# Privacy Policy

Source: https://docs.settlemint.com/docs/business/legal/privacy-policy
How the SettleMint Digital Asset Lifecycle Platform collects, uses, stores,
and protects personal data.




Effective date: March 5, 2026
Last updated: May 24, 2026

SettleMint NV ("SettleMint"), incorporated in Belgium (company number 0661.674.810, registered at Kempische Steenweg 311 bus 4.01, 3500 Hasselt), publishes this Privacy Policy. It covers personal data processed in connection with the SettleMint Digital Asset Lifecycle Platform ("DALP" or the "Platform") and related websites and services, including your rights and the special rules that apply to public blockchain records.

In short: SettleMint processes account, usage, technical, compliance, and transaction-related data to operate DALP and meet its legal obligations. It uses this data to support customers and secure the Platform. Personal data written to public blockchain networks cannot be deleted or modified by SettleMint. Keep personal data and confidential terms off-chain unless your own legal and operational process allows it.

This Privacy Policy applies globally. Where specific regulations grant you additional rights, those are detailed in the [jurisdiction-specific sections](#11-jurisdiction-specific-provisions).

## Privacy at a glance [#privacy-at-a-glance]

This policy covers three privacy surfaces that behave differently in DALP. Each has distinct rules.

| Privacy surface             | What it covers                                                                                                                                      | What this means                                                                                                                                       |
| --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
| Platform records            | Account, usage, technical, communication, and compliance records that SettleMint or its subprocessors process to provide DALP and support customers | These records follow the access, retention, transfer, and deletion controls in this policy.                                                           |
| Customer-controlled records | End-user identity, verification, holder, and transaction records that a customer processes through DALP as its own controller                       | The customer decides the lawful basis and instructions for that processing. SettleMint acts as processor where the Data Processing Agreement applies. |
| Public-chain records        | Wallet addresses, transaction hashes, smart contract records, and other data that can become visible on public EVM networks                         | SettleMint cannot remove these records after submission to the network.                                                                               |

<Mermaid
  chart="graph LR
    A[Account, usage, technical, compliance, and communication data] --> B[DALP platform processing]
    C[Customer end-user and verification records] --> B
    B --> D[Off-chain platform records governed by this policy]
    B --> E[Public EVM network records]
    E --> F[Immutable public-chain history]"
/>

Use this diagram as the operating model for the rest of the policy: off-chain records follow the controls described below; public-chain records follow network permanence and visibility rules.

## 1. Data controller [#1-data-controller]

SettleMint NV is the data controller responsible for processing your personal data as described in this Privacy Policy. For questions or requests, contact the Data Protection Officer:

Data Protection Officer
SettleMint NV
Philipssite 5 bus 1
3001 Leuven, Belgium
Email: [privacy@settlemint.com](mailto:privacy@settlemint.com)

## 2. Personal data SettleMint collects [#2-personal-data-settlemint-collects]

The categories below cover the personal data SettleMint collects. Which categories apply depends on how you interact with the Platform.

### 2.1 Account and identity data [#21-account-and-identity-data]

Creating an Account or being added as an Authorized User triggers collection of the following data:

* Full name
* Email address
* Organisation name and role
* Phone number (optional)
* Account credentials (passwords are stored in hashed form only)
* Multi-factor authentication identifiers

### 2.2 Compliance and verification data [#22-compliance-and-verification-data]

Identity verification workflows may process the following data about you or your end users:

* Government-issued identification documents (passport, national ID, driver's license)
* Proof of address documentation
* Corporate registration and beneficial ownership information
* KYC/KYB verification status and results
* Sanctions screening results

Compliance and verification data is processed by you (the Platform customer) as the data controller for your end users. SettleMint acts as a data processor for this data. SettleMint's processing is governed by the Data Processing Agreement between you and SettleMint.

### 2.3 Platform usage data [#23-platform-usage-data]

Platform usage generates the following data, which SettleMint collects automatically:

* Pages visited and features used
* Operations performed (for example, asset creation and transaction submissions)
* Timestamps and session duration
* Error logs and performance data
* API usage and request metadata

### 2.4 Technical data [#24-technical-data]

SettleMint automatically collects the technical information listed below.

* IP address
* Browser type and version
* Operating system
* Device identifiers
* Referring URL
* Language preferences
* Time zone setting

### 2.5 Transaction and blockchain data [#25-transaction-and-blockchain-data]

Creating or managing Digital Assets through the Platform causes SettleMint to process the following data:

* Transaction metadata (timestamps, asset types, amounts)
* Wallet addresses associated with your Account
* Smart contract deployment records
* On-chain transaction hashes

Data written to a public blockchain is immutable and publicly accessible. SettleMint cannot delete or modify on-chain data. Keep personal data, private document identifiers, and confidential terms out of public-chain metadata, calldata, and transaction inputs. All off-chain records remain governed by the retention and deletion controls described in this policy. For more information on public-chain privacy boundaries, see [Public chain privacy on EVM networks](/docs/compliance-security/privacy/overview).

Before launching a public-chain asset workflow, decide where each record belongs. Use the table below as a guide.

| Keep off-chain                                                                                                                                              | Use on-chain only when required for execution or enforcement                                                                                                                        |
| ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Identity documents, KYC/KYB files, sanctions reports, beneficial-ownership evidence, investor questionnaires, review notes, and private customer references | Wallet addresses, smart contract addresses, transaction hashes, role changes, token events, registry relationships, claim topics, and compliance parameters that the contracts need |
| Private reserve files, custody records, commercial terms, document identifiers, and internal approval notes                                                 | Neutral metadata, public references, or transaction inputs that your legal and operational review has approved for public-chain visibility                                          |

For asset operations, review names, symbols, metadata fields, document references, calldata, event fields, and transaction inputs before submission. Once the transaction reaches the selected EVM network, SettleMint cannot erase or redact the public-chain record.

### 2.6 Audit and compliance data [#26-audit-and-compliance-data]

SettleMint maintains audit logs of compliance workflows, verification decisions, access events, and regulatory reports generated through the Platform. These records support security, legal compliance, and accountability obligations.

### 2.7 Communication data [#27-communication-data]

When you contact SettleMint for support or other purposes, SettleMint collects the data listed below and uses it to respond to your inquiry and to maintain service records.

* Email correspondence content
* Support ticket details
* Chat transcripts
* Phone call records (where applicable)

### 2.8 Cookies and tracking technologies [#28-cookies-and-tracking-technologies]

SettleMint uses cookies and similar technologies to operate and improve the Platform. You can manage cookie preferences through the consent banner or your browser settings. For details, see [Section 9](#9-cookies-and-tracking-technologies).

## 3. How SettleMint uses your personal data [#3-how-settlemint-uses-your-personal-data]

SettleMint processes your personal data for the purposes and legal bases listed below:

| Purpose                                          | Legal Basis (GDPR)                                                         | Categories of Data                     |
| ------------------------------------------------ | -------------------------------------------------------------------------- | -------------------------------------- |
| Providing and operating the Platform             | Performance of contract (Art. 6(1)(b))                                     | Account, Usage, Technical, Transaction |
| Account creation and management                  | Performance of contract (Art. 6(1)(b))                                     | Account and Identity                   |
| Processing compliance and verification workflows | Performance of contract (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c))    | Compliance and Verification            |
| Customer support and communication               | Performance of contract (Art. 6(1)(b)); Legitimate interest (Art. 6(1)(f)) | Account, Communication                 |
| Platform security and fraud prevention           | Legitimate interest (Art. 6(1)(f))                                         | Account, Usage, Technical              |
| Analytics and Platform improvement               | Legitimate interest (Art. 6(1)(f))                                         | Usage, Technical                       |
| Compliance with legal obligations                | Legal obligation (Art. 6(1)(c))                                            | All categories as required             |
| Billing and invoicing                            | Performance of contract (Art. 6(1)(b))                                     | Account                                |
| Marketing communications (with consent)          | Consent (Art. 6(1)(a))                                                     | Account (name, email)                  |

Where SettleMint relies on legitimate interest as a legal basis, it has conducted a balancing test confirming that its interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting the Data Protection Officer.

## 4. Data sharing [#4-data-sharing]

SettleMint does not sell personal data. It shares personal data only in the circumstances described below.

### 4.1 Service providers [#41-service-providers]

SettleMint engages third-party service providers who process personal data on SettleMint's behalf. These processors are contractually bound to process data only as instructed and to apply appropriate security measures.

Current processor categories include the following.

* Cloud infrastructure providers (hosting and storage)
* Identity verification and KYC/KYB providers
* Analytics and monitoring providers
* Customer support tools
* Email and communication services
* Payment processors

### 4.2 Professional advisors [#42-professional-advisors]

SettleMint may share personal data with professional advisors where necessary for business management. These recipients are bound by professional confidentiality obligations.

### 4.3 Legal requirements [#43-legal-requirements]

SettleMint may disclose personal data where required by law, regulation, legal process, or governmental request. Disclosure may also occur where necessary to protect SettleMint's rights, your safety, or the safety of others.

### 4.4 Business transfers [#44-business-transfers]

In connection with a merger, acquisition, reorganization, or sale of assets, personal data may be transferred to the acquiring entity. The acquiring entity receives the data subject to the same privacy protections described in this policy.

### 4.5 With your consent [#45-with-your-consent]

SettleMint may share personal data with third parties where you have given explicit consent. SettleMint does not sell personal data to any third party.

## 5. International data transfers [#5-international-data-transfers]

SettleMint operates globally, and your personal data may be transferred to and processed in countries outside your country of residence, including countries outside the European Economic Area (EEA).

Where SettleMint transfers personal data outside the EEA, appropriate safeguards are in place.

* Adequacy decisions: transfers to countries the European Commission recognizes as providing an adequate level of data protection
* Standard Contractual Clauses (SCCs): SettleMint uses the European Commission's standard contractual clauses (June 2021 version) for transfers to countries without an adequacy decision
* Supplementary measures: where necessary, SettleMint implements additional technical and organizational safeguards based on transfer impact assessments

You may request a copy of the applicable transfer safeguards by contacting the Data Protection Officer.

## 6. Data retention [#6-data-retention]

SettleMint retains personal data only as long as necessary to fulfill the purposes for which it was collected, or as required by law. The table below sets out the applicable retention periods.

| Data Category                    | Retention Period                                                                                                         | Basis                                                          |
| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------- |
| Account and Identity Data        | Duration of your subscription + 12 months                                                                                | Contract performance; legitimate interest for account recovery |
| Compliance and Verification Data | As required by applicable anti-money laundering law (typically 5 to 10 years after the end of the business relationship) | Legal obligation                                               |
| Platform Usage Data              | 24 months from collection                                                                                                | Legitimate interest (analytics and improvement)                |
| Technical Data                   | 12 months from collection                                                                                                | Legitimate interest (security and troubleshooting)             |
| Transaction and Blockchain Data  | Duration of your subscription + 7 years                                                                                  | Legal obligation (financial records retention)                 |
| Communication Data               | 36 months from last interaction                                                                                          | Legitimate interest (customer support continuity)              |
| Marketing consent records        | Duration of consent + 3 years                                                                                            | Legal obligation (proof of consent)                            |

On-chain transaction history is immutable and SettleMint cannot delete it. SettleMint deletes or anonymizes off-chain personal data at the end of the applicable retention period, unless a legal obligation requires continued retention.

## 7. Data security [#7-data-security]

SettleMint implements appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. Controls include:

* Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
* Multi-factor authentication for Account access
* Role-based access controls with least-privilege principles
* Regular security assessments and penetration testing
* Intrusion detection and monitoring systems
* Employee security training and confidentiality obligations
* Incident response procedures with documented breach notification protocols

No method of electronic storage or transmission is 100% secure. SettleMint applies the measures above but cannot guarantee absolute security.

## 8. Your rights [#8-your-rights]

### 8.1 Rights under GDPR (EEA, UK, and Switzerland) [#81-rights-under-gdpr-eea-uk-and-switzerland]

If you are in the EEA, the UK, or Switzerland, the following rights apply under applicable data protection law:

* Right of access: request a copy of the personal data SettleMint holds about you
* Right to rectification: request correction of inaccurate or incomplete personal data
* Right to erasure: request deletion of personal data where no compelling reason for continued processing exists. This right covers off-chain records only; immutable public-chain transaction history cannot be removed.
* Right to restriction: request restriction of processing in certain circumstances
* Right to data portability: receive your personal data in a structured, machine-readable format
* Right to object: object to processing based on legitimate interest, including profiling
* Right to withdraw consent: where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of prior processing
* Right to lodge a complaint: file a complaint with your local data protection supervisory authority

SettleMint will respond to your request within thirty (30) days. SettleMint may extend this period by sixty (60) days for complex requests, with prior notification.

### 8.2 Rights under CCPA / CPRA (California residents) [#82-rights-under-ccpa--cpra-california-residents]

California residents have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act. See [Section 11.2](#112-california-ccpa--cpra) for details.

### 8.3 Exercising your rights [#83-exercising-your-rights]

To exercise any of your rights, contact the Data Protection Officer at [privacy@settlemint.com](mailto:privacy@settlemint.com). SettleMint may request identity verification before processing your request. SettleMint will not discriminate against you for exercising any of your privacy rights.

## 9. Cookies and tracking technologies [#9-cookies-and-tracking-technologies]

### 9.1 What SettleMint uses [#91-what-settlemint-uses]

SettleMint uses four categories of cookies and tracking technologies. Strictly necessary cookies are required for the Platform to function and cannot be disabled; they cover authentication, session management, and security. Functional cookies enable enhanced functionality and personalization, such as language preferences and user interface settings. Analytics cookies help SettleMint understand how the Platform is used, covering page views, feature usage, and error reporting; SettleMint uses these to improve Platform performance and the user experience. Marketing cookies deliver relevant communications and measure the effectiveness of campaigns; SettleMint sets these only with your explicit consent.

### 9.2 Cookie management [#92-cookie-management]

When you first visit the Platform, a cookie consent banner lets you accept or reject non-essential cookies. You can update your cookie preferences at any time through the Platform's settings. You can also manage cookies through your browser settings; disabling certain cookies may affect Platform functionality.

### 9.3 Do Not Track [#93-do-not-track]

The Platform does not currently respond to "Do Not Track" browser signals because no uniform standard for honoring them exists. To limit tracking, use the cookie consent mechanism described above or adjust your browser settings.

## 10. Children's privacy [#10-childrens-privacy]

The Platform is not directed at individuals under the age of 18. SettleMint does not knowingly collect personal data from children, and no features are intended for use by minors. If SettleMint becomes aware that a child's data was collected without appropriate consent, it will delete those records promptly.

## 11. Jurisdiction-specific provisions [#11-jurisdiction-specific-provisions]

### 11.1 European Economic Area, United Kingdom, and Switzerland [#111-european-economic-area-united-kingdom-and-switzerland]

If you are in the EEA, UK, or Switzerland, GDPR and equivalent national laws grant you the rights and protections described throughout this policy. The following additional provisions also apply. - Data Protection Officer: you may contact the DPO at [privacy@settlemint.com](mailto:privacy@settlemint.com)

* Supervisory authority: you have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit) at [www.gegevensbeschermingsautoriteit.be](https://www.gegevensbeschermingsautoriteit.be), or your local supervisory authority
* Legal bases: all processing activities have a documented legal basis as described in [Section 3](#3-how-settlemint-uses-your-personal-data)
* Automated decision-making: SettleMint does not make decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you, unless required for contract performance or with your explicit consent

### 11.2 California (CCPA / CPRA) [#112-california-ccpa--cpra]

If you are a California resident, the following additional provisions apply under the California Consumer Privacy Act (as amended by the California Privacy Rights Act). In the preceding twelve (12) months, SettleMint has collected the categories of personal information described in [Section 2](#2-personal-data-settlemint-collects), which correspond to the following CCPA categories: identifiers; commercial information; internet or electronic network activity; geolocation data; and professional or employment-related information.

California residents hold the following rights:

* Right to know: request disclosure of the categories and specific pieces of personal information SettleMint has collected, the sources of collection, the business purposes, and the categories of third parties with whom SettleMint shares it
* Right to delete: request deletion of your personal information, subject to certain exceptions
* Right to correct: request correction of inaccurate personal information
* Right to opt-out of sale/sharing: SettleMint does not sell your personal information and does not share it for cross-context behavioral advertising
* Right to limit use of sensitive personal information: request that SettleMint limit its use of sensitive personal information to purposes necessary to provide the Services
* Right to non-discrimination: SettleMint will not discriminate against you for exercising your CCPA rights

Submitting requests: contact SettleMint at [privacy@settlemint.com](mailto:privacy@settlemint.com) to exercise your California rights. SettleMint verifies your identity before processing your request. SettleMint responds within forty-five (45) calendar days; this period may extend by an additional forty-five (45) days with notice.

Authorized agents: you may designate an authorized agent to submit requests on your behalf. The agent must provide written authorization signed by you.

### 11.3 Brazil (LGPD) [#113-brazil-lgpd]

If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD), including the right to access, correct, anonymize, block, or delete personal data. To exercise these rights, contact [privacy@settlemint.com](mailto:privacy@settlemint.com).

### 11.4 Other jurisdictions [#114-other-jurisdictions]

If you are located in a jurisdiction with data protection laws granting you additional rights not covered above, SettleMint will comply with those requirements. Contact the Data Protection Officer for jurisdiction-specific information.

## 12. Data processing on your behalf [#12-data-processing-on-your-behalf]

### 12.1 Customer as controller [#121-customer-as-controller]

When you use the Platform to process personal data of your end users, for example through KYC/KYB verification workflows or asset holder management, you act as the data controller. SettleMint acts as the data processor.

### 12.2 Data processing agreement [#122-data-processing-agreement]

SettleMint's processing of your end users' personal data is governed by a Data Processing Agreement that complies with Article 28 of the GDPR. The agreement addresses the following:

* The scope and purpose of processing
* The types of personal data processed
* The obligations and rights of both parties
* Sub-processor management and notification
* Data breach notification procedures
* Audit rights
* Data deletion and return upon termination

### 12.3 Sub-processors [#123-sub-processors]

SettleMint uses sub-processors to assist in providing the Services. A list of current sub-processors is available on request from [privacy@settlemint.com](mailto:privacy@settlemint.com). SettleMint notifies you of changes to sub-processors; you may object to a new sub-processor under the Data Processing Agreement.

## 13. Changes to this policy [#13-changes-to-this-policy]

SettleMint may update this Privacy Policy to reflect changes in practices, the Platform, or applicable law. SettleMint will communicate material changes at least thirty (30) days in advance via email or through the Platform. The "Last updated" date at the top of this policy indicates when the latest revision was made.

Your continued use of the Platform after the effective date of an updated Privacy Policy constitutes acceptance of the changes. If you do not agree with the changes, discontinue use of the Platform.

## 14. Contact [#14-contact]

Contact the Data Protection Officer to ask about this Privacy Policy, exercise your rights, or complain about the handling of your personal data:

Data Protection Officer
SettleMint NV
Philipssite 5 bus 1
3001 Leuven, Belgium
Email: [privacy@settlemint.com](mailto:privacy@settlemint.com)

For general inquiries about the Platform:
Email: [support@settlemint.com](mailto:support@settlemint.com)

SettleMint aims to resolve all complaints internally. If you are not satisfied with the response, you have the right to lodge a complaint with the relevant data protection supervisory authority.
