Privacy Policy

P-02 (02.2) Privacy Policy (EN)

Privacy Policy app.maritimedao.com
Ref: 02.2 | Version 2 | 26 March 2026

This Privacy Policy ("Policy") explains how Maritime DAO LLC ("we", "us", or "our") collects, uses, discloses, and protects personal data when you access or use app.maritimedao.com (the "Platform"). We are committed to protecting your privacy and comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), Latvian national data protection laws, and other applicable regulations.

The Platform operates exclusively as a technical distribution platform for tokenized bond instruments issued by independent client special purpose vehicles. We act as data controller to the extent described below.

1. Who we are and your EU representative

Data controller: Maritime DAO LLC, Reg. No. -10087-24, 852 Long Island Rd, Majuro, Marshall Islands MH 96960

General contact: welcome@maritimedao.com — for all data protection queries, use subject: "Data Protection Request"

EU Representative (GDPR Art. 27): Digi Creative SIA, Krasta iela 8C, Iecava, Bauskas nov., LV-3913, Latvia — contact: welcome@maritimedao.com with subject "GDPR EU Representative". EU residents and supervisory authorities may address all GDPR-related issues to this representative.

Supervisory authority: Latvian Data State Inspectorate (Datu valsts inspekcija) — www.dvi.gov.lv. You have the right to lodge a complaint at any time.

Your GDPR rights as an EU resident

As an EU data subject you have rights of access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and the right to object. You may exercise these rights at any time by contacting us. You also have the right to lodge a complaint with the Latvian Data State Inspectorate (www.dvi.gov.lv) or the supervisory authority in your EU Member State of residence.

2. Personal data we collect

Identity and KYC/AML data: Full name, date of birth, nationality, country of residence, ID/passport details, proof of address documents — collected during registration to comply with AML/CTF law.

Contact and account data: Email address, username (if any), encrypted password hash, wallet address(es).

Transaction data: Wallet addresses linked to bond purchases, allocation instructions provided by the bond Issuer (Digi Creative SIA).

Technical and usage data: IP address, browser type, device information, access logs, session data. Cookies — see Cookie Policy (02.3).

Communications data: Messages or support requests you send to us.

We do not collect special category data (Article 9 GDPR) unless strictly required for AML purposes, in which case it is processed under Article 9(2)(g) (substantial public interest). Blockchain transaction data (on-chain) is public and not under our control; we process only off-chain personal data you provide to us directly.


3. Purposes and lawful bases (GDPR Article 6)

Purpose | Lawful basis | Details
KYC/AML compliance | Legal obligation (Art. 6(1)(c)) | Mandatory under EU/Latvian AML law — cannot be opted out of.
Platform access and token purchases | Performance of contract (Art. 6(1)(b)) | Processing necessary to provide Platform services and facilitate bond purchases.
Platform security and fraud prevention | Legitimate interests (Art. 6(1)(f)) | Balanced against your rights. You may object — see Section 7.
Non-essential cookies and analytics | Consent (Art. 6(1)(a)) | Freely given and withdrawable at any time via Cookie Settings.

We do not use automated decision-making with legal or similarly significant effects (Article 22 GDPR) without explicit consent and appropriate safeguards.

4. How we share personal data

We share personal data only when necessary and always under appropriate legal safeguards:

• With Digi Creative SIA (bond Issuer) — for profit distribution, bond register updates, and allocation instructions you have authorised.
• With KYC/AML service providers — acting as data processors under GDPR Article 28 data processing agreements.
• With regulatory authorities and law enforcement — where legally required (e.g., AML suspicious activity reporting).
• In the event of Platform operator transfer — to the new operator, who will be bound by equivalent GDPR obligations. We will notify you before any such transfer takes effect.

We do not sell your personal data to third parties. We do not transfer personal data outside the EEA without appropriate safeguards (adequacy decision or Standard Contractual Clauses).

5. Data retention

KYC/AML identity data: Retained for 5 years after the end of the business relationship (or longer if required by applicable AML law — up to 10 years where mandated).

Account and contact data: Until account deletion, or 2 years after your last activity on the Platform, whichever is later.

Transaction data: 5 years after the relevant transaction, in accordance with Latvian AML requirements.

Technical/usage logs: 90 days (standard security logs); 12 months for aggregated analytics.

Complaint records: 5 years minimum — see Complaints Handling Policy (02.6).

You may request deletion of your personal data at any time. We will comply unless retention is required by law (e.g., AML/CTF obligations override erasure requests for the mandatory retention periods).

6. Security

We implement appropriate technical and organisational measures to protect your personal data, including encryption of data in transit and at rest, strict access controls and authentication, regular security testing and vulnerability assessments, and staff training on data protection. However, no system is 100% secure. Blockchain elements carry inherent public transparency risks — on-chain transaction data is publicly visible and cannot be erased.


7. Your rights — how to exercise them

Access (Art. 15): Request a copy of all personal data we hold about you.

Rectification (Art. 16): Request correction of inaccurate or incomplete data.

Erasure (Art. 17): Request deletion of your data, subject to legal retention obligations.

Restriction (Art. 18): Request that we limit processing of your data in certain circumstances.

Portability (Art. 20): Receive your data in a structured, machine-readable format.

Object (Art. 21): Object to processing based on legitimate interests at any time.

Withdraw consent (Art. 7(3)): Withdraw cookie/analytics consent at any time via Cookie Settings — does not affect prior lawful processing.

Lodge a complaint: Latvian Data State Inspectorate (www.dvi.gov.lv) or your local EU supervisory authority.

To exercise any right: contact welcome@maritimedao.com with subject "Data Rights Request". We respond within one calendar month (extendable by 2 months for complex requests, with notice).

8. Operator transfer

We may transfer Platform operations and associated personal data to another entity. We will provide at least 30 days advance notice to users via email and Platform notification before any such transfer. The new operator will be bound by obligations equivalent to those in this Policy and by GDPR where applicable.

9. Governing law

This Policy is governed by a split structure consistent with the Terms of Use (02.1): technical platform matters are governed by Marshall Islands law; your GDPR rights and EU data protection obligations are governed by EU law and enforced through Latvian supervisory authorities. Nothing in this Policy limits your rights under the GDPR or applicable Latvian data protection law.

10. Changes to this policy

We may update this Policy. For material changes, we will provide at least 14 days advance notice via email or Platform notification. The updated version will be posted with a new "Last Updated" date. Your continued use after the notice period constitutes acceptance.

Document details

Reference: 02.2 Marketplace Privacy Policy v2 — 26 March 2026 | Maritime DAO LLC, Reg. No. -10087-24, 852 Long Island Rd, Majuro, Marshall Islands MH 96960 | welcome@maritimedao.com | Last updated: 26 March 2026
