Privacy Policy

1. Introduction

We respect your privacy and are committed to protecting your privacy rights. Please take the time to read our Privacy Policy (this "Policy") carefully. We aim to be transparent about how we use your information and how you can protect your privacy. This Privacy Policy outlines our information-handling practices when you access our products, as defined below.

References in this Policy to "Cwallet", "we", "our", or "us" refer to ​Amarium s.r.o.​, a company registered in the Commercial Register of the Municipal Court Bratislava III under registration number ​56 695 268​, with its registered address at ​Dunajská 66, Bratislava, 811 08, Slovakia​. References to "user", "customer", "you", or "your" refer to individuals who visit or use:

i. The platform accessible via mobile or desktop applications ("Applications"), the website https://cwallet.com, and/or the interface of our automated bot software (collectively referred to as the "Platform");

ii. Applications for mobile phones, tablets, desktops, or other devices that provide access to the Platform’s functionality;

iii. The automated bot software that allows access to the Platform’s functionality through predefined commands, without a graphical user interface ("Bot Software");

iv. Our website https://cwallet.com, which serves as a point of access to our Platform and provides information about our products, services, and projects.

In this Policy, we collectively refer to the Platform, Applications, Bot Software, and Website as the "Software".

By accessing, communicating with, downloading, joining messengers' groups or channels, registering for, or using the Software (as applicable), you indicate your acceptance to the terms outlined in this Privacy Policy. Where we require your consent to process your personal information, we will ask for your consent to the collection, use, and disclosure of your personal information as described further below.

If you do not agree with this Policy, please leave the platform; uninstall mobile or desktop applications; disable your access to the bot software or cease using our services immediately.

All the definitions used in this Policy shall have the same meaning as in our Terms of Service unless this Policy sets a different meaning

2. Controller

Amarium s.r.o. ("Cwallet", "we", or "us") acts as the data controller about personal information about you that may be either provided by you or collected by us

As a data controller, we will solely determine the purposes and means of the processing of your personal information.

We are in the process of appointing a Data Protection Officer (DPO) in accordance with Articles 37–39 GDPR and the Slovak Act No. 18/2018 Coll. Until a DPO is formally appointed, you may contact our designated Privacy Contact Point at [email protected] or by post at our registered office address regarding any data protection matters.

3. What Personal Data does Cwallet Collect and How We Collect It

Personal data, or personal information, refers to any information that pertains to an identified or identifiable living individual. This encompasses information you provide to us, data collected about you automatically, and information obtained from third parties.

For details on how Cwallet safeguards the data collected from its users, please refer to Section 7 "Information Security" below.

Cwallet collects, processes and stores Personal Data based on your use of the Service or when you have provided your consent.

We collect only the personal data that is adequate, relevant, and limited to what is necessary for the specified purposes, and do not use personal data for purposes incompatible with those stated in this Privacy Policy.

We collect information you provide during the onboarding process, whether the process is completed, incomplete or abandoned. We also collect Personal Data when you reach out to us through customer support, subscribe to marketing communications, communicate via phone, email, or other channels, or when you complete a transaction on your Cwallet account. We may actively or automatically collect, use, store, or transfer your Personal Data, which may include, but is not limited to, the following:

We may also gather Personal Data about you from third parties, such as electronic verification services, referrers, marketing agencies, or liquidity providers. In such cases, we will take reasonable measures to ensure they are aware of the relevant privacy laws. Additionally, we may employ third parties to analyze traffic on our website, which may involve the use of cookies (further details on "Cookies" are provided in Section 6 below). Information collected through this analysis is not anonymous.

We will not collect Sensitive Information about you without your consent, unless an exemption or exception applies. These exemptions include instances where collection is required or authorized by law, or when it is necessary to take appropriate action in response to suspected unlawful activity or serious misconduct.

If you do not provide the Personal Data we request, we may be unable to offer you the full benefits of our Services or adequately meet your needs. Therefore, we do not allow you to interact with us anonymously or under a pseudonym.

3.1. Purpose Limitation and Children’s Data

We collect only the data necessary for the stated purposes and do not process it for incompatible purposes. Our services are not directed to individuals under 18 years old, and we do not knowingly process children’s data.

4. How We Use Your Personal Information and the Legal Basis for processing

We use your information, including your personal data, for the following purposes:

Our legitimate interests include: i.) preventing fraud and abuse, ii.) ensuring platform security and integrity, iii.) improving the reliability and user experience of our services, and iv.) conducting internal analytics to detect suspicious activity. These interests do not override your fundamental rights and freedoms.

In addition to the specific purposes for which we may process your personal information set out in this Section 4, we may also process any of your personal information where such processing is necessary for compliance with a legal obligation to which we are subject, or to protect your vital interests or the vital interests of another natural person.

Please do not supply any other person's personal information to us, unless we prompt you to do so.

5. Disclosing Your Personal Information

a.) We may disclose your personal information to our affiliates, our contractors, and our service providers insofar as reasonably necessary for the purposes, and on the legal basis, set out in this Policy.

b.) We may disclose your personal information to our insurers and/or professional advisers insofar as reasonably necessary for obtaining or maintaining insurance coverage, managing risks, obtaining professional advice, or the establishment, exercise, or defense of legal claims, whether in court proceedings or an administrative or out-of-court procedure.

c.) In addition to the specific disclosures of personal information set out in this Section, we may disclose your personal information where such disclosure is necessary for compliance with a legal obligation to which we are subject, or to protect your vital interests or the vital interests of another natural person. We may also disclose your personal information where such disclosure is necessary for the establishment, exercise, or defense of legal claims, whether in court proceedings or an administrative or out-of-court procedure.

d.) If we are required by the applicable law (for example, you are a resident of the EEA zone or Switzerland) and your personal information is to be transferred outside our country of incorporation (Slovakia) and/or the EEA zone or Switzerland, we will ensure an adequate level of protection by any of the recognized methods of transfer, including but not limited to entry into the standard contractual clauses for the transfer of personal information to processors established in third countries.

e.) We appoint third-party processors under Art.28 GDPR and ensure data processing agreements with security measures under Art.32 GDPR. Key processors include AWS (hosting), Sumsub (KYC), MistTrack (KYT).

We may share your personal information with carefully selected third-party service providers (“data processors”) who act solely on our documented instructions to support the operation, security, and legal compliance of our services.

The categories of processors include:

• Cloud hosting and infrastructure providers – to operate and store our platform systems;

• Identity verification and AML/KYC compliance providers – to verify users and meet legal obligations;

• ​Payment and blockchain transaction infrastructure providers ​​–​ ​to process deposits, withdrawals, and transfers;

• ​Cybersecurity, DDoS mitigation, and CDN providers ​​– to secure our systems from cyber threats;

• Customer support and communication platforms – to handle support requests and communications;

• Analytics and monitoring providers – to improve performance and detect suspicious activity;

• ​Professional advisers and auditors ​​– for legal, compliance, and audit services.

Categories of recipients. We may share personal data with:

• (i) financial institutions (banks, EMI, payment processors);

• (ii) verification and screening providers (e.g., Sumsub for KYC, MistTrack for KYT/sanctions screening);

• (iii) cloud/IT vendors (e.g., AWS);

• (iv) customer support and analytics providers;

• (v) auditors, legal and compliance advisors;

• (vi) competent public authorities and courts where required by law.

All such providers are bound by data processing agreements under Article 28 GDPR, must implement technical and organisational security measures under Article 32 GDPR, and ensure their personnel are bound by confidentiality.

Where any processors are located outside the EEA, we ensure appropriate safeguards, including Standard Contractual Clauses (SCCs) or adequacy decisions, under Chapter V GDPR.

A detailed internal register of all current processors and sub-processors is maintained and will be made available to the Slovak supervisory authority (Úrad na ochranu osobných údajov SR) or the National Bank of Slovakia upon request, in line with Article 62(2)(f) of Regulation (EU) 2023/1114.

6. Your Data Protection Rights

You may exercise your rights (access, rectification, erasure, restriction, portability, objection, consent withdrawal) by emailing [email protected]. We will respond within 1 month (extendable by 2 months in complex cases).

7. Cookies and Similar Technologies

We use strictly necessary cookies under our legitimate interests. Analytics/marketing cookies are set only with your consent via our cookie banner. You may withdraw consent at any time in ‘Cookie settings’.

As with many other websites in the world, our Platform uses cookies. A cookie is a small file on your device with a string of letters and numbers which serves as a unique identifier. Sometimes cookies can also be used to store your personal preferences on websites. When you open our Platform for the first time, cookies are created on your device. When you open it next time, cookies are sent back to us, thus letting us know you’ve already been there. We don’t create cookies ourselves, but we use third-party providers who do it for us.

Cookies make it easier for you to use our Platform during future visits. They also allow us to monitor traffic and personalize the content of our Platform for you. Session-based cookies only last while your browser is open, and are automatically deleted when you close the browser. Persistent cookies last until you or your browser deletes them or until they expire.

Some of our cookies are necessary for certain uses of the Platform. These cookies allow us to make our Platform usable by enabling basic functions like page navigation. The Platform may not function properly without these cookies.

We may also use functional cookies and cookies from third parties for analysis and marketing purposes. Functional cookies enable certain parts of the Platform to work properly and your user preferences to remain known. Analytic cookies, among other things, collect information on how visitors use our Platform, the content and products that users view most frequently, and the effectiveness of our third-party advertising.

We generally use cookies for the following purposes:

• Authentication – we use cookies to identify you when you visit the Platform and as you navigate through the Platform;

• Status – we use cookies to help us to determine if you are logged into the Platform;

• Security – we use cookies as an element of the security measures used to protect user accounts, including preventing fraudulent use of login credentials, and to protect the Platform and our services generally;

• Analysis – we use cookies to help us to analyze the use and performance of the Platform and services; and

• Cookie consent – we use cookies to store your preferences about the use of cookies more generally.

We use analytics packages from trusted third parties to constantly improve your experience of using the Platform and our services. Our trusted partners help us serve advertising and/or analytics and may place cookies on your device. You can find their privacy policies in the list below. Please read their privacy policies to ensure that you are comfortable with how they use cookies.

We use the following third-party services to monitor and analyze web traffic and user behavior:

• Google Analytics. Google Analytics is a web analysis service provided by Google Inc. Google utilizes the data collected to track and examine user behavior, prepare reports, and share insights with other Google services. Google may use the data collected to contextualize and personalize the advertisements launched via Google's advertising network. The service is subject to Google's Privacy Policy: https://policies.google.com/privacy

• Cloudflare. Cloudflare provides DDoS mitigation and Internet security services. Cloudflare utilizes the data collected to detect malicious visitors to the Platform and minimize blocking legitimate users. The data collected is used to identify users behind a shared IP address and apply security settings on a per-client basis. The service is subject to Cloudflare’s Privacy Policy: https://www.cloudflare.com/en-gb/privacypolicy/

• Amplitude. Amplitude is a cloud-based product analytics platform. Amplitude utilizes the data collected to track and examine user behavior and prepare reports on how our users use the Platform and services. The service is subject to Amplitude’s Privacy Notice: https://amplitude.com/privacy

While we do our best to keep this list updated, please note that third parties who place cookies on your device may change from time to time, and there may be a slight delay updating the list.

You can generally activate or later deactivate the use of cookies through a functionality built into your web browser or mobile device. To learn more about how to control cookie settings through your browser, please consult the documentation that your browser manufacturer provides.

8. Information Security

Your account is secure and protected, please preserve your account and password information properly. We will ensure that your information is not lost, abused and altered by storing backups of other servers and encrypting the user passwords. Please note that there are no "perfect security measures" on the information network. When using our platform services for online trades, you will inevitably disclose your personal information, such as contact information or postal address, to the counterparty or other potential counterparties. Please protect your personal information and provide it to others only if necessary.

If you find that your personal information have been leaked, especially your account and password, please contact our customer service immediately so that we can take appropriate measures.

In the event of a personal data breach, we will notify the Slovak Data Protection Authority (Úrad na ochranu osobných údajov SR) within 72 hours of becoming aware of the breach, and notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

8.1. Data Protection Impact Assessments (DPIAs)

Where processing is likely to result in a high risk to the rights and freedoms of natural persons, we will conduct Data Protection Impact Assessments (DPIAs) in accordance with Article 35 GDPR before starting such processing.

8.2. Data Protection Training and Internal Governance

All employees and contractors with access to personal data receive regular training on data protection and information security, and are subject to confidentiality obligations.

8.3. Risk Management and DPIA

We apply a risk-based approach and conduct Data Protection Impact Assessments (DPIA) for high-risk processing (e.g., KYC biometrics, sanctions screening), including proportional safeguards. In case of a personal data breach, we will notify the supervisory authority and affected individuals where required.

9. Local Storage

Local storage, including Javascript-enabled local Storage, is a typical way for a website to store a small file of letters and numbers in your browser. We use local storage files to keep you signed in on the Platform and to keep your account authorization settings. Local storage files are deleted when the website that stored them deletes them. You can also delete local storage files from your browser at any time you like by visiting your web browser settings.

You can clear local storage files from your browser by taking the following actions:

• In Firefox, localStorage is cleared when the following conditions are met: (a) user clears recent history, (b) cookies are selected to be cleared, and (c) time range is "Everything";

• In Chrome, localStorage is cleared when the following conditions are met: (a) clear browsing data, (b) "Cookies and other site data" is selected, and (c) timeframe is "from the beginning of time." In Chrome, it is also now possible to delete localStorage for one specific site;

• In Internet Explorer, to clear localStorage: (a) click on Tools--Internet Options, (b) General tab, (c) delete browsing history on exit, (d) ensure "Cookies and website data" (or "temporary internet files and website files") is selected, and (e) consider unchecking "Preserve Favorites website data" at the top;

• In Safari, to clear localStorage: (a) click Safari, (b) then click preferences, (c) select the Privacy tab, (d) click Remove all website data and (e) click Remove Now.

10. General Processing

Our processing means any operation or set of operations which is performed on personal information, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, support, maintenance, etc. We do not make automated decisions, including profiling.

Your personal information is stored on cloud services provided by Amazon. Amazon Privacy Notice is available at https://aws.amazon.com/privacy.

We have implemented measures designed to secure your personal information from accidental loss and unauthorized access, use, alteration, and disclosure.

11. Retaining and Deleting Personal Information

We retain personal data in accordance with the applicable laws. That is, we will destroy or anonymize your personal data when we have reasonably determined that (i) the purpose for which that the personal data was collected is no longer being served by the retention of such personal data; (ii) retention is no longer necessary for any legal or business purposes; and (iii) no other legitimate interests warrant further retention of such personal data. If you cease to use our Services, we may continue storing, using and/or disclosing your personal data in accordance with this Privacy Policy and our obligations under the applicable laws.

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or to comply with applicable laws and regulations. Retention periods are determined by Slovak and EU regulations, including but not limited to:

• General Data Protection Regulations (GDPR)

• Act No. 18/2018 Coll. On Personal Data Protection (Slovakia), implementing GDPR

• Act No. 297/2008 Coll. On Protection Against Money Laundering and Terrorist Financing (Slovak AML Act) - mandatory record-keeping for financial institutions.

KYC/AML records are retained for at least 5 years (and up to 10 years where required) under Act No.297/2008 Coll. and Regulation (EU) 2023/1114 (MiCA). Transaction logs are retained for 5 years to comply with financial monitoring obligations.

12. Third Parties

We appoint third-party processors under Art.28 GDPR and ensure data processing agreements with security measures under Art.32 GDPR. Key processors include AWS (hosting), Sumsub (KYC), MistTrack (KYT).

The Platform, Applications, or any other parts of Software may contain links to any other websites or services. Please note that we are not responsible for the privacy practices or the content of such websites or services, and you should review the privacy policy of each such website or service to make sure you are comfortable with it before providing any personal information.

13. International transfers (Cross-border)

While many of our external third parties are based outside of the Slovak Republic, therefore their processing of personal data will involve a transfer of data outside of the Slovak Republic. That means:

Personal data may be transferred to and processed in countries outside your country of residence.

We ensure appropriate safeguards, including but not limited to entry into the standard contractual clauses for the transfer of personal information to processors established in third countries.

Depending on your jurisdiction, you may have additional rights. We will honour requests in accordance with applicable law.

Where data is transferred outside the EEA, we rely on: (a) adequacy decisions (Art.45 GDPR); or (b) Standard Contractual Clauses (SCCs) (Art.46 GDPR) with supplementary measures where necessary. Copies of SCCs are available upon request.

14. Rights of European Users

If you are located in the EEA zone, the UK, Switzerland as a data subject (a person whose personal information is collected, stored, and processed) you have several rights under data privacy laws:

Right of access. You have the right to obtain confirmation of your personal information is being processed by us. If that is the case, you can access your personal information and the following information: (i) the purposes of the processing; (ii) the categories of personal information; (iii) to whom the personal information has been or will be disclosed; (iv) the envisaged period for which the personal information will be stored, or the criteria used to determine that period.

If you would like to have a copy of your personal information from us, we will provide it if (i) you prove your identity, (ii) it will not adversely affect the rights and freedoms of others. The first copy will be provided for free, for any further copies, we may charge a reasonable fee based on administrative costs.

Right to rectification. You have the right to demand that we correct without undue delay your personal information which we have in our systems if it is inaccurate or incomplete.

Right to erasure ("right to be forgotten"). You have the right to demand that we erase your personal information, and we shall erase it without undue delay where one of the following grounds applies: (i) this personal information is no longer necessary to the purposes for which it was processed; (ii) you withdraw consent on which the processing is based, and where there is no other legal ground for the processing; (iii) you object to the processing and there are no overriding legitimate grounds; (iv) your personal information has been unlawfully processed; (v) your personal information has to be erased for compliance with a legal obligation.

Right to restrict processing. ​You have the right to restrict us in the ability the process your information where one of the following applies: (i) you contest the accuracy of your personal information and we are verifying it; (ii) the processing is unlawful and you want to restrict it instead of erasure; (iii) we no longer need your personal information, but you need it for the establishment, exercise or defense of legal claims; (iv) you have objected to the processing and we are verifying whether legitimate grounds override your request.

Right to data portability. You have the right to receive your personal information which you provided to us in a structured, commonly used, and machine-readable format and have the right to transmit those data to another company, where: (i) the processing is based on your consent or a contract; and (ii) the processing is carried out by automated means.

Where technically feasible, you can demand that we transmit those data directly to another company.

Right to object. You have the right to object to the processing of your personal information based on our legitimate interests. We shall no longer process your personal information unless we demonstrate compelling legitimate grounds for the processing or the establishment, exercise, or defense of legal claims.

Where personal information is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal information for such marketing.

We send marketing communications only with your consent or, where applicable, under legitimate interest with a clear opt-out in every message. You may unsubscribe at any time.

Right to withdraw consent. You have the right to withdraw your consent for the processing of your personal information at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Right to lodge a complaint. ​You have the right to lodge a complaint with the Slovak Data Protection Authority (Úrad na ochranu osobných údajov Slovenskej republiky): Hraničná 12, 820 07 Bratislava, Slovak Republic

Email: [email protected] | Website: https://dataprotection.gov.sk

15. Childrens' Personal Data

Our Software is not intended for minors under the age of 18 years, and we do not knowingly collect data relating to minors.

We collect only the data necessary for the stated purposes and do not process it for incompatible purposes. Our services are not directed to individuals under 18 years old, and we do not knowingly process children’s data.

16. Changes to this Privacy Policy

We will notify you of material changes to this Policy at least 15 days in advance via the Platform or by email, providing a summary of the updates.

We may modify this Privacy Policy by providing notice of such changes, such as by sending you an email, providing notice through the Software or its newsfeed, or updating the "Last Updated" date at the bottom of this Privacy Policy. By continuing to access or use the Software, you confirm your agreement to the modified Privacy Policy. If you do not agree to any modification to this Privacy Policy, you must stop using the Software and our services. We encourage you to frequently review the Privacy Policy to ensure you understand the terms and conditions that apply to your access to, and use of, the Software and our services.

17. Contact details

If you have any requests concerning your personal information or any queries about this Privacy Policy, please feel free to contact us at [email protected].