Privacy

April 2025 1. Data Controller and Contact Details Data Controller: Solstice Labs AG

2. Overview

Solstice Labs is committed to protecting the privacy and security of your personal and institutional information. Our privacy policy (this “Privacy Policy”) explains how we collect, use, store, and disclose your personal data when you access or use the website, the platform provided on the website, the services or the Solstice tokens, or any related services, tools, and features (collectively, the "Solstice Services"). We process your personal data in accordance with applicable l data protection legislation, including the General Data Protection Regulation (the “GDPR”). Please read this Privacy Policy carefully. By using, accessing, or downloading any of the Solstice Services, you agree to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree to this Privacy Policy, please do not use, access, or download any of the Solstice Services. Regarding the terms used in this Privacy Notice, such as “processing” or “controller”, we refer to the definitions of the GDPR.

3. Personal Data Collection

When you register for an Account, access, or use the Solstice Services, we may collect (directly or through third-party providers) various types of personal data about you from a variety of sources. This includes personal data provided during “Know Your Customer” (“KYC”) and Anti-Money Laundering (“AML”) processes, as well as data generated through your transactions on the Platform. Specifically, we may collect: a. Basic information: name, address, date of birth, nationality, country of residence, phone number, email address; b. Identification information: utility bills (or other proof of address), photographs, government-issued identification (such as identification cards, passports, driver’s licenses, etc.), tax ID number, employment information, proof of residency, visa information, organizational documents, and information regarding ultimate beneficial owners; c. Financial information: income/net assets/wealth verification statements, transaction history, and any other relevant financial data; d. Blockchain information: publicly available blockchain data, such as wallet addresses, transaction history, holdings, purchases, sales, or transfers of tokens, which may subsequently be associated with the information you provide to us; and e. Technical information: log files, IP addresses, browser type, operating system, and usage data collected automatically when you use Solstice Services.

4. Legal Basis for Processing Personal Data

We process your personal data in accordance with the applicable data protection legislation. This includes the GDPR and the following legal basis: a. Performance of contractual obligations: To provide the Solstice Services and fulfil contractual obligations, such as verifying your identity during KYC/AML procedures (Art. 6(1)(b) GDPR); b. Legal Obligations: To comply with legal and regulatory requirements, including financial regulations, AML laws, and tax obligations (Art. 6(1)(c) GDPR); c. Legitimate Interests: To ensure the security and stability of the Solstice Services, prevent fraud, improve our Services, and conduct limited promotional activities (Art. 6(1)(f) GDPR); and d. Consent: For activities that require your explicit consent, such as sending marketing communications (Art. 6(1)(a) GDPR). You can withdraw your consent at any time without affecting the lawfulness of prior processing as mentioned below in section 13 in this Privacy Policy. Please note that the withdrawal of the consent does not affect the lawfulness of processing personal data based on consent before its withdrawal.

5. Data Use

We use your personal data to provide, maintain, and improve the Solstice Services, to communicate with you, to comply with legal and regulatory requirements, and for other purposes as described in our Privacy Policy. Specifically, we use your personal data to: a. identify you as a user on our platform; b. identify your place of residence, or registered office; c. provide access to and use of the Solstice Service; d. improve the administration of the Solstice Service and enhance your experience; e. provide customer support and respond to your requests and inquiries; f. investigate and address conduct that may violate the applicable terms; g. detect, prevent, and address fraud, violations of the applicable terms, and/or other harmful or unlawful activity; h. send you administrative notifications, such as security, support, and maintenance advisories; i. send you newsletters, promotional materials, and other notices related to the Solstice Services or third parties' goods and services; j. respond to your inquiries related to employment opportunities or other requests; k. comply with applicable laws, cooperate with investigations by law enforcement or other authorities of suspected violations of law, and/or to pursue or defend against legal threats and/or claims; and l. act in any other way we may describe when you provide personal data.

6. Data Transfer

We may transfer your personal data to third parties in certain circumstances if a legal basis applies. This may be due to your contract with us, our legitimate interests, your prior consent or a legal obligation. Such circumstances include: a. Service Providers: engaging blockchain analysis providers, KYC/AML service providers, data analytics vendors, and cloud service providers; b. Compliance with Laws and Regulations: complying with legal obligations, including cooperation with law enforcement, court orders, or regulatory investigations; c. Business Transactions: facilitating business transactions such as mergers, acquisitions, financing, bankruptcy proceedings, or asset sales, during which your information may be transferred as part of the transaction. If our business or assets are acquired by another entity, they will inherit the rights and responsibilities regarding your information as outlined in this Privacy Policy; d. Ensuring Compliance and Security: enforcing the applicable terms or ensuring the safety and security of our platform and its users; e. Affiliated Entities: sharing personal data with parent companies, subsidiaries, joint ventures, or other affiliated entities under common ownership, provided they adhere to this Privacy Policy; and f. Professional Advisors: disclosing personal data to professional advisors, including auditors, legal counsel, accountants, or KYC service providers.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data from unauthorized access, alteration, disclosure, or destruction. These measures include: a. data encryption during transmission and storage; b. regular security audits and vulnerability assessments; c. access controls to limit data access to authorized personnel; and d. secure storage solutions for sensitive information. Despite our efforts, no security measures are perfect or impenetrable, and we cannot guarantee "perfect security". You are responsible for securing your digital wallets and keeping your account credentials confidential. In the event of a data breach, we will notify affected individuals and relevant authorities in accordance with applicable laws.

8. Data Retention

We retain your personal data only as long as absolutely necessary to fulfill the purposes outlined in this Privacy Policy or as long as statutory retention periods exist. Specifically: a. Account-Related Data: retained for as long as your account remains active; b. Regulatory Requirements: retained for the duration specified by legal and regulatory obligations (e.g., financial and AML requirements); and c. Dispute Resolution: retained as necessary to resolve disputes or enforce agreements. Once your data is no longer required for these purposes, we will delete or anonymize it. Note that blockchain data (e.g., transaction history) cannot be altered or deleted due to the immutable nature of blockchain technology.

9. Your Rights as Data Subject

If the GDPR is applicable, you have the following rights: a. Access: the right to request access to your personal data we process in accordance with Art. 15 GDPR; b. Correction: the right to request correction of inaccurate or incomplete information at any time in accordance with Art. 16 GDPR; c. Deletion: the right to request deletion of your personal data, subject to legal and regulatory retention obligations in accordance with Art. 17 GDPR; d. Restriction: the right to request restriction of processing in certain circumstances in accordance with art. 18 GDPR; e. Portability: the right to request a copy of your data in a structured, commonly used, and machine-readable format in accordance with Art. 20 GDPR; f. Objection: the right to object to processing based on legitimate interests or for direct marketing purposes in accordance with Art. 21 GDPR; g. Withdrawal of Consent: the right to withdraw your consent at any time for activities requiring consent in accordance with Art. 7(3) GDPR; and h. Lodging Complaints: the right to lodge a complaint with a supervisory authority if you believe your rights have been violated. To exercise your rights or to learn more about our Privacy Policy, please contact us at info@solsticelabs.io. We may require additional information to verify your identity.

10. Social Media

We maintain an online presence within social media platforms to communicate with interested parties, and users who are active there and to be able to inform them there about Solstice Services. When accessing the relevant social media platforms, the terms and conditions of business and the data processing guidelines of their operators apply. Unless otherwise stated in this Privacy Policy, we process user data if they communicate with us within social media platforms, e.g., contributions to our online presence or sending messages. At the same time, this personal data will also be processed by the social media platform itself according to their own privacy policy, and we have no influence on this. Social media platforms might track your behaviour (e.g. what content you clicked on or what websites you opened) when you are logged in to your account. To prevent such associations, you may want to log out of your social media accounts. We have no control and no responsibility over the general activities of social media platforms and your behaviour and will therefore not assume any liability for damages incurred by them using your personal data. For a detailed explanation of the respective processing and the possibilities of exercising data subject rights and opting out of tracking with providers of social media networks, we refer to the respective privacy notices of the providers. Social media platforms and their privacy policy on our social media pages https://x.com/solstice_io

11. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance the functionality of Solstice Services, analyze usage patterns, and personalize your experience. These include essential, performance, and marketing cookies. You can manage your cookie preferences through your browser settings. You may generally opt out of the use of the cookies used for the purposes of online marketing in the case of many services, above all with respect to tracking, via the US-based website http://www.aboutads.info/choices/ or via the EU-based website https://www.youronlinechoices.com/. In addition, the retention of cookies may be achieved by deactivating them in the browser settings. However, please note that disabling cookies may limit certain features of the Solstice Services. Additionally, our platform does not currently respond to "Do Not Track" signals from browsers.

12. Automated Decision-Making and Profiling

We do not use personal data for automated decision-making, including profiling within the meaning of Art. 22 of the GDPR.

13. International Transfers

Your personal data may be transferred to and processed in countries outside of your jurisdiction, where data protection laws may differ. If this is the case, we will rely on appropriate data transfer mechanisms according to Art. 44 et seq. GDPR. This might be: - any adequacy decision by the European Commission; - standard contractual clauses as published by the European Commission; or - binding corporate rules.

14. Declaration of Consent:

You have the right to withdraw your consent at any time to Solstice Labs AG, or via email to info@solsticelabs.io. If you withdraw your consent, we might not be able to provide all Solstice Services to you anymore. Please keep in mind, that the withdrawal of the consent does not affect the lawfulness of processing personal data based on consent before its withdrawal.

15. Changes to Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any significant changes by posting a notice on our website or through other appropriate means. Your continued use of the Solstice Services after any such changes constitutes your acceptance of the updated Privacy Policy. If you do not agree to any changes in the Privacy Policy, you must stop using the Solstice Services.