Privacy Policy

Effective Date: 7 July 2025

Pursuant to Article 13 of Regulation (EU) 2016/679 (the "GDPR"), this Privacy Notice describes how we collect and process your personal data when you register and access to Kleos application and request the services provided by us (the "Service") or benefit from this Service.

To the extent that you are a customer of our services, this Privacy Notice applies together with any terms of business and other contractual documents, including but not limited to any agreements we may have with you.

Regarding the terms used in this Privacy Notice, such as "processing" or "controller" or "personal data", we refer to the definitions of the GDPR.

1. Who is the data controller of my personal data?

The data controller of your personal data is Kleos Ireland Sr Limited, with registered office at The Black Church, St. Mary's Place, Dublin 7, Ireland D07 P4AX, operating under the brand name Kleos ("Kleos" or "we/our/us").

2. How have my personal been obtained?

We collect your personal data directly from you at the time you access to the Service and when we provide the Service to you or automatically or through our third parties.

3. What personal data does Kleos collect and process?

We may collect and process the following personal data:

Identity Data: first name, last name, title, date of birth and gender, ID documents such as national ID card, passports, driving licences or other forms of ID documents.

Identity Related Data: risk assessment, compliance assessment.

Contact Data: residence details, billing and delivery address (for cards), email address and telephone number, proof of address documentation.

Financial Data: payment card details, amounts associated with accounts, external account details, source of funds and related documentation.

Transactional Data: details about incoming and outgoing operations.

Technical Data: internet connectivity data, IP address, operator and carrier data, login data, browser type and version, device type, category and model, time zone setting and location data, language data, operating system, diagnostics data such as crash logs and any other data we collect for the purposes of measuring technical diagnostics.

Profile Data: your username and password, your identification number as our user, requests by you for products or services, your interests, preferences and feedback, other information generated by you when you communicate with our customer support.

Special categories of data: biometric data.

Data that we collect or receive from third parties: information about you from the third-party providing services to you, and/or from the group of companies related to us by common control or ownership as a normal part of conducting business.

4. For what purposes will my personal data be processed?

We will process your personal data for the following processing purposes:

A. to perform our obligations under the Terms of Service entered into between you and us or to take steps at your request prior to entering into the Terms of Service in accordance with art. 6, para. 1, let. b) of the GDPR;

B. to comply with legal obligations, including anti-money laundering, financial, tax and consumers' protection laws in accordance with Art. 6, para. 1, let. c) of the GDPR;

C. to pursue our legitimate interest in (i) preventing frauds and assessing your trustworthiness and reliability as a potential customer and to (ii) extract statistical information on service usage and (ii) check functioning of the services in accordance with Art. 6, para. 1, let. f) of the GDPR;

D. for authentication purposes with your optional consent, in accordance with art. 6, para. 1, let. a) and art. 9, para. 2, let. A of the GPDR.

E. for marketing purposes (direct sales, sending of advertising material, carrying out market research, commercial communication, surveying the degree of customer satisfaction) and for sending you marketing communications by email relating to products/services offered by us, with your optional consent, in accordance with art. 6, para. 1, let. a) of the GDPR.

5. Is the provision of data mandatory or optional?

The collection and the processing of your personal data under A), B) and C) of the Section 4 above is optional but failing to provide the data would prevent the possibility for you to enter into the Terms of Service and be provided with the Service.

If you do not consent to the processing of your personal data under D) and E) of the Section 4 above, you will not suffer any prejudicial consequences whatsoever. In any case, you can freely withdraw your consent to the processing of your personal data at any time, even selectively, requesting it in the manner indicated in Section 12 below. In relation to promotional communications sent via e-mail, you can revoke your consent to the processing of your e-mail address for marketing purposes by clicking on the cancellation link (opt-out) in each promotional e-mail.

6. How will my personal data be processed and for how long will they be stored?

Your personal data will be processed using automated and non-automated means. Specific security measures are put in place to prevent data loss, illicit or incorrect use and unauthorized access. Your personal data will be retained for 10 years from the date on which the contract between us has terminated or from the date of the last event interrupting the statutory prescription period.

Your personal data that we process upon your consent will be retained until you will revoke your consent to the processing of your personal data for marketing and/or profiling purposes. However, the information needed to prove your consent will be retained for 10 years from the date on which you have revoked your consent or from the date of the last event interrupting the statutory limitation period.

7. Who might have knowledge of my personal data?

Our employees and collaborators in charge of the management of the Service might have knowledge of your personal data. Moreover, the following categories of entities, acting as data processors, might have knowledge of your personal data: IT service providers; crypto to fiat exchange providers; banks; AML services providers; providers of management and administrative services; consultants.

8. Will my personal data be disclosed to third parties?

Your personal data may be disclosed to third parties belonging to the following categories: banks and payment institutions, to the extent necessary to make or receive payments in connection with the Services; taxation public authorities, to the extent required by the law; judicial authorities and/or police forces, when required by the law; lawyers and law firms, where necessary to pursue our legitimate interest in exercising or defending a right in court and out of court; third parties which the contract has been assigned to or third-party companies that have acquired our companies or a branch of our companies.

Third Party Data Controllers

Through the Kleos application, you may request services which are provided by third-party service providers acting as independent data controllers for their own purposes. The third-party service providers rely on legal basis for data processing as disclosed in their respective privacy notices, provided to you directly by them or accessible from their websites.

9. Will my personal data be transferred outside the European Economic Area?

No. Your personal data is processed and stored within the European Union. Kleos ensures that all data processing activities take place in compliance with EU data protection laws and regulations.

10. Which are my rights?

You have the right to exercise at any time, free of charge and without formalities the following rights as per Articles from 15 to 22 of the GPDR: the right to request access to personal data (or the right to obtain from us the confirmation that data concerning you are being processed and, if so, to obtain the access to personal data, obtaining a copy of them and of the information referred to in Article 15 of the GDPR) and rectification (i.e. the right to obtain the correction of inaccurate data concerning you or the integration of incomplete data) or the erasure of the same (meaning the right to obtain the deletion of data concerning you, should any of the events indicated in Article 17 of the GDPR occur) or the restriction of the processing related to you (meaning the right to obtain, in the cases indicated in art. 18 of the GDPR, the marking of stored personal data with the aim of limiting their processing in the future), in addition to the right to data portability (i.e. the right, in the cases indicated in Article 20 of the GDPR, to receive from us, in a structured, commonly used and machine readable format the data concerning you, and to transmit it to another data controller without impediments). You also have the right to object to the processing (see Section 9 below). Should you deem that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint of the competent supervisory authority of the EU Member State where you live or work or where the alleged breach has occurred (Article 77 of the GDPR) or to take a legal action before a court (Article 79 of the GDPR).

11. Do I also have the right to object to the processing?

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on letter e) (performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) or f) (legitimate interest) of art. 6, para 1 of the GDPR, including profiling based on those provisions. Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you such marketing, which includes profiling to the extent that it is related to such direct marketing.

12. How can I exercise my rights?

To exercise your rights, please contact us by mail (to "Kleos Ireland Sr Limited, ith registered office at The Black Church, St. Mary's Place, Dublin 7, Ireland D07 P4AX – To the kind attention of Data Protection Officer") or by email to the address dpo@kleos-capital.com.

13. Have you appointed a Data Protection Officer (DPO) and how can I contact the DPO?

We have appointed a DPO, who can be contacted by email to the address dpo@kleos-capital.com.

Effective Date: 7 July 2025