Data Privacy Policy

1. Introduction

This Data Privacy Policy outlines how Rintral Trading S.L.U., trading as Nebeus, collects, uses, discloses, and safeguards your personal data across all our websites, mobile applications, service platforms, and related operational environments. It applies to all individuals who interact with our services, including customers, users, partners, and visitors. This Policy must be read in conjunction with our Terms of Use, Cookie Policy, Data Erasure Policy, and any product-specific disclosures.

Nebeus processes personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR), as well as with Spanish national data protection laws (LOPDGDD). In addition, due to the nature of our services, covering digital asset custody, crypto-backed lending, e-money accounts, and fiat/crypto payment functionalities, we are also subject to sector-specific legal frameworks. These include the Markets in Crypto-Assets Regulation (MiCA), the Digital Operational Resilience Act (DORA), and anti-money laundering regulations under Spanish Law 10/2010 and corresponding EU directives.

This Policy reflects our operational commitment to data protection by design and by default, and aims to ensure the transparency, accountability, and security of all personal data processed throughout the lifecycle of our services.

By accessing or using our platform, you confirm that you have read and understood this Policy and agree to the data practices described herein.

For the purposes of this Policy, “personal data”, “processing”, “controller”, “processor”, and “data subject” shall have the meanings assigned under Article 4 of the GDPR. References to “crypto-assets” and “CASPs” are interpreted in accordance with the definitions set out in Regulation (EU) 2023/1114 (MiCA).

2. Data Controller

The entity responsible for determining the purposes and means of processing your personal data is Rintral Trading S.L.U., trading as Nebeus, a private limited liability company incorporated under the laws of Spain, with registered office at Carrer de Llacuna 11, 08003 Barcelona, and tax identification number B66096686. For the purposes of Article 4(7) of the GDPR, Nebeus acts as the data controller of all personal data collected through our platforms, apps, and services.

In cases where Nebeus collaborates with regulated third-party service providers—such as electronic money institutions (EMIs), crypto-asset custodians, or payment processors—each party shall act as an independent controller or processor, as defined by the applicable service-specific agreement and in accordance with Article 28 GDPR.

Nebeus has appointed a Data Protection Officer (DPO) to oversee compliance with data protection regulations, including GDPR, LOPDGDD, MiCA, and relevant ICT obligations under DORA. For any queries, data subject requests, or concerns regarding this Policy or our data practices, you may contact our DPO at:

Email: [email protected]

Postal Address: Carrer de Llacuna 11, 08003 Barcelona, Spain

3. Data Collection

In accordance with Article 5(1)(c) of the General Data Protection Regulation (GDPR), we only collect personal data that is adequate, relevant, and limited to what is strictly necessary in relation to the specific purposes for which it is processed. The categories of personal data we may collect directly from you, through automated means, or via third-party integrations include:

  1. Identity Data: Full name, date of birth, nationality, and government-issued identification numbers (such as ID card, passport, or national tax ID).
  2. Contact Data: Residential address, billing address, email address, and phone number(s).
  3. Financial Data: Bank account details, payment card information, SEPA or IBAN identifiers, wallet addresses, and transaction records related to fiat or crypto assets.
  4. Technical Data: IP address, device ID, browser type and version, time zone setting, operating system, platform, and other device/session metadata collected via tracking technologies (see Section 4).
  5. Usage Data: Information on how you interact with our platforms and services, including authentication logs, transaction frequency, session durations, and user navigation flows.
  6. Marketing and Communications Data: Your stated preferences regarding the receipt of direct marketing communications, language settings, and interaction history with marketing content.

Depending on the services used, we may also process data related to compliance (e.g., KYC/AML verifications), crypto-asset holdings, risk assessments, or behavioural profiling, where such processing is justified by a legal obligation, contractual necessity, or your explicit consent.

We do not intentionally collect sensitive data (special categories under Article 9 GDPR) unless legally required, and we apply enhanced safeguards where such processing becomes unavoidable.

In line with the principle of accountability under Article 5(2) GDPR, Nebeus maintains detailed internal documentation of all data collection activities, including the purposes, categories, legal bases, and safeguards applied. These records form part of our Record of Processing Activities (ROPA) and are subject to regular internal audits and DPIAs (Data Protection Impact Assessments), especially for high-risk or automated processing operations.

In certain cases, and particularly in the context of fraud prevention, transaction scoring, or regulatory compliance checks, your data may be subject to automated decision-making, including profiling. Such processing is carried out strictly in accordance with Article 22 GDPR and applicable sectoral laws. You have the right to request human intervention, express your point of view, and contest any decision based solely on automated processing.

4. Methods of Collection

We collect personal data through a combination of direct interactions, automated technologies, and third-party integrations, in full compliance with the principles of lawfulness, fairness, and transparency under the GDPR.

  i. Direct Interactions: You may provide personal data when you complete registration forms, verify your identity, update your profile, request services, participate in promotions, or communicate with our support team. These interactions may involve the submission of identity documents, utility bills, or other official records, especially for KYC and AML purposes.

  ii. Automated Technologies: When you interact with our website or mobile application, we automatically collect technical data using cookies, web beacons, device fingerprinting, and similar tracking technologies. This may include details such as your browser type, language settings, operating system, screen resolution, time zone, installed plugins, and other device characteristics which may be used to generate a unique identifier. Device fingerprinting is used for purposes such as fraud prevention, security enhancement, and analytics. Where this processing is not strictly necessary for the provision of a service explicitly requested by you, it is carried out only with your explicit consent, in accordance with Article 6(1)(a) of the GDPR. Please refer to our Cookie Policy for further information on the technologies we use and how to manage your consent preferences.

  iii. Biometric Identification: Where applicable, biometric data (such as facial features) may be collected and processed via secure third-party providers to verify your identity during onboarding (e.g., face matching with identity documents). This processing is based on your explicit consent and is subject to enhanced safeguards in accordance with Article 9(2)(a) GDPR and national biometric data laws.

  iv. Server Logs and Access Data: We collect access logs including IP addresses, timestamps, and user-agent details to detect unauthorized access attempts, monitor system performance, and ensure service continuity, in line with our obligations under DORA for digital operational resilience.

  v. Mobile App Data: Our apps may collect device-related data and usage statistics, including crash logs and performance metrics, to help us optimize your user experience and address technical issues. You may manage in-app permissions at any time.

  vi. Third-Party Sources: We may receive data from regulated service providers, such as electronic money institutions, KYC verification platforms, blockchain monitoring tools, or sanction screening databases. These providers act as processors or independent controllers depending on the specific relationship, governed by GDPR-compliant agreements.

5. Data Usage

We use your personal data in strict compliance with the principles of purpose limitation, data minimisation, and legal accountability as outlined in the GDPR. Each processing activity is based on a clearly identified legal ground under Article 6(1) GDPR and, where applicable, aligned with sector-specific obligations under MiCA, DORA, and Spanish law. The purposes for which we process your data include:

  1. Service Provision: To provide, operate, and maintain your access to our platform and services, including e-wallets, crypto-backed loans, IBAN accounts, or other regulated financial features. This processing is necessary for the performance of a contract with you (Article 6(1)(b) GDPR).
  2. Transaction Processing: To execute and record transactions—both in fiat and digital assets—and to issue related documentation such as confirmations, invoices, or settlement reports. This includes smart contract interaction where applicable. Legal basis: performance of a contract (Article 6(1)(b)).
  3. Account Management: To manage your account lifecycle, including onboarding (KYC/KYB), ongoing verification, profile updates, authentication, and secure access controls.
  4. Service Improvement: To analyse usage data and system interactions in order to develop new features, fix issues, and improve user experience. This is done on the basis of our legitimate interest to ensure continuous service improvement (Article 6(1)(f)).
  5. Customer Communication: To respond to your inquiries, provide technical support, resolve complaints, and notify you of changes to our services or terms. This includes transactional and account-related messaging (Article 6(1)(b) or (c) depending on context).
  6. Marketing Communications: To send you promotional content, service updates, and targeted offers, but only where you have provided explicit consent (Article 6(1)(a)). You may withdraw your consent at any time without affecting prior communications.
  7. Compliance and Risk Management: To fulfil legal obligations under GDPR, MiCA, Spanish AML laws, and other regulatory frameworks. This includes fraud detection, sanction screening, audit trail retention, and cooperation with competent authorities (Article 6(1)(c) and, where necessary, (f)).
  8. Security and Operational Resilience: To monitor platform integrity, ensure ICT continuity, detect anomalies, and comply with DORA requirements for incident management and digital resilience (Article 6(1)(f) GDPR; Regulation (EU) 2022/2554).

In specific scenarios, we may use aggregated behavioural data to support fraud detection or operational monitoring using automated systems. These processes do not result in decisions producing legal effects or similar significant impact without human intervention, unless otherwise stated and consented to under Article 22 GDPR.

6. Accountability and DPIA Governance

In line with Article 5(2) and Article 35 GDPR, Nebeus maintains full documentation of its processing activities through a central Record of Processing Activities (ROPA), which is reviewed by the Data Protection Officer. All high-risk processing, including biometric verification, employee monitoring, and cross-border data flows, are subject to a Data Protection Impact Assessment (DPIA). DPIAs are reviewed annually and updated following changes in technology, regulations, or processing scope.

7. Data Sharing

We may share your personal data with third parties strictly for legitimate and defined purposes, and only where appropriate safeguards are in place to ensure GDPR compliance and data security. Each data transfer is subject to contractual, technical, and organisational controls in line with Articles 28–30 GDPR and, where applicable, sectoral regulations such as MiCA and DORA. The categories of third parties with whom we may share your data include:

  1. Service Providers (Processors): We engage third-party vendors to support the delivery and operation of our services, including identity verification (KYC/KYB), payment processing, crypto-asset custody, transaction settlement, analytics, cloud hosting, customer communication tools, and compliance screening platforms. These providers process data on our behalf under written Data Processing Agreements (DPAs) as required by Article 28 GDPR, and are subject to periodic audits and security reviews.
  2. Regulated Business Partners (Joint Controllers or Independent Controllers): In certain cases, we collaborate with regulated financial institutions, such as Electronic Money Institutions (EMIs), Crypto-Asset Service Providers (CASPs), and Payment Service Providers (PSPs), who act as independent or joint controllers for specific services (e.g., card issuance, IBAN provision, staking, or lending). In such cases, you will be informed of the partner’s identity and their data protection role at the point of onboarding or activation.
  3. Legal Authorities and Supervisory Bodies: Where required by law, or when necessary to protect our legal rights, we may disclose your personal data to courts, law enforcement agencies, financial regulators, or supervisory authorities (such as SEPBLAC, CNMV, or the AEPD), in accordance with Article 6(1)(c) GDPR. This includes disclosures related to AML/CFT compliance, sanctions screening, tax reporting, or judicial orders.
  4. Corporate Transactions: If Nebeus is involved in a merger, acquisition, restructuring, or asset transfer, your personal data may be transferred to the acquiring entity as part of the transaction. Any such transfer will be carried out in full compliance with GDPR obligations regarding purpose limitation, data minimisation, and data subject notification.
  5. Professional Advisors: We may also share your data with legal, accounting, or audit professionals acting under confidentiality obligations, where necessary to ensure compliance with applicable laws or to defend our interests in legal proceedings.

A current list of sub-processors is maintained by our ICT Governance Committee and made available upon request. All sub-processors are subject to formal data processing agreements and undergo regular due diligence audits, including review of ISO/SOC/PCI certifications and incident response capabilities.

We do not sell, rent, or disclose your personal data to unauthorised third parties. Where data is shared across borders or outside the EEA, such transfers are subject to appropriate safeguards as outlined in Section 8 (International Transfers).

8. International Transfers

In certain circumstances, your personal data may be transferred to, stored in, or accessed from jurisdictions outside of Spain or the European Economic Area (EEA), including when we work with international service providers, cloud infrastructure vendors, or regulatory bodies operating in third countries.

Such transfers are carried out strictly in accordance with Chapter V of the GDPR, and only where one or more of the following appropriate safeguards are in place:

  1. Standard Contractual Clauses (SCCs) approved by the European Commission, which impose obligations on the recipient to ensure an adequate level of protection;
  2. An adequacy decision from the European Commission confirming that the destination country provides a level of protection essentially equivalent to the GDPR;
  3. Binding Corporate Rules (BCRs) in cases involving intra-group data transfers within multinational entities;
  4. Derogations under Article 49 GDPR, such as your explicit consent or the necessity of the transfer for the performance of a contract.

Before any such transfer, Nebeus performs a Transfer Impact Assessment (TIA) to evaluate the legal risks in the destination country and to adopt supplementary measures, where necessary, such as encryption, pseudonymisation, or access restrictions.

Where international transfers involve critical ICT or financial infrastructure providers (as defined under the Digital Operational Resilience Act - DORA), Nebeus ensures that additional resilience, monitoring, and subcontracting controls are in place in line with applicable supervisory expectations. You may request further information on the applicable safeguards by contacting our Data Protection Officer at [email protected].

9. Data Security

We implement a comprehensive set of technical and organisational measures to ensure the confidentiality, integrity, availability, and resilience of personal data, in full alignment with Article 32 of the GDPR and the principles of digital operational resilience under the Digital Operational Resilience Act (DORA). Our security framework includes, but is not limited to:

  1. Data Encryption: All personal data is encrypted both in transit (TLS) and at rest using strong, industry-standard cryptographic protocols to prevent unauthorised access or disclosure.
  2. Access Controls and Identity Management: We enforce role-based access controls (RBAC), strong authentication mechanisms (including multi-factor authentication), and strict user privilege segregation to ensure that personal data is only accessible by authorised personnel on a need-to-know basis.
  3. Regular Security Assessments and Audits: We conduct internal and third-party security audits, vulnerability scans, and penetration tests on a regular basis. Identified risks are documented, prioritised, and mitigated through formal remediation workflows.
  4. System Monitoring and Intrusion Detection: Our systems are monitored in real time to detect anomalies, unauthorised access attempts, or operational failures. Incident logs are retained in secure environments and reviewed by dedicated security teams.
  5. Data Segregation: Personal data is logically segregated by user and service layer to minimise exposure and support containment strategies in the event of a breach.
  6. Business Continuity and Disaster Recovery (BC/DR): We maintain robust backup procedures, recovery plans, and service continuity protocols to ensure data availability and integrity even during major incidents or outages.
  7. Third-Party Security Controls: All service providers processing personal data on our behalf are contractually bound to apply equivalent technical and organisational security measures. Providers are vetted and continuously monitored in accordance with our third-party risk management policies.

In the event of a personal data breach, we follow a documented Incident Reporting Protocol aligned with Articles 33 and 34 GDPR and DORA. The protocol mandates breach notification to the supervisory authority within 72 hours and, where applicable, to affected data subjects without undue delay.

10. Data Retention

We retain personal data for no longer than is necessary to fulfil the specific purposes for which it was collected or to comply with statutory, contractual, or regulatory obligations, in line with the storage limitation principle under Article 5(1)(e) of the GDPR.

Our retention framework follows a purpose- and risk-based approach and is documented in our internal Record of Processing Activities (ROPA) and supporting Data Erasure Policy. Retention periods are determined by considering:

  1. the legal basis for processing (e.g. contract, consent, legal obligation);
  2. the nature and sensitivity of the data;
  3. operational needs (e.g. audit trail, fraud detection, dispute resolution);
  4. applicable laws and sector-specific requirements (including MiCA, AML/CFT, and DORA);
  5. limitation periods under commercial, tax, and civil law.

Examples include:

  1. Client Identification and AML Data: Retained for a minimum of 10 years following termination of the business relationship, in compliance with Spanish Law 10/2010 and EU AML Directives;
  2. Transactional and Financial Records: Retained for at least 6 to 10 years, depending on the type of service and jurisdiction, to satisfy tax, audit, and supervisory requirements;
  3. Consent Records and Marketing Preferences: Retained until withdrawn or no longer relevant, subject to auditability under Article 7 GDPR;
  4. Security Logs, Access Records, and System Events: Retained in accordance with DORA-aligned operational resilience timelines, to ensure auditability, traceability, and breach notification capabilities;
  5. Contracts, Communications, and Support Tickets: Retained for the duration of the contractual relationship and a statutory post-termination period (typically 5–6 years) to support legal defence or compliance reviews.

Where personal data is processed by third-party providers (e.g., AWS, Stripe), their retention and deletion procedures are subject to contractual controls aligned with our offboarding and data erasure standards, including API-based deletion and audit trace confirmation.

11. Your Rights

As a data subject, you have specific rights under Chapter III of the GDPR, which Nebeus is fully committed to respecting and facilitating. These rights empower you to understand and control how your personal data is used, and they are supported by our internal procedures, technical controls, and governance framework. You have the right to:

  1. Access (Article 15 GDPR): Request confirmation as to whether or not personal data concerning you is being processed, and if so, obtain access to such data along with relevant information about the processing.
  2. Rectification (Article 16): Request correction of inaccurate personal data or completion of incomplete data, without undue delay.
  3. Erasure (‘Right to be Forgotten’, Article 17): Request the deletion of your personal data where one of the conditions under GDPR applies, such as withdrawal of consent, unlawful processing, or expiry of retention obligations.
  4. Restriction of Processing (Article 18): Request that we limit the processing of your data under certain conditions (e.g., contestation of accuracy, objection to processing), whereby the data will only be stored but not further processed.
  5. Data Portability (Article 20): Receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, and request that it be transmitted to another controller where technically feasible.
  6. Objection (Article 21): Object, on grounds relating to your particular situation, to the processing of your personal data based on our legitimate interests, or for direct marketing purposes, including profiling.
  7. Withdraw Consent (Article 7(3)): Where processing is based on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing carried out before its withdrawal.
  8. Not to be Subject to Automated Individual Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you, unless such decision is necessary for entering into, or performing, a contract, is authorised by law, or is based on your explicit consent.

To exercise your rights, you may contact us at any time at [email protected] or [email protected]. We will respond to your request without undue delay and in any event within one month of receipt, in accordance with Article 12 GDPR. This period may be extended by two further months in complex cases, in which case you will be informed.

We may require identity verification before fulfilling any rights request, to prevent unauthorised access to your personal data. If you believe that we have not adequately addressed your request or that your rights have been infringed, you have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD) or your local supervisory authority.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time in response to evolving legal, regulatory, technical, or operational developments. All updates are made in accordance with our commitment to transparency and accountability under Article 12 GDPR.

In the event of any material change, such as a new purpose for processing, change in legal basis, or addition of new data categories, we will provide you with prior notice through appropriate channels (e.g., email notification, in-app message, or platform dashboard alert) and, where required, request renewed consent.

The version number and effective date of this Privacy Policy are clearly indicated at the top of the document. We encourage you to review the Policy periodically to stay informed of how we protect your personal data.

Continued use of our services following the publication of an updated Privacy Policy constitutes acceptance of the revised terms, unless otherwise stated or legally required.

13. Contact Us

If you have any questions, concerns, or requests related to this Privacy Policy or to the processing of your personal data, you may contact us through the following official channels:

Controller Name: Rintral Trading S.L.U., trading as Nebeus

Registered Office: Carrer de Llacuna 11, 08003 Barcelona, Spain

General Contact Email: [email protected]

Phone: +34 645099077

For matters specifically relating to data protection, please contact our appointed Data Protection Officer (DPO) at:

Email: [email protected]

Our DPO is registered with the Agencia Española de Protección de Datos (AEPD) and is responsible for overseeing our data protection compliance across all processing activities.

We aim to respond to all data protection inquiries within one month, in accordance with Article 12 GDPR. Complex or multi-step requests may require additional time, in which case you will be duly informe
