Privacy Policy

Last updated:
January 26, 2026

1. Introduction

Evergon Labs B.V. ("Evergon", "we", "us", or "our") is committed to protecting personal data and complying with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Dutch data protection laws.

This Privacy Policy explains how we collect, use, disclose, and safeguard personal data in connection with our website, platforms, and services, including tokenisation infrastructure, white-label solutions, and compliance and regulatory software.

This Policy applies to all users, clients, partners, issuers, investors, and visitors.

2. Data Controller

Evergon Labs B.V. is the data controller for the purposes of the GDPR.

Registered Address:

Radonweg 2D, 3542 AN Utrecht, The Netherlands

Email: hello@evergonlabs.com

3. Data Protection Officer

We have appointed an external Data Protection Officer (DPO):

XpertDPO Ltd.6 Mount Street Upper, Dublin, D02 VF44, Ireland

Email: dpo@evergonlabs.com

Phone: +353 1 678 8997

4. Our Role Under GDPR

Depending on the context and services provided:

- We act as a Data Controller when determining the purposes and means of processing personal data.

- We act as a Data Processor when processing personal data on behalf of clients under a Data Processing Agreement. Where we act as a processor, our clients remain responsible as controllers.

5. Categories of Personal Data

We may collect and process the following categories of personal data.

5.1 Identification and Contact Data

● Name

● Job title

● Company name

● Email address

● Telephone number

● Postal address

5.2 Professional and Business Data

● Employer and affiliation details

● Account and platform credentials

● User role and permissions

● Client and issuer information

5.3 Financial and Transaction Data

● Billing and payment details

● Bank and wallet information (where applicable)

● Transaction records

5.4 Technical and Usage Data

● IP address

● Device identifiers

● Browser type and version

● Log files

● Platform activity

● Cookies and similar technologies

5.5 Communication Data

● Emails and correspondence

● Support tickets

● Recorded calls (where lawful)

● Chat and messaging data

5.6 Compliance and Due Diligence Data

● Identity verification data

● KYC/AML documentation

● Sanctions screening results

● Risk and suitability assessments

● Regulatory reporting data

6. Special Categories of Data

We do not intentionally collect special categories of personal data under Article 9 GDPR, unless required by law and subject to appropriate safeguards.

7. Criminal Offence and Regulatory Data

Where required for compliance with applicable laws, we may process data relating to criminal convictions, offences, and regulatory investigations, particularly in connection with AML, counter-terrorism financing, and sanctions obligations.

Such data is processed in accordance with Article 10 GDPR and applicable national law.

8. Children’s Data

Our services are not directed to individuals under 18 years of age. We do not knowingly processchildren’s data.

9. Purposes and Legal Bases for Processing

We process personal data for the following purposes and rely on the corresponding legal base sunder Article 6 GDPR.

Purpose Description Legal Basis
Service provision Delivery and administration of our platforms and services Performance of a contract
Onboarding and verification Identity checks, due diligence, account setup Legal obligation / Contract
Compliance monitoring AML, sanctions, transaction monitoring Legal obligation
Customer support Handling inquiries and incidents Legitimate interests / Contract
Billing and payments Financial administration Contract / Legal obligation
Platform security Fraud prevention, cybersecurity Legitimate interests
Product development Improving and optimising services Legitimate interests
Marketing Newsletters and promotions Consent / Legitimate interests
Legal claims Dispute management and enforcement Legitimate interests / Legal obligation
Business operations Internal reporting and governance Legitimate interests

Where consent is relied upon, it may be withdrawn at any time.

10. Legitimate Interests Assessment

Where processing is based on legitimate interests, Evergon conducts documented balancingtests to ensure that our interests do not override the rights and freedoms of data subjects.You may request further information about these assessments by contacting our DPO.

11. Automated Decision-Making and Profiling

We may carry out limited profiling in connection with regulatory compliance, fraud prevention, andrisk management.No decisions producing legal or similarly significant effects are based solely on automatedprocessing without appropriate human review, unless permitted by law.

12. Data Retention

Personal data is retained only for as long as necessary for the purposes described in this Policy.

Indicative retention periods include:

● Client and transaction records: up to 6–10 years (regulatory requirements)

● KYC and compliance files: as required by AML legislation

● Marketing data: until withdrawal of consent

● Support records: up to 3 years

When no longer required, data is securely deleted or anonymised.

13. Data Sharing and Recipients

We may share personal data with:

● Cloud and infrastructure providers

● Identity verification and compliance vendors

● Payment service providers

● Professional advisers

● Group companies and affiliates

● Regulators, courts, and authorities

All recipients are subject to contractual and statutory confidentiality and security obligations.

14. International Data Transfers

Personal data may be transferred outside the European Economic Area (EEA) only where appropriate safeguards are in place, including:

● European Commission adequacy decisions

● Standard Contractual Clauses (SCCs)

● Binding corporate rules

Transfer impact assessments are conducted where required.

15. Data Security and Governance

We implement technical and organisational measures in line with industry standards, including:

● Encryption at rest and in transit

● Role-based access controls

● Network and application security monitoring

● Vendor risk assessments

● Regular internal audits

● Incident response procedures

Evergon maintains ISO 27001-aligned information security controls.

16. Cookies and Tracking Technologies

We use cookies and similar technologies in accordance with our Cookie Policy and applicable Privacy rules.

Non-essential cookies are deployed only with valid consent.

17. Your Rights

Under the GDPR, you have the right to:

● Access your personal data

● Rectify inaccurate data

● Request erasure

● Restrict processing

● Object to processing

● Data portability

● Withdraw consent

● Lodge a complaint

18. Exercising Your Rights

Requests may be submitted to:Email: dpo@evergonlabs.com

We will respond within one month, subject to lawful extensions.

19. Supervisory Authority

You may lodge a complaint with the Dutch Data Protection Authority:

Autoriteit Persoonsgegevens

PO Box 93374, 2509 AJ The Hague

www.autoriteitpersoonsgegevens.nl

20. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated where required by law. The latest version will always be available on our website.

21. Contact

For questions regarding this Policy, please contact:

Evergon Labs B.V.Email: hello@evergonlabs.com

Footer Img
Products
HomeWhitelabel MarketplaceComplianceOnboarding & MonitoringBusiness OnboardingTransaction Monitoring
Solutions
Real EstateCommoditiesFundVestingCrowdfundingSukuk Financing
Resources
Audit ReportsBlogDocumentationContact Us
Developers
DocumentationFraction ProtocolStaking Protocol
Social Connects
LinkedInXRedditDiscordhello@evergonlabs.com
All Copyrights reserve at Evergon Labs
Terms and ConditionsComplaints Management PolicyCookie PolicyPrivacy Policy