Privacy policy - PROSEGUR GOLD

The processing of the User’s personal data is governed by this Privacy Policy, in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR), Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights, and any other applicable regulations.

1. Data Controller

The controller of the personal data provided by the User is “Prosegur Custodia de Activos Digitales, S.L.U.” (Prosegur Crypto), with the identifying details indicated at the beginning of this document. For any queries or for the exercise of data protection rights, the User may contact the Data Protection Officer (DPO) appointed by Prosegur Crypto via the dedicated data protection email address: dpo@prosegur.com.

2. Data collected

The personal data that Prosegur Crypto may collect from the User include, among others:

  • Identification data: first name, last name, identity document, date of birth, nationality.
  • Contact data: telephone number, postal address, email address.
  • Economic and financial data: IBAN, transaction history, payment information.
  • Data obtained during the identity verification (KYC) process: facial image (non-biometric), proof of address, source of funds.
  • Technical data related to access to the Platform: logs, IP address, cookies in accordance with the Cookies Policy.

3. Purposes of processing

Prosegur Crypto will process the User’s data for the following main purposes:

  • Management of the contractual relationship: including the creation and administration of the User account; the execution of purchase orders for Gold Tokens, buybacks, physical deliveries, and other requests; communication with the User regarding related matters (transaction confirmations, security notices, updates to terms and conditions, etc.); and, in general, the provision of the requested services.
  • Legal compliance: in particular, compliance with obligations related to the prevention of money laundering and terrorist financing (KYC identity verification, monitoring of suspicious transactions, communication with competent authorities when necessary), as well as any other legal obligations (tax, consumer protection, etc.) that require the processing of personal data. For example, Prosegur Crypto may be required to provide information on certain transactions to tax or regulatory authorities in accordance with the law.
  • Security and fraud prevention: Prosegur Crypto may process data to implement security measures on the Platform, authenticate access, prevent unauthorized or fraudulent use of accounts, investigate potentially unlawful activities involving transactions (e.g., identity theft attempts, hacking, etc.), and ensure the integrity of the User’s and the company’s funds.
  • Commercial communications (marketing): Only if the User gives explicit consent (for example, by subscribing to newsletters or checking the corresponding box), Prosegur Crypto may use the User’s contact details to send commercial information related to its services, product updates (e.g., the launch of new metal tokens, special promotions), or other content of interest related to investments in digital assets or precious metals. The User may withdraw such consent at any time and stop receiving promotional communications, without affecting the main purchase and sale relationship.

4. Legal basis for processing

The legal bases that entitle Prosegur Crypto to process the User’s data are: (i) the performance of the contract for the purchase and sale of Gold Tokens (account management and transactions); (ii) compliance with legal obligations (e.g., anti-money laundering, tax, and commercial regulations); (iii) Prosegur Crypto’s legitimate interest in protecting its business and its customers from fraud or security incidents (fraud prevention, network security); and (iv) the User’s consent in cases involving marketing communications or other situations where consent is required. Prosegur Crypto will ensure that, when processing is based on legitimate interest, such interest does not override the User’s rights and freedoms. In any case, the User may object to such processing insofar as permitted by law.

Images collected during the identity verification process will not be subject to automated biometric identification processing. Their use is limited to manual verification to validate the User’s identity, in accordance with Law 10/2010 and due diligence regulations.

5. Data Recipients

As a general rule, Prosegur Crypto will not disclose the User’s personal data to third parties without the User’s consent. Exceptions apply where disclosure is required by law (e.g., financial institutions and supervisory authorities in the event of detection of suspicious transactions, law enforcement agencies or courts upon request, the Tax Agency with respect to transactions subject to tax obligations, etc.).

Likewise, Prosegur Crypto may share data with contracted service providers acting as data processors, such as: technology providers maintaining the platform, identity verification services, payment institutions processing transfers, courier/security companies delivering physical gold, etc. In all such cases, Prosegur Crypto ensures through contractual agreements that these processors handle the data only in accordance with its instructions, for the assigned purpose, and with an appropriate level of confidentiality and security, and that they may not use the data for their own purposes.

Prosegur Crypto belongs to the Prosegur Group. In certain cases, it may be necessary to share data within the corporate group (e.g., with the parent company or another subsidiary) for internal administrative or support purposes, always under intragroup agreements that protect privacy and, in the case of international transfers, with appropriate safeguards in accordance with the GDPR.

6. International Data transfers

As a general rule, data are stored and processed within the European Union. If any service provider or data recipient is located outside the European Economic Area (EEA), thus involving an international data transfer, Prosegur Crypto will ensure that the third country provides an adequate level of protection (by decision of the European Commission) or, failing that, that appropriate contractual safeguards are implemented, such as the execution of Standard Contractual Clauses approved by the European Commission, together with any additional measures as required. The User may request information about any international transfers of their data, if applicable, through the contact channels provided.

7. Data retention period

Prosegur Crypto will retain the User’s personal data for as long as necessary to fulfill the purposes for which they were collected. This means that, during the term of the contractual relationship, Prosegur Crypto will maintain and update the User’s information. After the end of the relationship (for example, when the User sells all their tokens and closes their account), Prosegur Crypto may keep the personal data blocked for the applicable statutory limitation periods.

In particular, anti-money laundering regulations require certain data and transaction information to be retained for a minimum period of 10 years from the termination of the business relationship, and commercial and tax regulations usually establish a minimum of 6 years for contractual and accounting documents. Once these periods have elapsed, the data will be securely deleted.

If the User starts the registration process but does not complete it, Prosegur Crypto will retain the provided data for a maximum period of 6 months, solely for fraud control and service improvement purposes. During this period, Prosegur Crypto may contact the User to confirm their interest and, where appropriate, delete unnecessary data. After this period without interaction, the data will be securely deleted or anonymized.

8. User rights

The User may exercise their data protection rights at any time, including:

  • Right of Access: to know which personal data Prosegur Crypto holds and to obtain a copy thereof in a structured format.
  • Right to Rectification: to request the correction of inaccurate or incomplete data.
  • Right to Erasure: to request the deletion of data when, among other reasons, they are no longer necessary for the stated purposes (note that this right is not absolute; Prosegur Crypto may retain certain data in a blocked state if there is a legal obligation to do so).
  • Right to Object: to object to processing based on legitimate interest, on grounds relating to the User’s particular situation. In such cases, Prosegur Crypto will cease the challenged processing unless it demonstrates compelling legitimate grounds that prevail or the processing is necessary for the establishment, exercise, or defense of legal claims.
  • Right to Restriction of Processing: to request that the processing of personal data be restricted in certain cases (e.g., while a request for rectification or objection is being verified).
  • Right to Data Portability: to receive the personal data provided by the User in a structured, commonly used, and machine-readable format, and to transmit them to another controller of the User’s choice, when the processing is based on consent or a contract and is carried out by automated means.

These rights may be exercised by submitting an express request, attaching a copy of a document proving the identity of the applicant, to the designated email address dpo@prosegur.com or by postal mail to the registered address of Prosegur Crypto, indicating “Attn: Data Protection Officer.” Prosegur Crypto will respond within the statutory time limits (a maximum of 1 month, extendable to 2 months in complex cases, with notice of the extension). If the User does not receive a response within the deadline or if the response is unsatisfactory, they have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) or another competent supervisory authority.

 

© 2026 Prosegur Custodia De Activos Digitales, S.L. All rights reserved.