At Nebeus, we prioritize your privacy and are committed to complying with the General Data Protection Regulation (GDPR). As part of this commitment, you have the right to request the deletion of your personal data (also referred to as the "right to be forgotten") under Article 17 of the GDPR.

How to Submit a Data Erasure Request

To request the deletion of your personal data, you can contact us in the following ways:

• Customer Support: Email us at [email protected]. Our customer support team will verify your request and forward it to our Data Protection Officer (DPO) for processing.
• Direct Contact with DPO: Alternatively, you can directly email our DPO at [email protected] for handling your request.

Verification Process

Upon receiving your request, we will:

1. Authenticate the Request: We will require you to verify your identity (e.g., a copy of a valid ID or other identification documents) to ensure that the request is legitimate and to avoid any unauthorized access to your personal data.
2. Acknowledge Your Request: We will send an acknowledgment of your request within 10 business days of receiving it.

Legal Deadlines for Processing Requests

Once your request has been authenticated:

• We will complete the request within one month from the date of receipt, as required under Article 12(3) GDPR.
• In cases where the request is complex or if we receive a high volume of requests, we may extend this period by up to two additional months. If this is necessary, we will inform you within the initial one-month period and explain the reason for the delay, as provided under Article 12(3) GDPR.

Data Eligible for Erasure

After verifying your identity, we will:

1. Review Legal Obligations: We will assess whether any data must be retained due to legal obligations, including:
• Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations, which may require us to retain transaction and identification data for a period of up to 5 years as mandated by law.
• Legal or regulatory requirements under Article 6(1)(c) GDPR that necessitate retaining data for compliance purposes.
2. Erase the Following Data (if eligible):
• Personal Information: Your name, date of birth, and identification numbers.
• Contact Information: Email addresses, phone numbers, and physical addresses.
• Account Information: Usernames, account IDs, and passwords.
• Financial Information: Credit card or bank account details, except for financial transactions which may be retained for legal or auditing purposes.
• Cookies and Tracking Data: Preferences, analytics, or behavior-related data collected from your browsing activities.
• Marketing Preferences: You will be removed from mailing lists or marketing databases.

Data That May Not Be Erased

Certain categories of data may need to be retained under GDPR and other legal regulations, including:

• Financial Records: Transactional data required for financial reporting or auditing, retained for up to 5 years under applicable laws.
• Blockchain Data: Due to the immutable nature of blockchain technology, personal data cannot be deleted; however, identifying information tied to blockchain transactions will be anonymized.
• Ongoing Legal Claims: Data may be retained if required for ongoing legal claims or disputes, as allowed under Article 17(3) GDPR.

If any of your data cannot be deleted due to legal obligations, we will notify you of the specific reasons and the duration for which it must be retained.

Third-Party Data Processors

If your personal data has been shared with third-party processors (e.g., marketing platforms or payment processors), we will notify these parties of your request for data erasure in accordance with Article 19 GDPR. We will ensure that these third parties comply with your request and confirm the deletion of your data.

Confirmation of Data Erasure

Once your request has been fulfilled:

• Data Erasure Confirmation: We will notify you that your personal data has been erased within the legally required timeframe.
• Explanation of Retained Data: If some data could not be deleted due to legal reasons, we will provide a clear explanation, including the legal basis and retention period, in compliance with Article 13(2)(d) GDPR.

Your Rights

As a data subject, you retain the following rights under GDPR:

• Right of Access (Article 15 GDPR): You can request access to the personal data we hold about you.
• Right to Rectification (Article 16 GDPR): You can request correction of inaccurate or incomplete data.
• Right to Restriction of Processing (Article 18 GDPR): In certain circumstances, you can request that we restrict the processing of your personal data instead of deleting it.

For any further questions about your rights or this policy, please contact our Data Protection Officer at [email protected].