Privacy Notice

Effective date: 9 May 2026 Controller: Dofamine Holdings Ltd., Nicosia, Cyprus Contact (privacy): privacy@dofamine.io Data Protection Officer: dpo@dofamine.io EU representative (Art 27 GDPR): to be appointed; until then dpo@dofamine.io

This Notice explains how Dofamine collects, uses, discloses and safeguards personal data when (a) merchants and their staff use our dashboard and API ("Merchant Data"), and (b) end-customers transact through our merchants ("End-Customer Data"). It is written to satisfy the EU GDPR (Regulation 2016/679), the UK GDPR and Data Protection Act 2018, and equivalent laws.

We act as controller of Merchant Data and as processor of End-Customer Data on behalf of the merchants. The Data Processing Agreement (DPA) governs our role as processor.

1. Categories of personal data

| Category | Examples | |---|---| | Identification | name, date of birth, ID document image, passport number, photograph of UBO | | Contact | email, phone, postal address | | Account | hashed password, 2FA secret, login IP, login user-agent | | Corporate | role inside merchant, employer, position | | Financial | masked card BIN/last4, IBAN, wallet address, transaction amount, currency | | Behavioural | API usage logs, dashboard clicks (aggregated), error traces | | Risk | fraud signals, sanctions match score, dispute history | | Special categories | none requested; if a passport reveals nationality, that nationality is processed solely for KYB |

2. Sources

Personal data comes from (a) you, when you create an account, complete KYB, or submit a transaction; (b) public registers (commercial registry, sanction lists, PEP lists); (c) connector-side webhooks (Stripe, YooKassa, etc.); and (d) automatically from your device (browser, IP).

3. Purposes and lawful bases

| Purpose | Lawful basis (GDPR) | |---|---| | Account creation, dashboard access | Art 6(1)(b) — contract | | Processing transactions and payouts | Art 6(1)(b) — contract | | KYB, sanctions and PEP screening | Art 6(1)(c) — legal obligation (AMLD), Art 6(1)(f) — legitimate interest in preventing crime | | Fraud detection (rules + scoring) | Art 6(1)(f) — legitimate interest in security | | Dispute and chargeback handling | Art 6(1)(b) — contract; Art 6(1)(f) — defending legal claims | | Aggregated analytics & product improvement | Art 6(1)(f) — legitimate interest | | Service announcements (transactional emails) | Art 6(1)(b) — contract | | Marketing newsletters | Art 6(1)(a) — consent (opt-in only) | | Compliance with court orders, regulators | Art 6(1)(c) — legal obligation |

You may object to processing based on Art 6(1)(f) at any time (§ 8.4).

4. Recipients

We share personal data only as needed:

• Connectors and acquirers: Stripe Inc., Stripe Payments Europe Ltd., YooKassa, USDT/USDC validators, and any other processor enabled in your dashboard. Each is a separate controller for its own processing.
• Sanctions/PEP screener: OpenSanctions / equivalent. They receive names, dates of birth and countries.
• Sub-processors (acting under our instructions): cloud hosting (Hetzner Online GmbH, Germany), database/object storage (managed inside our Hetzner tenancy), email gateway, observability vendor. The current list is in DPA Annex 3 and is updated with 30 days' notice.
• Auditors and lawyers: under confidentiality.
• Public authorities: only when legally compelled (court order, FIU request, AML Suspicious Transaction Report).

We do not sell personal data and we do not use it for cross-context behavioural advertising.

5. International transfers

Our servers are located in the European Economic Area (Hetzner, Nuremberg and Helsinki). Some sub-processors may process data in the United States or the United Kingdom. Transfers outside the EEA rely on:

• the EU Commission's adequacy decisions (UK adequacy, Swiss adequacy) where applicable;
• the 2021 Standard Contractual Clauses (Module 2 controller-to- processor, Module 3 processor-to-processor) supplemented by the UK IDTA Addendum;
• supplementary measures: encryption in transit (TLS 1.3) and at rest (AES-256-GCM with envelope keys), pseudonymisation where feasible, and contractual challenge of disproportionate access requests.

A copy of the SCCs is available on request.

6. Retention

| Data | Retention | |---|---| | Active account and dashboard logs | duration of contract | | KYB documents | duration of contract + 5 years (AMLD requirement) | | Transaction, refund, payout records | 10 years (Cyprus VAT and AML rules) | | Sanctions/PEP match decisions | 10 years | | Audit log | 10 years (immutable, append-only) | | Aggregated, non-identifying analytics | up to 24 months | | Marketing list | until opt-out + 30 days reconciliation | | Backup copies | up to 35 days rolling, then automatic deletion |

Where law permits, we anonymise instead of deleting.

7. Security

We apply technical and organisational measures listed in DPA Annex 2, including:

• TLS 1.3 for all traffic; HSTS preload;
• AES-256-GCM envelope encryption for KYB documents and other sensitive fields;
• role-based access control (RBAC) with least privilege and 2FA for staff;
• IP allow-listing for admin operations;
• append-only audit log with database trigger preventing UPDATE/DELETE;
• daily encrypted backups, restore tested quarterly;
• ISO 27001 controls (certification in progress);
• 24-hour breach detection target and 72-hour breach notification per Art 33 GDPR.

8. Your rights

If we hold personal data about you, you have the right to:

1. Access a copy (Art 15);
2. Rectify inaccurate data (Art 16);
3. Erase data ("right to be forgotten", Art 17). We may retain limited data for legal obligations (KYB, AML, accounting). Use the Erase my account button in Account → Privacy or call DELETE /api/account/erase;
4. Restrict processing (Art 18);
5. Portability — receive an export of your data in JSON via GET /api/account/export (Art 20);
6. Object to processing based on legitimate interest (Art 21);
7. Withdraw consent for marketing at any time (link in every email);
8. Lodge a complaint with your local supervisory authority. Cyprus: Office of the Commissioner for Personal Data Protection (https://www.dataprotection.gov.cy).

We respond within 30 days (extendable by 60 days for complex requests) at no cost, unless requests are manifestly unfounded or excessive (Art 12(5)).

9. Automated decision-making

Fraud scoring and sanctions screening involve automated decisions that may result in declined transactions or account suspension. You have the right to obtain human review by contacting support@dofamine.io. We do not run fully automated decisions that produce legal effects without a human in the loop on KYB outcomes.

10. Cookies

Our dashboard and checkout use cookies described in our Cookie Policy. The banner lets you accept analytics and marketing cookies separately. Necessary cookies (session, CSRF token, theme) cannot be disabled because the Service does not function without them. We honour the Sec-GPC: 1 header by treating it as opt-out of analytics and marketing.

11. Children

The Service is not directed to natural persons under 18. We do not knowingly collect personal data from children.

12. Changes to this Notice

Material changes will be announced via email and dashboard banner at least 30 days before they take effect. The version date at the top of this document indicates the latest revision.

Privacy contact: privacy@dofamine.io · DPO: dpo@dofamine.io