1.1. In this Privacy Notice, the following terms have the following meanings:

• "Affiliate" means, in relation to any person at a given time, any other person that, directly or indirectly, or both, controls, is controlled by or is under common control with such person. For the purposes of this Privacy Notice, "control" (including, with correlative meanings, the terms "controlled by" and "under common control with"), as used with respect to any person, means the possession, directly or indirectly, or both, of the power to direct or cause the direction of the management and policies of such person, whether through the ownership of voting shares, by contract, or otherwise;
• "Data Protection Legislation" means, as applicable, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "GDPR"), as well as any other applicable EU legislation and, as applicable, the Swiss Federal Act on Data Protection, as well as any other applicable Swiss legislation;
• "Personal Data" has the meaning prescribed to it in Article 4(1) of the GDPR;
• "Processing" has the meaning prescribed to it in Article 4(2) of the GDPR (and "Process" shall be construed accordingly);
• "Products" means all products or services, or both, which from time to time may be provided by or on behalf of CryptoStake or any of its Affiliate;
• "CryptoStake" means CryptoStake AG, a legal entity incorporated under the laws of the Canton Zug, Switzerland, having its registered address at Alte Steinhauserstrasse 1, 6330 Cham, and having its registered number CHE-248.485.855. In this Privacy Notice, CryptoStake may be also referred to as "we" or "us" or "our";
• "Special Categories of Personal Data" has the meaning prescribed to it in Article 9(1) of the GDPR;
• "Subject" means a natural person, the Personal Data of which is Processed in compliance with this Privacy Notice. In this Privacy Notice, we may, also, refer to the Subject as "you" or "your";
• "Terms" means the General Terms and Conditions of CryptoStake set forth on the Website; and
• "Website" means the website of CryptoStake located at "https://cryptostake.com" or any replacement website notified by CryptoStake.

1.2. In this Privacy Notice:

• a reference to this Privacy Notice or any other document is to this Privacy Notice or such other document as amended, varied or novated from time to time;
• section, part and paragraph headings shall not affect the interpretation of this Privacy Notice;
• a reference to a person includes any individual, company, firm, partnership, joint venture, unincorporated association, organisation, foundation, trust, government, state or agency of a state, in each case whether or not having separate legal personality;
• unless the context otherwise requires, words in singular include the plural and the plural includes the singular;
• the words "including" and "include" mean "including without limitation" and "include without limitation", respectively;
• wherever used herein, a pronoun in the masculine gender shall be considered as including the feminine gender and vice versa, unless the context clearly indicates otherwise; and
• specific words indicating a type, class or category of thing do not restrict the meaning of general words following such specific words, such as general words introduced by the word other or a similar expression. Similarly, general words followed by specific words shall not be restricted in meaning to the type, class or category of thing indicated by such specific words.

2.1. We may from time to time be provided with, or have access to, information of the Subject which may qualify as Personal Data within the meaning of the Data Protection Legislation: (i) during the process of provision of the Products, and (ii) through your use of the Website.

2.2.Such Personal Data may include the following categories of data of the Subject:

• first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender (the "Identity Data");
• address, email address and telephone numbers (the "Contact Data");
• payment card details, virtual assets wallet address, details about payments to and from you (the "Financial Data");
• internet protocol address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use (the "Technical Data");
• information about how you use the Website (the "Usage Data"); and
• your preferences in receiving marketing from us and our third parties and your communication preferences (the "Marketing and Communications Data").

2.3.We do not Process any Special Categories of Subject's Personal Data and information about criminal convictions and offences of the Subject.

2.4.It is important to us that the Subject's Personal Data is accurate and current. If you think or know that we hold your Personal Data, we would be grateful to be kept informed if your Personal Data changes.

Our methods of collection of Subject's Personal Data include the following:

• direct interaction with the Subject;

  We may collect the Personal Data as a result of your registration on the Website, filling in forms or by communicating with us by post, telephone, email or otherwise. This includes Personal Data you provide when you (or a company or other legal person associated with you): (i) register on the Website; (ii) apply to us or pay for the Product; (iii) request from us any information, and (iv) provide us with your answer on our request.

• interaction with third parties;

  We may receive Personal Data about you from various third parties (whether from public or private sources).

• automated technologies.

  During the interaction between the Subject and Website, we may automatically collect Technical Data. We collect it by using cookies, server logs and other similar technologies. Please, see our cookie policy for further details. Cookie policy is set forth in this Privacy Notice in section 11. You can choose to accept or decline cookies. If you do choose to decline cookies, not all elements of the Website may function as intended, so your Website experience may be affected.

We always Process Subject's Personal Data on lawful grounds, including the following:

• the consent of the Subject;
• We always seek to obtain a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the Subject's agreement to the Processing of the Personal Data, including by electronic means, e.g. ticking a box when visiting the Website.
• Generally, we do not rely on the consent as a legal basis for processing your Personal Data, but we will ask Subject's separate consent before Processing its Personal Data, unless other legal ground for Processing applies.
• necessity of: (i) the performance of a contract to which the Subject is the party, or (ii) taking steps at the request of the Subject prior to entering into such contract;

  Processing of Personal Data is required for us to provide you with the Products. The Products' provision and entering into the contractual relationships in that regard cannot be performed without Processing of the Personal Data;

• CryptoStake's or third party's legitimate interest;

  The legitimate interests of CryptoStake or third party may provide a legal basis for Processing, provided that the interests or the fundamental rights and freedoms of the Subject are not overriding.

• necessity for compliance with legal obligations to which CryptoStake is subject.

5.1. Below, in a table format, a description of all the ways we plan to use your Personal Data, and which of the legal bases we rely on to do so are set out. It should be noted that we may Process your Personal Data for more than one legal basis depending on the specific purpose for which we are using the Personal Data.

6.1. CryptoStake may share the Personal Data of the Subject with third parties and transfer it internationally, provided that such third parties are:

• CryptoStake's Affiliates; or
• the following trusted third parties: (i) agents and suppliers, including those who provide CryptoStake with technology services such as data analytics, hosting and technical support; (ii) CryptoStake's professional advisors, auditors and business partners; (iii) regulators, governments and law enforcement authorities, (iv) companies providing services in the areas of fraud, money laundering, terrorism financing and other crime prevention, and companies providing similar services, including financial institutions such as credit reference agencies or other parties for the establishment, exercise or defence of a legal or equitable claim or for the purposes of a confidential alternative dispute resolution process; and (v) other third parties in connection with re-organising all or any part of CryptoStake's business, collectively referred to as the "Transferees".

6.2. The Personal Data may be Processed by the Transferee outside of your home country. Data privacy laws in the countries to which your Personal Data may be transferred may not be equivalent to, or as protective as, the laws in your home country or Data Protection Legislation. We will, however, ensure the transfer complies with the Data Protection Legislation and all personal data will be secure.

6.3. We do ordinarily not transfer the Personal Data outside the European Economic Area (the "EEA"). Should we ever transfer your Personal Data out of the EEA, we will ensure a similar degree of protection is afforded to it by ensuring at least one of the following is implemented:

• we will only transfer your Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data by the European Commission. For further details, see: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en; and
• where appropriate safeguards referred to in Article 46(2) of the GDPR are implemented.

6.4. In the absence of safeguards referred to in section 6.3 above a transfer or a set of transfers of Personal Data out of the EEA shall take place only on one of the following conditions:

• you have explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers;
• the transfer is necessary for the performance of a contract between you and CryptoStake or the implementation of pre-contractual measures taken at your request;
• the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Subject between CryptoStake and another person;
• the transfer is necessary for important reasons of public interest;
• the transfer is necessary for the establishment, exercise or defence of legal claims; and
• the transfer is necessary in order to protect Subject's vital interests or of other persons, where the Subject is physically or legally incapable of giving consent.

6.5. Where we use providers based in the United States of America (the "US"), we may transfer Personal Data to them if they are part of the Privacy Shield which requires them to provide similar protection to Personal Data shared between the Europe and the US.

6.6. Please, contact us if you want further information on the specific mechanisms used by us when transferring your Personal Data out of the EEA.

7.1. CryptoStake only retains Subject's Personal Data for no longer than is necessary for the purposes for which the relevant Personal Data are Processed, including for the purposes of satisfying any CryptoStake's legal, regulatory, tax, accounting or reporting requirements. CryptoStake may retain your Personal Data for a longer period in the event of a complaint or if it reasonably believes, there is a prospect of litigation in respect to relationships between the Subject and CryptoStake.

7.2. To determine the appropriate retention period for the Personal Data, CryptoStake considers the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of the Personal Data, the purposes for which we Process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

7.3. We operate no fixed retention periods for Personal Data retention.

7.4. Where your Personal Data is no longer required, we will ensure it is disposed of or deleted in a secure manner. In some circumstances CryptoStake may anonymise Subject's Personal Data (so that they can no longer be associated with the Subject) for research or statistical purposes, in which case CryptoStake may use this information indefinitely without further notice to the Subject.

8.1. CryptoStake implements and maintains appropriate technical and organizational measures (the "Measures") to protect Subject's Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access.

8.2. The Measures include:

• measures for pseudonymisation and encryption of Subject's Personal Data;
• measures to help ensure ongoing confidentiality, integrity, availability and resilience of CryptoStake's systems and services;
• measures to help restore the availability and access to Subject's Personal Data in a timely manner in the event of a physical or technical incident; and
• measures for regular testing, assessing and evaluating the effectiveness of the Measures for ensuring the security of the Processing.

8.3. CryptoStake may update or modify the Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security.

8.4. All of our staff are trained in the importance of protecting personal and other sensitive information. CryptoStake takes reasonable steps to ensure that any person acting under our authority who has access to the Personal Data does not Process them except on instructions from CryptoStake, unless he or she is required to do so by applicable law.

8.5. We require all third parties to respect the security of the Personal Data and to treat them in accordance with the Data Protection Legislation. We do not allow our third-party service providers to use your Personal Data for their own purposes and only permit them to Process your Personal Data for specified purposes and in accordance with this Privacy Notice, Data Protection Legislation and our instructions.

8.6. We cannot guarantee that your Personal Data or private communications will always remain private and secure. We use our reasonable endeavours to put in place procedures to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

8.7. Transmission to us of information via the internet or a mobile phone network connection may not be completely secure and any transmission is at your own risk.

9.1. Under the Data Protection Legislation, the Subject has a number of rights with respect to its Personal Data, including the following rights:

• to obtain from CryptoStake confirmation whether CryptoStake Process any of Subject's Personal Data;
• to request for access to Subject's Personal Data Processed by CryptoStake;
• to withdraw of the consent to Processing of Subject's Personal Data at any time (provided that the relevant Personal Data are Processed based on the Subject's consent);
• to obtain from CryptoStake the rectification (correction) of inaccurate Personal Data of the Subject;
• to obtain from CryptoStake the erasure (deletion) of Subject's Personal Data;
• to obtain from CryptoStake the restriction of Processing;
• to receive Subject's Personal Data, which have been provided to CryptoStake, in a structured, commonly used and machine-readable format and to transmit those Personal Data to another controller without hindrance from CryptoStake;
• to object to Processing;
• not to be subject to a decision based solely on automated Processing; and
• to complain to local data protection authority if Subject's privacy rights are violated, or if the Subject has suffered as a result of unlawful Processing of its Personal Data.

9.2. These rights will only apply in certain circumstances. If you wish to exercise any of these rights or become acquainted with circumstances, in which the relevant right is applied, please, contact us. That being the case, CryptoStake may need to request specific information from the Subject to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive them. We may also contact you to ask you for further information in relation to your request to speed up our response.

9.3. Access to the Personal Data is granted free of charge (as well as exercising any of the other rights). However, CryptoStake may refuse to comply with the Subject's request in circumstances where such request is clearly unfounded, repetitive or excessive.

Please, remember that when you use a hyperlink to go from the Website to another website or you request a service from a third party, our Privacy Notice no longer applies. Your browsing and interaction on any other website or your dealings with any other third-party service provider, is subject to that website's or third-party service provider’s own rules and policies. We do not monitor, control, or endorse the information Processing or privacy practices of any third parties. We encourage you to become familiar with the privacy practices of every website you visit or third-party service provider that you deal with and to contact them if you have any questions about their respective privacy policies and practices.

11.1. To make our Website work properly, we place small data files called "cookies" on your device. Most big websites do this too.

11.2. A cookie is a small data file that the Website saves on your computer or mobile device when you visit the Website either for only the duration of your visit on the Website or for a fixed period. These collect and store certain information, and these typically involve pieces of information or code that the Website transfers to or accesses from your computer hard drive or mobile device to store and sometimes track information about you. Cookies and similar technologies enable you to be remembered when using that computer or device to interact with the Website and can be used to manage a range of features and content as well as storing searches and presenting personalized content.

11.3. We use cookies to observe how many users access and use our Websites, when users access and use our Website and what pages users access. Our Website uses cookies to distinguish you from other users. This helps us to provide you with a good experience when you use our Website and also allows us to improve our Website, Platform and Services.

11.4. Most web browsers automatically accept cookies and similar technologies, but if you prefer, you can change your browser to prevent that and your help screen or manual will tell you how to do this. However, you may not be able to take full advantage of the Website and Products if you do so.

11.5. A number of cookies and similar technologies we use last only for the duration of your web session and expire when you close your browser. Others are used to remember you when you return to the Website and are stored in your browser until you delete them or your browser deletes them based on the expiration date defined by the cookie's file.

11.6. We use these cookies and other technologies on the basis that they are necessary for the performance of a contract with you, or because using them is in our legitimate interests (where we have considered that these are not overridden by your data protection interests or fundamental rights and freedoms), and, in some cases, where required by law, where you have consented to their use.

11.7. We use the following types of cookies:

• strictly necessary cookies. These are cookies that are required for the operation of our Website. They include, for example, cookies that enable you to log into your Account;
• analytical and performance cookies. They allow us to recognize and count the number of users and to see how users move around our Website when they are using it. This helps us for our legitimate interests of improving the way our Website works, for example, by ensuring that users are finding what they are looking for easily;
• functionality cookies. These are used to recognize you when you return to our Website. This enables us, subject to your choices and preferences, to personalize our content, greet you by name and remember your preferences (for example, your choice of language or region); and
• targeting and advertising cookies. These cookies record your visit to our Website, the pages you have visited and the links you have followed. We will use this information subject to your choices and preferences to make our Website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.

11.8. The effect of disabling cookies depends on which cookies you disable but, in general, the Website may not operate properly if all cookies are switched off.

11.9. If you want to disable cookies on our Website, you need to change your browser settings to reject cookies. How you can do this will depend on the browser you use, therefore, please, check with your browser provider to find out how to disable cookies.