Privacy Policy
Last updated: 5 May 2026
1. Who we are
This Privacy Policy applies to krypco — the protocol operator behind the krypco hybrid blockchain and the kEUR / kUSD on-chain stablecoins. Once incorporated (planned summer 2026), krypco will operate as a Cyprus Ltd registered with the Cyprus Securities and Exchange Commission (CySEC) for crypto-asset service activities under MiCA. Until incorporation, references to “krypco” mean the founding team operating the protocol from within the EU.
For the purposes of GDPR, krypco is the data controller for personal data collected through krypco.eu (and the future krypco.app), and via our KYC / AML processes. Contact for privacy matters: privacy@krypco.eu.
2. What data we collect
We collect the minimum data required to provide our services and comply with EU law:
- Identity data (KYC): full name, date of birth, nationality, residential address, identity document (passport or national ID), liveness selfie, proof of address. Required by 5AMLD/6AMLD before we can issue a personal IBAN.
- Wallet data: public wallet address(es) you connect to our services. This is on-chain data — we don't custody your private keys.
- Banking data: for withdrawals, the destination IBAN you allowlist. We do not access balances or transaction history at any other bank.
- Transactional data: records of deposits, withdrawals, swaps and presale purchases linked to your wallet. On-chain by nature.
- Technical data: IP address, browser type, device characteristics, language, time-zone. Collected automatically via server logs.
- Analytics data: page views and anonymised session events through self-hosted Umami. No third-party trackers, no cross-site profiles.
3. Why we collect it & lawful bases
We process personal data on the following GDPR lawful bases:
- Legal obligation (Art. 6(1)(c)): KYC / AML verification, sanctions screening, transaction monitoring, DAC8 reporting, record-keeping. Required by 5AMLD/6AMLD, MiCA and DAC8.
- Contract performance (Art. 6(1)(b)): issuing your IBAN, processing SEPA payouts, executing on-chain transactions you sign with your wallet.
- Legitimate interest (Art. 6(1)(f)): fraud prevention, abuse detection, system security, anonymous usage analytics.
- Consent (Art. 6(1)(a)): for optional marketing emails (you can withdraw consent at any time).
4. How we store and protect your data
Identity documents are encrypted at rest using AES-256 and stored in a dedicated KYC vault accessed only by authorised compliance staff and our regulated banking partner. KYC documents never touch the chain — only a boolean “KYC verified” status is recorded in the KrypcoFiatRegistry contract.
Operational systems run inside the EU (Hostinger and Leaseweb data centres in EU jurisdictions). Backups are encrypted. Production access uses hardware-key MFA. Code goes through review and third-party security audit before mainnet.
5. How long we keep it
- KYC records and transaction logs: 5 years from end of business relationship (mandated by 5AMLD).
- On-chain data: permanent — it's a blockchain. We can't delete it. Only the wallet-to-IBAN mapping in our off-chain registry can be marked inactive.
- Server logs / analytics: 30 days, then aggregated.
- Marketing consent records: until withdrawn + 3 years (proof of consent).
6. Who we share it with
We share personal data only with:
- Regulated banking partners who issue your IBAN and execute SEPA transfers — strictly limited to the data needed for those operations.
- Regulated stablecoin issuers for kEUR and kUSD reserve operations.
- Auditors and regulators (CySEC, financial supervisors, tax authorities under DAC8) when legally required.
- Sub-processors for infrastructure (encrypted backups, email delivery) under DPA agreements.
We never sell personal data. We do not use third-party advertising or tracking SDKs. Analytics are self-hosted.
7. International transfers
Data stays inside the EU/EEA where possible. If a sub-processor requires transfer outside the EEA, we apply the European Commission's Standard Contractual Clauses (2021/914) and conduct a Transfer Impact Assessment. A list of current sub-processors is available on request.
8. Your rights
Under GDPR you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Erase data, where a legal obligation does not require us to keep it
- Restrict or object to processing
- Data portability (machine-readable export)
- Withdraw consent (for consent-based processing)
- Lodge a complaint with your supervisory authority — for Cypriot operations, the Office of the Commissioner for Personal Data Protection
To exercise any of these rights, email privacy@krypco.eu. We respond within 30 days.
9. Cookies & analytics
krypco may collect aggregate, non-identifying usage data — including page views, session duration and navigation patterns — through a privacy-respecting analytics service operated within the EU. This data is used solely to maintain and improve the Services.
We do not employ third-party advertising trackers, behavioural profiling, fingerprinting or cross-site tracking technologies. Only strictly necessary cookies are placed for the site to operate (session, security and user-preference cookies). A detailed cookie notice is presented on first visit, and your choices can be reviewed and updated at any time.
10. Updates
We may update this policy when our services change or the law requires it. The “Last updated” date at the top of the page reflects the most recent revision. Material changes are announced via the site and, where appropriate, by email.