Last updated: April 23, 2019

References in this Agreement to “BlockState”, “we”, “our” or “us”, are to BlockState depending on the context. BlockState with its Website respect and protect the privacy of visitors and our customers who use our services. To ensure transparency, this Privacy Policy describes our information handling practices when you access content we own or operate on the web- sites located at BlockState.com, or any other websites, pages, features, or content we own or operate (collectively, the “Site(s)”) and/or when you use the BlockState mobile app, any BlockState or API or third party applications relying on such an API, and related services (referred to collectively hereinafter as “Services”).

Please take a moment to read this Privacy Policy carefully. If you have any questions about this Privacy Notice, please contact us at [email protected]

ACCEPTANCE OF PRIVACY POLICY

By accessing and using our Services, you signify acceptance to the terms of this Privacy Policy. Where we require your consent to process your personal information, we will ask for your con- sent to the collection, use, and disclosure of your personal information as described further below. BlockState may provide additional “just-in-time” disclosures or additional information about the data collection, use and sharing practices of specific Services. These notices may supplement or clarify BlockState’s privacy practices or may provide you with additional choices about how BlockState processes yourdata.

If you do not agree with or you are not comfortable with any aspect of this Privacy Policy, you should immediately discontinue access or use of our Services.

CHANGES TO THIS PRIVACY POLICY

We reserve the right to modify this Privacy Policy at any time, and when required by law, we will notify you of changes to this Privacy Policy. If we make any material changes we will notify you by email (sent to the e-mail address specified in your account) or by means of a notice on our Services prior to the change becoming effective.

OUR RELATIONSHIP TO YOU AND BLOCKSTATE

BlockState AG is a private limited company incorporated in Switzerland with company number CHE-301.798.106 and whose registered office is Baarerstrasse 10 in 6300 Zug Switzerland. BlockState is the name of the brand. BlockState AG is the legal entity that is the sole owner of BlockState brand and all its intellectual property.

As data controllers, we determine the means and purposes of processing data in relation to the BlockState website. If you have any questions about your BlockState Account, your personal information or this Privacy Policy, please direct your questions to [email protected]

THE PERSONAL INFORMATION WE COLLECT

Personal information is data that can be used to identify you directly or indirectly, or to contact you. Our Privacy Policy covers all personal information that you voluntarily submit to us and that we obtain from our partners. This Privacy Policy does not apply to anonymized data, as it cannot be used to identifyyou.

You may be asked to provide personal information anytime you are in contact with BlockState. BlockState may share your personal information within the BlockState ecosystem and use it consistent with this Privacy Policy. They may also combine it with other information to provide and improve our products, services, and content (see the section below).

Except as described in this Privacy Policy, BlockState will not give, sell, rent or loan any personal Information to any third party.

PERSONAL INFORMATION COLLECTED

We collect personal information to provide you with our Services. When we require certain personal information from users it is because we are required by law to collect this information or it is relevant for specified purposes. Any information you provide to us that is not required is voluntary. You are free to choose whether to provide us with the types of personal information requested, but we may not be able to serve you as effectively or offer you all of our Services when you do choose not to share certain information with us.

For example, we collect personal information which is required under the law to open an ac- count, or add a payment method. We also collect personal information when you use or re- quest information about our Services, subscribe to marketing communications, request sup- port, complete surveys, or sign up for a BlockState events. We may also collect personal information from you offline, such as when you attend one of our events, or when you contact customer support. We may use this information in combination with other information we collect about you as set forth in this Policy.

We collect the following types of information:

• Personal Identification Information: Full name, date of birth, age, nationality, gender, signature, utility bills, photographs, phone number, home address, and/or email.
• Financial Information: Bank account information, payment card primary account num- ber (PAN), transaction history, and/or tax identification.
• Online Identifiers: Geo location/tracking details, browser fingerprint, OS, browser name and version, and/or personal IPaddresses.

Usage Data: Survey responses, information provided to our support team, public social networking posts, authentication data, security questions, user ID, click-stream data and other data collected via cookies and similar technologies.

HOW YOUR PERSONAL INFORMATION IS USED

Our primary purpose in collecting personal information is to provide you with a secure, smooth, efficient, and customised experience. In general, we use personal information to create, develop, operate, deliver, and improve our Services, content and advertising, and for loss prevention and anti-fraud purposes. We may use this information in the following ways:

• To maintain legal and regulatory compliance

Some of our core Services are subject to laws and regulations requiring us to collect and use your personal identification information, financial information, online identifiers, and/or usage data in certain ways.

• To enforce our terms in our user agreement and other agreements

BlockState handles very sensitive information, such as your payment information, so it is very important for us and our customers that we are actively monitoring, investigating, preventing and mitigating any potentially prohibited or illegal activities, enforcing our agreements with third parties, and/or violations of our posted user agreement or agreement for other Services. In addition, we may need to collect fees based on your use of our Services. We collect information about your account usage and closely monitor your interactions with our Services. We may use any of your personal information collected on our Services for these purposes. The consequences of not processing your personal information for such purposes is the termination of your account as we can- not perform our Services in accordance with our terms.

• To provide BlockState’s Services

We process your personal information in order to provide the Services to you.

• To provide Service communications

We send administrative or account-related information to you to keep you updated about our Services, inform you of relevant security issues or updates, or provide other transaction-related information. Without such communications, you may not be aware of important developments relating to your account that may affect how you can use our Services.

• To provide customer service

We process your personal information when you contact us to resolve any questions, disputes, collect fees, or to troubleshoot problems. We may process your information in response to another customer’s request, as relevant. Without processing your personal information for such purposes, we cannot respond to your requests and ensure your uninterrupted use of the Services.

• To ensure quality control

We process your personal information for quality control and staff training tomake sure we continue to provide you with accurate information. If we do not process per- sonal information for quality control purposes, you may experience issues on the Ser- vices such as inaccurate transaction records or other interruptions. Our basis for such processing is based on the necessity of performing our contractual obligations with you.

• To ensure network and information security

We process your personal information in order to enhance security, monitor and verify identity or service access, combat spam or other malware or security risks and to com- ply with applicable security laws and regulations. The threat landscape on the internet is constantly evolving, which makes it more important than ever that we have accurate and up-to-date information about your use of our Services. Without processing your personal information, we may not be able to ensure the security of our Services.

• For research and development purposes

We process your personal information to better understand the way you use and inter- act with BlockState’s Services. In addition, we use such information to customise, measure, and improve BlockState’s Services and the content and layout of our website and applications, and to develop new services. Without such processing, we cannot ensure your continued enjoyment of our Services. Our basis for such processing is based on legitimate interest.

• To enhance your website experience

We process your personal information to provide a personalised experience, and implement the preferences you request. For example, you may choose to provide us with access to certain personal information stored by third parties. Without such processing, we may not be able to ensure your continued enjoyment of part or all of our Services.

• To facilitate corporate acquisitions, mergers, or transactions

We may process any information regarding your account and use of our Services as is necessary in the context of corporate acquisitions, mergers, or other corporate trans- actions. You have the option of closing your account if you do not wish to have your personal information processed for such purposes.

• To engage in marketing activities

Based on your communication preferences, we may send you marketing communications to inform you about our events or our partner events; to deliver targeted marketing; and to provide you with promotional offers based on your communication preferences. We use information about your usage of our Services and your contact information to provide marketing communications. You can opt-out of our marketing communications at any time.

We will not use your personal information for purposes other than those purposes we have disclosed to you, without your permission. From time to time we may request your permission to allow us to share your personal information with third parties. You may opt out of having your personal information shared with third parties, or allowing us to use your personal information for any purpose that is incompatible with the purposes for which we originally collected it or subsequently obtained your authorisation. If you choose to so limit the use of your personal information, certain features or BlockState Services may not be available to you.

COLLECTION & USE OF INFORMATION COLLECTED AUTOMATICALLY

We receive and store certain types of information automatically, such as whenever you interact with the Sites or use the Services. This information does not necessarily reveal your identity directly but may include information about the specific device you are using, such as the hard- ware model, device ID, operating system version, web-browser software (such as Firefox, Safari, or Internet Explorer) and your Internet Protocol (IP) address/MAC address/device identifier.

For example, we automatically receive and record information on our server logs from your browser, including how you came to and used the Services; your IP address; device type and unique device identification numbers, device event information (such as crashes, system activityandhardwaresettings,browsertype,browserlanguage,thedateandtimeofyourrequest and referral URL), broad geographic location (e.g. country or city-level location) and other technical data collected through cookies, pixel tags and other similar technologies that uniquely identify your browser. We may also collect information about how your device has interacted withourwebsite,includingpagesaccessedandlinksclicked.Wemayuseidentifiers to recognise you when you arrive at the Site via an external link, such as a link appearing on a third party site.

WHY WE SHARE PERSONAL INFORMATION WITH OTHER PARTIES

We take care to allow your personal information to be accessed only by those who really need to in order to perform their tasks and duties, and to share with third parties who have a legitimate purpose for accessing it. BlockState will never sell or rent your personal information. We will only share your information inthe following circumstances:

• We may share your information with service providers under contract who help with parts of our business operations such as bill collection, marketing, and technology services. Our contracts require these service providers to only use your information in connection with the services they perform for us, and prohibit them from selling your information to anyone else.
• We share your information with financial institutions with which we partner to process payments you have authorised.
• We may share your information with companies or other entities that we plan to merge with or be acquired by. Should such a combination occur, we will require that the new combined entity follow this Privacy Policy with respect to your personal information. You will receive prior notice of any change in applicable policies.
• We may share your information with companies or other entities that purchase BlockState assets pursuant to a court-approved sale under U.S. bankruptcy law and / or where we are required to share your information pursuant to insolvency law in the Switzerland or in any other jurisdiction;

We may share your information with law enforcement, officials, or other third parties when we are compelled to do so by a subpoena, court order, or similar legal procedure, or when we believe in good faith that the disclosure of personal information is necessary to prevent physical harm or financial loss, to report suspected illegal activity or to investigate violations of our User Agreement or any other applicable policies.

If you establish a BlockState Account indirectly on a third party website or via a third party application, any information that you enter on that website or application (and not directly on a BlockState website) will be shared with the owner of the third party website or application and your information will be subject to their privacy policies.

HOW PERSONAL INFORMATION IS SHARED WITH THIRD-PARTY SITES AND SERVICES

Please note that merchants you interact with may have their own privacy policies, and BlockState is not responsible for their operations, including, but not limited to, their information practices. Information collected by third parties, which may include such things as contact details or location data, is governed by their privacy practices. We encourage you to learn about the privacy practices of those thirdparties.

If you authorise one or more third-party applications to access your BlockState Account, then information you have provided to BlockState may be shared with those third parties. Unless you provide further authorisation, these third parties are not allowed to use this information for any purpose other than to facilitate your transactions using BlockState Services.

HOW WE PROTECT AND STORE PERSONAL INFORMATION

We understand how important your privacy is, which is why BlockState maintains (and requires its service providers to maintain) appropriate physical, technical and administrative safe- guards to protect the security and confidentiality of the personal information you entrust to us.

We may store and process all or part of your personal and transactional information, including certain payment information, such as your encrypted bank account and/or routing numbers, in the Switzerland and elsewhere in the world where our facilities or our service providers are located. We protect your personal information by maintaining physical, electronic, and procedural safeguards in compliance with the applicable laws and regulations.

For example, we use computer safeguards such as firewalls and data encryption, we enforce physical access controls to our buildings and files, and we authorise access to personal information only for those employees who require it to fulfill their job responsibilities. Full credit card data is securely transferred and hosted off-site by a payment vendor in compliance with Payment Card Industry Data Security Standards (PCI DSS). This information is not accessible to BlockState staff.

However, we cannot guarantee that loss, misuse, unauthorised acquisition, or alteration of your data will not occur. Please recognise that you play a vital role in protecting your own personal information. When registering with our Services, it is important to choose a password of sufficient length and complexity, to not reveal this password to any third-parties, and to immediately notify us if you become aware of any unauthorised access to or use of your account.

Furthermore, we cannot ensure or warrant the security or confidentiality of information you transmit to us or receive from us by Internet or wireless connection, including email, phone, or SMS, since we have no way of protecting that information once it leaves and until it reaches us. If you have reason to believe that your data is no longer secure, please contact us at the email address, mailing address or telephone number listed at the end of this Privacy Policy.

HOW YOU CAN ACCESS OR CHANGE YOUR PERSONAL INFORMATION

You are entitled to review, correct, or amend your personal information, or to delete that information where it is inaccurate. You may do this at any time by logging in to your account and clicking the Profile or My Account tab.

If you close your BlockState Account, we will mark your account in our database as “Closed,” but will keep your account information in our database for a period of time described above. This is necessary in order to deter fraud, by ensuring that persons who try to commit fraud will not be able to avoid detection simply by closing their account and opening a new account. However, if you close your account, your personal information will not be used by us for any further purposes, nor sold or shared with third parties, except as necessary to prevent fraud and assist law enforcement, as required by law, or in accordance with this Privacy Policy.

RIGHTS IN RELATION TO THE USE OF YOUR PERSONAL INFORMATION

Rights of access, correction and deletion

You have a right of access to the personal information that we hold about you under European data protection legislation, and to some related information. You can also require any inaccurate personal information to be corrected or deleted.

Right to object

You can object to our use of your personal information for direct marketing purposes at any time and you may have the right to object to our processing of some or all of your personal information (and require them to be deleted) in some other circumstances.

If you wish to exercise any of these rights, please contact us as set out below.

RETENTION OF PERSONAL INFORMATION

We store your personal information securely throughout the life of your BlockState Account. We will only retain your personal information for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting obligations or to resolve disputes. While retention requirements vary by jurisdiction, information about our typical retention periods for different aspects of your personal information are described below.

• Contact Information such as your name, email address and telephone number for marketing purposes is retained on an ongoing basis until you un-subscribe. Thereafter we will add your details to our suppression list indefinitely.
• Content that you post on our website such as support desk comments, photographs, videos, blog posts, and other content may be kept indefinitely after you close your account for audit and crime preventionpurposes.
• Recording of our telephone calls with you may be kept for a period of up to six years.
• Information collected via technical means such as cookies, webpage counters and other analytics tools is kept for a period of up to one year from expiry of the cookie.

CHILDREN’S PERSONAL INFORMATION

We do not knowingly request to collect personal information from any person under the age of 18. If a user submitting personal information is suspected of being younger than 18 years of age, BlockState will require the user to close his or her account and will not allow the user to continue using the Services of BlockState. We will also take steps to delete the information as soon as possible. Please notify us if you know of any individuals under the age of 18 using our Services so we can take action to prevent access to our Services.

INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION

While BlockState AG is based in Switzerland (which is not within the EEA), our service providers may store, transfer, and otherwise process your personal informationin countries outside of the country of your residence, including the United States, the Philippines, and possibly other countries. We use approved Model Contractual Clauses for the international transfer of personal information collected in the European Economic Area and Switzerland, or require that any third party located in the U.S. receiving your personal information is certified under the E.U.-U.S. and/or the Swiss-U.S. Privacy Shield Frameworks and require that the third party agree to at least the same level of privacy safeguards as required under applicable data protection laws.

If you have a complaint about our privacy practices and our collection, use or disclosure of personal information please contact us at [email protected]

EEA USERS & DATA

If you are a resident of the EEA, BlockState is a controller with respect to your personal information.

Legal bases for processing personal information

Our legal bases for processing under EEA Data Protection Law are described above in the sections entitled “How Your Information Is Used” and “Information From Third Party Partners.” We may process your personal information if you consent to the processing, to satisfy our legal obligations, if it is necessary to carry out our obligations arising from any contracts we entered with you, or to take steps at your request prior to entering into a contract with you, or for our legitimate interests to protect our property, rights or safety of BlockState, our customers or others.

Direct Marketing

If you are a current customer residing in the EEA, we will only contact you by electronic means (email or SMS) with information about our Services that are similar to those which were the subject of a previous sale or negotiations of a sale to you.

If you are a new customer and located in the EEA, we will contact you if you are located in the EU by electronic means for marketing purposes only if you have consented to such communication. If you do not want us to use your personal information in this way, or to pass your personal information on to third parties for marketing purposes, please go to the Privacy Rights Dashboard in your account to opt-out or contact us at [email protected] You may raise such objection with regard to initial or further processing for purposes of direct marketing, at any time and free of charge. Direct marketing includes any communications to you that are only based on advertising or promoting products and services

Individual Rights

EEA Residents have the following rights, which can be exercised by going to your Privacy Rights Dashboard or contacting us at [email protected] so that we may consider your request under applicable law.

Our Privacy Rights Dashboard allows you to set your communication preferences and make individual rights requests relating to your personal information. We encourage you to make any individual rights requests through the Privacy Rights Dashboard because it ensures that you have been authenticated already. Otherwise, when we receive an individual rights request via email we may take steps to verify your identity before complying with the request to protect your privacy and security.

• Right to withdraw consent. You have the right to withdraw your consent to the processing of your personal information collected on the basis of your consent at anytime. Your withdrawal will not affect the lawfulness of BlockState’s processing based on consent before your withdrawal.

• Right of access to and rectification of your personal information. You have a right to request that we provide you a copy of your personal information held by us. This information will be provided without undue delay subject to some fee associated with gathering of the information (as permitted by law), unless such provision adversely affects the rights and freedoms of others. You may also request us to rectify or update any of your personal information held by BlockState that is inaccurate. Your right to access and rectification shall only be limited where the burden or expense of providing access would be disproportionate to the risks to your privacy in the case in question, or where the rights of persons other than you would be violated.
• Right to erasure. You have the right to request erasure of your personal information that: (a) is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (b) was collected in relation to processing that you previously consented, but later withdraw such consent; or (c) was collected in relation to processing activities to which you object, and there are no overriding legitimate grounds for our processing. If we have made your personal information public and are obliged to erase the personal information, we will, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform other parties that are processing your personal information that you have re- quested the erasure of any links to, or copy or replication of your personal information. The above is subject to limitations by relevant data protection laws.
• Right to data portability. If we process your personal information based on a contract with you or based on your consent, or the processing is carried out by automated means, you may request to receive your personal information in a structured, commonly used and machine-readable format, and to have us transfer your personal information directly to another “controller”, where technically feasible, unless exercise of this right adversely affects the rights and freedoms of others. A “controller” is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of your personal information.
• Right to restriction of or processing. You have the right to restrict or object to us processing your personal information where one of the following applies:

  (a) You contest the accuracy of your personal information that we processed. In such instances, we will restrict processing during the period necessary for us to verify the accuracy of your personal information.

  (b) The processing is unlawful and you oppose the erasure of your personal information and request the restriction of its use instead.

  (c) We no longer need your personal information for the purposes of the processing, but it is required by you to establish, exercise or defense of legal claims.

  (d) You have objected to processing, pending the verification whether the legitimate grounds of BlockState’s processing override your rights.

  Restricted personal information shall only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. We will inform you if the restriction is lifted.

You can also complain about our processing of your personal information to the relevant data protection authority. You can complain in the EU member state where you live or work, or in the place where the alleged breach of data protection law has taken place. In Switzerland, the relevant data protection authority is the Eidgenössischer Datenschutz- und Oeffentlichkeitsbeauftragter (EDÖB).

Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter

Feldeggweg 1

3003 Bern

Switzerland