Policy Statement on the Transfer of Crypto-Assets

1. Introduction
‍

This Crypto-asset Transfer Policy Notice (the “Notice”) provides a structured description of the operational model, control system and governance framework adopted by YouHodler Italy S.r.l. (“YouHodler” or the “Company”) in relation to the provision of crypto-asset transfer services on behalf of its clients pursuant to Article 3(1)(26) of Regulation (EU) 2023/1114 (“MiCAR”).

This Policy has been drawn up in accordance with (i) MiCAR; (ii) the ESMA Guidelines on investor protection and transparency in crypto-asset services; (iii) anti-money laundering legislation; (iv) Regulation (EU) 2023/1113 (“Travel Rule”); and (iv) the principles of ICT risk management and operational resilience pursuant to Regulation (EU) 2022/2554 (“DORA”).

2. Nature of the transfer service

The crypto-asset transfer service on behalf of the Client consists of the execution of crypto-asset transfer transactions from addresses or accounts controlled by the Company, acting as custodian, to distributed ledger addresses designated by the Client, within a custodial model in which the Company retains control of the cryptographic keys (the “Transfer Service”). The Service is provided within the Company’s custody infrastructure. 
‍

Clients do not interact directly with the blockchain, but issue instructions via the YouHodler platform; upon receipt of the instruction, the Company carries out authentication, technical validation and compliance checks before proceeding with execution. The Transfer Service is provided using a risk-based approach, with controls applied that are proportionate to the nature of the transaction and the associated level of risk.
‍

The transfer takes place via a distributed ledger technology (DLT) and is governed by the rules of the relevant blockchain protocol, which are neither controlled nor influenced by the Company. Consequently, the Service does not guarantee specific settlement times on the blockchain, as these depend on the operation of the underlying network.
‍

Transfers involving EMTs, as they qualify as payment services under applicable legislation, are not executed by the Company. 

3. Transfer procedure

The customer submits the transfer order via the YouHodler platform, following strong authentication. Upon receipt of the transfer instruction, but prior to the execution of the transfer, the Company provides the customer with a summary screen or equivalent communication containing at least (i) the crypto-assets subject to the transfer; (ii) the transfer amount; (iii) the selected or applicable DLT network; (iv) the destination crypto-asset address or account specified by the customer; (v) applicable fees, costs and charges, with a clear distinction, where applicable, between network fees/gas fees and fees charged by the Company; (vi) any operational limits or compliance controls applicable to the transfer; and (vii) a standardised warning regarding the irreversibility or sufficient irreversibility of the transfer on the selected DLT network.
‍

Each request is subject to internal controls, including those required by anti-money laundering regulations and the Travel Rule, checks on operational limits and, where necessary, enhanced procedures based on the transaction’s risk profile. YouHodler may suspend or delay execution in the event of invalid technical parameters, incomplete information, a negative outcome of security or compliance checks, or the detection of operational anomalies.
‍

Withdrawals from custodial wallets are subject to multi-level authorisation mechanisms (Multi-Signature) where applicable, with segregation of duties and traceability of activities. Once transmitted to the blockchain network and confirmed in accordance with the protocol rules, the transaction is technically irreversible.
‍

The transfer instruction is deemed to have been received when (i) it has been correctly transmitted by the client via the Platform; (ii) authentication checks have been completed; (iii) all information required by applicable regulations is available, including the Travel Rule where applicable; and (iv) the instruction has passed preliminary technical validation checks relating at least to the selected crypto-asset, the DLT network, the destination address and the transfer amount. For the purposes of traceability and auditability, the timestamp recorded by the YouHodler platform at the time the instruction is sent by the customer shall be deemed authentic ( ).
‍

Under normal circumstances, the processing times for received instructions are as follows:

• in the case of automatic processing, instructions are processed within 5 (five) minutes of receipt;
• in the case of straight-through processing (STP), instructions are processed within 1 (one) hour of the completion of the required checks;
• in the case of manual review, instructions are placed in the operational queue within 60 (sixty) minutes, whilst the review is completed within 24 hours or, if later, by the following working day; in particularly complex cases, this period may be extended to up to 3 (three) working days. 

Settlement times on the blockchain, however, depend on the characteristics of the underlying protocol and the operational conditions of the applicable network and are not entirely within YouHodler’s control.
‍

Once the transfer has been executed, the Customer receives, via the YouHodler platform, in electronic format and free of charge, at least the following information:

• the amount and type of crypto-assets transferred or received;
• the DLT network used and, where applicable, the wallet addresses of the recipient and the sender;
• date and time of receipt and execution of the instruction;
• a unique transaction reference, where available (e.g. TXID or equivalent reference);
• the status of the transaction and, where applicable, the relevant network confirmations; as well as
• any fees, costs or charges applied by YouHodler in connection with the transfer.

Post-execution information is made available via the YouHodler platform, electronic notifications, account statements or periodic reports. Where such information is provided no more than once a month, it is made available free of charge, unless otherwise provided for by applicable legislation.

4. Customer Rights

The Customer is entitled to receive, in electronic format via the platform, clear, complete and up-to-date information before, during and after each transfer. 
‍

In particular, the Client is entitled to receive:

• before the contract is concluded, information regarding the characteristics of the service, the operating procedures, the applicable costs and fees, the liability terms, the cancellation procedures, the execution times and the supported DLT networks;
• before each transfer, a summary containing at least the crypto-asset being transferred, the amount, the selected DLT network, the destination address, the applicable fees and warnings regarding the irreversibility or sufficient irreversibility of the transaction;
• after the transfer, information regarding the transfer details, including, where applicable, information on the transferor and transferee, the transaction identification reference, the amount transferred, the execution date and the fees or network charges applied;
• in the event of a refusal, suspension, delay or return of the transfer, information regarding, subject to any limitations arising from applicable legislation, the reasons for the refusal, suspension, delay or return, any corrective actions required of the customer and any refund of applicable fees or charges.

The Customer is also entitled to:

• revoke the instruction before it becomes irrevocable following the commencement of the technical execution of the transfer or the transmission of the transaction to the DLT network;
• receive a copy of the contract and information relating to the service in electronic format;
• be informed promptly of any significant changes to the service; and
• withdraw from the contract in accordance with the procedures set out in the contractual documentation.

5. Customer’s Responsibilities and Notifications

The Customer is responsible for the accuracy of the instructions given, in particular regarding (i) the correctness of the destination address and the selected blockchain network; (ii) the security of their login credentials; and (iii) the completeness and accuracy of the information provided.
‍

In the event of an unauthorised transfer or one that has been incorrectly arranged or executed, the customer must report this to YouHodler without undue delay and in any event within 30 (thirty) days, via the secure channels indicated on the YouHodler platform, providing (i) the transfer ID; (ii) the crypto-asset; (iii) the amount; (iv) date; (v) destination address; (vi) description of the anomaly; and (vii) any document or information useful for reconstructing the transaction. 

6. Execution times and irreversibility

1. Once transmitted to the DLT network, the transaction is irrevocable or sufficiently irreversible after a number of block confirmations that varies depending on the underlying network. 

7. Risks specific to the Transfer Service

The Crypto-asset Transfer Service, as further set out in the Risk Policy, involves inherent risks such as:

• irreversibility;
• address typing errors;
• incorrect network selection;
• blockchain congestion;
• cyber attacks on the client’s external wallets; and
• suspensions or restrictions due to regulatory obligations.

‍

Such risks cannot be entirely eliminated and do not in themselves constitute a breach of service.

8. Security Policies

YouHodler adopts a security framework compliant with ISO/IEC 27001 standards and aligned with applicable requirements regarding network and information system security, including the NIS2 Directive and DORA, which includes:

• strong customer authentication;
• access controls based on the principle of least privilege;
• security event monitoring and correlation (SIEM or equivalent);
• infrastructure protection measures, including perimeter controls, intrusion detection and prevention systems (IDS/IPS) and anomaly detection tools;
• vulnerability assessments and penetration tests on critical components, at least annually or following significant changes;
• three-tier custodial infrastructure (Hot, Warm and Cold Wallets);
• HSM systems for cryptographic key management;
• multi-signature mechanisms for transaction signing.

9. Incident and anomaly management and business continuity

The Company adopts measures aimed at ensuring service continuity and the effective management of any anomalies, incidents – including ICT incidents – or operational disruptions that may impact the performance of transfer services.

The Company implements business continuity and resilience measures, in line with its Business Continuity Plan (BCP) and Disaster Recovery Procedures (DRP), designed to ensure the continuity of critical services and the restoration of operations in the event of disruptions. 

10. Suspension or refusal of a transfer

YouHodler may suspend or refuse a transfer in the event of regulatory obligations, suspected fraud or significant operational risks. Decisions to suspend, refuse or execute a transfer are made using a risk-based approach, which takes into account, amongst other things, the transaction amount, whether the destination address is new, any alerts generated by blockchain monitoring systems, as well as the obligations under anti-money laundering regulations and the Travel Rule.
‍

In such cases, it shall promptly communicate, to the extent permitted by law, the reasons, any corrective actions and the additional information required. 

11. Customer Notice

This policy is published on the YouHodler website.
‍

The Customer’s consent is deemed to have been given upon registration on the website or upon acceptance of the Terms of Service.
‍

The Customer may at any time request a digital copy of the Policy on the crypto-asset transfer service by email.
‍

This Policy must be read in conjunction with the Terms of Service and other applicable policies; in the event of any inconsistencies, the Terms of Service shall prevail. 
‍

YouHodler may update this Policy to reflect regulatory, technological or operational changes to the service, notifying the customer in accordance with the Terms of Service.