Data Privacy Policy

1. Identity of the Data Controller


The processing of personal data provided by users is carried out by:
Rintral Trading S.L.U.
C/ Llacuna 11, 3rd floor, 08005 Barcelona, Spain
CIF: B66096686
For any inquiries related to data protection or the exercise of rights, users may contact:
Rintral has appointed a Data Protection Officer (DPO), responsible for monitoring regulatory compliance and ensuring that data processing is carried out with the highest guarantees. The DPO can be reached at:
Through this address, we respond directly, transparently, and diligently to any request or concern regarding privacy.

2. Data We Process


Rintral only processes the personal data necessary to provide the services offered through the platform and to comply with our legal and contractual obligations. Depending on the service used and the required verification level, we may process the following categories of data:

Identification data
Name, surname, date of birth, nationality, identity document (ID/NIE/passport), and contact details (email address, phone number).

Data derived from the use of the Platform

Information related to the customer’s activity within Rintral, including:
▪ Encrypted credentials and access data
▪ History of transactions carried out
▪ Usage preferences and account settings

Data required for regulatory compliance (AML/KYC)

As a company subject to anti-money laundering regulations, we must collect and retain additional information to verify the user’s identity and assess risk. This includes:
▪ Information verified through authorized KYC providers
▪ Results of automatic or semi-automatic screenings against mandatory lists (PEPs, sanctions, prohibited lists)
▪ Documentary evidence required by applicable regulations

Financial data
Data related to the services used:
▪ Information about the payment methods used by the user (limited and handled in accordance with PCI-DSS, where applicable)
▪ Records of transactions and movements within the platform

Technical data
Information necessary to ensure service security and continuity:
▪ IP address, connection logs, device type, browser, technical behavior, and performance metrics
▪ Data generated by our protection systems (anti-fraud, security, and monitoring)

Data from external providers
When necessary for service delivery or information verification, we may receive data from:
▪ Identity verification providers
▪ Financial or custodial institutions involved in transaction execution
▪ Platforms enabling electronic signatures, internal communications, or technical support

3. Purposes of Processing


Rintral processes users’ personal data solely for legitimate, explicit purposes directly related to the secure and compliant provision of its services. The main purposes include:

Provision of services through the platform

We manage the data necessary to create and maintain the user account, ensure secure access, process requests, execute transactions, and deliver a seamless user experience.

Compliance with legal and regulatory obligations
As an entity subject to financial and anti-money laundering regulations, we process data to:
▪ Verify users’ identities (KYC)
▪ Prevent fraud, money laundering, and terrorism financing (AML/CFT)
▪ Retain mandatory evidence and records
▪ Respond to requests from competent authorities when legally required

This processing is based on applicable European legislation, including Regulation (EU) 2016/679 (GDPR), Law 10/2010, Law 34/2002, and sectoral regulations derived from MiCA.

Platform security and operational continuity

We process technical and usage data to:
▪ Detect unauthorized access, security incidents, or anomalous behaviors
▪ Protect infrastructure, prevent attacks, and ensure service resilience
▪ Generate technical logs needed for security audits, forensic analysis, and operational compliance

Administrative and contractual management

This includes handling user requests, operational communications, invoicing where applicable, and maintaining the contracted service.

Handling inquiries, claims, or rights requests
We use the data provided by users to respond to requests submitted through official channels (support, legal assistance, privacy, or technical issues).

Prevention and detection of unlawful or unauthorized activities
Rintral uses automated systems and manual checks to identify irregular patterns, prevent fraud, and ensure appropriate use of the service.

Legitimate interest purposes

In certain cases, Rintral may process data based on its legitimate interests, always assessed through a balancing test:
▪ Enhancing service security
▪ Detecting operational errors
▪ Optimizing platform functionalities

Under no circumstances are decisions that produce significant legal effects for users based solely on automated processing without meaningful human involvement.

4. Legal Basis for Processing


Rintral processes personal data only when there is a valid legal basis in accordance with Regulation (EU) 2016/679 (GDPR). Primarily, processing is necessary for the performance of the contract entered into with the user, as it enables the establishment of the relationship, identity verification, secure access to the platform, and provision of the services available through Rintral’s environment. Without such processing, it would not be possible to deliver the contracted functionalities or ensure their operational continuity.

Additionally, Rintral must process certain data to comply with applicable legal obligations, including those arising from anti-money laundering and terrorism financing regulations, the MiCA Regulation, the DORA framework, and other accounting, tax, and commercial laws. These obligations involve document verification, record retention, transaction analysis, and, when applicable, responding to administrative or judicial requests.

In some cases, processing is based on Rintral’s legitimate interest, always assessed through a balancing test and limited to strictly necessary and proportionate purposes such as fraud prevention, platform security, technical monitoring to ensure service stability, or responding to operational inquiries. This legitimate interest never overrides the user’s rights and freedoms, and users may object to such processing when applicable.

Processing based on consent is used only when the user provides it expressly and voluntarily, for example, to receive marketing communications, accept non-essential cookies, or participate in optional initiatives. Consent may be withdrawn at any time without affecting the ordinary use of the service.

Lastly, in specific situations requiring it, Rintral may process data in the context of the public interest, particularly for the prevention, detection, or investigation of potential fraudulent or unlawful activities, always in accordance with applicable legal provisions and in cooperation with competent authorities.

Rintral applies enhanced security and logging controls in accordance with Regulation (EU) 2023/1114 (MiCA) and the DORA digital resilience framework. These include obligations related to transaction traceability, extended log retention, segregation of critical functions, end-to-end encryption, ICT incident management, and periodic operational resilience testing.

5. Categories of Personal Data Processed


Rintral processes only the data strictly necessary to provide its services and comply with applicable legal obligations. The categories of data handled may include identification data such as name, surname, date of birth, nationality, postal address, contact information, and official documents required for identity verification.

Data collected during the onboarding and verification process (“KYC”) may also include images or copies of documents, non-identifiable biometric information used for automated validation, and results from document authenticity checks.

During the use of the platform, contractual and operational data necessary for service execution is generated and processed, such as access logs, encrypted credentials, security settings, authentication tokens, transaction details, and data associated with permitted operations within Rintral. These data ensure proper service delivery, activity traceability, and the integrity of technical records.

For regulatory compliance purposes, Rintral may process additional information relevant to the prevention of money laundering and terrorist financing, including data on the origin of funds, risk classification, transaction analysis, checks against official lists, and supporting documentation required by AML/CFT regulations.

Additionally, technical data generated from the use of the application and IT systems is processed, such as IP addresses, device identifiers, activity logs, browser information, diagnostics and monitoring data, and other elements necessary to ensure the platform’s security, stability, anomaly detection, and technical resilience.

Rintral does not request or process special categories of data unless strictly necessary to comply with a legal request or to verify identity under exceptional circumstances, in which case such processing is carried out only under the conditions permitted by European regulations and with appropriate safeguards.

6. Source of the Data


The personal data we process originates primarily from the user, who provides it directly during the platform registration, identity verification process (“KYC”), contractual relationship formalization, and use of the services offered by Rintral. This information may include identification data, contact details, official documentation, and any other data necessary to verify identity and comply with applicable legal requirements.
Certain data are generated automatically through the use of the platform and Rintral’s technological systems, including access logs, technical identifiers, device information, security metrics, operational logs, and elements derived from interactions with our services. These data are used to ensure system security, integrity, traceability, and availability, as well as to prevent unauthorized access and fraudulent activities.
For regulatory compliance purposes, Rintral may receive information from providers specialized in document verification, fraud detection, or official list screening, always within the legal framework and under appropriate data protection agreements. This information complements the initial verification provided by the user and allows Rintral to meet anti-money laundering and counter-terrorism financing obligations.
Additionally, data relating to transactions or financial activities may be obtained from regulated providers integrated into the platform, to the extent strictly necessary for executing contracted services and ensuring operational security. In all cases, Rintral does not receive or access information beyond what is required for service provision and compliance with applicable regulations.

7. Recipients


Personal data may only be disclosed to third parties whose involvement is necessary for the proper delivery of services, for compliance with legal obligations, or for the protection of the legitimate interests of Rintral and its users.
In the ordinary course of operations, certain data may be processed by technology providers and regulated entities acting as data processors. These may include identity verification service providers, anti-fraud solutions, custodial and execution services offered by regulated third parties, secure messaging platforms, EU-based cloud service providers, and other essential services supporting Rintral’s infrastructure. All such third parties operate under specific data processing agreements, with appropriate guarantees regarding security, confidentiality, and adherence to documented instructions.
Data may also be disclosed to competent authorities (regulatory, judicial, or administrative) when legally required, particularly in matters relating to anti-money laundering, financial supervision, fraud detection, or compliance with formal legal requests. Under no circumstances is information provided to third parties for commercial or advertising purposes, or for purposes unrelated to the contractual relationship with the user.
Beyond these scenarios, Rintral does not transfer or share data with any other entity, and any future transfers will only be made after informing the user and ensuring all measures required by Regulation (EU) 2016/679 and applicable Spanish law are in place.

8. International Transfers


Rintral does not carry out international data transfers on a regular or systematic basis. All core processing infrastructure, including servers, databases, authentication systems, operational logs, and internal tools, is hosted within the European Union and operated by providers that comply with European data protection standards.
Only in exceptional cases, and strictly when necessary for the provision of certain technological services, might there be occasional access from outside the European Economic Area by providers acting as data processors. In such cases, Rintral ensures that any transfer is conducted in accordance with Articles 44 to 49 of Regulation (EU) 2016/679, applying mechanisms such as Standard Contractual Clauses (SCCs), Transfer Impact Assessments (TIAs), enhanced confidentiality obligations, and additional technical measures, including pseudonymization or robust encryption.
Rintral does not disclose personal data to third parties located outside the EU for commercial, marketing, or non-service-related purposes. All transfers are strictly limited to what is necessary, properly documented, and subject to continuous oversight by the Data Protection Officer.

9. Data Retention


Rintral retains personal data only for as long as strictly necessary to fulfill the purposes for which it was collected and to meet applicable legal, regulatory, and operational obligations relevant to an entity undergoing authorization under MiCA.

Retention periods are determined based on necessity, proportionality, and time limitation criteria, and are applied differently depending on the nature of each data type:

  1. Identification, contact, and KYC verification data: retained for 10 years after the termination of the contractual relationship, in accordance with anti-money laundering and counter-terrorism financing regulations (Law 10/2010 and its Regulation).
  2. Operational data and transaction records: stored for 10 years, in compliance with audit, operational security, and traceability requirements under MiCA, DORA, and Spanish financial regulations.
  3. Contractual data and communications with users: retained for 6 years to address potential tax, contractual, or legal claims.
  4. Data related to commercial or informational purposes: retained as long as valid consent exists, and until the user requests deletion or revokes consent.
  5. Technical logs, metadata, and security records: retained for 12 to 24 months, according to operational requirements defined in the ICT Policy, Security Monitoring Framework, and ENS regulations.

Once the relevant retention periods have expired, data is securely deleted using technical procedures documented in our Information Management Policy, including encrypted deletion, database cleansing, or irreversible anonymization where full deletion is not technically feasible.
In all cases, retention periods are applied in accordance with the principles of time limitation and data minimization under Regulation (EU) 2016/679, and are reviewed annually by the Data Protection Officer to ensure that no data is retained longer than necessary.

10. User Rights


As a user of Rintral, you may exercise your rights at any time as recognized by Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 (LOPDGDD). We handle all requests transparently, free of charge, and within the legally established deadlines.

The rights you may exercise include:

  1. Right of access: to request confirmation as to whether we process your personal data and to obtain a copy of the stored information.
  2. Right to rectification: to request the correction of inaccurate, incomplete, or outdated data.
  3. Right to erasure (“right to be forgotten”): to request the deletion of your data when it is no longer necessary for the purposes for which it was collected or when you withdraw your consent.
  4. Right to object: to object to the processing of your data in certain circumstances, particularly for processing based on legitimate interests or commercial purposes.
  5. Right to restriction of processing: to request the temporary suspension of processing while a request for rectification, objection, or complaint is being evaluated.
  6. Right to data portability: to receive your data in a structured, commonly used, and machine-readable format, or to request its direct transfer to another controller.
  7. Right to withdraw consent: if the processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  8. Right not to be subject to automated decision-making: we ensure that no user is subject solely to automated decisions that produce legal effects without meaningful human involvement.

How can you exercise your rights?

You can submit your request through any of the following channels:

  1. Email: [email protected]
  2. Data Protection Officer (DPO): [email protected]
  3. Postal address: Rintral Trading S.L.U., C/ Llacuna 11, 3rd floor, 08005 Barcelona, Spain

To ensure security, we may request identity verification before processing any personal data-related requests.

If you believe your request has not been properly addressed, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD).

11. Information Security


Rintral implements a security model designed to protect the confidentiality, integrity, availability, and authenticity of personal data in accordance with the GDPR, the Spanish National Security Framework (ENS), and the operational standards required by MiCA and DORA.

Our technological infrastructure and internal processes are secured through technical, organizational, and procedural controls, which are continuously reviewed by the ICT Governance Committee. Key measures include:

  1. Data encryption in transit and at rest using industry-standard protocols (TLS 1.2/1.3, AES-256 or equivalent), ensuring that all information remains protected during both communication and storage.
  2. Enhanced authentication systems, including multi-factor authentication (MFA) for all personnel accessing critical systems, and strict password management policies.
  3. Role-based access control (RBAC) and the principle of least privilege, with regular reviews approved by the ICT Committee.
  4. Continuous monitoring and logging of events, access, and relevant activities using logging tools, alerts, and user behavior analytics (UEBA), managed by the IT team and supervised by the DPO when personal data is involved.
  5. Threat and malware protection, with up-to-date antimalware tools, automated vulnerability scans, and both internal and external penetration tests.
  6. Infrastructure segmentation and resilience, relying on European cloud providers certified under ISO 27001 and GDPR, with geographic redundancy, encrypted backups, and regular recovery testing.
  7. Formal security incident management, under the “Incident Response Protocol”, which defines response times, escalation procedures, and regulatory obligations, ensuring a rapid and controlled reaction to any event.
  8. Ongoing assessment of critical vendors, in line with the “Third-Party Risk Management Policy”, ensuring that all third parties with data access meet equal or higher standards.

All these measures are part of Rintral’s cybersecurity and ICT risk management framework, which is regularly reviewed, updated, and validated to maintain an adequate level of protection against emerging threats.

12. Minors


Rintral’s services are not intended for individuals under the age of 18. We do not permit the registration, access, or use of the platform by minors, and specific controls are applied during the identity verification (KYC) process to prevent it.

If, in exceptional circumstances, we detect that an account has been created using a minor’s data:

  1. the account will be immediately blocked,
  2. the data will be securely deleted, and
  3. the individual who initiated the registration will be informed that the service cannot be provided.

If a parent or legal guardian believes that a minor may have provided us with personal data inappropriately, they can contact us at any time at [email protected] to request a review and removal of the data.

13. Changes to the Policy


Rintral may update this Privacy Policy when necessary to reflect relevant legal, operational, or technical changes. When such modifications are substantial or significantly affect the processing of personal data, users will be informed with reasonable notice through the usual channels (email, in-platform notification, or informational banner).
The updated version will always be accessible at www.nebeus.com, including the date of the last revision. Continued use of the services after the changes come into effect will imply acceptance of the updated version.

14. Applicable Law and Jurisdiction


This Privacy Policy is governed by Spanish and European data protection laws, including Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 (LOPDGDD).
Any disputes relating to its interpretation or application shall fall under the jurisdiction of the Courts and Tribunals of Barcelona, unless otherwise established by mandatory applicable law.

15. Validity, Contact and Versioning


This Policy enters into force on the indicated date and remains valid until formally updated.
For any questions related to this Policy or your personal data, you may contact us at:
  1. general: [email protected]
  2. DPO: [email protected]
  3. Postal address: C/ Llacuna 11, 3rd floor, 08005 Barcelona, Spain
