Privacy Policy

Effective Date: May 2025 — Last Updated: March 2026

1. Introduction

IronBrand Sociedad de Responsabilidad Limitada ("IronBrand SRL", "we", "us", or "our") operates a digital-asset trading platform that enables users to buy, sell, and exchange cryptocurrencies. Protecting your privacy and personal data is central to our mission.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information in accordance with:

• Law No. 8968 of 2011 — Protection of the Person Regarding the Processing of their Personal Data ("Law 8968");
• Law No. 7786 — Law on Narcotic Drugs, Psychotropic Substances, Drugs of Unauthorized Use, Related Activities, Money-Laundering and Terrorist Financing ("Law 7786") and its SUGEF regulations;
• Any future regulations that may govern Virtual Asset Service Providers ("VASPs") in Costa Rica; and
• International best practices, including the Financial Action Task Force (FATF) Recommendations.

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy.

2. Scope

This Policy applies to:

• All visitors to ironbrand.io;
• Individuals who register for an IronBrand account; and
• Any person who contacts us, requests information, or otherwise interacts with our Services.

3. Key Definitions

• Personal Data — any information relating to an identified or identifiable natural person.
• Processing — any operation performed on Personal Data, such as collection, storage, use, transfer, or deletion.
• Sensitive Personal Data — data revealing racial or ethnic origin, political opinions, religious beliefs, health data, etc., as defined in Law 8968.

4. Information We Collect

Category	Examples	Purpose
Identification	Full name, date of birth, national ID/passport, selfie or video verification	Account creation (KYC/AML)
Contact	Email, phone number, residential address	Communication, security alerts
Financial	Bank details, card numbers, blockchain wallet addresses, transaction history	Processing deposits, withdrawals & trades
Usage	IP address, browser type, device identifiers, referral URL, session logs	Platform security, analytics, fraud prevention
Marketing	Preferences, survey responses	Optional newsletters & promotions

Minors — Our Services are not directed to persons under 18. We do not knowingly collect data from children.

5. How We Use Your Data

1. Contractual necessity — to provide, maintain, and improve our exchange services.
2. Legal obligations — to comply with AML/CFT screening, transaction monitoring, and reporting requirements under Law 7786.
3. Consent — for optional marketing communications or where expressly required by Law 8968.
4. Legitimate interests — to detect and prevent fraud, secure our platform, and develop new features.

6. Cookies & Similar Technologies

We use cookies, pixels, and local storage to:

• Authenticate sessions;
• Remember user preferences; and
• Compile anonymous analytics.

You can adjust your browser to refuse cookies, but this may limit functionality.

7. Anti-Money Laundering (AML), Counter-Terrorist Financing (CTF) & Costa Rican Regulation

While Costa Rica currently has no specific licensing regime for VASPs, IronBrand SRL:

• Adheres to Law 7786 and SUGEF Agreement 12-21 on AML/CTF preventive measures;
• Applies the FATF travel rule thresholds for crypto transfers;
• Conducts KYC verification, risk scoring, and ongoing monitoring; and
• Files Suspicious Transaction Reports ("STRs") with the Unidad de Inteligencia Financiera (UIF) when warranted.

8. Disclosures & International Transfers

We may share Personal Data with:

• Cloud hosting, analytics, payment, and KYC vendors operating under written agreements;
• Banking partners, liquidity providers, and blockchain monitoring services;
• Government authorities or regulators (e.g., SUGEF, BCCR, PRODHAB) when legally required; and
• Professional advisers (auditors, legal counsel).

If we transfer data outside Costa Rica, we rely on:

• Data subject consent;
• Contractual safeguards (standard clauses); or
• Adequacy mechanisms permitted by Law 8968.

9. Data Security

We implement technical and organizational measures including:

• Encryption in transit (TLS 1.3) and at rest (AES-256);
• Role-based access controls & multi-factor authentication;
• Regular third-party penetration testing; and
• Continuous monitoring & incident response.

10. Data Retention

Personal Data is retained for seven (7) years after account closure or as required to:

• Satisfy AML/CTF record-keeping under Law 7786; or
• Defend or establish legal claims.

11. Your Rights

Under Law 8968 you may exercise ARCO rights:

1. Access — know what data we hold;
2. Rectification — request corrections to inaccurate or incomplete data;
3. Cancellation — request deletion when processing is unlawful or unnecessary;
4. Opposition — object to certain processing activities.

To exercise these rights, contact us at support@ironbrand.io with sufficient proof of identity. We will respond within 10 business days.

12. Automated Decision-Making & Profiling

We use automated risk-scoring tools to meet AML/CTF obligations. Decisions with legal or similar significant effects are always reviewed by human compliance officers.

13. Third-Party Services & Links

Our platform may reference third-party sites or decentralized applications (DApps). We are not responsible for their privacy practices. Please review their policies before sharing data.

14. Changes to This Policy

We may update this Policy to reflect legal or operational changes. Material revisions will be notified via email or in-platform notice at least 10 days prior to taking effect.

15. Contact & Complaints

Email: support@ironbrand.io

If you believe we have infringed your data-protection rights, you may lodge a complaint with PRODHAB (Agencia de Protección de Datos de los Habitantes).

---

© 2025 IronBrand SRL — All rights reserved.