This Data Privacy Policy outlines how Rintral Trading S.L.U., trading as Nebeus, collects, uses, discloses, and safeguards your personal data across all our websites, mobile applications, service platforms, and related operational environments. It applies to all individuals who interact with our services, including customers, users, partners, and visitors. This Policy must be read in conjunction with our Terms of Use, Cookie Policy, Data Erasure Policy, and any product-specific disclosures.
Nebeus processes personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR), as well as with Spanish national data protection laws (LOPDGDD). In addition, due to the nature of our services, covering digital asset custody, crypto-backed lending, e-money accounts, and fiat/crypto payment functionalities, we are also subject to sector-specific legal frameworks. These include the Markets in Crypto-Assets Regulation (MiCA), the Digital Operational Resilience Act (DORA), and anti-money laundering regulations under Spanish Law 10/2010 and corresponding EU directives.
This Policy reflects our operational commitment to data protection by design and by default, and aims to ensure the transparency, accountability, and security of all personal data processed throughout the lifecycle of our services.
By accessing or using our platform, you confirm that you have read and understood this Policy and agree to the data practices described herein.
For the purposes of this Policy, “personal data”, “processing”, “controller”, “processor”, and “data subject” shall have the meanings assigned under Article 4 of the GDPR. References to “crypto-assets” and “CASPs” are interpreted in accordance with the definitions set out in Regulation (EU) 2023/1114 (MiCA).
The entity responsible for determining the purposes and means of processing your personal data is Rintral Trading S.L.U., trading as Nebeus, a private limited liability company incorporated under the laws of Spain, with registered office at Carrer de Llacuna 11, 08003 Barcelona, and tax identification number B66096686. For the purposes of Article 4(7) of the GDPR, Nebeus acts as the data controller of all personal data collected through our platforms, apps, and services.
In cases where Nebeus collaborates with regulated third-party service providers—such as electronic money institutions (EMIs), crypto-asset custodians, or payment processors—each party shall act as an independent controller or processor, as defined by the applicable service-specific agreement and in accordance with Article 28 GDPR.
Nebeus has appointed a Data Protection Officer (DPO) to oversee compliance with data protection regulations, including GDPR, LOPDGDD, MiCA, and relevant ICT obligations under DORA. For any queries, data subject requests, or concerns regarding this Policy or our data practices, you may contact our DPO at:
Email: [email protected]
Postal Address: Carrer de Llacuna 11, 08003 Barcelona, Spain
In accordance with Article 5(1)(c) of the General Data Protection Regulation (GDPR), we only collect personal data that is adequate, relevant, and limited to what is strictly necessary in relation to the specific purposes for which it is processed. The categories of personal data we may collect directly from you, through automated means, or via third-party integrations include:
Depending on the services used, we may also process data related to compliance (e.g., KYC/AML verifications), crypto-asset holdings, risk assessments, or behavioural profiling, where such processing is justified by a legal obligation, contractual necessity, or your explicit consent.
We do not intentionally collect sensitive data (special categories under Article 9 GDPR) unless legally required, and we apply enhanced safeguards where such processing becomes unavoidable.
In line with the principle of accountability under Article 5(2) GDPR, Nebeus maintains detailed internal documentation of all data collection activities, including the purposes, categories, legal bases, and safeguards applied. These records form part of our Record of Processing Activities (ROPA) and are subject to regular internal audits and DPIAs (Data Protection Impact Assessments), especially for high-risk or automated processing operations.
In certain cases, and particularly in the context of fraud prevention, transaction scoring, or regulatory compliance checks, your data may be subject to automated decision-making, including profiling. Such processing is carried out strictly in accordance with Article 22 GDPR and applicable sectoral laws. You have the right to request human intervention, express your point of view, and contest any decision based solely on automated processing.
We collect personal data through a combination of direct interactions, automated technologies, and third-party integrations, in full compliance with the principles of lawfulness, fairness, and transparency under the GDPR.
i. Direct Interactions: You may provide personal data when you complete registration forms, verify your identity, update your profile, request services, participate in promotions, or communicate with our support team. These interactions may involve the submission of identity documents, utility bills, or other official records, especially for KYC and AML purposes.
ii. Automated Technologies: When you interact with our website or mobile application, we automatically collect technical data using cookies, web beacons, device fingerprinting, and similar tracking technologies. This may include details such as your browser type, language settings, operating system, screen resolution, time zone, installed plugins, and other device characteristics which may be used to generate a unique identifier. Device fingerprinting is used for purposes such as fraud prevention, security enhancement, and analytics. Where this processing is not strictly necessary for the provision of a service explicitly requested by you, it is carried out only with your explicit consent, in accordance with Article 6(1)(a) of the GDPR. Please refer to our Cookie Policy for further information on the technologies we use and how to manage your consent preferences.
iii. Biometric Identification: Where applicable, biometric data (such as facial features) may be collected and processed via secure third-party providers to verify your identity during onboarding (e.g., face matching with identity documents). This processing is based on your explicit consent and is subject to enhanced safeguards in accordance with Article 9(2)(a) GDPR and national biometric data laws.
iv. Server Logs and Access Data: We collect access logs including IP addresses, timestamps, and user-agent details to detect unauthorized access attempts, monitor system performance, and ensure service continuity, in line with our obligations under DORA for digital operational resilience.
v. Mobile App Data: Our apps may collect device-related data and usage statistics, including crash logs and performance metrics, to help us optimize your user experience and address technical issues. You may manage in-app permissions at any time.
vi. Third-Party Sources: We may receive data from regulated service providers, such as electronic money institutions, KYC verification platforms, blockchain monitoring tools, or sanction screening databases. These providers act as processors or independent controllers depending on the specific relationship, governed by GDPR-compliant agreements.
We use your personal data in strict compliance with the principles of purpose limitation, data minimisation, and legal accountability as outlined in the GDPR. Each processing activity is based on a clearly identified legal ground under Article 6(1) GDPR and, where applicable, aligned with sector-specific obligations under MiCA, DORA, and Spanish law. The purposes for which we process your data include:
In specific scenarios, we may use aggregated behavioural data to support fraud detection or operational monitoring using automated systems. These processes do not result in decisions producing legal effects or similar significant impact without human intervention, unless otherwise stated and consented to under Article 22 GDPR.
In line with Article 5(2) and Article 35 GDPR, Nebeus maintains full documentation of its processing activities through a central Record of Processing Activities (ROPA), which is reviewed by the Data Protection Officer. All high-risk processing, including biometric verification, employee monitoring, and cross-border data flows, is subject to a Data Protection Impact Assessment (DPIA). DPIAs are reviewed annually and updated following changes in technology, regulations, or processing scope.
We may share your personal data with third parties strictly for legitimate and defined purposes, and only where appropriate safeguards are in place to ensure GDPR compliance and data security. Each data transfer is subject to contractual, technical, and organisational controls in line with Articles 28–30 GDPR and, where applicable, sectoral regulations such as MiCA and DORA. The categories of third parties with whom we may share your data include:
A current list of sub-processors is maintained by our ICT Governance Committee and made available upon request. All sub-processors are subject to formal data processing agreements and undergo regular due diligence audits, including review of ISO/SOC/PCI certifications and incident response capabilities.
We do not sell, rent, or disclose your personal data to unauthorised third parties. Where data is shared across borders or outside the EEA, such transfers are subject to appropriate safeguards as outlined in Section 7 (International Transfers).
In certain circumstances, your personal data may be transferred to, stored in, or accessed from jurisdictions outside of Spain or the European Economic Area (EEA), including when we work with international service providers, cloud infrastructure vendors, or regulatory bodies operating in third countries.
Such transfers are carried out strictly in accordance with Chapter V of the GDPR, and only where one or more of the following appropriate safeguards are in place:
Before any such transfer, Nebeus performs a Transfer Impact Assessment (TIA) to evaluate the legal risks in the destination country and to adopt supplementary measures, where necessary, such as encryption, pseudonymisation, or access restrictions.
Where international transfers involve critical ICT or financial infrastructure providers (as defined under the Digital Operational Resilience Act - DORA), Nebeus ensures that additional resilience, monitoring, and subcontracting controls are in place in line with applicable supervisory expectations. You may request further information on the applicable safeguards by contacting our Data Protection Officer at [email protected].
We implement a comprehensive set of technical and organisational measures to ensure the confidentiality, integrity, availability, and resilience of personal data, in full alignment with Article 32 of the GDPR and the principles of digital operational resilience under the Digital Operational Resilience Act (DORA). Our security framework includes, but is not limited to:
In the event of a personal data breach, we follow a documented Incident Reporting Protocol aligned with Articles 33 and 34 GDPR and DORA. The protocol mandates breach notification to the supervisory authority within 72 hours and, where applicable, to affected data subjects without undue delay.
We retain personal data for no longer than is necessary to fulfil the specific purposes for which it was collected or to comply with statutory, contractual, or regulatory obligations, in line with the storage limitation principle under Article 5(1)(e) of the GDPR.
Our retention framework follows a purpose- and risk-based approach and is documented in our internal Record of Processing Activities (ROPA) and supporting Data Erasure Policy. Retention periods are determined by considering:
Examples include:
Where personal data is processed by third-party providers (e.g., AWS, Stripe), their retention and deletion procedures are subject to contractual controls aligned with our offboarding and data erasure standards, including API-based deletion and audit trace confirmation.
As a data subject, you have specific rights under Chapter III of the GDPR, which Nebeus is fully committed to respecting and facilitating. These rights empower you to understand and control how your personal data is used, and they are supported by our internal procedures, technical controls, and governance framework. You have the right to:
We may require identity verification before fulfilling any rights request, to prevent unauthorised access to your personal data. If you believe that we have not adequately addressed your request or that your rights have been infringed, you have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD) or your local supervisory authority.
We may update this Privacy Policy from time to time in response to evolving legal, regulatory, technical, or operational developments. All updates are made in accordance with our commitment to transparency and accountability under Article 12 GDPR.
In the event of any material change, such as a new purpose for processing, change in legal basis, or addition of new data categories, we will provide you with prior notice through appropriate channels (e.g., email notification, in-app message, or platform dashboard alert) and, where required, request renewed consent.
The version number and effective date of this Privacy Policy are clearly indicated at the top of the document. We encourage you to review the Policy periodically to stay informed of how we protect your personal data.
Continued use of our services following the publication of an updated Privacy Policy constitutes acceptance of the revised terms, unless otherwise stated or legally required.
If you have any questions, concerns, or requests related to this Privacy Policy or to the processing of your personal data, you may contact us through the following official channels:
Controller Name: Rintral Trading S.L.U., trading as Nebeus
Registered Office: Carrer de Llacuna 11, 08003 Barcelona, Spain
General Contact Email: [email protected]
Phone: +34 645099077
For matters specifically relating to data protection, please contact our appointed Data Protection Officer (DPO) at:
Email: [email protected]
Our DPO is registered with the Agencia Española de Protección de Datos (AEPD) and is responsible for overseeing our data protection compliance across all processing activities.
We aim to respond to all data protection inquiries within one month, in accordance with Article 12 GDPR. Complex or multi-step requests may require additional time, in which case you will be duly informe