Privacy Policy

Effective date: 5 March 2019
Last updated: 3 April 2026
Data controller: [Operating entity legal name and registered address]

This Privacy Policy describes the personal data that Klyroswap (the "Service") collects from customers, the purposes for which it is collected, and the rights customers have in relation to that data.

1. Personal data we collect

When you create an order on the Service we collect the following information:
- Full name (as provided by you).
- Email address.
- Optional WhatsApp or Telegram identifier (where provided).
- Receiving crypto wallet address (no on-chain identification is performed).
- Source IBAN used to fund the SEPA transfer (collected automatically when the operator matches the incoming payment).
- The IP address from which the order was placed (collected automatically by Cloudflare and used for abuse prevention).
- A record of all status transitions and operator notes related to your order.

2. How we use your personal data

We use your personal data only:
- To execute the order you have created.
- To communicate with you about the order (email and, where you provided one, WhatsApp or Telegram).
- To comply with our AML and sanctions screening obligations (see AML Policy).
- To prevent and investigate abuse, fraud, or security incidents.
- To meet record-retention obligations described in Section 5.

We do not use your personal data for marketing. We do not sell or share your personal data with third parties for advertising, profiling, or analytics.

3. Sub-processors

We engage the following third parties to operate the Service:
- Fly.io (United States) — application hosting and database hosting.
- Cloudflare (United States) — DNS, edge proxy, and DDoS protection.
- Postmark (United States, ActiveCampaign LLC) — transactional email.
- Sentry (United States) — error tracking, with PII scrubbing enabled.
- Meta Platforms Ireland Ltd. (Ireland, with onward transfer to Meta in the United States under the EU-US Data Privacy Framework) — advertising measurement and retargeting via the Meta Pixel. Loaded only if you accept the cookie consent banner on first visit. When active, it shares: your IP address, browser user-agent, the URL of the page you visited, and the event name (e.g. PageView). It does not receive your name, email, wallet, IBAN, or order details. Retention follows Meta's policies (typically 90 days for ad-attribution data). You can revoke consent at any time by clearing your browser storage for this site.
- CoinGecko (Singapore) — public reference price feed; no personal data is sent to CoinGecko.
- The customer's selected crypto-asset network and any associated nodes / explorers — used to broadcast the outbound transaction.

Where personal data is transferred outside the customer's country of residence, the transfer is made on the basis of the standard contractual clauses adopted by the relevant data-protection authority or on the basis of contractual necessity (Article 6(1)(b) GDPR where applicable).

4. Cookies

The Service uses only strictly-necessary cookies (session cookies for the operator panel and CSRF protection for the order form). We do not use advertising, analytics, or tracking cookies. A consent banner is shown on first visit.

5. Retention

We retain your order data, including the personal data in Section 1, for not less than five (5) years from the date of the relevant order, in line with AML record-retention guidance referenced in our AML Policy. After this period, personal data is anonymised in our records.

6. Your rights

Subject to applicable law (including, where applicable, the GDPR), you have the right to:
- Request a copy of the personal data we hold about you.
- Request correction of inaccurate personal data.
- Request deletion of your personal data (subject to AML retention).
- Object to the processing of your personal data (subject to AML retention).
- Lodge a complaint with a data-protection supervisory authority.

To exercise any of these rights, please contact us using the details in Section 8. We will respond within thirty (30) days.

7. Security

We store personal data on encrypted volumes at our hosting provider, behind a strict network perimeter and with operator access protected by hardware-backed two-factor authentication. We use industry-standard hashing (Argon2id) for any credential we hold. We do not store crypto private keys on our infrastructure.

8. Contact

For questions about this policy or to exercise the rights in Section 6, please contact legal@klyroswap.com or use the channels listed on the Contacts page.


Document control (internal):
- Pending review and finalisation by qualified counsel.