PRIVACY POLICY

YouHodler Italy S.r.l. (hereinafter, “YouHodler,” the “Company,” “we,” or “our”) is committed to protecting your privacy. We have prepared this Privacy Policy (hereinafter, the “Policy”) to explain how we collect, use, and disclose personal information regarding individuals (hereinafter, “Users”) who visit the website https://www.youhodler.com/it and the YouHodler app (both hereinafter, the “Platform”) or who interact with our social media, our marketing activities, and any other activities described in this Policy.


This Policy describes the methods and purposes of the processing of personal data carried out by YouHodler and is drafted in accordance with Regulation (EU) 2016/679 (hereinafter, “GDPR”).


This Policy also takes into account, where applicable, Regulation (EU) 2023/1114 (hereinafter, “MiCAR”), with particular reference to the transparency obligations regarding the provision of crypto-asset services.


Any substantial changes to this Policy or to the processing of personal data will be communicated to data subjects in an appropriate manner and in compliance with Articles 13 and 14 of the GDPR.


For information on the use of cookies and similar technologies, please refer to the Cookie Policy.


1. DATA CONTROLLER


The Data Controller is:

YouHodler Italy S.r.l.

Tax ID/VAT No. 12481390966 

Registered office: Via del Commercio 32 - 00154 - Rome (RM)

Email: privacy@youhodler.it

Certified Email: youhodler@legalmail.it

The Data Controller has appointed privacy@youhodler.it as the Data Protection Officer (“DPO”), who can be contacted at the email address privacy@youhodler.it.


2. PURPOSES AND LEGAL BASIS OF THE PROCESSING


Users’ personal data is processed for the following purposes:


2.1 Provision of Services and management of the contractual relationship


Personal data is processed to enable User registration, account creation and management, access to the Reserved Area, use of crypto-asset-related Services, execution of operations and transactions, as well as the management of customer support, any complaints, and contractual relationships related to the services offered through the Platform.


Legal basis: performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR).


2.2 Compliance with regulatory obligations, AML/KYC, and fraud prevention


Personal data is processed to comply with obligations under applicable law, including obligations regarding anti-money laundering (“AML”), counter-terrorist financing (“CTF”), know-your-customer (“KYC”), transaction monitoring, sanctions and PEP screening, record retention, and compliance with competent authorities.


Such processing may include identity verification activities, anti-fraud checks, verification of the origin of funds, and the use of specialized providers in blockchain analytics and compliance.


Legal basis: compliance with legal and regulatory obligations (Art. 6(1)(c) GDPR).


The verification, analysis, and monitoring activities carried out for the purpose of complying with regulatory obligations, including obligations regarding AML, CTF, KYC, fraud prevention, and sanctions screening, are not based on the data subject’s consent, but rather on compliance with legal obligations and, where applicable, on the need to perform the contractual relationship.


For the purposes of conducting compliance and verification activities, certain personal data may also be obtained from public sources, official registries, publicly accessible databases, and providers specializing in identity verification, fraud prevention, blockchain analytics, and AML/CTF screening.


2.3 Platform Security and Prevention of Abuse


Personal data may be processed to ensure the security of the Platform, prevent unauthorized access, detect fraudulent or abusive use of the Services, manage security incidents, perform technical checks, and protect the integrity of IT systems.


Legal basis: the Data Controller’s legitimate interest in system security and fraud prevention (Art. 6(1)(f) GDPR).


2.4 Service improvement, analytics, and Platform development


Personal data may be used to analyze how the Platform is used, improve the user experience, develop new features, perform aggregated statistical analyses, monitor operational performance, and ensure the proper functioning of the services offered through the Platform.


Legal basis: the Data Controller’s legitimate interest in improving and developing the Services (Art. 6(1)(f) GDPR).


The provision of personal data for the purposes set forth in paragraphs 2.1, 2.2, 2.3, and 2.4 is necessary for the establishment and performance of the contractual relationship, as well as for compliance with applicable regulatory obligations. Failure to provide the data may make it impossible to establish or continue the contractual relationship and to provide the services offered through the Platform.


2.5 Direct Marketing and Promotional Communications


Subject to the User’s consent where required by applicable law, personal data may be processed for the purpose of sending newsletters, commercial communications, service updates, promotional initiatives, events, market research, and other marketing activities related to the services offered through the Platform.


Legal basis: consent of the data subject (Art. 6(1)(a) GDPR).


2.6 Profiling and personalization of commercial communications


Subject to the User’s consent where required by applicable law, personal data may be processed to analyze preferences, interests, how the Platform is used, and interactions with the services offered through the Platform, in order to personalize commercial communications, content, and offers related to crypto-asset services.


Legal basis: consent of the data subject (Art. 6(1)(a) GDPR).


The provision of personal data for the purposes referred to in paragraphs 2.5 and 2.6 is optional. Failure to provide consent or its subsequent withdrawal does not affect the ability to use the services offered through the Platform or the validity of the contractual relationship.


The data subject may withdraw the consent provided at any time, without prejudice to the lawfulness of the processing carried out prior to the withdrawal.


3. CATEGORIES OF PERSONAL DATA PROCESSED


3.1 Identification and Contact Information


The User’s personal and identifying information, including first name, last name, date of birth, nationality, country of residence, residential address or domicile, email address, phone number, username, account identifiers, and additional information provided during registration or use of the Platform.


3.2 KYC/AML Data and Verification Data 


Data collected for the purposes of Know Your Customer (“KYC”), Anti-Money Laundering (“AML”), and Counter-Terrorism Financing (“CTF”), including identity documents, document images, selfies, video identification, biometric data where applicable, proof of address, information on the source of funds and wealth, data regarding politically exposed person (“PEP”) status, sanctions screening, anti-fraud information, and additional data required by applicable regulations or internal compliance procedures.


3.3 Financial, wallet, and transaction data


Data related to the Services used and transactions carried out via the Platform, including wallet addresses, public blockchain addresses, balances, transaction history, transactions carried out, data related to deposits and withdrawals, data related to fiat currency accounts, payment data, IBANs, bank details, information regarding the payment methods used, and additional information necessary for the execution of transactions and the management of the services offered through the Platform.


3.4 Technical, usage, and browsing data


Data collected automatically while using the Platform, including IP address, access logs, device identifiers, browser and operating system information, session data, cookies and similar technologies, browsing data, interactions with the Platform, analytics data, performance information, and data related to the security and proper functioning of the services offered through the Platform.


3.5 Data related to customer support and communications


Data contained in communications with the Company via email, support tickets, chat, social media, telephone, or other official channels, including the content of requests, records of interactions, and information necessary for managing support requests, complaints, or disputes.


3.6 Data collected from third parties


Data received from KYC/AML service providers, payment providers, technology partners, blockchain analytics providers, public databases, sanctions registries, PEP lists, and other authorized sources, to the extent permitted by applicable law.


4. METHODS OF DATA COLLECTION AND PROCESSING


Personal data is collected and processed in accordance with the principles of lawfulness, fairness, transparency, data minimization, and integrity as set forth in the GDPR.


4.1 Methods of Data Collection


Personal data is collected:

  • directly from the User, through registration, use of the services offered via the Platform, or communications with the Company; 
  • automatically, through the use of the Platform, including log files, cookies, and technical monitoring systems; 
  • through third parties, including KYC/AML service providers, payment providers, blockchain analytics infrastructure, and other technology partners necessary for the provision of services offered through the Platform. 

4.2 Recipients of Personal Data


Personal data may be disclosed to third parties within the limits of the purposes indicated above, including:

  • IT service providers, cloud infrastructure providers, and hosting providers;
  • KYC/AML, anti-fraud, and blockchain analytics service providers; 
  • payment institutions and financial intermediaries; 
  • communication and customer support service providers; 
  • legal, tax, and professional advisors; 
  • public authorities and supervisory bodies, in cases provided for by law. 

The entities listed above act, as applicable, as data processors pursuant to Article 28 of the GDPR or as independent data controllers.


4.3 Data Security and Technical and Organizational Measures


The Data Controller implements appropriate technical and organizational measures pursuant to Article 32 of the GDPR to ensure a level of security appropriate to the risk, taking into account the technological nature of the Services related to crypto-assets and the risks associated with the use of digital infrastructure and DLT systems.


The measures taken are designed to prevent the loss of personal data, unauthorized access, unauthorized disclosure, and unauthorized alteration or destruction of such data.


Data processing may be carried out using electronic means and, in limited cases, also on paper.


The Data Controller conducts periodic risk assessments and, where necessary, data protection impact assessments pursuant to Article 35 of the GDPR.


In the event of a personal data breach, the Data Controller shall comply with the requirements set forth in Articles 33 and 34 of the GDPR, including, where required, notification to the Data Protection Authority and communication to the data subjects.


5. TRANSFERS OF DATA TO THIRD COUNTRIES


Personal data may be transferred outside the European Economic Area.


Such transfers are made in compliance with Articles 44 et seq. of the GDPR and based on one of the following appropriate safeguards:

  • adequacy decisions adopted by the European Commission; 
  • Standard Contractual Clauses (SCCs) approved by the European Commission; 
  • any additional technical, organizational, and contractual measures adopted to ensure a level of personal data protection substantially equivalent to that provided in the European Union. 

For further details regarding the countries to which data is transferred, the suppliers involved, and the specific safeguards applied, please refer to Annex 1 – List of Cross-Border Transfers, which forms an integral part of this Policy.


The data subject may obtain a copy of the safeguards adopted for the transfer of personal data by writing to the contact details provided in this Policy.


6. DATA RETENTION PERIOD


Personal data is retained for the time strictly necessary to achieve the purposes for which it was collected, in accordance with the data retention limitation principles set forth in Article 5(1)(e) of the GDPR.


Specifically:

  • data processed for contractual purposes is retained for the entire duration of the contractual relationship and, thereafter, for the period necessary to comply with applicable legal obligations, including civil, tax, and regulatory obligations, and in any case for a period not exceeding 10 years from the termination of the relationship; 
  • data processed for the purpose of complying with regulatory obligations, including those relating to anti-money laundering and the prevention of terrorist financing, is retained for the period provided for by applicable legislation and, in any case, for no longer than 10 years from the termination of the contractual relationship, subject to further retention obligations provided for by law or the need for protection in legal proceedings; 
  • data processed for marketing purposes is retained until consent is withdrawn and, in any case, for a period not exceeding 24 months from the date consent is obtained; 
  • data processed for profiling purposes is retained for a period not exceeding 12 months from the date consent is obtained, unless consent is revoked earlier.

At the end of the respective retention periods, personal data is deleted, anonymized, or rendered irreversibly unidentifiable.


Personal data is stored on servers located within the European Economic Area, subject to any transfers to third countries carried out in compliance with applicable regulations and the safeguards set forth in Article 5 of this Policy.


7. RIGHTS OF THE DATA SUBJECT


The data subject may exercise, within the limits and under the conditions set forth in Articles 15–22 of the GDPR, the following rights:

  • the right of access to personal data and information regarding the processing; 
  • the right to rectify inaccurate data and to have incomplete data completed; 
  • the right to erasure of personal data in the cases provided for in Article 17 of the GDPR; 
  • the right to restriction of processing in the cases provided for in Article 18 of the GDPR; 
  • the right to data portability, in the cases provided for by Article 20 of the GDPR, in a structured, commonly used, and machine-readable format; 
  • the right to object to processing in the cases provided for by Article 21 of the GDPR; 
  • the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent given prior to withdrawal; 
  • the right not to be subject to decisions based solely on automated processing, including profiling, in the cases provided for in Article 22 of the GDPR; 
  • the right to lodge a complaint with the Data Protection Authority pursuant to Article 77 of the GDPR. 

The exercise of these rights may be limited in the cases provided for by applicable law, including retention or processing obligations arising from anti-money laundering regulations and other legal obligations.


Data subjects may exercise their rights by writing to: privacy@youhodler.it.


The Data Controller will respond to the data subject’s requests without undue delay and, in any case, within one month of receiving the request, which may be extended in the cases provided for in Article 12 of the GDPR.


7.1 Contacts for Exercising Rights


To exercise rights or for any information regarding the processing of personal data, the Customer may contact:

YouHodler Italy S.r.l.

Via del Commercio 32 - 00154 - Rome (RM)

Email: privacy@youhodler.it

Certified Email: youhodler@legalmail.it

ANNEX 1 – LIST OF CROSS-BORDER TRANSFERS


EU Member States under the GDPR

- United Kingdom: Adequacy Decision

- United States of America: Additional security and organizational measures

- Switzerland: Adequacy Decision

Other recipients of personal data for processing purposes (Sub-processors)

AWS - Compliance Program; GDPR Center; Additional Measures Addendum;

Ireland

Infrastructure provider offering hosting and storage services

Data essential for the operation of services and the establishment of the contractual relationship

Infomaniak SA 

Switzerland

Infrastructure provider offering hosting and storage services

Data essential for the operation of services and the establishment of the contractual relationship

Atlassian

Netherlands; USA; Australia; United Kingdom

Infrastructure provider; Customer service management

Data essential for the operation of services and the establishment of the contractual relationship

Cloudflare.com

Infrastructure provider;

ANONYMIZED DATA

SumSub Ltd.

Germany

KYC provider, Data validation, Document verification, Biometric processing, Fraud detection

Data essential for the operation of services and the establishment of the contractual relationship; Data collected for compliance with AML and/or EU laws; Data collected for compliance with other applicable laws and regulations

Intercom

Ireland

Customer account support and communications

Data essential for the operation of services and the establishment of the contractual relationship; Data collected for marketing purposes

Twilio

USA/EU/Switzerland

Communications technology provider

Data essential for the operation of services and the establishment of the contractual relationship

Applicable ONLY if users choose to use SMS for 2FA

Sendgrid

USA/EU/Switzerland

Communications technology provider

Data essential for the operation of services and the establishment of the contractual relationship;

Applicable ONLY if users choose to use email for 2FA

Sift

EU / USA

Data analytics tool using artificial intelligence

Data collected for compliance with AML and/or EU laws; Payment data

Elliptic

United Kingdom

Data analysis tool

Data collected for compliance with AML and/or EU laws;

Lightspark

USA

DLT infrastructure enabling certain operational services

Data essential for the operation of the service; Data collected for compliance with AML and/or EU laws; payment data

Checkout

USA, UK, EU

Payment service provider

Data collected for compliance with AML and/or EU laws; Payment data

Unlimint

EU

Payment service provider

Data collected for compliance with AML and/or EU laws; Payment data

Volet

Canada

Payment service provider

Data collected for compliance with AML and/or EU laws; Payment data

Intergiro

EU

Payment service provider

Data collected for compliance with AML and/or EU laws; Payment data

Mixpanel

United Kingdom/Spain/Singapore

Product analysis

Data essential for the operation of services and the establishment of the contractual relationship; Data collected for marketing purposes

Customer.io

USA

Communications technology provider

Data essential for the operation of services and the establishment of the contractual relationship; Data collected for marketing purposes

PandaDoc

USA

Digital signature platform

Data essential for the operation of services and the establishment of the contractual relationship; Data collected for compliance with AML and/or EU laws; Data collected for compliance with other applicable laws and regulations

Docusign

France, United Kingdom, Italy, Germany, Netherlands, Spain

Digital signature platform

Data essential for the operation of services and the establishment of the contractual relationship; Data collected for compliance with AML and/or EU laws; Data collected for compliance with other applicable laws and regulations

Typeform

USA, Luxembourg

Form Management

Data collected for marketing purposes

Affise

Cyprus

Affiliate marketing management platform

Data essential for the operation of services and the establishment of the contractual relationship with affiliates; Data collected for marketing purposes

Applicable ONLY if the user is part of the affiliate network

Google Inc

Ireland, Belgium, Germany, Switzerland, United Kingdom

Infrastructure provider offering hosting and storage services; Internal communications

Data essential for the operation of services and the establishment of the contractual relationship

Slack

USA

Internal communications

Data essential for the operation of services and the establishment of the contractual relationship

WEGLOT.COM

Used by YouHodler.com to store the user’s language and automatically load the website version in the preferred language

ANONYMIZED DATA

ANNEX 2 – STANDARD CONTRACTUAL CLAUSES FOR INTERNATIONAL TRANSFERS

The standard contractual clauses for the transfer of personal data to third countries in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council are incorporated herein by reference and made available at the following link:

https://commission.europa.eu/system/files/2021-06/1_en_annexe_acte_autonome_cp_part1_v5_0.pdf 

The forms are available upon request via email at: [legal@youhodler.com]
