Privacy Policy

Kupros Ltd. is the data controller responsible for your personal data.

For questions about this Privacy Policy or our data practices, contact our Data Protection Officer at dpo@kupros.com.

We process your personal data on the following legal bases:

• Contractual necessity (Art. 6(1)(b)): Processing required to provide the Platform, facilitate transactions, manage your account, and communicate with you about your use of the Platform.
• Legal obligation (Art. 6(1)(c)): Processing required to comply with AML/CTF regulations, sanctions screening, tax reporting obligations, and responses to lawful requests from authorities.
• Legitimate interests (Art. 6(1)(f)): Processing for Platform security, fraud prevention, analytics and improvement, direct marketing to business contacts (where permitted), and enforcement of our Terms of Service. We have balanced these interests against your rights and freedoms.
• Consent (Art. 6(1)(a)): Processing based on your explicit consent, including marketing communications to non-business contacts and placement of non-essential cookies. You may withdraw consent at any time.

• To create, maintain, and authenticate your account
• To verify your company’s identity and eligibility (KYB process)
• To facilitate listings, inquiries, deal negotiation, escrow, and document exchange between counterparties
• To process the Platform Fee upon deal settlement
• To screen against applicable sanctions lists and conduct ongoing compliance monitoring
• To communicate with you about your account, transactions, Platform changes, and security alerts
• To provide customer support and resolve disputes
• To detect, prevent, and investigate fraud, unauthorized access, and Terms violations
• To analyze Platform usage for improvement, benchmarking, and market intelligence (in anonymized and aggregated form)
• To comply with legal obligations, court orders, and regulatory requests
• To send you relevant marketing communications (where you have consented or where permitted for business contacts)

We do not sell, rent, or trade your personal data. We share data only as follows:

Your data may be transferred to and processed in countries outside the European Economic Area (EEA) and the United Kingdom, including the United States where our hosting infrastructure is located. Where such transfers occur, we ensure appropriate safeguards are in place, including:

• EU Standard Contractual Clauses (SCCs): Approved by the European Commission under Article 46 GDPR, incorporated into our data processing agreements with non-EEA service providers.
• UK International Data Transfer Agreement (IDTA): For transfers from the United Kingdom.
• Adequacy decisions: Where a country has been recognized by the European Commission or UK Government as providing an adequate level of data protection.

You may request a copy of the relevant transfer safeguards by contacting us at dpo@kupros.com.

We retain personal data only as long as necessary for the purposes described in this Policy:

• Account data: Retained for the life of your account plus 90 days following account deletion, to allow for reactivation and dispute resolution.
• KYB verification data: Retained for 5 years following the last transaction or account termination, whichever is later, as required by AML/CTF record-keeping obligations.
• Transaction data: Retained for 7 years following deal settlement, for audit, tax, and compliance purposes.
• Communications and support tickets: Retained for 3 years following resolution.
• Log and usage data: Retained for 12 months in identifiable form, then anonymized.
• Marketing consent records: Retained indefinitely as evidence of consent, even after account deletion.

After the applicable retention period, personal data is securely deleted or irreversibly anonymized. Anonymized data may be retained indefinitely for analytics and benchmarking.

We use the following categories of cookies:

• Strictly necessary cookies: Session cookies for authentication (httpOnly, secure), CSRF protection tokens, and server-side state management. These are essential for Platform functionality and cannot be disabled. Legal basis: contractual necessity.
• Functional cookies: Preference storage (language, theme) and UI state persistence. Set only upon your interaction with the relevant feature. Legal basis: legitimate interest.
• Analytics cookies: Anonymized usage measurement for Platform improvement. We do not use advertising cookies, tracking pixels, or third-party marketing cookies. Legal basis: legitimate interest (anonymized only).

You may configure your browser to reject cookies. However, strictly necessary cookies are required for Platform operation; rejecting them will prevent you from logging in or using authenticated features.

We do not respond to “Do Not Track” (DNT) signals, as no consistent industry standard for DNT has been adopted.

Under GDPR and UK data protection law, you have the following rights:

• Right of Access (Art. 15): You may request confirmation of whether we process your personal data and, if so, a copy of that data and information about the processing.
• Right to Rectification (Art. 16): You may request correction of inaccurate personal data or completion of incomplete data.
• Right to Erasure (Art. 17): You may request deletion of your personal data where: it is no longer necessary for the purpose collected; you withdraw consent; you object to processing and there is no overriding legitimate interest; or processing was unlawful. This right is subject to legal retention obligations.
• Right to Restriction (Art. 18): You may request restriction of processing where: you contest accuracy; processing is unlawful but you oppose erasure; we no longer need the data but you require it for legal claims; or you have objected to processing pending verification of our legitimate grounds.
• Right to Data Portability (Art. 20): You may request your data in a structured, commonly used, machine-readable format for transmission to another controller, where processing is based on consent or contract and is carried out by automated means.
• Right to Object (Art. 21): You may object to processing based on legitimate interests, including profiling for direct marketing. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
• Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
• Right to Complain (Art. 77): You have the right to lodge a complaint with your local data protection supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO). In the EU, this is the supervisory authority in your member state of residence.

To exercise any of these rights, contact us at dpo@kupros.com. We will respond within one month (extendable by two months for complex requests). We may require proof of identity before processing your request. These rights are not absolute and may be subject to exemptions under applicable law.

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, including:

• Encryption of data in transit (TLS 1.3) and at rest (AES-256)
• Password hashing using bcrypt with a work factor of 12
• httpOnly, secure, and SameSite (Lax) flags on all session cookies
• Parameterized database queries to prevent injection attacks
• Rate limiting on authentication endpoints
• Role-based access control throughout the Platform
• Regular security review of code changes and dependencies
• Document access via signed, time-limited tokens (no direct URLs)

No method of transmission or storage is completely secure. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay and within 72 hours where feasible.

The Platform is intended for business use by individuals aged 18 and over. We do not knowingly collect personal data from individuals under 18. If we become aware that we have inadvertently collected personal data from a person under 18, we will delete it promptly.

We do not use your personal data for automated decision-making that produces legal effects or similarly significant effects concerning you. Our compliance screening and verification processes involve human review.

We may update this Privacy Policy from time to time. Material changes will be communicated to you via email or Platform notification at least 14 days before taking effect. The “Last updated” date at the top of this page indicates when this Policy was last revised. Your continued use of the Platform after the effective date constitutes acknowledgment of the updated Policy.