Data Privacy Policy

1. Introduction

In Mountain Protocol, we are dedicated to safeguarding your privacy and ensuring secure personal and institutional information. This Privacy Policy outlines how we collect, use, store, and protect your data in compliance with the Personal Information Protection Act (PIPA) of Bermuda.

At Mountain Protocol, we aim to provide a secure environment for managing and transacting with the USDM token and other crypto assets. Our commitment extends to transparency, so you can feel confident and informed about how your information is handled when you access or use our platform.

2. Definitions

For the purposes of this privacy policy, the following terms shall have the meanings ascribed to them below:

“Personal Information”: means any information that relates to an identified or identifiable individual. Examples: names, dates of birth, photographs, video footage, email addresses, IP address, cookie identifier, and telephone numbers. Information about organisations (i.e., companies and public authorities) is not personal information.

“Sensitive Personal Information”: includes information relating to such aspects as place of origin, race, colour, national or ethnic origin, sex, sexual life, health, marital status, family status, disabilities, trader union membership, religious beliefs, and biometric and genetic information.

“Informed Consent”: explicit authorization given by an individual for the processing of their personal data, after being informed about how and for what purposes their data will be used.

“Data Processing”: any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Right to Withdraw the Consent”: the right of individuals to revoke the consent they have given for the processing of their personal data at any time. Upon withdrawal, the organisation must cease processing the personal data unless processing is permitted or required by law.

“Breach of Security”: it is defined as any incident that results in the loss, unlawful destruction, alteration, unauthorized disclosure of, or access to personal information.

3. Data Protection Principles

Our data management is based on the following fundamental principles:

1. Responsibility and Compliance: Take responsibility for protecting personal data and complying with data protection laws.

2. Conditions for Using Personal Information: Personal data should only be used for specific and legitimate purposes.

3. Sensitive Personal Information: Sensitive personal information must be treated with more excellent care and protection.

4. Fairness: Personal data must be handled in a fair and transparent manner.

5. Privacy Notices: provide clear notices about how personal data is handled.

6. Purpose Limitation: Personal data should only be collected for specific purposes and not used for other purposes without the individual's consent.

7. Proportionality: The collection and use of personal data must be proportional to the purposes for which it is collected.

8. Personal Data Integrity: the company must ensure that personal data is accurate and up-to-date.

9. Security Measures: The company must implement appropriate security measures to protect personal data against unauthorised access.

4. Information we collect

During the onboarding processes and when accessing or using our services we may collect various types of information, including personal information, sensitive personal information, institutional information, and transactional information. This may include, but is not limited to, your name, contact details, identification information, information about your institution, and details about your transactions on the Platform.

5. Data Processing

We use your personal information for the following purposes:

• Legal and Compliance: To comply with our legal and regulatory obligations.

• Service Provision: To provide, operate, and maintain our crypto asset services.

• Service Improvement: To analyse and improve our products and services.

• Communication: To communicate with you about updates, changes to our terms, and other relevant information.

• Security: To protect the integrity and security of our services and your personal information.

• Audits: To conduct audits and ensure compliance with internal and external standards.

6. Integrity of Personal Information

In accordance with the law, we are committed to maintaining the integrity of personal information. We ensure that any personal information we utilise is accurate and kept up to date as necessary for its intended purposes.

To achieve this, we will periodically update the information provided by our clients during the onboarding process, utilising public sources to stay informed of any changes. We will also consult with clients regarding any updates.

Additionally, it is the user's responsibility to notify us of any substantial changes to their personal information to keep this information updated.

Furthermore, we are dedicated to not retaining personal information for longer than is required for those purposes, thereby safeguarding your privacy and ensuring responsible data management.

7. Provision of Privacy Notices

Mountain Protocol is committed to providing individuals with a clear and easily accessible privacy notice about its practices and policies regarding personal information. This notice will always include:

• The use of personal information.

• The purposes for which personal information is used.

• The individuals or organisations to whom personal information may be disclosed.

• The identity and contact information for Mountain Protocol regarding the handling of personal information.

Mountain Protocol takes all reasonably practicable steps to ensure that the privacy notice is provided either before or at the time of collection of personal information, or, where that is not possible, as soon thereafter as is reasonably practicable.

7.1. Exemption from Providing Privacy Notices

7.1.1. Mountain Protocol is not required to provide a privacy notice if all personal information in its possession is publicly available information.

7.1.2. If the information is required by legal authorities.

8. Purpose Limitation

We use your personal information only for the specific purposes for which it was collected and do not use it for other purposes without your prior consent.

9. Data Proportionality

We ensure that the amount of personal information collected is adequate and relevant for the specific purposes of processing.

We strictly adhere to the principle of data minimisation, meaning we only collect the data that is necessary to achieve our legitimate business objectives. By doing so, we reduce the risk of handling unnecessary or excessive information, thereby protecting individual privacy and maintaining compliance with data protection regulations.

10. Security Measures

We implement appropriate technical, administrative, and physical security measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction.

10.1. Physical Protection

Ensure that databases and equipment where data is stored are secured and that access is strictly controlled. Limit physical access to these areas to only those employees who require it for their job functions. Implement measures such as locked rooms, access badges, and surveillance systems to enhance physical security.

10.2.Technical Protection

Employ encryption mechanisms to protect data during transmission and storage. Utilize firewalls, intrusion detection systems, and other advanced security technologies to prevent unauthorised access. Regularly update and patch software to defend against vulnerabilities and cyber threats.

10.3. Administrative Protection

Develop and enforce internal policies and procedures that restrict access to personal data only to employees who need it for their specific job responsibilities. Conduct regular training and awareness programs to ensure that all employees understand data protection principles and their roles in maintaining security. Implement access control measures such as role-based access controls to ensure that employees can only access data necessary for their tasks.

11. Data Breach

In the event of unauthorized access, loss, or disclosure of personal information, we have established internal protocols for immediate notification of the relevant authorities and affected individuals, as outlined in our Privacy Policy. If your personal information is affected, you will be promptly notified of this situation.

Our protocols include detailed assessments of the breach's nature and potential consequences, as well as decisive measures to mitigate its impact. Our dedicated team is trained to handle such situations swiftly and responsibly, ensuring that we uphold our commitment to protecting your personal information and maintaining transparency throughout the process.

12. Data Transfers

If we transfer your personal information to third parties, we ensure that these third parties also comply with PIPA regulations and provide an adequate level of security protection. We only share your information with:

• Service Providers: Which help us operate our business.

• Legal Authorities: When required by law.

The company is responsible for any data transfers made to third parties. These third parties must always meet security requirements before any transfer occurs. The company will inform users or clients about any new third parties to whom data will be transferred, including the purpose of such transfers.

13. Children’s Information

Mountain Protocol does not allow minors to use its platforms. To ensure this, we have implemented identity verification mechanisms that instantly detect any attempts at onboarding by unauthorised users, resulting in the denial of approval. All this under the regulations of Bermuda law.

14. Individual Rights

According to the PIPA regulations and general data protection standards, data subjects have the right to request access, block, delete, or update their information, and even withdraw consent at any time.

The exercise of these rights must always be done in writing. To do so, please contact us at privacy@mountainprotocol.com. Please be advised that this process may require verification of the requestor's identity.

Once the request is sent, our Data Protection Officer (DPO) will contact you shortly to provide more precise information regarding your case.

15. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any significant changes through our website or other appropriate means.

You will be notified of any changes to the privacy policy, and if necessary, new consent will be requested.

16. Contact

If you have any questions or concerns about this privacy policy or our data protection practices, you can contact us:

DPO: Erika Gonzalez

Email: privacy@mountainprotocol.com

17. Complaint Procedures with PrivCom Authority

If you have any complaints about how we handle your personal information, you can contact us directly. You also have the right to file a complaint with the Office of the Privacy Commissioner for Bermuda (PrivCom).

PrivCom information: Privacy Commissioner - Alexander White

Email: privcom@privacy.bm

Phone: 1-441-543-7748

18. Providers That Receive Personal Information From Mountain Protocol Customers.