Skyline Digital Privacy Notice

Skyline Digital ("Skyline" or "we") is committed to protecting the privacy of our customers ("Customers" or "you"), and we take our data protection responsibilities with the utmost seriousness.

This Privacy Notice describes how Skyline collects and processes your personal data through the Skyline websites and applications that are referenced in this Privacy Notice. This Privacy Notice applies to all Personal data processing activities carried out by us, across platforms, websites, and departments of Skyline. To the extent that you are a customer or user of our services, this Privacy Notice applies together with any terms of business and other contractual documents, including but not limited to any agreements we may have with you. Only persons of legal age are permitted to use the services of Skyline and register for an account. Therefore, we are not knowingly collecting personal data from minors. So, if you are under the age of 18 years, please do not use Skyline's platform and do not provide us with any personal data.

‍

A. About This Privacy Notice

Privacy and the security of transactions are core elements of cryptocurrencies, blockchain technology and its whole global movement. Skyline really appreciates the trust Customers have in us when trading cryptocurrencies and other digital assets on our platform. For this reason, privacy and data security have an enormously high priority for Skyline. It is very important to us that you feel safe during your visit to our website and while using our services as well as over the course of all other business transactions with us. As soon as you make use of products and/or services of Skyline, you entrust us with the processing of your personal data. Skyline wants to give you the best possible experience with our platform to ensure that you enjoy the usage of our products and services now and in the future.

Therefore, in this Privacy Notice, we want to transparently inform you which personal data we collect from you, how we process it and to whom we might forward it in detail. Furthermore, we would like to inform you which precautions we take to protect your personal data, which rights you have in this context and to whom you can turn for data protection concerns.

‍

1. Controller

Who is responsible for the processing of your personal data and whom can you contact in case of necessity?

Skyline is aware that both the protection and the careful handling of your personal data are very important. Skyline will solely use the personal data provided by you in compliance with the applicable data protection requirements, this Privacy Notice and your consent.

The Skyline operating entity you contract with determines the means and purposes of processing of your personal data in relation to the services provided to you:

• The controller is Skyline Digital AG, a Swiss company with registration number CHE-382.867.550.

The Skyline companies may share your personal data with each other and if they do so they will use it consistently with this Privacy Notice. If you have any questions in connection with the processing of your personal data and the exercising of your rights under European General Data Protection Regulation ("GDPR") or the Swiss Federal Act on Data Protection ("FADP"), you can contact our privacy team: legal@skylinedigital.xyz. Please note that for certain requests, we require further identification data from you (e.g. Passport, ID card, etc), in order to ensure that your personal data is only shared with you.

‍

2. Data Categories and Sources

From which sources does the data originate?

We process first and foremost personal data which we have received from you.

Insofar as we receive personal data from third parties, this concerns the following persons / organizations in particular:

• Financial institutes and intermediaries.
• Business partners, in association with the provision of contractual services.
• Business introducer, based on your interaction with such introducers.

In some cases, we collect personal data from public registers (such as Zefix), public administration or other third-party sources, such as fraud prevention agencies, services and providers specialized in collecting and providing data related to money laundering and terrorist financing, the media and the Internet.

What personal data and special categories of personal data do we process?

Subject to the products or services we provide to you, we collect and process personal data received from you within the scope of the business relationship. The following personal data might be processed:

• Contact data: personal details such as your name, address, date of birth, phone number, e-mail-address.
• Verification data: when an account is verified, also depending on the level of verification, therefore we might process Know Your Client ("KYC") documents, for example, screenshots of national identity documents, like passport, driving license, ID card, and identification data from these documents, utility bill details for residence verification, data about status of political exposed persons, video data from the video authentication process, biometric data for verification, among others.
• Financial information: over the course of the products or services provided, we might process payment and transaction records, information relating to your source of wealth and funds such as about your assets, financial statements, liabilities, bank information, transaction-ID, among others, specially including information related to your fiat and digital asset transactions.
• Company information: we might process for example: commercial register reports, data of or concerning beneficial owners, records or additional information on recent, past or planned business activities, other data necessary to determine/validate the structure, the beneficial ownership or any power of attorney of the company, client or account number, tax-related documents and information, among others.
• Information of funds: if proof of funds is necessary, we might process for example: banking statements or any other details provided by banks or financial institutions, contracts of sales or contracts in general, or any other suitable data to prove or determine the origin of funds, among others.
• Communications: we might process records of phone calls, emails and the content of instant messages between you and us and consultation protocols if required, including support requests and other data that may be directly provided by you through any communication meant to us.
• Where permitted by law, special categories of personal data, such as your political opinions, religious beliefs, health data, or information relating to criminal convictions or offenses.

Where relevant for the products or services we provide to you, we may also collect and further process personal data about third parties, such as beneficial owners, representatives, dependents or family members. Please send a copy of this Privacy Notice to these third parties, before providing us with this information.

‍

3. Purpose and Legal Basis for Using Personal Data

For which purposes and based on which legal basis do we process your personal data?

All processing is performed in accordance with the GDPR and the FADP on the basis of your consent. Processing will only take place in accordance with the defined purposes and to the extent agreed in the declaration of consent. Given consent may be withdrawn at any time without giving reasons and with future effect, if you no longer agree to the processing. Please note that the withdrawal of the consent does not affect the lawfulness of processing based on consent before its withdrawal.

All processing is performed on at least one of the following legal basis:

• For the performance of contractual obligations. Processing of personal data might be necessary for the performance of the contract with you or in order to take steps at your request prior to entering into a contract.
• For compliance with legal and regulatory obligations. Processing of personal data might be necessary to comply with various legal obligations, including KYC and monitoring for prevention of fraud, among others.
• For the purposes of the legitimate interests pursued by us or by a third party. Processing of personal data might be necessary to maintain the legitimate interests of Skyline or a third party, and this might take place beyond the performance of the contract.

In light of the above-listed legal basis, processing of personal data might be purported for:

• Customer onboarding process, e.g., by analysis of your KYC documents and performance of client assessments.
• Providing products and services to you, e.g., by analysis of your eligibility of specific products and services; or by executing payments to and from your accounts.
• Managing our relationship with you, e.g., by documenting our interactions and collecting additional information from you related to specific transactions or the relationship in general; or by communicating with you on service-related questions and complaints.
• Adhering to our legal, regulatory and compliance obligations, e.g., AML, counter terrorist financing and anti-fraud provisions, tax law control and reporting obligations, client segmentation, client interaction and other documentation requirements.
• Assessment and optimization of the products and services you receive, e.g., by learning more about you as a customer and the products and services you use, including profiling, and contacting you for other products and services we think might be of interest to you.

‍

4. Recipients of Personal Data

Who receives your personal data?

The protection and confidentiality of your personal data is important to Skyline. Therefore, we transfer your personal data only to the extent described below or within the scope of an instruction at the time the data is collected from you. In addition, personal data that we collect concerning you will neither be sold by us nor otherwise disclosed to third parties.

4.1 Skyline Group. Within the Skyline Group, the offices or employees will receive your personal data who need it to fulfill the contractual and legal obligations and legitimate interests. We transfer personal data for the purpose of our daily business operations like account management and other operations requested by you as well as to conduct internal administrative activities efficiently in a shared way and to maintain as well as improve our products and services.

4.2 Third parties. Skyline might transfer your personal data to any third parties acting on your behalf or involved in a transaction, such as payment recipients, correspondent banks, clearing houses, stock exchanges, fund managers, brokers, Virtual Asset Service Providers (VASP). Also, Skyline might transfer your personal data to any other person with your consent to the disclosure or the purpose of performing a contract or in order to take steps at the request of the data subject prior to entering into a contract.

4.3 Processors. To a limited extent, where deemed appropriate by us, we also transmit personal information to processors who perform services for us including Group companies, such as IT providers, marketing providers, debt recovery, fraud prevention, credit reference agencies and advisors/contractors bound by legal and contractual confidentiality obligations. We also use cloud services for the purpose of office automation and customer relationship management automation. The data centers of the cloud service providers for the services rendered to us will be located in Switzerland and/or the EU. Further details can be found in Annex A.

4.4 Public bodies and institutions and auditors. We might also transfer your personal data to public bodies and institutions and external regulatory/statutory auditors, including regulatory/supervisory authorities, such as the Swiss Financial Market Supervisory Authority FINMA or Criminal Prosecution Authorities (i) if we are required to do so by law or in the context of legal proceedings, (ii) if we believe that disclosure is necessary to prevent damages or financial loss, or (iii) in connection with an investigation into suspected or actual fraudulent or illegal activities.

‍

5. International Data Transfer

Is your data transferred to third countries or international organizations?

As a matter of principle, your data will be stored in Switzerland. We will only transfer or grant access to your personal data to recipients outside of Switzerland, if it is necessary for the execution of your orders (e.g., for fiat or digital asset transactions), prescribed by law or regulations (e.g., the exchange of sender/recipient transaction data or for regulatory purposes), or if you have provided us with your consent.

In such cases, subject to legal or contractual authorizations, we process or have personal data processed in a third country only where the conditions of the GDPR and FADP are met. For example, the processing and the transfer shall be carried out based on special safeguards, such as the adherence to a code of conduct or certification mechanism together with binding and enforceable commitments from the recipient in the third country to apply the appropriate safeguards to protect the data or compliance with officially recognised special contractual obligations published by the European Commission.

‍

6. Retention and Deletion Periods

For how long is my personal data stored and when will it be deleted?

We process and store (retain) your personal data as long as it is necessary for the fulfillment of our contractual, legal and regulatory obligations.

Unless expressly stated in this Privacy Notice, personal data processed by us shall be erased as soon as they are no longer required for their intended purpose and the erasure does not conflict with any statutory retention obligations, including the ones resulting from Commercial and Tax Laws, the Swiss Federal Act on Banks and Savings Banks, Swiss Federal Act on Combating Money Laundering and Terrorist Financing and related ordinances as well as other applicable laws and regulations. The prescribed periods for such further retention range in general between two and ten years. Furthermore we may retain your personal data if this is necessary for the preservation of evidence in the event of an anticipated or occurring litigation.

‍

7. Data Subject Rights

What data protection rights do you have?

You are entitled to the following rights associated with the processing of your personal data:

• Right of access: you have the right to request confirmation from us as to whether we are processing personal data concerning you. Where personal data concerning you is being processed, you have the right to receive information from us within a reasonable time regarding the personal data stored about you and to receive a copy of the personal data concerning you which is undergoing processing.
• Right to rectification: you shall have the right to request the rectification of inaccurate personal data concerning you. Considering the purposes of the processing, you shall also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
• Right to erasure: you shall have the right to request from Skyline the erasure of personal data concerning you, where one of the following grounds applies and if no further processing is required: the personal data is no longer necessary in relation to the purposes for which they were collected; you withdraw your consent on which the processing was based and where there is no other legal basis or overriding legitimate interest for the processing; the personal data have been unlawfully processed; or erasure of the personal data is required for compliance with a legal obligation. Requests for the erasure of personal data must include the respective ground.
• Right to restrict processing: you shall have the right to request from us the restriction of processing where one of the following conditions applies: you contest the accuracy of the personal data; the processing of your personal data was unlawful and you oppose the erasure; Skyline no longer requires your personal data for the purposes of the processing, but you require them for the assertion, exercise or defence of legal claims; or you have objected to processing of your personal data and it has not yet been determined whether the legitimate grounds of Skyline override your own.
• Right to data portability: you shall have the right to receive the personal data concerning you which you have provided to us in a structured, commonly used and machine-readable format. You shall also have the right to request that we transfer these data directly to another controller, designated by you, where this is technically feasible and does not adversely affect the rights and freedoms of others.
• Right to object, and in particular, the right to object at any time to the processing of your Personal Data for marketing purposes, which includes profiling to the extent that it is related to direct marketing. If you have objected to processing, we shall no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless the processing is for the assertion, exercise or defense of legal claims.
• Rights in relation to automated decision making and profiling.
• Right to lodge a complaint with the supervisory authority.
• Right to withdraw a consent at any time with effect for the future. Any processing carried out prior to the withdrawal of your consent will not be affected.

‍

8. Obligation to Provide Personal Data Within the Business Relationship

Am I subject to an obligation to provide personal data?

Within the scope of our business relationship, you must provide that personal data which is required for the initiation, execution and termination of a business relationship, or that we are legally or regulatory obligated to collect. In particular, provisions of money laundering laws and regulations require that we verify your identity before entering into a business relationship, for example, by means of your identity card or passport, and record your name, place and date of birth, nationality and your residential address. In order to comply with these regulatory and statutory obligations, you must provide us with this personal data and corresponding documents and notify us without undue delay of any changes that may arise in the course of the business relationship. As a rule, without this data we must reject the conclusion or performance of an order/a transaction, or are no longer able to carry out an existing order/transaction and therefore may be forced to terminate the business relationship.

‍

9. Automated Decision-Making

As a rule, we do not perform decision-making based solely on automated processing pursuant to the GDPR and the FADP to establish or terminate a business relationship. Should we use such a process in individual cases, we will inform you separately, where this is legally prescribed. In such a case and under certain circumstances, you will have a right to object to such procedures.

‍

10. Profiling

To what extent do we perform profiling?

Under certain circumstances we may process your personal data automatically with the aim of evaluating certain of your personal aspects (profiling), for example:

• To comply with legal and regulatory provisions, such as anti-money laundering, anti-fraud and anti-terrorism financing measures and ongoing risk management.
• To provide you with targeted information and individual offering of products and services.
• To protect our platform and comply with our Terms of Service as part of our contractual commitment to you.

‍

11. Data Security

How do we protect your personal data?

The security of data is very important to Skyline and we are committed to protecting data we collect. We maintain comprehensive administrative, technical and physical measures designed to protect your personal data against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use. These measures meet the highest international safety standards and are regularly reviewed regarding their effectiveness and suitability for achieving the intended safety objectives.

‍

12. Updates of This Privacy Notice

We, Skyline, are committed to upholding the principles of data protection up to date. For this reason, we regularly review and update our Privacy Notice. This is to ensure that it is correctly and clearly displayed on our website, contains appropriate information about your rights and our processing activities (also with regard to technical changes or business development) and is implemented in accordance with applicable law, thus complying with data protection requirements. We update this Privacy Notice from time to time when required, in order to take current circumstances into account. If we make significant changes to this Privacy Notice, we will notify you after the login into your account and provide you with the updated version of the Privacy Notice. If it is required by applicable law, Skyline will obtain your express consent to significant changes.

‍

Annex A — List of Third-Party Processors

To support Skyline in delivering its services, Skyline engages service providers and sub-processors to assist Skyline with its data processing activities on behalf of Skyline. A non-exhaustive list with key third-party processors can be found below:

MongoDB, Inc. — Location: Switzerland — Purpose: Database and hosting services — Privacy Notice: https://www.mongodb.com/legal/privacy-policy

Bubble Group, Inc. — Location: United States — Purpose: Software development platform — Privacy Notice: https://bubble.io/privacy — GDPR information: https://bubble.io/dpa

Sumsub LTD — Location: Cyprus — Purpose: Software contributing to identity verification and KYC/B services — Privacy Notice: https://sumsub.com/privacy-notice/

ComplyAdvantage (IVXS UK Limited) — Location: United Kingdom — Purpose: Software contributing to AML screening — Privacy Notice: https://complyadvantage.com/privacy-notice/

Elliptic Enterprises Limited — Location: United Kingdom — Purpose: Software contributing to AML screening — Privacy Notice: https://www.elliptic.co/privacypolicy