Suward
Legal

Privacy Policy

Last updated: 2026-06-19

A short summary of this policy. It does not replace the full text below.

1. Data Controller

The legal entity and the DPO contact. See Contact.

2. Data We Collect

We do not collect more than we need; the list below is to be reconciled with the actual database models. Account: email, password (hash), 2FA secrets, Telegram identifiers (if linked). Usage: projects, API keys (metadata), payments (amounts, addresses, statuses, externalId, metadata), withdrawals. Technical: IP, device, logs, cookies. See the Cookie Policy.

3. How We Use Data

Providing the Service, security and anti-fraud, AML/KYC obligations (see AML/KYC), and communications.

5. Cookies and Tracking

A brief summary, plus a link to the Cookie Policy.

6. Third Parties / Processors

We use a small set of processors: DigitalOcean for hosting (fra1 region, EU) and Resend for transactional email. We use no third-party analytics in v1. Processors that do not exist are not listed.

7. International Transfers

Hosting is located in the EU (DigitalOcean, fra1 region). Where data is transferred outside the EEA, we rely on Standard Contractual Clauses to keep the level of protection.

8. Data Retention

We keep data by category, and AML data is retained longer as required by law. The table below sets out each retention period.

9. Your Rights

Access, correction, deletion, portability, objection; and how they are exercised (profile PATCH /v1/users/me, deletion DELETE /v1/users/me; other requests via Contact).

10. Data Security

Encryption, 2FA, access control, multi-tenancy. See Security.

11. Children's Privacy

The Service is not intended for minors.

12. Changes to This Policy

How changes to this policy are made and announced.

13. Contact / Complaints

Data controller / DPO contact: CryLabs Org, privacy@suward.com. You also have the right to lodge a complaint with a supervisory authority.

| Data category | Purpose | Legal basis | Retention |
| --- | --- | --- | --- |
| Account data | Service provision | Contract (Art. 6(1)(b)) | Lifetime of the account + 30 days |
| Payment data | Service provision, AML | Contract + Legal obligation | 5 years (AML requirement) |
| Technical / logs | Security, anti-fraud | Legitimate interests (Art. 6(1)(f)) | 12 months |
| Cookies / preferences | UX, analytics | Consent (Art. 6(1)(a)) | Up to 12 months |

Data category → purpose → legal basis → retention