Privacy Policy (GDPR-ready)

This template provides a GDPR-aligned baseline Privacy Policy for tokenization and digital asset platforms. It outlines categories of data, legal bases, user rights, and international transfers.

When you need this

If your platform processes personal data of EU residents — whether investors, issuers, or staff — GDPR applies. A clear Privacy Policy is also required under MiCA, AMLD5/6, and consumer protection frameworks.

Key sections covered

  • Data Categories — identity, KYC docs, transaction data, technical logs.
  • Purposes & Legal Bases — onboarding (legal obligation), AML checks (public interest), marketing (consent), analytics (legitimate interest).
  • User Rights — access, rectification, erasure, restriction, portability, objection, automated decision-making.
  • Data Retention — KYC = 5–10 years, marketing = until consent withdrawn, logs = [X months].
  • International Transfers — SCCs, adequacy decisions, risk assessments.
  • Security Measures — encryption, segregation, access controls, monitoring.
  • Third Parties — custodians, KYC providers, payment processors.
  • Complaints — contact DPO, escalate to data protection authority.

How to customize

  1. Insert your [Company Legal Name], [Jurisdiction], DPO contact details, and supervisory authority reference.
  2. Map your actual data flows: which data you collect, for which purpose, on what legal basis.
  3. Check retention periods: align with AML/CFT, accounting, and local law.
  4. List sub-processors: KYC vendor, cloud provider, analytics tools.
  5. Adapt transfer language: add SCC references if you use a US-based cloud or KYC provider.

Download & next steps

This skeleton is GDPR-ready but should be adapted to your processing map and regulator guidance. We can draft a customized Privacy Policy covering MiCA, AIFC, VAITOS, or other frameworks.