# Privacy Policy

**Last updated:** 26/12/2025

### 1. Introduction and scope

This Privacy Policy (“Policy”) explains how POUND PAYMENTS LTD Sp. z o.o., operating under the brand Bitray (“Bitray”, “we”, “us”, “our”), collects, uses, shares and stores personal data, and what rights Clients have in relation to that processing.

We process personal data in line with but not limited to:

* Regulation (EU) 2016/679 (“GDPR”);
* Polish data protection laws;
* applicable AML/CFT, sanctions and crypto-asset regulations;
* Travel rules requirements and procedures;
* comply with accounting, tax and corporate law obligations;
* respond to requests from supervisory authorities, law enforcement and courts;
* establish, exercise or defend legal claims;

Bitray (Website: [https://bitray.io](https://bitray.io/)) operates as a virtual asset service provider (“VASP”). Our services involve, in particular:

* processing crypto transactions,
* holding virtual assets on a limited operational basis to route and settle transactions,
* facilitating crypto-to-crypto exchange via external regulated liquidity providers,
* and others.

This Policy applies to personal data we process in connection with provision of Bitray’s services to “Clients”. In this Policy, “Client” covers any person whose data we process because of our services, in particular:

* persons who act on behalf of our customers (such as directors, beneficial owners, signatories or contact persons),
* persons interacting with our website, dashboard or API,
* persons whose information appears in transaction data or Travel Rule data where required by law.

By using our services, visiting our website or otherwise providing personal data to us, you acknowledge that you have been informed about our processing as described in this Policy.

### 2. Who is responsible for your data?

The Data Controller is POUND PAYMENTS LTD Sp. z o.o.

### 3. What data we process

We process only the personal data that is necessary for clearly defined purposes and based on appropriate legal grounds under GDPR and strictly necessary to provide you with the services in compliance with all applicable regulations.

The data we collect may include but not be limited to personal and business identification details, contacts, transaction metadata (time, date, amount, currency, blockchain/network, transaction hash), wallet identifiers, purpose of transaction, website, dashboard and API usage data (IP address, device and browser information, basic technical data about your visit etc).

### 4. Sources of data and blockchain analysis

We obtain personal data mainly from:

* from you during onboarding process and throughout the relationship;
* publicly available registers (such as company registers and beneficial-ownership registers);
* regulated third-party providers;
* competent authorities and regulated financial institutions where they are legally permitted to share information.

Where permitted and required by law, we may receive limited information about you from:

* business partners and service providers;
* other regulated institutions involved in transactions;
* providers of analytics or advertising services, if we choose to use them in the future and, where required, based on your consent.

Any such information will be used only for the purposes to provide the services you have orders and in accordance with applicable data-protection rules.

### 5. Third-party websites and external services

Our website, dashboard or communications may contain links to third-party websites, services or content that are not operated by Bitray.

If you follow such a link, your use of those third-party services will be governed by their own privacy policies and terms, not by this Policy. We are not responsible for the content, security or privacy practices of those third parties.

### 6. Cookies and similar technologies

At the time of this Policy, Bitray’s website and dashboard use only cookies and similar technologies that are necessary for:

* providing the service (such as keeping you logged in),
* ensuring security (for example, protecting against misuse or attacks),
* basic technical functionality.

We do not use cookies for targeted advertising or behavioural tracking.

### 7. How we share personal data

Bitray does not sell personal data and does not allow third parties to use personal data obtained through our services for their own marketing, unless you have clearly agreed to such use where applicable law requires your consent.

We share personal data only where it is necessary, lawful and subject to appropriate safeguards. We may be required to share personal data with, for example:

* financial intelligence units and other AML/CFT authorities;
* law-enforcement authorities, prosecutors and courts;
* financial and sanctions regulators;
* banks and payment institutions participating in settlement flows;
* regulated liquidity providers and other crypto-asset service providers;
* Travel Rule and blockchain analytics providers;
* Service providers (processors-KYC/KYB and identity-verification providers, document management and similar systems, legal, tax and compliance advisers etc)

We use carefully select service providers to support our operations. These providers act as processors and may only process personal data on our instructions. We enter into contracts with them that include data-protection requirements in line with GDPR, including confidentiality obligations. They are not permitted to use your personal data for their own marketing or other unrelated purposes.

### 8. International transfers of personal data

Our goal is to process and store personal data primarily within the European Economic Area (EEA).

However, some of our service providers, partners or authorities may be located outside the EEA, or may process data in non-EEA countries. In such cases we will ensure that appropriate safeguards are in place, such as:

* a decision by the European Commission that the country in question ensures an adequate level of protection, or
* the use of Standard Contractual Clauses (SCCs) or other mechanisms recognised under GDPR.

Upon request, we can provide more information about relevant safeguards for a particular transfer, where permitted by law and confidentiality obligations.

### 9. How long we keep personal data and deletion

We do not keep personal data longer than necessary for the purposes described in this Policy or as required by law.

Data collected and processed for AML/CFT, sanctions and transaction-monitoring purposes, transaction monitories, contract details, technical data is retained for the period required by applicable AML/CFT legislation, travel rules and financial monitoring. This usually means a minimum of five (5) years from the end of the business relationship or from the date of an occasional transaction, and may be extended where authorities or law (for example, AML/CFT regulations or requests from competent authorities) require it.

During this mandatory retention period, we obliged to keep your data.

#### 9.1 Deletion and anonymisation

When data is no longer needed and no legal retention obligation applies, we either:

* securely delete it, or
* anonymise it so that it no longer relates to an identified or identifiable person.

If you request deletion of your personal data, we will consider your request and, where legally possible, delete or anonymise the relevant data. However, we may retain certain information if we are required or permitted to do so by law or if it is necessary to protect our rights or those of others.

### 10. Your rights under GDPR

Subject to applicable law (including AML/CFT restrictions), Clients whose personal data we process have the following rights:

* Right of access – to obtain confirmation whether we process your personal data and to receive information about that processing.
* Right to rectification – to have inaccurate personal data corrected and incomplete data completed.
* Right to erasure – to request deletion of your personal data in cases listed in Art. 17 GDPR, subject to legal retention obligations.
* Right to restriction of processing – to request restriction of processing in situations listed in Art. 18 GDPR.
* Right to data portability – to receive certain personal data in a structured, commonly used and machine-readable format and to transmit it to another controller, where processing is based on consent or contract and carried out by automated means.
* Right to object – to object, on grounds relating to your particular situation, to processing based on our legitimate interests, including profiling for those purposes.
* Right to withdraw consent – where processing is based on consent, to withdraw that consent at any time; this does not affect the lawfulness of prior processing.
* Right to complain – to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work or alleged infringement. In Poland, this is the President of the Personal Data Protection Office (Prezes UODO).

#### 10.1 AML/CFT-related limitations

Certain rights may be limited where exercising them would:

* prevent us from complying with AML/CFT or sanctions obligations,
* interfere with investigations or requests from competent authorities, or
* breach prohibitions on “tipping-off”.

In particular:

* we cannot erase or restrict processing of data that we are legally required to keep for AML/CFT purposes;
* we may not be able to provide access to specific records connected with suspicious-activity reporting or internal AML investigations.

Where we rely on such limitations, we will provide as much information as the law allows.

### 11. Automated decision-making

We use automated tools to support:

* sanctions and PEP screening,
* transaction monitoring and risk assessment,
* detection of unusual or potentially suspicious activity.

These tools help us identify cases that may require further attention. As a rule, decisions that have legal or similarly significant effects in relation to Clients involve human review and judgement by our staff.

If we introduce forms of decision-making that fall within the scope of Art. 22 GDPR (purely automated decisions with legal or similarly significant effects), we will update this Policy and provide any notices required by law.

### 12. How we protect personal data

We apply appropriate physical, electronic, organisational and technical measures to protect personal data against unauthorised access, loss, misuse or alteration. These measures include, among others:

* Physical safeguards: storing records containing personal data in locations and facilities with controlled access.
* Electronic safeguards: storing personal data in systems protected by access controls and other security technologies, and using secure channels (such as encrypted connections) for data transmission where appropriate.
* Organisational safeguards: limiting access to personal data to authorised staff who need it for their duties and are bound by confidentiality obligations.
* Technical safeguards: using measures such as network security controls, firewalls and other industry-standard protection mechanisms.

We review and adapt these measures as needed, taking into account legal requirements and the state of the art.

### 13. Reporting security issues

If you believe you have discovered a vulnerability, weakness or other security issue related to our website, dashboard, API or systems, we encourage you to notify us as soon as possible so that we can investigate and address it.

Please contact us at: <compliance@bitray.io> and include sufficient details to help us understand the issue. We ask that you act responsibly, avoid accessing data you are not authorised to access, and not publicly disclose details of the issue until it has been addressed.

### 14. How to contact us

For any questions, requests or concerns regarding this Policy or our processing of personal data, you can contact:

Compliance / AML function\
Email: <compliance@bitray.io>

To help us handle your request, please:

* indicate who you are and, where relevant, your relationship with Bitray,
* describe your request clearly.

You also have the right to contact or lodge a complaint with a competent supervisory authority, as described in section 10.

### 15. Changes to this Policy

We may update this Policy from time to time, for example due to:

* changes in law or regulatory expectations,
* guidance from supervisory authorities,
* changes in our services or internal processes.

The latest version will always be available on our website and will indicate the “Last updated” date. Where changes are significant, we may also inform customers through appropriate channels (for example, by email or via our dashboard).


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://bitray.gitbook.io/bitray-docs/privacy-policy.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.