Introduction
Stobox Technologies Inc. (“Company”, “we”, “us”, “our”) is the data controller for the purpose of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and any other applicable national or international data protection legislation.
This Privacy Notice, together with our Terms of Use, sets out the basis on which any personal data we collect from you — or that you provide to us — will be processed in connection with our services. These services include, but are not limited to: this website (“Website”), the Stobox 4 platform, the Stobox Digital Securities Dashboard (“DS Dashboard”), Stobox DID, and any other software or tools we make available.
Please read the following carefully to understand our practices regarding your personal data and how we will treat it. By visiting our Website or using our services, you accept the practices described in this Privacy Notice.
Data Controller
Stobox Technologies Inc.
Registered entity: Stobox Companies Group
Email: info@stobox.io
Website: https://stobox.io
24/7 Hotline: +44 800 707 4256
For all data protection inquiries, including requests to exercise your rights under GDPR, please contact us at: privacy@stobox.io
Legal Basis and Purpose of Processing
1.1 Legal Basis
We process your personal data only where we have a valid legal basis under applicable law. The primary legal bases we rely on are:
- Contractual necessity (Art. 6(1)(b) GDPR) — processing required to enter into or perform a contract with you, including providing our tokenization services, the Stobox 4 platform, and associated software.
- Legitimate interests (Art. 6(1)(f) GDPR) — processing necessary for our legitimate business interests, including fraud prevention, security, service improvement, and direct marketing to existing clients, where such interests are not overridden by your rights.
- Consent (Art. 6(1)(a) GDPR) — where you have given us clear, specific consent to process your data for a particular purpose (e.g., subscribing to our newsletter or accepting non-essential cookies). You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c) GDPR) — processing required to comply with applicable law, including anti-money laundering (AML), know-your-customer (KYC), financial regulatory obligations, and tax reporting requirements relevant to regulated tokenization services.
1.2 Purposes of Processing
We collect and process your personal data for the following purposes:
- Service delivery — to provide our tokenization services, operate the Stobox 4 platform and DS Dashboard, and fulfill contractual and pre-contractual obligations.
- Communication — to contact you about our services, respond to your inquiries, and send transactional messages including account notifications, security alerts, and service updates.
- Compliance and KYC/AML — to verify your identity, conduct know-your-customer due diligence, comply with anti-money laundering obligations, and meet regulatory requirements applicable to digital securities and asset tokenization.
- Fraud prevention and security — to detect, prevent, and investigate fraudulent activity, unauthorized access, and security incidents.
- Analytics and improvement — to analyze how our services are used, identify technical issues, and improve the quality and performance of our platform.
- Marketing communications — with your consent, to send newsletters, product updates, educational content on tokenization, and event invitations. You may unsubscribe at any time.
- Legal obligations — to comply with applicable laws, respond to lawful requests from regulatory bodies, and enforce our Terms of Use.
Personal Data We Collect
We may collect and process the following categories of personal data:
Identity data
Full name, date of birth, nationality, government-issued identification documents (passport, national ID card, driver’s license), and selfie or liveness-check images where required for KYC verification.
Contact data
Email address, phone number, mailing address, and country of residence.
Account data
Username, password (stored in hashed form), account preferences, and profile settings on Stobox platforms.
Financial and investment data
Wallet addresses, transaction history on Stobox platforms, investment amounts, declared income or wealth information provided for KYC/AML purposes, and bank account details where required for payment processing.
Technical data
IP address, browser type and version, operating system, device identifiers, time zone, referral URLs, pages visited, session duration, and other usage data collected via cookies and similar technologies.
Communication data
Records of correspondence when you contact us via email, contact forms, live chat, or phone, including support tickets and sales inquiry records.
Marketing preferences
Your preferences regarding receiving marketing communications from us and your opt-in or opt-out records.
We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@stobox.io.
Cookies and Tracking Technologies
We use cookies and similar tracking technologies to operate and improve our Website and services. Cookies are small data files stored on your device.
Essential cookies — necessary for the Website to function properly (e.g., session management, authentication). These cannot be disabled without affecting core functionality.
Analytics cookies — help us understand how visitors interact with our Website (e.g., Google Analytics). We use this information to improve user experience and content. We obtain your consent before placing non-essential analytics cookies.
Marketing cookies — used to serve you relevant advertising and measure campaign effectiveness. We obtain your consent before placing marketing cookies.
Personalization cookies — used to remember your preferences (e.g., language, region). We obtain your consent where required.
You can manage your cookie preferences at any time via our cookie consent banner or through your browser settings. Note that disabling certain cookies may affect functionality.
For a full list of cookies used on our Website, please contact privacy@stobox.io.
Sharing and Disclosure of Personal Data
We do not sell your personal data to third parties. We may share your data with:
Service providers and processors — trusted third-party companies that process data on our behalf to operate our services (e.g., cloud hosting, KYC/AML identity verification providers, payment processors, email delivery, analytics). All processors are bound by data processing agreements and may only process data on our instructions.
Regulatory and legal authorities — where required by law, court order, or request from a competent regulatory authority (e.g., financial regulators, tax authorities, law enforcement). This includes disclosures required under AML/KYC regulations applicable to digital securities issuance and trading.
Business partners — where you have consented, or where necessary to deliver a service involving a partner (e.g., licensed broker-dealers, legal or compliance partners involved in a tokenization engagement).
Corporate transactions — in the event of a merger, acquisition, restructuring, or sale of all or part of our business, your data may be transferred to the acquiring entity, subject to equivalent data protection obligations.
Professional advisors — lawyers, auditors, and insurers in the context of professional services engagements, under confidentiality obligations.
Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent mechanisms.
Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law.
- Account data — retained for the duration of your account and for a period of 5 years after account closure to comply with regulatory obligations.
- KYC/AML records — retained for a minimum of 5 years following the end of the business relationship, or longer where required by applicable financial regulations.
- Transactional records — retained for 7 years to satisfy tax and financial reporting obligations.
- Marketing data — retained until you withdraw your consent or unsubscribe, after which it is deleted or anonymized.
- Support and communication records — retained for up to 3 years after the conclusion of an interaction.
- Technical/log data — typically retained for 12 months.
When personal data is no longer required, we securely delete or anonymize it in accordance with our data lifecycle policies.
Your Rights Under GDPR
As a data subject, you have the following rights under GDPR (and equivalent applicable law):
Right to access — you may request a copy of the personal data we hold about you, along with information about how it is processed.
Right to rectification — you may request correction of inaccurate or incomplete personal data.
Right to erasure (“right to be forgotten”) — you may request deletion of your personal data in certain circumstances (e.g., where it is no longer necessary for the original purpose, or where you withdraw consent). Note that we may be required to retain certain data to comply with legal obligations.
Right to restriction of processing — you may request that we restrict the processing of your data in certain circumstances (e.g., while we investigate the accuracy of data you have contested).
Right to data portability — where processing is based on consent or contract, you may request that we provide your personal data in a structured, commonly used, machine-readable format, or that it be transmitted to another controller.
Right to object — you may object to processing based on our legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately.
Rights related to automated decision-making — you have the right not to be subject to a decision based solely on automated processing, including profiling, where this produces significant legal or similarly significant effects on you.
Right to withdraw consent — where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
To exercise any of these rights, please contact us at privacy@stobox.io. We will respond to all legitimate requests within 30 days.
You also have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or where an alleged breach occurred.
Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS/SSL) and at rest where applicable.
- Access controls and authentication mechanisms limiting data access to authorized personnel only.
- Regular security assessments and vulnerability testing of our platforms.
- Employee training on data protection and security practices.
- Incident response procedures for identifying, containing, and reporting data breaches.
Where we have given you (or where you have chosen) a password for access to certain parts of our services, you are responsible for keeping this password confidential.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and relevant supervisory authorities in accordance with GDPR obligations (within 72 hours where required).
Blockchain and Tokenization — Special Considerations
Our services involve blockchain-based asset tokenization. This creates specific data privacy considerations:
On-chain data — certain transaction data (e.g., wallet addresses, token transfer records) recorded on a public or permissioned blockchain is immutable by design. This data cannot be deleted or amended once confirmed. We minimize the personal data recorded on-chain and do not record directly identifiable information on public blockchains.
Wallet addresses — blockchain wallet addresses are pseudonymous but may be associated with your identity through our KYC records. We protect this association through appropriate access controls and data minimization practices.
Smart contract interactions — interactions with smart contracts on the Stobox platform are recorded on-chain. We recommend you familiarize yourself with the nature of blockchain data permanence before using tokenization services.
Stobox DID — our decentralized identity product is designed with privacy by design principles. Any personal data associated with a Stobox DID is processed in accordance with this Privacy Notice and the specific terms of the DID service.
Where blockchain functionality is incompatible with certain data subject rights (particularly erasure), we will inform you at the point of data collection and offer alternative approaches where technically feasible.
Third-Party Links and Services
Our Website and communications may contain links to third-party websites, applications, or services. This Privacy Notice does not apply to those third parties. We encourage you to read the privacy notices of any third-party services you access through links on our Website.
We are not responsible for the privacy practices or content of third-party sites and services.
Changes to This Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in our practices, services, or applicable law. Where changes are material, we will notify you via email (if we hold your contact information) or by placing a prominent notice on our Website prior to the changes taking effect.
The “Last revised” date at the top of this notice reflects when it was most recently updated. We encourage you to review this Privacy Notice periodically.
Contact and Complaints
If you have any questions, concerns, or requests regarding this Privacy Notice or the processing of your personal data, please contact us:
Email: privacy@stobox.io
General inquiries: info@stobox.io
Phone: +44 800 707 4256
Website: stobox.io/contact
If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection supervisory authority in your jurisdiction.
For EU/EEA residents, the lead supervisory authority may be determined by Stobox’s establishment within the EEA. We will provide details of the relevant authority upon request.
This Privacy Notice was last revised in April 2026 and supersedes all previous versions. Stobox Companies Group · Confidential.