SpacePay

Schedule 1

Privacy Policy

This Privacy Policy explains how SPY Genesis Corp. (trading as “SpacePay”), a company incorporated under the laws of the Republic of Panama, with registered office at Via Ricardo J. Alfaro, Edificio PH The Century Tower, Office 317, Corregimiento de Betania, District of Panama, Province of Panama, Republic of Panama (the “Company”, “we”, “us” or “our”), collects, uses, stores, shares and protects personal data in connection with our website located at spacepay.com (the “Website”), our application programming interfaces (the “API”), and all related services, tools, and features (collectively, the “Services”).

This Policy is issued in alignment with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the ePrivacy Directive 2002/58/EC (as amended), and all applicable national implementing legislation within the European Economic Area. Where the Company processes personal data on behalf of its business clients (“Operators”), such processing is governed by the Data Processing Agreement set out in Schedule 7.

1. Data Controller

1.1 The data controller for the personal data processed through the Website and Services is SPY Genesis Corp., a company incorporated under the laws of the Republic of Panama (Escritura Pública No. 1031), with registered office at Via Ricardo J. Alfaro, Edificio PH The Century Tower, Office 317, Corregimiento de Betania, District of Panama, Province of Panama, Republic of Panama, registered agent Pacífica Legal (CUR No. PJ-0025049167-01432).

1.2 Our Data Protection Officer (“DPO”) can be contacted at: Support@SpacePay.co.uk, or by post to the registered office address marked for the attention of the Data Protection Officer.

1.3 Where the Company acts as a data processor on behalf of an Operator, the relevant Operator is the data controller. Processing in that capacity is governed exclusively by the Data Processing Agreement between the Company and the Operator.

2. Categories of Personal Data

2.1 We may collect and process the following categories of personal data:

(a) Identity Data: full legal name, date of birth, nationality, government-issued identification document numbers, photographs or scans of identification documents.

(b) Contact Data: postal address, email address, telephone number, messaging platform identifiers (including Telegram and similar platforms).

(c) Corporate Data: company name, registration number, jurisdiction of incorporation, registered office, beneficial ownership information, authorised representative details, and gambling licence information.

(d) Financial and Transactional Data: bank account details, IBAN, SWIFT/BIC codes, blockchain wallet addresses (including public keys), transaction hashes, transaction amounts, timestamps, settlement references, and fiat currency conversion data.

(e) Technical Data: Internet Protocol (IP) addresses, browser type and version, device identifiers, operating system, time zone settings, referral URLs, and API authentication tokens.

(f) Usage Data: pages visited, features used, API call logs, session duration, clickstream data, and error logs.

(g) Compliance Data: anti-money laundering screening results (including outputs from Chainalysis), sanctions screening results, politically exposed person assessments, source of funds documentation, and enhanced due diligence records.

(h) Communications Data: records of correspondence, support tickets, chat logs, and any other communications between you and the Company.

3. Lawful Bases for Processing

3.1 We process personal data on the following legal bases under Article 6 of the GDPR:

(a) Performance of a contract (Article 6(1)(b)): processing necessary to perform our obligations under the API Terms of Service, Master Service Agreement, or any other agreement between you and the Company.

(b) Compliance with a legal obligation (Article 6(1)(c)): processing necessary to comply with our obligations under anti-money laundering legislation (including AMLD6 and the Transfer of Funds Regulation), MiCA, DORA, tax legislation, and any requirements imposed by the applicable supervisory authority.

(c) Legitimate interests (Article 6(1)(f)): processing necessary for our legitimate interests in fraud prevention, network and information security, business development, and service improvement, except where such interests are overridden by your fundamental rights and freedoms.

(d) Consent (Article 6(1)(a)): where you have provided explicit consent for specific processing activities, including the use of non-essential cookies and direct marketing communications. You may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

4. Purposes of Processing

4.1 Identity Data, Contact Data, and Corporate Data are processed for the purposes of client onboarding, know-your-customer verification, ongoing due diligence, and regulatory reporting.

4.2 Financial and Transactional Data are processed for the purposes of executing and settling payment transactions, reconciling accounts, generating invoices, and meeting record-keeping requirements under MiCA and the Transfer of Funds Regulation.

4.3 Technical Data and Usage Data are processed for the purposes of maintaining system security, detecting and preventing fraud, diagnosing technical issues, improving service performance, and conducting anonymised analytics.

4.4 Compliance Data are processed exclusively for the purpose of meeting our obligations under applicable anti-money laundering, counter-terrorist financing, and sanctions legislation.

4.5 Communications Data are processed for the purpose of responding to enquiries, resolving disputes, and maintaining records as required by law.

5. Recipients and Transfers

5.1 We may disclose personal data to the following categories of recipients:

(a) Group companies within the corporate structure of SPY Genesis Corp., subject to internal data sharing agreements.

(b) Sub-processors engaged by the Company to provide infrastructure, analytics, compliance screening, and other services. A current list of sub-processors is available at spacepay.com/legal/sub-processors and is updated no less than thirty (30) days prior to the engagement of any new sub-processor.

(c) Banking partners and payment settlement institutions, to the extent necessary to effect fiat currency settlements.

(d) Blockchain networks, noting that transaction data submitted to public blockchains becomes publicly and irrevocably visible.

(e) Regulatory authorities, law enforcement agencies, and courts of competent jurisdiction, where disclosure is required by law or necessary for the prevention or detection of crime.

(f) Professional advisers, including legal counsel, auditors, and insurers, in connection with the provision of professional services to the Company.

(g) Chainalysis, Inc., for the purposes of blockchain analytics, transaction monitoring, and compliance screening.

5.2 Where personal data is transferred to a country outside the European Economic Area that has not been the subject of an adequacy decision by the European Commission, the Company shall ensure that appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission pursuant to Article 46(2)(c) of the GDPR, supplemented by a transfer impact assessment where required.

6. Data Retention

6.1 Personal data shall be retained only for as long as necessary to fulfil the purposes for which it was collected, subject to the following minimum retention periods:

(a) Anti-money laundering records: a minimum of five (5) years from the date of the last transaction or the termination of the business relationship, whichever is later, or such longer period as required by the applicable National Competent Authority.

(b) Transaction records: a minimum of five (5) years from the date of the transaction, in accordance with MiCA record-keeping obligations and the Transfer of Funds Regulation.

(c) Tax records: as required by applicable tax legislation in the relevant jurisdiction.

(d) Technical and usage data: twelve (12) months from collection, unless required for an ongoing investigation or legal proceeding.

(e) Marketing consent records: for the duration of the consent, plus twelve (12) months following withdrawal.

6.2 Upon expiry of the applicable retention period, personal data shall be securely deleted or irreversibly anonymised within ninety (90) days.

7. Data Subject Rights

7.1 Under the GDPR, you have the following rights in relation to your personal data:

(a) Right of access (Article 15): the right to obtain confirmation as to whether personal data concerning you is being processed and, where that is the case, access to such data and specified supplementary information.

(b) Right to rectification (Article 16): the right to obtain the rectification of inaccurate personal data and the completion of incomplete personal data.

(c) Right to erasure (Article 17): the right to obtain the erasure of personal data where the grounds set out in Article 17 apply, subject to the exceptions therein, including where processing is necessary for compliance with a legal obligation.

(d) Right to restriction of processing (Article 18): the right to obtain the restriction of processing in the circumstances set out in Article 18.

(e) Right to data portability (Article 20): the right to receive personal data in a structured, commonly used, and machine-readable format, and the right to transmit that data to another controller.

(f) Right to object (Article 21): the right to object to processing based on legitimate interests or direct marketing at any time.

(g) Rights relating to automated decision-making (Article 22): the right not to be subject to a decision based solely on automated processing which produces legal effects or similarly significantly affects you.

7.2 To exercise any of the above rights, please contact the DPO using the details set out in clause 1.2. We shall respond to all valid requests within one (1) calendar month of receipt, subject to extension by two (2) further months where the request is complex or we have received a large number of requests, in which case we shall inform you of the extension within the initial one-month period.

7.3 You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.

8. Security

8.1 The Company implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including: encryption of personal data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent); access control mechanisms based on the principle of least privilege; multi-factor authentication for all internal systems; regular penetration testing by independent third parties; continuous monitoring and intrusion detection; and documented incident response procedures.

8.2 In the event of a personal data breach, the Company shall notify the relevant supervisory authority without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, in accordance with Article 33 of the GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we shall also notify you directly in accordance with Article 34.

9. Amendments

9.1 We reserve the right to update this Privacy Policy from time to time. Material changes will be notified via email to the address associated with your account or by prominent notice on the Website at least thirty (30) days prior to the change taking effect. Continued use of the Services following the effective date of any amendment constitutes acceptance of the revised Policy.

Last updated: 16 February 2026