English
Access
OriginMissionBricks Meets Blocks
THE BRANDVAULTBLUEPRINTCLARITYOWNER OPERATORASSETS LOCATORPLATFORM ACCESS
Real World Asset
Tokenization
Onchain infrastructure
Partners & Custodians
RegulatorInsights
Privacy PolicyTerms & ConditionsSocialSitemap
LANGUAGE
ENFRESARJAKOCN

PRIVACY POLICY

Link

1. Introduction

Starblocks (“we”, “us”, “our”, or the “Platform”) is committed to protecting the privacy and personal data ofusers, investors, advisors, owner-operators, and visitors (“you”, the “user”) of the website accessible atstarblocks.io and of any related services (together, the “Services”).This Privacy Policy describes how we collect, use, share, store, and protect your personal data when you visitstarblocks.io, request access, complete KYC or KYB procedures, subscribe to tokenized instruments, orotherwise interact with Starblocks. It applies in addition to the Terms of Use and the Risk Factors of thePlatform.

We process personal data in accordance with the General Data Protection Regulation (Regulation (EU)2016/679, “GDPR”), the French Data Protection Act (Loi Informatique et Libertés), the Personal DataProtection Law of the Kingdom of Bahrain (Law No. 30 of 2018), and any other applicable data protectionlegislation.

2. Data Controller

Starblocks acts as the data controller for the personal data processed through the Platform, including datacollected for KYC, KYB, AML, sanctions screening, investor onboarding, and the operation of the Services.Where Starblocks operates jointly with affiliated entities (which share leadership with the FoncièreRenaissance group), with the issuing securitization vehicles, or with third-party service providers (such ascustodians, banking distributors or identity-verification providers), the respective roles of each party(controller, joint controller or processor) are defined contractually in line with applicable law.

To exercise your rights or to contact our data protection function, please use the contact details set out insection 12. Where required by applicable law, a Data Protection Officer (DPO) may be designated and his orher contact details will be made available on starblocks.io.

3. Categories of personal data we collect

Depending on your relationship with Starblocks (visitor, prospective investor, onboarded investor, advisor,owner-operator, partner, candidate), we may collect and process the following categories of personal data:• Identification data: full name, date and place of birth, nationality, photograph, copy of identitydocument, passport or national ID number, signature.• Contact data: postal address, email address, telephone number, professional contact details.

• Professional and financial data: profession, employer, professional status (e.g., professionalclient, family office, advisor, HNWI, UHNWI, institution, bank, owner-operator), source of funds,source of wealth, investment objectives, knowledge and experience, financial capacity, taxresidence, tax identification number.

• KYC, KYB and compliance data: documents and information required to comply with AML,counter-terrorism financing, and sanctions obligations, including beneficial ownership informationfor legal entities, politically exposed person (PEP) status, and the results of sanctions and adversemedia screening.

• Wallet and on-chain data: public blockchain addresses linked to your account, transaction historyrelating to the tokens you hold or transfer on the Platform, and associated metadata.

• Account and authentication data: username, hashed password, authentication factors, securityquestions, login history, IP addresses.

• Usage and technical data: device information, browser type, operating system, language, timezone, pages visited, features used, referral URLs, clickstream, log files, error reports

• Communication data: emails, messages, calls, recordings (where permitted and with prior notice),correspondence with our teams, feedback, complaints, and any content you submit throughforms on the Platform.

• Cookies and similar technologies: as described in section 8.We do not knowingly collect special categories of personal data (e.g., data relating to health, religion,political opinions) unless strictly necessary and permitted by law, in particular where required by AMLregulations (for example, certain information about politically exposed persons). We do not knowinglycollect personal data from minors; the Platform is reserved for adult eligible investors.

4. Source of Data

We collect personal data primarily directly from you, in particular when you:

• Browse starblocks.io or interact with our content.

• Request access to the Platform or complete onboarding and KYC or KYB procedures.

• Subscribe to or transact in tokenized instruments.

• Contact us, sign up for communications, or interact with us at events.

We may also collect data from third parties, including:

• Identity-verification, KYC, KYB, AML, and sanctions-screening service providers.

• Public registers (e.g., commercial registers, beneficial ownership registers, sanctions lists).

• Banking distributors, custodians, paying agents, auditors, and other partners involved in ouroperations.

• Publicly available sources (e.g., professional networks, official websites, public blockchains).

• Your representatives, advisors, or the entity on whose behalf you act.

5. Purpose and legal bases of processing

We process personal data only where we have a valid legal basis under the GDPR (or the equivalent underapplicable local law). The main purposes and legal bases are as follows:

5.1 Operating the Platform and providing the Services

Legal basis: performance of a contract, or pre-contractual steps taken at your request (Article 6(1)(b) GDPR).

We process data to create and manage your account, verify your eligibility, deliver access to the Platform,manage subscriptions to tokenized instruments, distribute yields, generate and electronically sign (viaeIDAS-compliant tools) subscription bulletins, bond issuance documentation and other contractualdocuments, maintain the register of bondholders on the distributed ledger technology (DLT) device, andprovide reporting through the Vault and Clarity dashboards.

5.2 Compliance with legal and regulatory obligations

Legal basis: compliance with a legal obligation. We process data to comply withapplicable laws and regulations, including AML and counter-terrorism financing obligations, sanctionsscreening, MiCA-related obligations where relevant, French rules applicable to Shared Electronic RecordingSystems (DEEP), securitization rules, accounting and tax obligations, the obligations of the Central Bank ofBahrain Rulebook where applicable, the automatic exchange of tax information (FATCA, CRS), and theresponse to legitimate requests from competent authorities.

5.3 Fraud prevention, security and risk management

Legal basis: legitimate interest and/or compliance with a legal obligation (Article 6(1)(f) and 6(1)(c) GDPR).We process data to detect, prevent, and investigate fraud, abuse, cyberattacks, unauthorized use of thePlatform, and other activities that may threaten the security of users, partners, or Starblocks. Our legitimateinterest is the protection of the integrity of the Platform and of our users.

5.4 Communications and marketing

Legal basis: legitimate interest or, where required, consent (Article 6(1)(f) or 6(1)(a) GDPR). We may useyour contact data to send you operational notifications, updates regarding the Platform, your account, yourinvestments, and, where appropriate, information about new offerings, events, or insights. By creating anaccount or subscribing to a tokenized instrument, you accept that communications, including notices ofmeetings, convocations and contractual notifications, may be addressed to you by electronic means atthe email address you have provided. You undertake to immediately notify Starblocks of any change ofemail address. You may at any time revoke this acceptance and request to receive communications onpaper support by postal mail, in accordance with applicable law.

5.5 Improvement of the Platform and analytics

Legal basis: legitimate interest (Article 6(1)(f) GDPR). We process usage data and technical data tounderstand how the Platform is used, to monitor performance, to debug issues, and to improve the userexperience, security, and content of our Services. Our legitimate interest is the continuous improvement ofthe Platform for the benefit of all users.

5.6 Establishment, exercise or defense of legal claims

Legal basis: legitimate interest (Article 6(1)(f) GDPR). We may process data to handle disputes, complaints,regulatory inquiries, audits, or litigation involving Starblocks or its affiliates, including the issuingsecuritization vehicles.

6. Recipients and sharing of personal data

We share personal data only where necessary and on a need-to-know basis. Recipients may include:

• Affiliated entities sharing leadership with the Foncière Renaissance group, including the issuingsecuritization vehicles and Owner Operators, where required to deliver the Services.

• Auditors and statutory bodies of the issuing entities, including statutory auditors (commissairesaux comptes / réviseurs d’entreprises agréés) and the Representative of the Bondholders’ Mass,where required to perform their statutory functions.

• Technical service providers operating the bondholders’ register, including the DLT registryproviders, the electronic-signature providers (eIDAS), the custodians and the paying agents, allbound by appropriate confidentiality undertakings.

• Banking institutions for payment operations, including the banks holding cash accounts, thebanking distributors (such as our authorised distributors under the partnership agreements), andthe correspondent banks.

• Service providers and processors acting on our behalf, including hosting providers, cloudinfrastructure providers, KYC, KYB and identity-verification providers, AML and sanctionsscreening providers, tokenization service providers, communication tools, analytics tools, andprofessional advisors (legal, audit, accounting, tax).

• Public authorities, regulators (including the Luxembourg Commission de Surveillance du SecteurFinancier (CSSF), the French Autorité des Marchés Financiers (AMF), the Central Bank of Bahrain(CBB) where applicable, and the Personal Data Protection Authority of the Kingdom of Bahrain), tax authorities, courts, and law-enforcement agencies, where required by law or to defend ourrights.

• Counterparties involved in a corporate transaction (e.g., merger, acquisition, restructuring),subject to appropriate confidentiality undertakings.

Our processors are bound by contractual obligations under Article 28 GDPR, which require them to processpersonal data only on our documented instructions and to implement appropriate technical andorganizational measures.

Public blockchain disclosure. By design, public blockchains are open and transparent. Wallet addresses andon-chain transactions associated with your activity may be publicly visible to any party with access to therelevant blockchain. We strive to minimize the personal data recorded on-chain; however, you should beaware that combining on-chain data with off-chain information may, in some cases, allow others to inferinformation about you. By using the Platform, you acknowledge and accept this characteristic of publicblockchain infrastructure.

7 . International transfers

Some of our service providers, group entities, or counterparties may be located outside the EuropeanEconomic Area (EEA), including in jurisdictions where we operate or where we tokenize assets (e.g., theUnited Kingdom, the United States, Switzerland, the United Arab Emirates, the Kingdom of Bahrain, Japan,Singapore, Monaco).

When personal data is transferred outside the EEA, we ensure that an appropriate level of protection is inplace, in particular by relying on: (i) adequacy decisions adopted by the European Commission; (ii) theStandard Contractual Clauses adopted by the European Commission (Decision 2021/914); (iii) other legallyrecognized safeguards (such as Binding Corporate Rules where applicable); and, where appropriate,supplementary measures to address risks identified in the recipient country in accordance with the SchremsII case law.

You may request a copy of the safeguards in place by contacting us as indicated in section 12.

8. Cookies and similar technologies

The Platform uses cookies and similar technologies (web beacons, pixels, local storage) to operate thewebsite, ensure its security, measure audience and performance, and, where you consent, personalizecontent or perform analytics.Strictly necessary cookies are used without your prior consent, as they are essential to provide the Servicesyou request.

Other cookies (analytics, audience measurement, functional, marketing) are only set after youhave given your consent through the cookie banner. You can withdraw or modify your consent at any timeusing the cookie-preferences settings available on starblocks.io.

A dedicated Cookie Policy, available on starblocks.io, provides more detailed information about each cookieused, its purpose, its provider, and its duration.

9. Your rights

Subject to applicable law (including the GDPR and, where relevant, the Personal Data Protection Law of theKingdom of Bahrain), you have the following rights regarding your personal data:

• Right of access: you can ask whether we process personal data about you and obtain a copy ofsuch data.

• Right to rectification: you can ask us to correct inaccurate or incomplete personal data.

• Right to erasure: you can ask us to delete your personal data, subject to legal retentionobligations (for example, AML records and bondholder registers).

• Right to restriction of processing: in certain circumstances, you can ask us to limit the processingof your data.

• Right to object: you can object, on grounds relating to your particular situation, to processingbased on our legitimate interests, and you can object at any time to direct-marketing processing.

• Right to data portability: where processing is based on consent or on a contract and is carried outby automated means, you may receive your data in a structured, commonly used, and machinereadable format.

• Right to withdraw consent: where processing is based on consent, you can withdraw it at anytime, without affecting the lawfulness of processing before the withdrawal.

• Right to provide instructions regarding the fate of your data after death, where applicable underFrench law (Article 85 of the French Data Protection Act).

• Right not to be subject to a decision based solely on automated processing, including profiling,that produces legal effects or similarly significantly affects you. Starblocks does not currently takesuch decisions on a fully automated basis without human review.

• Right to lodge a complaint with the competent supervisory authority, in particular theCommission Nationale de l'Informatique et des Libertés (CNIL) in France, the Personal DataProtection Authority of the Kingdom of Bahrain, or any other competent authority in your countryof residence.

To exercise your rights, please contact us using the details in section 12. We may ask you to provideadditional information to verify your identity before responding. We will respond within one (1) month,extendable to three (3) months for complex requests, in accordance with Article 12(3) GDPR.

Please note that certain rights may be limited or excluded by law, in particular where processing is requiredto comply with legal obligations (e.g., AML record-keeping, statutory bondholder register maintenance) orfor the establishment, exercise, or defense of legal claims. In addition, by design, transactions recorded onpublic blockchains are immutable: where personal data is recorded on-chain, the right to erasure orrectification may be limited; in such cases, we will use reasonable means (e.g., decoupling, encryption, offchain corrections) to mitigate the impact.

10. Special situations

Death of the user. In the event of the death of an individual user who holds tokenized instruments, the legalheirs or executors must notify their identity and contact details to the relevant issuer within three (3)months following the death, in order to obtain the registration of the bond instruments in their name. In theabsence of such notification within this period, the yields generated by the relevant instruments will beconsigned until the situation is regularised, in accordance with the bond issuance documentation.

Legal incapacity. In the event of the placement of a user under guardianship (tutelle), curatorship (curatelle)or any similar measure of legal protection, the legal representative must be declared to the issuer and mustjustify of his or her powers to exercise the rights attached to the tokenized instruments. The personal data ofthe user and of the legal representative will be processed for the purposes of administering the position andcomplying with applicable legal obligations.

During the periods described in this section, personal data relating to the deceased user, the heirs, or thelegal representative may be retained and processed by Starblocks and the issuing entities for the strictpurposes of administering the position, complying with applicable legal obligations, and protecting thelegitimate interests of the parties concerned.

11. Data Retention

We retain personal data only for as long as necessary to achieve the purposes set out in this Privacy Policy, inparticular:

  • KYC, KYB and AML data: for the duration of the business relationship and for the legal retentionperiod thereafter (typically five (5) years after the end of the relationship, or longer whererequired by law).
  • Bondholder register data: for the duration of the holding of the bond instruments and, afterredemption or cancellation of the instruments, archived in accordance with applicable legalprescription periods.
  • Accounting and tax data: for the legal retention periods applicable in the relevant jurisdictions(typically ten (10) years in France and Luxembourg).
  • Contractual and subscription data: for the duration of the contract and the applicable limitationperiods (typically five (5) years after termination).
  • Marketing data: until you withdraw consent or object, and in any event for a maximum of three(3) years after the last contact.
  • Technical and log data: for periods consistent with security and audit needs, typically twelve (12)months.

At the end of the applicable retention period, personal data is either deleted, anonymized, or archived inaccordance with our retention policy. Data archived for legal-defense purposes is subject to accessrestrictions and is destroyed at the end of the applicable limitation period.

12. Security and data breach notification

Starblocks implements appropriate technical and organizational measures to protect personal data againstunauthorized access, alteration, disclosure, loss, or destruction. These include access controls, segregationof duties, encryption in transit and at rest where appropriate, regular security testing, monitoring of thePlatform, multi-layer security on custody systems, and third-party audits.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, Starblocks willnotify the competent supervisory authority without undue delay and, where feasible, within seventy-two(72) hours, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to yourrights and freedoms, you will be informed without undue delay, in accordance with Article 34 GDPR.

Despite our measures, no system can guarantee absolute security. You play an essential role in protectingyour data by using strong and unique passwords, protecting your authentication factors, safeguarding your wallet credentials and private keys, and immediately reporting any suspicion of unauthorized access to your account.

13. Contact and coordination with the issuing entities

For any question regarding this Privacy Policy or to exercise your rights, please contact Starblocks via the official contact channels available on starblocks.io or by email at contact@starblocks.io.

Investors should note that certain personal data is also processed by the Luxembourg securitization vehiclesoperating as issuers of the bond instruments, which act as data controllers in their own capacity for thepurposes of issuing, managing and redeeming the bond instruments.

The investor relationship with suchissuers is governed by the relevant bond issuance documentation and subscription bulletin. For matters specifically relating to the bond instruments held (e.g., bondholder register, payment of yields), contact mayalso be made to the issuer at the contact details set out in the relevant offering documents. Starblocks andthe issuers cooperate to ensure consistent processing of personal data and respond to data subject requests in a coordinated manner.

14. Changes to this privacy policy

We may update this Privacy Policy from time to time to reflect changes in our activities, our serviceproviders, the technologies used, or applicable laws. The updated version will be made available onstarblocks.io with a new “Last updated” date. Where the changes are material, we will inform you throughthe Platform or by other appropriate means and, where required by law, will obtain your consent.