB providers
  • Analytics and monitoring providers
  • Customer support tools
  • Email and communication services
  • Payment processors

4.2 Professional Advisors

We may share personal data with our legal, financial, and insurance advisors where necessary for the management of our business.

We may disclose personal data where required by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

4.4 Business Transfers

In connection with a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the acquiring entity, subject to the same privacy protections described in this Policy.

We may share your personal data with third parties where you have given your explicit consent.

We do not sell your personal data to any third party.

5. International Data Transfers

SettleMint operates globally, and your personal data may be transferred to and processed in countries outside your country of residence, including countries outside the European Economic Area (EEA).

Where we transfer personal data outside the EEA, we ensure that appropriate safeguards are in place, including:

  • Adequacy decisions: Transfers to countries recognized by the European Commission as providing an adequate level of data protection
  • Standard Contractual Clauses (SCCs): We use the European Commission's standard contractual clauses (June 2021 version) for transfers to countries without an adequacy decision
  • Supplementary measures: Where necessary, we implement additional technical and organizational safeguards based on transfer impact assessments

You may request a copy of the applicable transfer safeguards by contacting our Data Protection Officer.

6. Data Retention

We retain personal data only as long as necessary to fulfill the purposes for which it was collected, or as required by law. Our retention periods are as follows:

| Data Category | Retention Period | Basis |
| --- | --- | --- |
| Account and Identity Data | Duration of your subscription + 12 months | Contract performance; legitimate interest for account recovery |
| Compliance and Verification Data | As required by applicable anti-money laundering law (typically 5–10 years after the end of the business relationship) | Legal obligation |
| Platform Usage Data | 24 months from collection | Legitimate interest (analytics and improvement) |
| Technical Data | 12 months from collection | Legitimate interest (security and troubleshooting) |
| Transaction and Blockchain Data | Duration of your subscription + 7 years | Legal obligation (financial records retention) |
| Communication Data | 36 months from last interaction | Legitimate interest (customer support continuity) |
| Marketing consent records | Duration of consent + 3 years | Legal obligation (proof of consent) |

On-chain data is immutable and cannot be deleted by SettleMint. Off-chain data is deleted or anonymized at the end of the applicable retention period.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Multi-factor authentication for Account access
  • Role-based access controls with least-privilege principles
  • Regular security assessments and penetration testing
  • Intrusion detection and monitoring systems
  • Employee security training and confidentiality obligations
  • Incident response procedures with documented breach notification protocols

No method of electronic storage or transmission is 100% secure. While we strive to protect your personal data, we cannot guarantee its absolute security.

8. Your Rights

8.1 Rights Under GDPR (EEA, UK, and Switzerland)

If you are located in the EEA, the UK, or Switzerland, you have the following rights under applicable data protection law:

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Request correction of inaccurate or incomplete personal data
  • Right to erasure: Request deletion of your personal data where there is no compelling reason for continued processing
  • Right to restriction: Request restriction of processing in certain circumstances
  • Right to data portability: Receive your personal data in a structured, commonly used, machine-readable format
  • Right to object: Object to processing based on legitimate interest, including profiling
  • Right to withdraw consent: Where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of prior processing
  • Right to lodge a complaint: File a complaint with your local data protection supervisory authority

We will respond to your request within thirty (30) days. This period may be extended by sixty (60) days for complex requests, with prior notification.

8.2 Rights Under CCPA / CPRA (California Residents)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act. See Section 11.2 for details.

8.3 Exercising Your Rights

To exercise any of your rights, contact our Data Protection Officer at [email protected]. We may request verification of your identity before processing your request.

We will not discriminate against you for exercising any of your privacy rights.

9. Cookies and Tracking Technologies

9.1 What We Use

We use the following categories of cookies and tracking technologies:

Strictly Necessary Cookies: Required for the Platform to function. These cannot be disabled. They include cookies for authentication, session management, and security.

Functional Cookies: Enable enhanced functionality and personalization, such as language preferences and user interface settings.

Analytics Cookies: Help us understand how the Platform is used, including page views, feature usage, and error reporting. We use these to improve the Platform's performance and user experience.

Marketing Cookies: Used to deliver relevant communications and measure the effectiveness of our marketing campaigns. These are only set with your explicit consent.

When you first visit the Platform, you will be presented with a cookie consent banner allowing you to accept or reject non-essential cookies. You can update your cookie preferences at any time through the Platform's settings.

You can also manage cookies through your browser settings. Note that disabling certain cookies may affect the functionality of the Platform.

9.3 Do Not Track

The Platform does not currently respond to "Do Not Track" browser signals. However, you can manage your tracking preferences through the cookie consent mechanism described above.

10. Children's Privacy

The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete such data promptly.

11. Jurisdiction-Specific Provisions

11.1 European Economic Area, United Kingdom, and Switzerland

If you are in the EEA, UK, or Switzerland, the following additional provisions apply:

  • Data Protection Officer: You may contact our DPO at [email protected]
  • Supervisory authority: You have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit) at www.gegevensbeschermingsautoriteit.be, or your local supervisory authority
  • Legal bases: All processing activities have a documented legal basis as described in Section 3
  • Automated decision-making: We do not make decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you, unless required for contract performance or with your explicit consent

11.2 California (CCPA / CPRA)

If you are a California resident, the following additional provisions apply under the California Consumer Privacy Act (as amended by the California Privacy Rights Act):

Categories of Personal Information Collected: In the preceding twelve (12) months, we have collected the categories of personal information described in Section 2, which correspond to the following CCPA categories: identifiers; commercial information; internet or electronic network activity; geolocation data; and professional or employment-related information.

Your California Rights:

  • Right to know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources of collection, the business purposes, and the categories of third parties with whom we share it
  • Right to delete: Request deletion of your personal information, subject to certain exceptions
  • Right to correct: Request correction of inaccurate personal information
  • Right to opt-out of sale/sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising
  • Right to limit use of sensitive personal information: Request that we limit our use of sensitive personal information to purposes necessary to provide the Services
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights

Submitting Requests: To exercise your California rights, contact us at [email protected]. We will verify your identity before processing your request. We will respond within forty-five (45) calendar days, which may be extended by an additional forty-five (45) days with notice.

Authorized Agents: You may designate an authorized agent to submit requests on your behalf. The agent must provide written authorization signed by you.

11.3 Brazil (LGPD)

If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD), including the right to access, correct, anonymize, block, or delete personal data. To exercise these rights, contact [email protected].

11.4 Other Jurisdictions

If you are located in a jurisdiction with data protection laws granting you additional rights not covered above, we will comply with those requirements. Contact our Data Protection Officer for jurisdiction-specific information.

12. Data Processing on Your Behalf

12.1 Customer as Controller

When you use the Platform to process personal data of your end users (for example, through KYC/KYB verification workflows or asset holder management), you act as the data controller and SettleMint acts as the data processor.

12.2 Data Processing Agreement

Our processing of your end users' personal data is governed by a Data Processing Agreement that complies with Article 28 of the GDPR. This agreement covers:

  • The scope and purpose of processing
  • The types of personal data processed
  • The obligations and rights of both parties
  • Sub-processor management and notification
  • Data breach notification procedures
  • Audit rights
  • Data deletion and return upon termination

12.3 Sub-Processors

We use sub-processors to assist in providing the Services. A list of our current sub-processors is available upon request from [email protected]. We will notify you of any changes to our sub-processors, and you may object to a new sub-processor in accordance with the Data Processing Agreement.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable law. Material changes will be communicated to you at least thirty (30) days in advance via email or through the Platform. The "Last updated" date at the top of this Policy indicates when the latest revision was made.

Your continued use of the Platform after the effective date of an updated Privacy Policy constitutes your acceptance of the changes. If you do not agree with the changes, you should discontinue use of the Platform.

14. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your rights, or have a complaint about our handling of your personal data, please contact:

Data Protection Officer
SettleMint NV
Philipssite 5 bus 1
3001 Leuven, Belgium
Email: [email protected]

For general inquiries about the Platform: Email: [email protected]

We aim to resolve all complaints internally. If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection supervisory authority.
