Privacy Notice

This Privacy Notice (the "Notice") describes how Cyclops, Inc. and its affiliates (collectively, "Cyclops," "we," "us," or "our") collect, use, disclose, and otherwise process personal information about individuals who interact with our websites, platform, and services.

We designed this Notice to give you a clear picture of our data practices. As a provider of payments, wallet, custody, card-issuing, and related compliance infrastructure used by businesses to serve their own merchants and end users, the information we handle may come to us directly from you or indirectly through one of our business customers.

This Notice is intended to be consistent with, and to implement our obligations under, the data protection and privacy laws that apply to our activities, including:

• the EU General Data Protection Regulation (Regulation (EU) 2016/679) (the "EU GDPR");
• the UK General Data Protection Regulation and the UK Data Protection Act 2018 (together, the "UK GDPR"); and
• the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (the "CCPA"), together with other U.S. state privacy laws that apply to our activities (collectively, "Applicable Privacy Laws").

Where a term used in this Notice is defined in an Applicable Privacy Law, that definition applies unless we have clearly given the term a different meaning here.

If you have questions about this Notice or our privacy practices, please contact us using the details in Section 17.

The Cyclops group

Cyclops, Inc. is the parent company of the Cyclops group. For the purposes of the EU GDPR and the UK GDPR, the controller (or, where applicable, joint controller or processor) of personal information is typically determined by the relationship giving rise to the processing. Unless we indicate otherwise, references in this Notice to "Cyclops" include Cyclops, Inc., Cyclops USA, Inc., Cyclops EEC Services GmbH, and any other affiliate involved in the relevant processing.

What we do

We build, license, and operate technology that enables our business customers (and, in turn, their merchants) to accept payments, transfer funds, and generally manage transactions involving stablecoins and other digital assets. Because our services are often embedded into our customers' products through APIs, we may interact with individuals directly, indirectly, or not at all—depending on the implementation.

Individuals covered by this Notice

This Notice applies when we process personal information about:

• visitors to cyclops.io and any other associated website, mobile application, or developer portal that we control (each, a "Cyclops Property");
• individuals who register for, access, or use our platform directly—for example, to manage an API integration or administer an account;
• individuals who represent a current, former, or prospective business customer, partner, vendor, introducer, or other counterparty;
• individuals whose personal information we receive from a business customer in connection with the services we provide to that customer (for example, end users of a customer's product, including cardholders, wallet holders, payers, payees, and transaction counterparties); and
• any other individual whose personal information we process in connection with our services or business operations.

Some sections of this Notice apply primarily to one or more of these groups. Where that is the case, we have tried to make it clear.

We process personal information in several broad categories. The specific categories that apply to you depend on your relationship with us and on how you (or the Cyclops customer you are transacting with) interacts with our services.

We collect sensitive categories of personal information—such as government-issued identification numbers, nationality, or, in limited cases, biometric information processed through third-party identity-verification vendors—only where we have a legitimate basis to do so and, where required by law, with your consent.

We obtain personal information from a range of sources, including:

• Directly from you—for example, when you create an account, register on a Cyclops Property, use our services, complete a KYC or KYB process, respond to a survey, submit a support request, or otherwise communicate with us.
• From our business customers—for example, when a customer provides us with information about its own end users, cardholders, wallet holders, merchants, or counterparties in order to use, configure, or integrate our services.
• From service providers and partners acting on our or our customers' behalf, including identity-verification vendors, anti-fraud and sanctions-screening providers, analytics providers, and payment processors.
• From other third parties—including financial institutions, blockchain analytics providers, credit-reference agencies, and other entities that provide information needed to operate our services, prevent fraud, and meet our compliance obligations.
• From public and openly available sources—including public registries, company filings, sanctions and watchlists, public blockchains, and publicly available content on the internet.
• Automatically, through your use of Cyclops Properties—for example, through cookies, server logs, and analytics technologies (see Section 8).

We process personal information for the purposes described below. For individuals in the EEA and the UK, we have also identified the lawful basis on which we rely under Article 6 of the EU GDPR (and, as applicable, the UK GDPR). Where we rely on legitimate interests, we have assessed that our interests (or those of a third party) are not overridden by the interests or fundamental rights of the individual concerned. You may request more information about our legitimate-interest assessments by contacting us.

Where we rely on your consent for a particular processing activity, you may withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

In some cases, we process personal information about individuals who are not our direct customers. This typically happens where we provide payment, wallet, card-issuing, custody, compliance, or related infrastructure services to a business customer and that customer uses our services to interact with other individuals—for example, cardholders, wallet holders, payees, payers, merchants, or recipients of transfers.

Depending on how our services are integrated, these individuals may interact with Cyclops systems directly and accept Cyclops end-user terms, or we may process their information solely because they are transacting with or receiving funds from one of our business customers. In some implementations, Cyclops acts as a processor on behalf of the customer; in others, we act as an independent (or joint) controller—for example, where we have our own legal obligations with respect to the processing, such as AML monitoring or regulatory reporting.

Where we process personal information about end users and counterparties without a direct relationship with them, we typically do so:

• to enable our business customers to deliver their services and complete transactions;
• to meet our own legal and regulatory obligations, including those relating to AML, sanctions, and the Travel Rule; and
• for the other purposes described in Section 5, to the extent applicable.

We share personal information with the categories of recipients described below, and only to the extent necessary for the purposes described in this Notice.

7.1 Within our corporate group

We share information within the Cyclops group where such sharing is needed to operate our business, provide our services, or manage our platform on a consolidated basis.

7.2 Business customers and their authorized representatives

Where our services are embedded or integrated into a business customers' product, we share personal information with that customer (and its authorized users) as necessary to deliver the service.

7.3 Regulated financial partners

We share information with licensed banks, payment institutions, e-money institutions, custodians, card networks, and similar regulated counterparties as needed to execute, settle, or otherwise support transactions and to meet settlement, licensing, and operational requirements.

7.4 Service providers and processors

We engage third parties to perform services on our behalf under written contracts that require them to protect personal information and to use it only for agreed purposes. Categories of service providers include:

• infrastructure, cloud-hosting, and IT providers;
• identity-verification and biometric vendors;
• anti-fraud, anti-money-laundering, sanctions-screening, and transaction-monitoring providers;
• analytics, security, and incident-response providers;
• tax, accounting, and reporting providers;
• customer-support platforms, including live chat and automated-messaging tools;
• communications and messaging providers (e.g., email, SMS);
• document storage and e-signature providers; and
• professional advisors (e.g., legal, accounting, and audit advisors).

7.5 Fraud and financial-crime prevention networks

We share information with agencies and industry bodies that help detect and prevent fraud, money laundering, terrorism financing, sanctions evasion, and other financial crime in payments, digital asset, and related services.

7.6 Travel Rule counterparties

Where required by the "Travel Rule" and related regulations, we may share or receive counterparty information with the originator or beneficiary virtual asset service provider, financial institution, or wallet provider in connection with a transaction.

7.7 Regulators, law enforcement, and public authorities

We share information with regulators, courts, tribunals, and law-enforcement, tax, and other governmental authorities where we are legally required to do so or where doing so is otherwise consistent with this Notice and applicable law.

7.8 Corporate transactions

We may share personal information with counterparties and their advisors in connection with an actual or proposed corporate transaction (such as a merger, acquisition, financing, reorganization, or sale of assets), subject to appropriate confidentiality protections.

7.9 With your authorization

We may share personal information with any other party that you have authorized us to share it with, or that we have disclosed to you at the point of collection.

Cyclops operates across multiple jurisdictions, including the United States and the European Economic Area. As a result, personal information we collect may be transferred to, stored in, and processed in countries other than the country in which you reside, including countries whose data protection laws differ from those in your jurisdiction.

When we transfer personal information out of the EEA, the UK, or another jurisdiction with cross-border transfer restrictions, we take steps designed to ensure the transfer complies with applicable law. Depending on the circumstances, these steps may include:

• transferring to a country that has been recognized as providing an adequate level of protection;
• entering into the European Commission's Standard Contractual Clauses (including, for UK transfers, the UK International Data Transfer Agreement or Addendum) with the recipient of the data;
• implementing additional technical or organizational safeguards where appropriate; or
• relying on another transfer mechanism permitted by applicable law.

You can obtain further information about the safeguards we use for international transfers by contacting us at privacy@cyclops.io.

We retain personal information only for as long as is reasonably necessary to achieve the purposes described in this Notice, taking into account, among other things:

• the duration of our relationship with you (or with the business customer on whose behalf we process your information);
• our legal, regulatory, tax, accounting, and audit obligations—including record-keeping obligations that apply to financial institutions, payment services, and virtual asset service providers;
• the need to resolve disputes, enforce our agreements, and protect our legal rights; and
• legitimate business needs, such as fraud prevention, information security, and maintaining the integrity of our services.

The specific retention period for any particular item of personal information depends on the nature of the information, the purpose of the processing, and the applicable legal requirements. Where we no longer need personal information, we delete it, anonymize it, or securely archive it in accordance with our internal retention standards.

We maintain technical and organizational measures designed to protect personal information against loss, misuse, unauthorized access, unauthorized disclosure, alteration, and destruction. These measures are calibrated to the nature of the information we handle and the risks presented by our processing activities, and we review them on a periodic basis.

We host personal information on servers maintained by Cyclops or by reputable third-party infrastructure providers, and we engage our service providers under contractual arrangements that require them to implement appropriate safeguards. No method of electronic transmission or storage is fully secure, and we cannot guarantee absolute security.

If you believe that your interaction with us is no longer secure—for example, if you suspect unauthorized access to your account—please contact us using the details in Section 17.

Depending on where you live and the Applicable Privacy Laws, you may have some or all of the following rights with respect to your personal information:

• Access—request confirmation of whether we process personal information about you and, if so, a copy of that information.
• Correction—ask us to correct personal information that is inaccurate or incomplete.
• Deletion (erasure)—ask us to delete your personal information, subject to applicable exceptions.
• Restriction—ask us to restrict our processing of your personal information in certain circumstances.
• Objection—object to our processing of your personal information where we are relying on legitimate interests or for direct-marketing purposes.
• Portability—request a copy of certain personal information in a portable, machine-readable format, or ask us to transmit it to another controller.
• Withdrawal of consent—where we rely on your consent, withdraw it at any time.
• Limit use of sensitive personal information—where required by Applicable Privacy Laws, limit our use or disclosure of sensitive personal information to what is necessary to provide our services or otherwise permitted by law.
• Opt out of sale, sharing, or targeted advertising—as noted, we do not sell personal information or use it for cross-contextual behavioral advertising, and you may confirm this status at any time.
• Non-discrimination—you have the right not to be treated in a discriminatory manner for exercising your privacy rights, including with respect to the price or level of service you receive.
• Complaint to a supervisory authority—lodge a complaint with a data-protection authority or other competent regulator.

To exercise any of these rights, contact us at privacy@cyclops.io or through the channels described in Section 17. To protect you and others, we will take reasonable steps to verify your identity before responding, and we may ask for additional information.

If our records indicate that we process your personal information as a processor on behalf of a Cyclops customer—for example, because you are an end user of that customer's product—we may ask you to direct your request to that customer and will support them in responding.

You may designate an authorized agent to make a request on your behalf, subject to reasonable verification.

The following disclosures supplement this Notice for individuals in the regions identified below.

13.1 European Economic Area and United Kingdom

If you are located in the EEA or the UK, the controller of your personal information is generally the Cyclops entity that has the closest relationship with the processing at issue. For processing relating to EEA or UK individuals in the ordinary course of our services, the controller will typically be Cyclops, Inc., with Cyclops EEC Services GmbH acting as our EEA contact and, where required, our representative under Article 27 of the EU GDPR. We identify the specific controller at the point of collection where we are required to do so.

Our EU Representative. Pursuant to Article 27 of the EU GDPR, our EU Representative is Cyclops EEC Services GmbH. You may contact our EU Representative at privacy@cyclops.io or at the postal address listed in Section 17.

Our UK contact point. Individuals in the United Kingdom may also direct inquiries regarding the UK GDPR to Cyclops EEC Services GmbH at the contact details above.

Supervisory authorities. You have the right to lodge a complaint with your local EEA data protection authority or with the UK Information Commissioner's Office (ico.org.uk). A list of EEA authorities is available at edpb.europa.eu.

13.2 California

If you are a California resident, the CCPA provides you with the rights described in Section 12. In the twelve months preceding the "Effective / Last Updated" date of this Notice, we have collected the categories of personal information identified in Section 3, from the sources described in Section 4, for the purposes described in Section 5, and shared those categories with the categories of recipients described in Section 7. We have not sold personal information and have not shared personal information for cross-contextual behavioral advertising.

"Shine the Light." California residents may also request, once per calendar year, information about our disclosures of certain categories of personal information to third parties for their direct-marketing purposes under California Civil Code § 1798.83. To make such a request, contact us at privacy@cyclops.io.

13.3 Other U.S. states

Residents of other U.S. states that have enacted general consumer-privacy laws may have similar rights, including rights to access, correct, delete, and port personal information, and to opt out of certain types of processing. You may exercise these rights through the channels described in Section 12.

Cyclops does not direct its services to children, and we do not knowingly collect personal information from children under the age of 13 (or the applicable age of digital consent in your jurisdiction). If you are under the relevant age, please do not submit personal information to us.

We encourage parents and legal guardians to supervise their children's use of the internet and to help enforce this Notice by instructing their children not to provide personal information through our services. If we become aware that we have collected personal information from a child under the applicable age without appropriate consent, we will take steps to delete it promptly. If you believe we may have received such information, please contact us at privacy@cyclops.io.

Third-party websites

Cyclops Properties may contain links to websites, products, or services operated by third parties. We do not control those third parties, and we are not responsible for their privacy practices or the content of their sites. We encourage you to review the privacy notices of any third-party websites you visit.

Do-not-track signals

At this time, our websites and platform are not configured to respond to "Do Not Track" signals sent by web browsers. We may revisit this position as industry standards develop.

We may update this Notice from time to time to reflect changes in our practices, technologies, legal requirements, or other operational needs. When we do, we will revise the "Effective / Last Updated" date at the top of this Notice and, where appropriate, provide additional notice—for example, by email or through a prominent notice on a Cyclops Property. We encourage you to review this Notice periodically.

If you have questions about this Notice or our privacy practices, or if you would like to exercise any of your rights, you can reach us as follows:

Privacy Team
Email: privacy@cyclops.io
Alternate: support@cyclops.io
Postal: Cyclops Privacy Team, 1000 Brickell Avenue, Suite 715, Miami, FL 33131, USA

EU Representative (Article 27 EU GDPR)
Cyclops EEC Services GmbH
Address: Seilerstätte 24, 1010 Vienna, Austria
Email: privacy@cyclops.io