ClearToken’s Privacy Policy

This policy sets forth how ClearToken collects, uses and shares the information you provide to us and the information we collect in the course of operating our business and our websites. We comply with applicable data protection laws, in particular the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). Where we also process personal data of individuals in the European Economic Area, we comply with EU Regulation 2016/679 (EU GDPR).

This policy may be updated at any time by ClearToken amending this page. We recommend that you check this page on a regular basis to remain aware of any relevant changes made. This policy was last updated in May 2026.

1. General Information

Where we refer to ClearToken or “we”/”us”/”our” we mean primarily ClearToken Services Ltd, incorporated under the laws of England and Wales with company number 14488617. Our registered office is 1 Bow Church Yard, London, United Kingdom, EC4M 9DQ.

The following ClearToken entities are also registered with the UK Information Commissioner’s Office (ICO) as data controllers: ClearToken Holdings Limited (ICO registration number ZB889208); ClearToken Depository Limited (ICO registration number ZB864876); and ClearToken Services Limited (ICO registration number ZB557225).

2. Purpose of this Policy

ClearToken places a strong emphasis on privacy and data protection and is dedicated to safeguarding your personal information and client confidentiality. To ensure adherence to data protection laws and regulations, this policy outlines how ClearToken processes and secures your personal data, the grounds on which we rely, and the rights you have under applicable law. This policy applies whenever we handle your personal data, including interactions on our website or other digital platforms, or when you sign up for our services.

Before using ClearToken’s services or providing any personal data, please familiarise yourself with our practices concerning your personal data, how we handle it, and the circumstances in which it might be disclosed to third parties.

3. Scope — UK and EU Data Subjects

This policy applies to the processing of personal data of individuals located in the United Kingdom, governed by the UK GDPR as retained in UK law by the European Union (Withdrawal) Act 2018, and the DPA 2018.

To the extent that ClearToken processes personal data of individuals located in the European Economic Area (EEA), such processing is also subject to EU GDPR. In those circumstances, references in this policy to “UK GDPR” should be read as including the EU GDPR where applicable.

4. Affiliated Entities and Outsourcing

When ClearToken collects and processes your personal information, it acts as the data controller. ClearToken may transfer your personal data to its affiliated companies located within and outside of the UK, specifically:

• ClearToken Holdings Limited (BVI)
• ClearToken CCP Limited (UK)
• ClearToken Depository Limited (UK)
• ClearToken UK Holdings Limited (UK)
• ClearToken Holdings Limited (UK)

In such cases, ClearToken ensures that appropriate protections are in place for your personal data, as described further in the “International Transfers” section below. Any affiliated entity receiving your data processes it on behalf of ClearToken in accordance with this policy and applicable law.

5. What is Personal Data

“Personal data” encompasses any information that allows us to identify you, including but not limited to your name, email address, or an online identifier such as an IP address that can reasonably be connected to you. When using our digital channels, such as the website, you may be requested to provide personal data.

If you decide to register as a new corporate client or investor, we may collect the following data:

• Company name and company address
• Professional information, e.g., employer and title
• First and last name
• Copy of passport or other government-issued identity document
• E-mail address, phone number and residential address
• Additional information as required, for example the kind of service desired, and open-source intelligence data to ensure compliance with KYC/AML requirements under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended) (the “MLRs”)

The processing of personal data extends beyond our clients and encompasses suppliers, prospects, website users, employees, job applicants, vendors, and third parties. Our objective is to restrict the processing of this data to the essential minimum and in compliance with relevant laws and regulations.

Updating Your Personal Information

If you need to update or modify your personal information, including your contact details, please inform ClearToken in writing at the contact details provided below as soon as possible.

Third-Party Links

Our website may occasionally include links to third-party websites or digital platforms for your convenience. We advise you to review the privacy and security policies of each website or digital platform you visit, as those policies govern how your information is handled by those third parties.

6. Origin of Personal Data

Personal data provided directly by you

We will process personal data that you give to us, including when you contact us through various channels, such as:

• Signing up for newsletters, webinars, or events
• Participating in discussion boards or social media functions
• Using services provided by us
• Getting in touch with us with enquiries or responding to our communications
• Opening a client account, either on your own behalf or on behalf of the company you represent
• Applying for a role with us, whether directly or through a third-party recruiter

Personal data obtained from other sources

We may also collect personal data from sources other than directly from you. Where we do so, we will take steps to inform you of the relevant categories of data and their source within a reasonable period of obtaining the data, and in any event within one month, unless an exemption applies (for example, where providing notice would prejudice the prevention or detection of crime or where we are under a legal obligation of confidentiality).

Categories of personal data obtained indirectly, and their sources, include:

• Employment history, qualifications, education and references — provided by background screening agencies and third-party recruiters when you apply for a role
• Information from official registers, including criminal records checks or credit history, to assess suitability for a role or for KYC/AML compliance purposes
• Sanctions and watchlist data (e.g. lists issued by HM Treasury, the US Office of Foreign Assets Control (OFAC), and the European Union) — obtained from official and commercial sanctions databases
• Open-source intelligence data relevant to KYC/AML compliance, obtained from publicly accessible sources
• Technical and transactional data transmitted via our infrastructure, including login information, access to document sharing spaces, payment and trading transactions, and data from financial or IT service providers

7. Purpose and Usage of Data

We may process personal data for the following purposes, to the extent legally permitted:

• Enhancing and managing our products and services, and keeping information of individuals with whom we have a business relationship up to date
• Market research, marketing, and business development activities, including sending newsletters, marketing communications, and event invitations
• Compliance, legal and/or regulatory purposes, including fulfilling disclosure, notification, and reporting obligations to relevant authorities, covering anti-money laundering and countering terrorist financing
• Exercising or defending our legal rights, and for legal proceedings involving us, our employees, or our clients
• Reviewing and processing job applications
• Managing, controlling, and monitoring business-related decisions and risks, including processing business operations, investment profiles, limits, and assessing operational and fraud risks

8. Grounds for Processing Your Personal Data

UK GDPR requires that every processing activity has a lawful basis. The table below maps our primary processing purposes to the lawful basis we rely on. Where we rely on legitimate interests, we have carried out a balancing test and are satisfied that our interests are not overridden by your rights and freedoms. You may request a copy of our legitimate interests assessment by contacting us.

Special category and criminal conviction data

Where our KYC, AML, and sanctions screening activities involve the processing of special category personal data (such as information incidentally contained in identity documents) or data relating to criminal convictions and offences (such as PEP screening or adverse media checks), we rely on the following additional conditions under DPA 2018 Schedule 1 and UK GDPR Articles 9 and 10:

• Criminal convictions and offences data (e.g. PEP screening, sanctions checks): processed under DPA 2018 Schedule 1, Part 2, paragraph 6 (statutory and government purposes) and/or paragraph 10 (preventing or detecting unlawful acts), as required by the MLRs 2017
• Other special category data incidentally included in identity documents: processed on the basis of substantial public interest under Article 9(2)(g) UK GDPR and DPA 2018 Schedule 1, Part 2, paragraph 6, solely to the extent required for identity verification

Consent withdrawal

Where we rely on your consent as the lawful basis for processing, you may withdraw it at any time by contacting info@cleartoken.io. Withdrawal of consent does not affect the lawfulness of any processing carried out prior to withdrawal.

9. How We Share Personal Data with Third Parties

From time to time, ClearToken engages third-party service providers and suppliers to deliver certain services. To ensure compliance with this policy, ClearToken establishes Data Processing Agreements (as required by Article 28 UK/EU GDPR) with each provider. These agreements require providers to process your personal data only in accordance with our instructions, this policy, and applicable law.

Third parties who may receive your personal data include:

• IT and communications service providers and website hosting companies (notably, our website is hosted on servers located in the UK and operated by AWS)
• Counterparties to transactions and other professional service providers
• Any person authorised to act on your behalf
• Regulators, government departments, law enforcement authorities, tax authorities, and insurance companies
• Any relevant dispute resolution body or the courts
• Persons or businesses in connection with any sale, merger, acquisition, disposal, reorganisation, or similar change to our business

10. International Transfers of Personal Data

ClearToken may transfer your personal data outside the United Kingdom to affiliated entities and third-party service providers. Where we do so, we ensure that an appropriate safeguard is in place in accordance with UK GDPR Chapter V, as follows:

• Transfers to countries that benefit from UK adequacy regulations are made on that basis
• Transfers to countries without UK adequacy status (including the British Virgin Islands, where ClearToken Holdings Limited (BVI) is incorporated) are made subject to a UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as applicable
• Where ClearToken processes personal data of EEA residents and transfers such data to third countries outside the EEA, transfers are made subject to EU Standard Contractual Clauses adopted by the European Commission, or another appropriate safeguard under EU GDPR Article 46

You may request further information about the safeguards in place for any particular transfer, including copies of the relevant transfer mechanisms, by contacting us at the details provided below.

11. Retention of Personal Data and Data Security

How long we retain your personal data depends on the nature of the data and the purpose for which it is processed. As a general guide, our retention periods are as follows:

Where no specific statutory period applies, we determine the appropriate retention period by reference to the purpose of processing, the nature of the data, and any applicable regulatory guidance. Data is securely deleted or anonymised at the end of the applicable retention period.

We implement appropriate technical and organisational security measures to protect personal data against unauthorised access, loss, destruction, or alteration, including encryption, access controls, and regular security reviews. We continuously enhance these measures by reference to technological developments and applicable standards.

12. Your Data Subject Rights

You have several rights under UK GDPR (and EU GDPR where applicable) concerning the personal information we hold about you. These include:

• The right of access to the personal information held about you
• The right to rectification if your personal information is inaccurate or incomplete
• The right to erasure (the “right to be forgotten”), where there is no lawful basis permitting continued processing
• The right to restrict the processing of your personal information in certain circumstances
• The right to object to certain processing of your personal data, including on grounds of legitimate interests
• The right to object to direct marketing at any time, including profiling carried out for direct marketing purposes — this right is absolute and we will cease processing immediately upon receipt of such an objection
• The right to data portability — in certain circumstances, to receive personal data you have provided to us in a structured, commonly used, machine-readable format
• The right to withdraw consent at any time, where consent is the basis for processing (without affecting the lawfulness of processing before withdrawal)
• The right to lodge a complaint with a supervisory authority (see below)

We do not make decisions based solely on automated processing that produce legal or similarly significant effects without human involvement.

Please note that these rights are not absolute in all circumstances. For example, if you exercise your right to erasure or restriction, this may affect our ability to provide you with a full service, and in some cases we may be unable to comply where we have a legal obligation to retain data (for example, under the MLRs 2017).

As required under money laundering law, we are obligated to verify your identity before establishing a business relationship. This may involve requesting documents such as a passport and recording details including your name, date of birth, and address. Failure to provide the necessary information may prevent us from entering into or continuing a business relationship.

How to exercise your rights

To exercise any of your rights, please contact us at info@cleartoken.io. On receipt of your request, you will be referred to ClearToken’s Legal and/or Compliance function, who may need to verify your identity before proceeding.

We will respond to your request within one month of receipt. Where a request is complex or we have received a number of requests, we may extend this period by a further two months; we will notify you within the first month if we intend to rely on this extension and explain the reason for the delay. We will not charge a fee for handling your request unless it is manifestly unfounded or excessive.

Supervisory authority complaints

If you are located in the United Kingdom and are not satisfied with our response or the way in which we have handled your personal information, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection:

• Website: ico.org.uk
• Telephone: 0303 123 1113
• Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

If you are located in the European Economic Area, you also have the right to lodge a complaint with the supervisory authority in your country of residence or place of work. A list of EU data protection authorities is available at: edpb.europa.eu/about-edpb/about-edpb/members_en

13. Automated Decision-Making and Profiling

We do not make decisions that produce legal or similarly significant effects on you based solely on automated processing, without human involvement.

We may carry out automated profiling as part of our KYC, AML, and sanctions screening processes (for example, screening your details against watchlists or adverse media databases). Such profiling assists our compliance team but does not result in a final decision without human review. You have the right to obtain information about any such profiling and to request human review of any outcome that affects you.

14. How to Contact Us

You may contact us in writing using the details below:

• Email: info@cleartoken.io
• Post: ClearToken Services Limited, C/o 60 Cannon Street, London, United Kingdom, EC4N 6NP.

If you are not satisfied with the response you receive from us regarding the handling of your personal information, please let us know so that we may investigate and improve our practices where necessary. You may also escalate your concerns to the ICO as described in Section 12 above.

15. Cookies

At this time, ClearToken does not collect any cookies from website visitors or users. Should this position change, this policy will be updated to include a full cookie notice, explaining the types of cookies used, their purposes, and how you can manage your cookie preferences. We recommend checking this page periodically to stay aware of any changes.