Data Protection Notice

1 Glossary

Company” means Find Satoshi Lab Limited, a company incorporated in the British Virgin Islands as a BVI Business Company pursuant to the BVI Business Companies Act, 2004, with its registered address at c/o CCS Trustees Limited, Mandar House, 3rd Floor, Johnson's Ghut, Tortola, British Virgin Islands.

“Data Controller” means a person who either alone or jointly or in common with other persons processes any personal data, or has control over, or authorises the processing of any personal data, but does not include a data processor.

Data Processor” means a person who, processes data on behalf of a data controller, but does not include an employee of the data controller.

Data Subject” means a natural person, whether living or deceased. Natural persons who use or participate on the Company’s move2earn NFT Game-Fi Project “STEPN” and acquire game tokens or “GSTs” and/or acquire GMTs and participate in the Company’s profit pool will be Data Subjects.

DPA” means the British Virgin Islands Data Protection Act, 2021, as amended from time to time.

Information Commissioner” means the person appointed for an office established pursuant to DPA, responsible among others for monitoring compliance by public and private bodies with the requirements of DPA and receiving and investigating complaints about alleged violations of the data protection principles and in respect thereof, may make reports to complainants.

Personal Data” means any information in respect of commercial transactions, which (a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose; (b) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, that relates directly or indirectly to a data subject, who is identified or identifiable from that information, or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject;

Processing” means collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including the (a) organisation, adaptation or alteration of personal data; (b) retrieval, consultation or use of personal data; (c) disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or (d) alignment, combination, correction, erasure or destruction of personal data;

In accordance with the provisions of the DPA concerning the protection of persons in relation to the processing of personal data, and any law, circular or regulation in the context of DPA, personal data may be processed by the Company and its Data Controller.

3 General Requirements

3.1 Who is the Data Controller and who to contact?

The Company shall be the Data Controller.

The Data Controller collects, stores and process by electronic or other means the data supplied by the Data Subjects, for the purpose of fulfilling the offered services and complying with their legal obligations and specifically in compliance with the provisions of DPA.

Data Subjects who wish to contact the Data Controllers can do it at:

[email protected]

Data Subjects should note that the processors may also act as Data Controllers for their own purposes. In this case Data Subjects may consult the data privacy notices of the relevant processor acting as independent data controller, when available.

3.2 What kind of personal data do we process?

Personal data includes, but it is not limited to, the name, address, passport or identification card details, bank account details of each Data Subject.

In particular the data we may process about you (the “Personal Data”) includes:

• identification data (e.g. name, e-mail, postal address, telephone number, country of residence, passport, identity card, driving licence, tax identification number, bank account details);

• electronic identification data (e.g. IP addressed, cookies, traffic data);

• personal characteristics (e.g. date of birth, marital status);

• banking and financial data (e.g. financial identification, financial situation);

• employment and occupation (e.g. employer, function, title, place of work, specialization);

• tax-related data;

• communications (e.g. exchange of letters with you);

• images and sound (e.g. copies of identifications documents);

• advertisement and sales data (e.g. potential interesting products for you).

3.3 How do we receive your personal data and Recipients and Categories of information?

Certain personal data shall be collected, recorded, stored, adapted, transferred or otherwise processed.

We process data we receive through our business relationship with you. We receive the data directly from you.

The Company may sub-contract to another entity the processing of personal data. Data Subjects must be aware that the personal data may be disclosed (i) other parties who assist the Company with undertaking its duties to the Company (e.g. external processing centers, dispatch or payment agents), including companies based in countries where data protection laws might not exist or be of a lower standard than in the British Virgin Islands or (ii) when required by law or regulation (British Virgin Islands or otherwise).

When the Company uses processors, it shall ensure that such processors provide sufficient guarantees to implement appropriate technical and organizational measures and that such processing on behalf of the Company meets the requirements of the DPA and ensures the protection of the rights of the Data Subjects.

3.4 For which purposes do we process your Personal Data?

We may process personal data about a Data Subject if the processing is necessary for the performance of a contract to which the Data Subject is a party, for the taking of steps at the request of the Data Subject with a view to entering into a contract, for compliance with any legal obligation to which the Data Controller is the subject, other than an obligation imposed by a contract, in order to protect the vital interests of the Data Subject, for the administration of justice, or for the exercise of any functions conferred on a person by or under any law.

3.4.1 For the performance of a contractual obligation

We process your personal data for you to use our services. In this regard Personal Data may be processed for the following purposes: (i) maintaining the register of registered users, (ii) processing subscriptions and payments , (iii) complying with applicable anti-money laundering laws and regulations, and any regulatory requirements applicable to the Company, any of the service providers of the Company or any of its affiliates and professional advisers of those entities in connection with the operations of the Company, its subsidiaries and investments, and to the legal advisors, investment consultants and custodian banks of each of the Company and the financial intermediaries of such Investors, and (iv) more generally providing other services by the Company.

The information required by the Company is necessary to sign up and use services offered by the Company. Failure to provide such information will imply rejection to use our services.

3.4.2 For compliance with laws and regulations

The Company, any of the service providers of the Company and any of their affiliates are subject to various legal obligations in terms of statutory (e.g. laws regulating the financial services sector, anti-money laundering and combatting the financing of terrorism laws, tax laws) and regulatory requirements (e.g. requirements of the British Virgin Islands Financial Services Commission (FSC)).

This covers our processing of your Personal Data for compliance with applicable laws such as the applicable legislation on know-your-Customer (KYC) and anti-money laundering and combatting the financing of terrorism (AML/CFT), compliance with requests from or requirements of local or foreign regulatory enforcement authorities, tax identification and reporting (where appropriate) notably under the OECD’s standard for automatic exchange of financial account information commonly referred to as the Common Reporting Standard or CRS), for Foreign Account Tax and Compliance Act (FATCA) purposes, for the Automatic Exchange of Information (AEOI) and any other exchange of information regime to which we may be subject to from time to time.

Your Personal Data may be shared with tax authorities (or to service providers for the purpose of effecting the reporting on our behalf) and may be forwarded by the latter to foreign tax authorities (failure to provide correct information to us or to respond may result in incorrect or double reporting).

In addition, the Company, any of its advisers and any other party may, subject to all applicable laws, disclose to any governmental, regulatory, taxation or court authority such information relating to Data Subjects as the Company reasonably determines. For the avoidance of doubt, this includes, without limitation, information which in the reasonable determination of the discloser, may be required to be disclosed to such authority or may be necessary to be disclosed pursuant to the Common Reporting Standard approved by the OECD Council on 15 July 2015, as subsequently amended and implemented, and FATCA. Should any such authority require any further information, the Company may require each Data Subject to provide such information to the Company (to the extent such potential Data Subject is in possession of or entitled to receive such information or such information can be acquired without unreasonable effort or expense) and the Company and any of its advisers and any other party may, subject to all applicable laws, disclose such information to any such authority. Such information shall not be passed on to any unauthorized third persons.

3.5 For how long do we keep your Personal Data?

As far as necessary, we will keep your personal data for the duration of your relationship with us and for the length of time required by applicable law. The personal data processed for any purpose will not be kept longer than is necessary for the fulfilment of our services. The British Virgin Islands laws and regulations relating to anti-money laundering requires that documents be retained for a period of at least five (5) years after the relationship has come to an end. The Data Controller will take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed.

3.6 Automated Decision Making

Data Subjects should note that the data will not be used for direct marketing or profiling.

If any of the data processors uses the data for direct marketing or profiling they will be doing so in their capacity as independent data controller. In that case Data Subjects may consult the data privacy notice of the processors acting as independent data controller, when available.

3.7 Rights of the Data Subject

Each Data Subject has:

a) a right to request the Data Controllers access to his/her personal information being processed.

b) a right to have the Company rectify his/personal data if they are incorrect or incomplete.

c) a right to request the erasure of his/her personal data in accordance with the DPA including in the following situations (i) where the personal data is no longer necessary, (ii) the Data Subject objects to the processing of its data and there are no overriding legitimate grounds for the processing, and (iii) the data has been unlawfully processed.

d) a right to request a restriction of the processing in accordance with the provisions of the DPA.

e) a right to lodge a complaint with the Information Commissioner.

f) a right to receive the personal data concerning him or her or to request that it be transmitted to another data controller, when feasible, in accordance with the DPA.

To make any of the above requests you need to put the request in writing addressing it to the Data Controller at the following email address: [email protected].

4 Transfer of Data outside the British Virgin Islands

Data may be transferred (i) to other companies or entities within the Administrator’s group, where such transfer is necessary for the maintenance of records, administration or provision of services to the Company. In such cases, personal data which are transferred to countries outside of the British Virgin Islands will be protected by appropriate safeguards such as, in this case, standard contractual clauses, or, upon obtaining consent from the Data Subject. You may obtain a copy of such safeguards by contacting the Data Controller at the following email address: [email protected]

5 Additional Information

The Data Controller may request the Data Subject to provide additional or updated identification documents from time to time pursuant to on-going due diligence requirements under relevant laws and regulations, and shall comply with such requests. Data Subjects may in accordance with the DPA lodge a complaint with the Information Commissioner.

Last updated