Privacy Notice

How we collect, use, share, and protect your personal data.

1. Who We Are

Ubyx Inc. is the parent company of the Ubyx group of companies (the “Ubyx Group”). References in this notice to “Ubyx”, “we”, “us”, and “our” include Ubyx Inc. and each of its subsidiary and affiliated entities (together, the “Ubyx Group”). We provide stablecoin and tokenised money acceptance infrastructure and related services (“Ubyx services”). Ubyx Inc is the data controller of any personal data provided through the Websites and in relation to any Ubyx services it provides, and unless otherwise stated Ubyx International Inc is the data controller of all other personal data referred to in this privacy notice.

2. About This Notice

This notice explains how we collect, use, share, and protect personal data in connection with:

  • our relationships with entities with whom we have or are developing a business relationship, including platform participants, clients, commercial partners, technology and service providers, suppliers, vendors, and other counterparties, and the individuals who represent, work for, or are beneficial owners of those entities (“Business Contacts”);
  • enquiries, requests for information, and other communications with Ubyx, whether submitted by email, form, or otherwise;
  • registration for and attendance at webinars, events, and other Ubyx-hosted activities; and
  • use of our Websites at ubyx.xyz and tcmag.org.

3. Personal Data We Collect

3.1 Business Contact Data

When an organisation enters into or develops a business relationship with us, whether as a platform participant, commercial partner, supplier, vendor, or otherwise, we collect personal data about individuals who represent or act on behalf of that organisation. This includes:

  • Identity data: full name, job title, role
  • Contact data: business email address, telephone number, postal address
  • Contractual and transactional data: communications, instructions, authorisations, and records of dealings in connection with our relationship
  • Access and authentication data: credentials for platform or system access; records of platform activity attributable to individual users

We collect this data directly from the individuals concerned and from the organisations they represent.

3.2 Know Your Business and Beneficial Ownership Data

As part of our onboarding and compliance processes, we conduct due diligence on organisations seeking to participate in Ubyx services or with whom we otherwise have a business relationship. This includes collecting personal data about beneficial owners and certain key personnel, directors, and control persons. Data collected includes:

  • Identity data: full legal name, nationality, country of residence, date of birth
  • Identification documents: passport, national identity card, or equivalent government-issued ID
  • Address data: residential address
  • Additional compliance data: source of wealth or funds information, politically exposed person (“PEP”) status, sanctions screening results, adverse media results, to the extent required under applicable law or our internal policies

This data may be collected via our KYB/KYC platform provider (see Section 7.1 below), and/or directly from the organisations and individuals concerned.

3.3 Website Visitors and Other Interactions

When you visit our Websites, contact us, or interact with us in the ways described in Section 2, we may collect:

  • Technical data: IP address, browser type and version, operating system, referring URL, pages visited, time spent on pages
  • Cookie data: as described in Section 12 below
  • Communications data: if you contact us by email, via a form on our Websites, or otherwise, we collect the content of that communication and any personal data included in it
  • Registration data: if you register for a webinar, event, or other Ubyx-hosted activity, we collect name, email address, organisation, job title, and any other information provided at registration

4. The Lawful Bases on Which We Process Personal Data

Under UK GDPR and EU GDPR, we must have a lawful basis for each use we make of personal data. We rely on the following lawful bases:

4.1 Contract Performance

We process personal data where it is necessary to enter into or perform a contract with you or the organisation you represent. This covers processing carried out to negotiate, execute, and administer our agreements with Business Contacts and their organisations, and to provide access to Ubyx services. Where we take steps at your or your organisation’s request before entering into a contract (for example, responding to an enquiry or preparing an agreement), that processing is also covered by this basis.

4.2 Legal Obligation

We process personal data where we are required to do so by applicable law. This primarily covers our obligations under applicable law not to facilitate money laundering, terrorist financing, or violations of applicable sanctions regimes, and to maintain records in connection with those obligations. It also covers other legal record-keeping, reporting, and notification obligations to which we or our group companies are subject.

Where we process personal data on this basis, you may not be able to require us to delete that data during any applicable statutory retention period (see Section 10).

4.3 Legitimate Interests

We process personal data where it is necessary for our legitimate interests or the legitimate interests of a third party, provided that those interests are not overridden by your interests, rights, or freedoms. Our legitimate interests include:

  • operating and administering Ubyx services and our business;
  • maintaining records for audit, compliance, and dispute resolution;
  • managing and developing our relationships with Business Contacts;
  • ensuring the security of our systems, networks, and services;
  • preventing, detecting, and mitigating fraud, financial crime, and other unlawful activity affecting us, our platform participants, or their customers;
  • communicating with Business Contacts on operational matters relevant to our relationship;
  • sending newsletters, updates, and other marketing communications to Business Contacts about Ubyx services; and
  • analysing and improving our Websites and services.

Where we rely on legitimate interests, you have the right to object to that processing (see Section 11.1).

4.4 Consent

We rely on consent in limited circumstances, primarily for the use of non-essential cookies and analytics technologies on our Websites (see Section 12), and for marketing communications sent to individuals with whom we do or do not have an existing business relationship. Where we process on the basis of consent, you have the right to withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

5. How We Use Your Personal Data

We use personal data for the purposes set out in Sections 5.1 to 5.3, relying on the lawful bases described in Section 4.

5.1 Business Contact Data

We use Business Contact data to negotiate, enter into, and perform contracts; to manage business relationships; to communicate on operational matters; and to send marketing communications where appropriate.

5.2 Know Your Business and Beneficial Ownership Data

We use KYB and beneficial ownership data to conduct due diligence, fulfil our regulatory and compliance obligations, and onboard platform participants.

5.3 Website Visitors and Other Interactions

We use visitor and interaction data to operate and improve our Websites, respond to enquiries, administer events, and analyse usage patterns.

6. Sensitive Personal Data

We do not seek to collect special categories of personal data (as defined under the UK GDPR or EU GDPR) as part of our standard processes. To the extent that identification documents or compliance data incidentally contain such information (for example, nationality information in a passport), we collect and retain only what is strictly necessary for our compliance obligations and handle it with appropriate additional care.

7. How We Share Your Personal Data

We do not sell your personal data. We may share it with the following categories of recipients:

7.1 KYB/KYC and Identity Verification Platform Providers

We use third-party KYB/KYC and identity verification platform providers to process KYB/KYC and beneficial ownership data on our behalf as data processors, pursuant to data processing agreements with Ubyx.

7.2 Settlement Venues

We use third-party settlement venues in connection with the provision of Ubyx services. As part of the onboarding process, we may be required to share certain KYB/KYC and beneficial ownership data with those settlement venues to enable them to conduct their own compliance onboarding. Each such entity receives and processes this data as an independent data controller for its own regulatory compliance purposes. The sharing of such data is subject to a data sharing agreement between Ubyx and the relevant entity and, where required, to appropriate international transfer safeguards (see Section 9).

7.3 Service Providers and Contractors

We engage service providers and contractors who process personal data on our behalf in connection with the operation of Ubyx services and our business. These include providers in the following categories:

  • Information technology and software services
  • Data hosting services
  • CRM and business communications platforms
  • Mailing and marketing services
  • Event management services
  • Background check and due diligence providers
  • Cyber and physical security services
  • Other technology and service providers

All service providers and contractors who process personal data on our behalf are bound by data processing agreements that impose data protection obligations at least equivalent to those applicable to Ubyx.

7.4 Ubyx Group Companies

We may share personal data with other companies within the Ubyx Group to the extent necessary for the operation of Ubyx services, internal administration, compliance, or support functions. All such sharing within the Ubyx Group is subject to intra-group data protection arrangements that provide equivalent protection to that described in this notice.

7.5 Regulators, Law Enforcement, and Legal Proceedings

We may disclose personal data to regulators, law enforcement agencies, courts, or other public authorities where required or permitted by applicable law, or where necessary to establish, exercise, or defend legal claims.

7.6 Business Transfers

If any Ubyx Group company undergoes a merger, acquisition, restructuring, or sale of all or part of its business or assets, personal data may be transferred to the relevant counterparty as part of that transaction, subject to appropriate confidentiality protections.

8. Automated Decision-Making

We do not make decisions about individuals that have legal or similarly significant effects based solely on automated processing.

9. International Transfers

Ubyx Inc. and other Ubyx Group companies are established in jurisdictions that may not provide the same level of data protection as your home jurisdiction. Where we receive personal data from individuals located in the United Kingdom, the European Economic Area, or Switzerland, any transfer to a country not recognised as providing an adequate level of protection is subject to appropriate safeguards:

  • UK data subjects: transfers are made pursuant to the EU Standard Contractual Clauses (EC Decision 2021/914) as supplemented by the UK Addendum issued by the Information Commissioner’s Office under section 119A of the Data Protection Act 2018.
  • EEA data subjects: transfers are made pursuant to the EU Standard Contractual Clauses (EC Decision 2021/914).
  • Swiss data subjects: transfers are made pursuant to the EU Standard Contractual Clauses with modifications required under the Swiss Federal Act on Data Protection (nFADP).

You may request a copy of the relevant transfer safeguards by contacting us using the details in Section 14.

10. How Long We Keep Your Personal Data

Following expiry of the relevant retention period, personal data will be securely deleted or anonymised.

11. Your Rights

Depending on your location, you may have the following rights in respect of your personal data:

11.1 UK and EEA Residents (UK GDPR / EU GDPR)

  • Access: request a copy of the personal data we hold about you
  • Rectification: ask us to correct inaccurate or incomplete data
  • Erasure: ask us to delete your data in certain circumstances (note: we may be unable to delete data we are legally required to retain)
  • Restriction: ask us to restrict processing while a complaint is resolved or accuracy is verified
  • Portability: receive your data in a structured, machine-readable format, where processing is based on consent or contract
  • Objection: object to processing carried out on the basis of our legitimate interests, including marketing communications
  • Withdrawal of consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal

To exercise any of these rights, contact us using the details in Section 14. We will respond within one calendar month (extendable by a further two months for complex or numerous requests, with notice).

You also have the right to lodge a complaint with your local supervisory authority. In the UK, this is the Information Commissioner’s Office (ico.org.uk). In the EU, it is the supervisory authority in the Member State where you are habitually resident, work, or where an alleged infringement occurred.

11.2 Swiss Residents (nFADP)

Equivalent rights apply under the Swiss Federal Act on Data Protection, including rights of access, rectification, and erasure.

11.3 California Residents (CCPA/CPRA)

If you are a California resident and the California Consumer Privacy Act (CCPA) applies to our processing of your personal data:

  • Know: request disclosure of the categories and specific pieces of personal data we have collected about you
  • Delete: request deletion of personal data we have collected (subject to exceptions)
  • Correct: request correction of inaccurate personal data
  • Opt out of sale or sharing: we do not sell or share personal information as those terms are defined under the CCPA
  • Non-discrimination: we will not discriminate against you for exercising your CCPA rights

To submit a request, contact us using the details in Section 14. We will acknowledge requests within 10 business days and respond within 45 days (extendable by a further 45 days with notice).

12. Cookies

Our Websites use cookies and similar tracking technologies. A cookie is a small text file stored on your device when you visit a website. You can manage your cookie preferences via the cookie consent tool on our Websites, or by adjusting your browser settings. Note that disabling certain cookies may affect Website functionality.

13. Security

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These include encryption in transit and at rest, access controls, multi-factor authentication, network security measures, and regular security assessments. We are actively working towards SOC 2 Type II certification.

We will notify affected individuals and, where required, regulators, in the event of a personal data breach in accordance with applicable law.

14. Contact Us

For any questions about this notice or to exercise your data protection rights, please contact us at:

Ubyx Inc. / Ubyx International Inc.
Address: 221 W 9th St, PMB 1011, Wilmington, DE 19801
Email: privacy@ubyx.xyz

UK contact point (UK GDPR enquiries):
Ubyx International Ltd
Address: 167-169 Great Portland Street, 5th Floor, London, England, W1W 5PF
Email: privacy@ubyx.xyz

15. Changes to This Notice

We may update this notice from time to time. Where changes are material, we will notify affected Business Contacts directly. The current version will always be available at ubyx.xyz/privacy.

Version 1.0 — April 2026