← Back to TAPLYLEGAL · PRIVACY NOTICE · v1.0

Privacy Notice.

How we collect, use, store and share personal data of pre-sale participants, professional clients and website visitors. We collect only what's necessary to onboard, verify, and communicate with you, and to comply with our legal obligations.

Version v1.0Effective 16 May 2026Controller TAPLY Foundation (BVI)

—— 01Who we are

This Privacy Notice is issued by TAPLY Foundation, a foundation company incorporated in the British Virgin Islands ("we", "us", the "Foundation" or the "Controller").

For all matters relating to personal data, you may contact our Data Protection Officer at privacy@taply.network.

This Notice applies in addition to, and does not replace, applicable local privacy laws including the UK GDPR, the EU GDPR, and the Data Protection Act 2018, where relevant to a participant.

—— 02Data we collect

We collect personal data only where necessary to onboard, verify, and communicate with pre-sale participants and to comply with our legal obligations.

Category
Examples
Identity
Full legal name, date of birth, nationality, government-issued ID number, photographic ID, selfie / liveness check.
Contact
Email address, phone number, postal address, employer / firm name.
Financial & KYC
Source of funds declaration, professional-investor certification, proof of address, bank statements where required for source of funds.
Sanctions screening
Results of AML / sanctions / PEP checks performed by our KYC vendor.
Wallet & transaction
Public wallet address, on-chain transaction hashes, settlement amount, settlement chain, stablecoin used.
Communications
Email correspondence, data-room access logs, calls (recorded only with consent).
Technical
IP address, browser type, device type, pages viewed (where you interact with our website).

—— 03Purposes and legal bases

Purpose
Legal basis
Onboarding — KYC, identity, source of funds.
Performance of a contract (Token Purchase Agreement) and compliance with our legal obligations.
Sanctions, AML and PEP screening.
Legal obligation under applicable AML regulations.
Communications regarding the pre-sale, vesting, and token delivery.
Performance of a contract.
Tax reporting where required.
Legal obligation.
Detecting and preventing fraud, money laundering, terrorism financing.
Legitimate interests & legal obligation.
Investor relations updates and quarterly reports.
Legitimate interests / consent (opt-out available).
Website analytics and security.
Legitimate interests.

—— 04On-chain data — important notice

Once Tokens are issued to your wallet, certain data is recorded on a public blockchain (Ethereum or Solana). This includes your public wallet address, the amount of Tokens issued or transferred, and the timestamp.

Public-blockchain data is, by design, permanent, public, immutable and global. The Foundation cannot delete, modify or restrict blockchain entries. Your right to erasure under Article 17 GDPR cannot apply to on-chain data because the data is not held by us — it is held by a public, decentralised network.

You acknowledge this irreversibility before submitting a wallet address. We strongly recommend you use a wallet address that you do not associate with any sensitive off-chain identity.

—— 05Sharing with third parties

We share personal data only with carefully selected processors and partners, under appropriate contractual safeguards:

  • KYC / AML providers — for identity verification, sanctions and PEP screening.
  • Custody and treasury partners— for the security of the Foundation's wallets.
  • Cloud hosting — for the secure storage of records.
  • Legal, audit and tax advisors — under professional confidentiality.
  • Regulators, courts, and law-enforcement agencies — where we are legally required to disclose.
  • Acquirers or successors — in the event of a corporate reorganisation, subject to the same obligations.

We do not sell personal data. We do not share data with advertising networks.

—— 06International transfers

Personal data may be transferred outside your jurisdiction, including to the British Virgin Islands, the United Kingdom, the European Economic Area, and other jurisdictions where our processors are located. Where required, transfers are protected by Standard Contractual Clauses, an adequacy decision, or an equivalent safeguard.

—— 07Retention periods

  • KYC records: retained for the duration of the relationship plus 5 years after termination (UK AMLR, EU AMLR equivalent).
  • Transaction records: 7 years from the transaction date.
  • Investor communications: 3 years from last contact.
  • Marketing email lists: until you unsubscribe, or maximum 2 years from last interaction.
  • On-chain data: permanent — see Section 4.

—— 08Your rights

Subject to applicable law (UK GDPR, EU GDPR or local equivalent), you may have the following rights in respect of off-chain personal data we hold about you:

  • Access — receive a copy of your data;
  • Rectification — correct inaccurate data;
  • Erasure — request deletion, subject to legal retention obligations;
  • Restriction — limit our processing in certain circumstances;
  • Portability — receive your data in a structured machine-readable format;
  • Objection — object to processing based on legitimate interests;
  • Withdraw consent — where processing is based on consent.

To exercise any right, contact privacy@taply.network. We will respond within one month.

—— 09Cookies & analytics

Our public website uses only essential cookies and privacy-friendly analytics (no third-party advertising cookies). A cookie banner is presented to first-time visitors where required by applicable law.

—— 10Security

We apply technical and organisational measures appropriate to the sensitivity of the data, including encryption in transit and at rest, strict access controls, multi-factor authentication, segregation of duties, and regular security audits. No system is completely secure; we encourage you to use strong passwords and unique credentials.

—— 11Contact & complaints

Questions, requests or complaints: privacy@taply.network.

You also have the right to lodge a complaint with the data protection authority in your jurisdiction (in the UK, the ICO; in the EU, your national supervisory authority).