TokenWay s.r.o. Privacy Policy

Version : 1.0

Effective Date : May 23, 2025

1. Introduction
2. Personal Data We Process
3. Purposes and Legal Bases for Processing
4. Cookies and Tracking
5. Data Sharing and Transfers
6. Data Retention
7. Data Security
8. Your Rights
9. Contact Us

1. Introduction

1.1 Purpose

This Privacy Policy explains how TokenWay s.r.o. (IČO: 21761299, registered office: Sokolovská 428/130, Karlín, 186 00 Prague, Czech Republic, registered in the Commercial Register, Municipal Court in Prague, Section C, Insert 406169) processes personal data of:

Users of the TokenWay platform (www.tokenway.io) and related services.
Clients, investors, and business partners engaging in tokenization or other transactions.

We provide this information under Articles 13 and 14 of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and in compliance with MiCA (Regulation (EU) 2023/1114) as a Crypto-Asset Service Provider (CASP). “You” refers to individuals or organizations you represent.

1.2 Definitions

Personal Data: Information identifying you (e.g., name, email) or linkable to you (e.g., IP address).
Processing: Any operation involving personal data (e.g., collection, storage, analysis).

1.3 Controller

TokenWay s.r.o. is the data controller, determining how and why your personal data is processed.

1.4 Contact

For questions or to exercise your rights (see Section 8), contact us:

Email: [email protected]
Post: TokenWay s.r.o., Sokolovská 428/130, Karlín, 186 00 Prague, Czech Republic
Datová schránka: [Insert ID, if applicable]

2. Personal Data We Process

We process the following personal data, depending on your interaction with us:

Category	Examples	Processed When
Identification Data	Name, date of birth	You register, contact us, or engage in transactions.
Contact Data	Email, phone number, address	You communicate, register, or enter contracts.
AML Data	ID details, nationality, source of funds, bank details, sanction status	We perform KYC/AML checks for token issuance or client onboarding.
Transactional Data	Token purchase records, payment details, contract terms	You engage in token issuance or other transactions.
E-Behavior Data	IP address, device type, browser, navigation patterns, geolocation	You use our website or platform.
Communications Data	Emails, chat messages, support queries	You communicate with us.
Privacy Control Data	Consents, opt-ins, GDPR rights requests	You manage data preferences or exercise rights.

Sources:

Directly from You: Via platform registration, contracts, or communications.
Automated: E-Behavior Data via cookies or tracking technologies.
Third Parties: AML Data from ComplyCube or public registries for compliance.

Optional Data: Providing data is voluntary, but Identification, Contact, AML, and Transactional Data are required for platform use, token issuance, or legal compliance. Without them, we may be unable to provide services.

3. Purposes and Legal Bases for Processing

We process your data for the following purposes, with GDPR and MiCA-compliant legal bases:

Purpose	Data Categories	Legal Basis
Platform Functionality	E-Behavior Data (necessary cookies)	Contract performance (platform access) (Article 6(1)(b))
Token Issuance and Client Services	Identification, Contact, AML, Transactional, Communications Data	Contract performance or legitimate interest (business operations) (Article 6(1)(b), 6(1)(f))
KYC/AML Compliance	AML, Identification, Contact Data	Legal obligation (Act No. 253/2008 Coll., MiCA) (Article 6(1)(c))
Website Analytics	E-Behavior Data (analytical cookies)	Consent (Article 6(1)(a))
Marketing	Contact Data (newsletters, updates)	Consent or legitimate interest (client relations) (Article 6(1)(a), 6(1)(f))
Legal Defense	Identification, Transactional, Communications Data	Legitimate interest (defending rights) (Article 6(1)(f))
Business Analytics	Anonymized data	Legitimate interest (business insights) (Article 6(1)(f))

MiCA-Specific Processing: For token issuance, we process AML Data to verify client identity and funds, ensuring transparency and compliance with MiCA’s anti-money laundering and client protection requirements. Blockchain transaction data (e.g., wallet addresses) may be processed but is pseudonymized to minimize identifiability.

4. Cookies and Tracking

Our website (www.tokenway.io) uses cookies and tracking technologies to enhance functionality and user experience:

Strictly Necessary Cookies: Enable platform access (e.g., session management). Cannot be disabled.
Analytical Cookies: Monitor usage (e.g., Google Analytics) for performance improvements (with consent).
Marketing Cookies: Deliver relevant ads (with consent).

Cookie Management: Adjust preferences via our cookie banner. Disable cookies in browser settings (e.g., Chrome, Firefox), but this may affect functionality.

Current Cookies:

Type	Name	Purpose	Duration	Party
Necessary	session_id	Platform access	Session	First (TokenWay)
Analytical	_ga	Google Analytics	2 years	Third (Google)
Marketing	_fbp	Ad targeting	3 months	Third (Facebook)

Opt-Out: Disable analytical/marketing cookies via the cookie banner or opt out of Google Analytics at Google Analytics Opt-Out.

5. Data Sharing and Transfers

We share your data only when necessary, with:

Service Providers: ComplyCube (KYC/AML), banks (payments), cloud providers (e.g., AWS EU servers), legal advisors.
Blockchain Partners: For token issuance, pseudonymized data (e.g., wallet addresses) may be shared with blockchain providers, potentially in non-EEA countries (e.g., US), using Standard Contractual Clauses (SCCs) approved by the European Commission.
Authorities: Czech Financial Authority, tax offices, or other regulators for MiCA and AML compliance.
Investors: Limited data for due diligence in M&A, with GDPR safeguards.

All recipients are bound by confidentiality agreements or GDPR-compliant contracts. Non-EEA transfers (e.g., blockchain providers) use SCCs to ensure adequate protection.

6. Data Retention

We retain data only as long as necessary:

Platform Data: Until account deletion or 2 years of inactivity.
AML Data: 5 years post-transaction (Act No. 253/2008 Coll., MiCA).
Transactional Data: 10 years for tax/accounting (Act No. 563/1991 Coll.).
Communications Data: 3 years, unless part of a contract or dispute.
E-Behavior Data: 2 years (cookie duration), then anonymized.

Data is erased, anonymized, or securely archived when no longer needed, unless required by law.

7. Data Security

We protect your data with:

Encryption: SSL/TLS for website and platform data transmission; blockchain data pseudonymized.
Access Controls: Only authorized personnel access data, bound by confidentiality.
Secure Storage: GDPR-compliant cloud services (e.g., AWS EU servers).
MiCA Compliance: Regular audits and secure handling of client funds/data per MiCA standards.

8. Your Rights

Under GDPR, you have:

Access: Confirm processing and obtain a data copy (first copy free).
Rectification: Correct inaccurate/incomplete data.
Erasure: Request deletion if data is unnecessary or unlawful (subject to AML/tax retention).
Restriction: Pause processing (e.g., during accuracy disputes).
Objection: Object to marketing or legitimate interest-based processing.
Data Portability: Obtain data in a machine-readable format.
Complaint: Contact the Czech Office for Personal Data Protection (www.uoou.cz, Pplk. Sochora 727, 170 00 Prague 7).

To exercise rights, contact us (Section 1.4). We respond within 1 month, extendable to 3 months for complex requests. Identity verification may be required.

9. Contact Us

For questions or rights requests:

Email: [email protected]
Post: TokenWay s.r.o., Sokolovská 428/130, Karlín, 186 00 Prague, Czech Republic
Phone: [Insert contact number, if applicable]

Changes: Updates will be posted on www.tokenway.io. Significant changes will be notified via email or platform alerts.

This policy complies with GDPR (Regulation (EU) 2016/679), Act No. 110/2019 Coll., and MiCA (Regulation (EU) 2023/1114).