Legal - Catena Digital Privacy Policy

Catena Digital Privacy Policy / Privacy Notice

V.1.0
Effective date: 01/03/26
Last updated: 01/03/26

Privacy Summary

Catena Digital, a trading name of Where Ltd, collects and processes personal data to operate its website and services, onboard users, carry out AML/KYC, identity verification, sanctions and fraud screening, administer platform access, and comply with legal and regulatory obligations. Approved users may then create or connect self-custody wallets for permitted platform use. For full details of how we process personal data, please see our full Privacy Policy / Privacy Notice.

1. Introduction
This Privacy Policy / Privacy Notice explains how Catena Digital collects, uses, stores, shares, and otherwise processes personal data in connection with its website, onboarding processes, compliance procedures, platform services, and related business activities.

Catena Digital is a trading name of Where Ltd (Company Number SC732881), whose registered office is at:
9 High Street, Aberdour, Burntisland, Scotland, KY3 0SH
Where Ltd is registered with the Information Commissioner’s Office (“ICO”).
ICO registration number: C1894948

In this notice, references to “Catena Digital”, “we”, “us”, or “our” mean Where Ltd trading as Catena Digital. We are committed to handling personal data lawfully, fairly, transparently, and securely.

2. Who this notice applies to
This notice applies to personal data relating to:
• visitors to our website;
• prospective customers;
• individual customers;
• representatives, directors, beneficial owners, and authorised users of business
customers;
• counterparties, partners, and service providers;
• individuals whose personal data is provided to us as part of onboarding, compliance, due diligence, or ongoing business relationships.

3. What Catena Digital does

Catena Digital is a compliance-led digital asset onboarding and infrastructure platform. As part of our services, we may onboard individual and business clients, carry out identity verification, AML/KYC and related compliance screening, and, where appropriate, permit approved users to create or connect self-custody wallets for use in connection with permitted platform functionality.
We do not permit anonymous onboarding where identity verification and compliance checks are required.

4. Data controller
For the purposes of applicable data protection law, Where Ltd trading as Catena Digital is the data controller of the personal data described in this notice, except where this notice expressly states otherwise.

If you have any questions about this notice or how your personal data is handled, please contact us at:

Email: privacy@catena.digital
Post: Where Ltd t/a Catena Digital, 9 High Street, Aberdour, Burntisland, Scotland, KY3 0SH

5. The personal data we collect

We may collect, use, store, and process the following categories of personal data.

5.1 Identity and personal information
• full name;
• date of birth;
• nationality;
• residential address;
• country of residence;
• government-issued identification details;
• photographs and image data used for identity verification;
• information contained in passports, driving licences, identity cards, and other
identification documents.

5.2 Contact information
• email address;
• telephone number;

• correspondence address;
• other contact details you provide to us.

5.3 Verification and compliance information
• copies of identification documents;
• proof of address documents;
• selfie and liveness-check data;
• AML/KYC screening results;
• sanctions screening results;
• politically exposed person (“PEP”) screening results;
• adverse media screening results;
• fraud-prevention and risk signals;
• source of funds and source of wealth information, where required;
• enhanced due diligence materials;
• internal notes and assessments relating to onboarding, risk, and compliance
decisions.

5.4 Business customer and corporate information
Where the customer is a company, trust, partnership, fund, or other organisation, we may collect:
• company name and registration details;
• registered office and trading address;
• details of directors, officers, authorised signatories, shareholders, and beneficial
owners;
• constitutional and due diligence documents;
• ownership and control information;
• business activity and business model information;
• tax, compliance, and regulatory information.

5.5 Technical and device information
• IP address;
• device identifiers;

• browser type and version;
• operating system;
• usage logs;
• access times;
• geolocation derived from IP address where relevant;
• information about how you interact with our website or platform.

5.6 Wallet and platform-related information
• wallet addresses;
• account identifiers;
• onboarding status;
• records of interactions with our services;
• information linked to the creation or connection of self-custody wallets;
• transaction-related information where relevant to compliance, security, or service administration.

5.7 Communications and correspondence
• emails, messages, support requests, and other communications with us;
• records of calls, meetings, or compliance queries where kept for audit, training,
evidential, or regulatory purposes.

6. How we collect personal data

We may collect personal data:
• directly from you;
• from forms you complete through our website or platform;
• during onboarding and due diligence processes;
• from identity verification and compliance providers;
• from publicly available sources;
• from sanctions, PEP, fraud, and adverse media databases;
• from your company, employer, advisers, or authorised representatives;
• from service providers, business partners, or professional advisers;
• through cookies and similar tracking technologies on our website.

7. How we use personal data

We may process personal data for the following purposes:
• to provide access to our website and services;
• to register and onboard users;
• to verify identity and conduct customer due diligence;
• to carry out AML, KYC, sanctions, PEP, adverse media, anti-fraud, and other
compliance checks;
• to assess whether an application should be approved, rejected, restricted, or
escalated for further review;
• to create, manage, and administer accounts and platform access;
• to enable approved users to create or connect self-custody wallets for permitted use on our platform;
• to monitor compliance and risk on an ongoing basis;
• to detect, prevent, investigate, and address fraud, money laundering, sanctions
evasion, suspicious activity, misuse, security incidents, or unlawful conduct;
• to communicate with you in relation to onboarding, compliance, account
administration, support, or legal matters;
• to comply with legal, regulatory, tax, audit, accounting, and reporting obligations;
• to establish, exercise, or defend legal rights and claims;
• to maintain the security, integrity, and resilience of our systems and services;
• to improve our products, services, controls, and operational processes;
• to carry out internal record-keeping, audit, governance, and business administration.

8. Legal bases for processing
We process personal data only where we have a lawful basis to do so. Depending on the circumstances, we may rely on one or more of the following legal bases:

8.1 Compliance with legal obligations
We may process personal data where necessary to comply with legal and regulatory obligations, including obligations relating to anti-money laundering, customer due diligence, fraud prevention, record-keeping, sanctions compliance, law enforcement cooperation, and regulatory reporting.

8.2 Contract

We may process personal data where necessary for the performance of a contract with you, or in order to take steps at your request before entering into a contract.

8.3 Legitimate interests
We may process personal data where necessary for our legitimate interests or those of a third party, including:
• operating and administering our business and services;
• preventing fraud and abuse;
• protecting the security of our platform;
• conducting compliance oversight and risk management;
• exercising and defending legal rights.
Where we rely on legitimate interests, we do so only where those interests are not
overridden by your rights and interests.

8.4 Consent
In limited cases, we may rely on consent where consent is the appropriate legal basis. Where we do so, you may withdraw consent at any time, although this will not affect the lawfulness of processing carried out before withdrawal.

9. Identity verification, AML/KYC, and compliance screening

As part of our onboarding and compliance processes, we may require users to undergo identity verification and related compliance screening.
This may include:
• verification of identity documents;
• facial comparison and liveness checks;
• proof of address verification;
• sanctions screening;
• PEP screening;
• adverse media screening;
• fraud detection;
• source of funds and source of wealth review;
• enhanced due diligence for higher-risk applicants or situations.

We reserve the right to refuse, suspend, restrict, or terminate onboarding or access to our services where:
• identity verification cannot be completed satisfactorily;
• AML/KYC or sanctions concerns arise;
• fraud or other unlawful activity is suspected;
• information provided is inaccurate, incomplete, or misleading;
• we are otherwise required or permitted to do so by law, regulation, or internal risk policy.

10. Use of third-party verification and compliance providers

We use specialist third-party service providers to support our identity verification,
compliance, fraud prevention, and onboarding processes.
These providers may process personal data on our behalf in order to:
• verify identity documents;
• perform biometric and liveness checks;
• screen individuals and entities against sanctions, PEP, and adverse media data
sources;
• identify fraud indicators and risk signals;
• support our AML/KYC and compliance obligations.

Such providers may include Sumsub, Thomson Reuters, Smartsearch, and other companies and divisions thereof and other specialist verification, screening, or compliance service providers engaged from time to time.

We require our processors and service providers to process personal data only on our instructions, to maintain appropriate security, and to comply with applicable data protection requirements.

11. Automated processing and decision-making

As part of our onboarding, compliance, and fraud-prevention processes, we may use automated tools, screening systems, and risk indicators to assess identity, detect anomalies, identify sanctions or compliance risks, and help determine whether an application should be approved, rejected, restricted, or escalated for manual review.

Automated systems are used as part of our compliance and risk framework, but significant decisions may also involve human review.

Where required by applicable law, you may contact us for further information about relevant automated processing and your rights in connection with it.

12. Cookies and similar technologies
Our website may use cookies and similar technologies to:
• operate and secure the website;
• remember user preferences;
• understand website usage and performance;
• support fraud prevention and security monitoring;
• improve our services and user experience.

You can manage cookies through your browser settings and, where applicable, through any cookie settings tools made available on our website.
A separate Cookie Policy may also apply where published.

13. Disclosure of personal data
We may share personal data with:
• identity verification, compliance, fraud prevention, and screening providers;
• IT, hosting, cloud storage, cybersecurity, and software providers;
• payment service providers and banking partners where relevant;
• professional advisers, including lawyers, auditors, accountants, insurers, and
compliance consultants;
• affiliated service providers and contractors supporting our business operations;
• regulators, governmental authorities, courts, tribunals, tax authorities, law
enforcement agencies, or supervisory bodies where required by law or where
necessary for compliance, reporting, investigation, or legal rights;
• counterparties or transaction participants where disclosure is necessary for a
legitimate business or legal purpose;
• actual or potential purchasers, investors, funders, or acquirers of all or part of our business, subject to appropriate confidentiality arrangements.

We do not sell personal data.

14. International transfers

Personal data may be processed in countries outside the United Kingdom or outside the country in which you are located.

Where personal data is transferred internationally, we take steps to ensure that appropriate safeguards are in place in accordance with applicable data protection law. These safeguards may include:
• adequacy regulations;
• data transfer agreements or standard contractual clauses;
• contractual obligations requiring appropriate protection of personal data;
• other lawful transfer mechanisms.

15. Data retention
We retain personal data for as long as reasonably necessary for the purposes described in this notice, including for legal, regulatory, tax, accounting, audit, anti-money laundering, fraud prevention, dispute resolution, and record-keeping purposes.
This may include retaining:
• onboarding records;
• identity documents and verification materials;
• sanctions, PEP, fraud, and compliance screening results;
• internal compliance assessments and case notes;
• communications and account records;
• wallet-related onboarding records and associated audit information.
Retention periods may vary depending on the nature of the data, the purpose for which it was collected, legal or regulatory requirements, and whether a dispute, investigation, or regulatory inquiry is ongoing or reasonably anticipated.
Where personal data is no longer required, we will take reasonable steps to delete, anonymise, or securely destroy it.

16. Security
We implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access.
These measures may include:
• access controls;

• encryption and secure transmission methods where appropriate;
• system monitoring and logging;
• role-based access restrictions;
• supplier due diligence and contractual controls;
• internal policies and compliance procedures.
No method of transmission over the internet or electronic storage is completely secure. While we take reasonable steps to protect personal data, we cannot guarantee absolute security.

17. Your rights
Depending on applicable law and subject to legal and regulatory limitations, you may have the right to:
• request access to your personal data;
• request correction of inaccurate or incomplete data;
• request erasure of personal data;
• request restriction of processing;
• object to certain processing;
• request portability of personal data in certain circumstances;
• withdraw consent where processing is based on consent;
• lodge a complaint with a supervisory authority.
These rights are not absolute. In particular, we may need to retain and continue processing personal data where required for compliance with legal or regulatory obligations, for fraud prevention, for the establishment or defence of legal claims, or for other lawful grounds. To exercise your rights, please contact us using the details set out above.

18. Complaints
If you have concerns about how we process your personal data, we ask that you contact us first so that we can try to resolve the issue.
You also have the right to complain to the Information Commissioner’s Office in the United Kingdom if you believe that your personal data has been handled unlawfully.
Information about how to contact the ICO is available on its official website.

19. Third-party websites and services

Our website or platform may contain links to third-party websites, platforms, or services. We are not responsible for the privacy practices, content, or security of third-party sites or services. You should review their privacy notices before providing personal data to them.

20. Children
Our services are not directed at children, and we do not knowingly collect personal data from children unless legally permitted and specifically required in an exceptional context. If we become aware that personal data has been collected from a child unlawfully, we will take appropriate steps to delete it.

21. Changes to this notice
We may update this Privacy Policy / Privacy Notice from time to time to reflect changes in law, regulation, guidance, technology, our services, or our data handling practices.

Any updated version will be posted on our website with a revised effective date. Where appropriate, we may also notify users by email, through the platform, or by other suitable means.

22. Contact details
If you have any questions about this Privacy Policy / Privacy Notice or our use of personal data, please contact:
Where Ltd t/a Catena Digital
9 High Street
Aberdour
Burntisland
Scotland
KY3 0SH
Email: privacy@catena.digital
Website: www.catena.digital