Privacy Policy

SUPA HUB SPC (“SUPA HUB”, “SUPA”, “S U P A”, “we”, “us”, or “our”) is a segregated portfolio company incorporated in the Cayman Islands, with registration number 359688 and registered address at Harbour Centre 4/F, 42 North Church Street, George Town, KY1-1107, Cayman Islands. We provide digital asset registry and infrastructure services exclusively through partnerships with licensed financial institutions. We do not provide banking, advisory, or other financial services ourselves. Digital assets are not insured. SUPA HUB SPC acts as the official issuer and registrar of all documents generated through its platform. Each such document is executed using a qualified electronic signature with full legal effect, and its authenticity and integrity can be verified at any time at https://app.supahub.co/veri.

This Privacy Policy sets out how we collect, use, disclose, and protect your personal data when you interact with our website, platform, or any other online or offline services we provide (collectively, the “Services”). We are committed to processing personal data in compliance with the Data Protection Act, 2017 (as revised) of the Cayman Islands (“DPA”) and other applicable data protection laws. As a Cayman Islands entity, our processing activities are primarily governed by the DPA, which establishes principles for the fair and lawful handling of personal data.

We may resell certain services from third-party providers, including but not limited to SUPA RED LTD (a Category A Registrant under Hong Kong Cap. 615 (Anti-Money Laundering and Counter-Terrorist Financing Ordinance), registration number A-B-24-11-08324, address: 10/F YF Life Tower, Unit HD106, 33 Lockhart Rd, Wan Chai, Hong Kong; company registration/tax number: 76874833). We may also purchase services from other third-party suppliers, including financial service providers, and resell them to our clients. However, SUPA HUB SPC itself does not render any financial services.

1. Personal Data We Collect

We collect only the personal data that is strictly necessary for the purposes outlined in this Policy. Personal data means any information relating to an identified or identifiable individual. This may include:

Directly from You
- Full name, date of birth, nationality, and other personal identifiers.
- Contact details, such as email address, telephone number(s), and postal address.
- Identity and address verification documents (e.g., passport, driving licence, utility bills).
- Any other information you voluntarily provide to us.

Automatically When You Use Our Services
- Technical data, including IP address, device identifiers, browser type, and operating system.
- Usage data, such as pages visited, time spent on the site, and referring website.
- Information from cookies and similar technologies (please refer to our separate Cookie Policy for details).

From Third Parties
- Information received from our partner licensed financial institutions or other service providers.
- Data from publicly available sources and sanctioned-party screening databases for anti-money laundering (AML) and compliance purposes.

We do not intentionally collect sensitive personal data (e.g., data revealing racial or ethnic origin, political opinions, religious beliefs, or health) unless strictly required by law or for the prevention or detection of crime. All collection is conducted in accordance with the data protection principles under the DPA, ensuring that data is obtained fairly and lawfully.

2. How We Use Your Personal Data

We process your personal data solely for legitimate purposes and in compliance with the DPA's data protection principles, which require that processing be fair, lawful, and limited to what is necessary. We process your personal data for the following purposes and on the following lawful bases:

To facilitate your access to digital asset registry and infrastructure services through our partnerships with licensed financial institutions. Lawful basis: Necessary for the performance of a contract with you or our legitimate interests in providing the Services.

To conduct identity verification, AML checks, and sanctions screening. Lawful basis: Compliance with a legal obligation.

To provide, maintain, and improve our Services, including troubleshooting and enhancing functionality. Lawful basis: Our legitimate interests in operating and developing our business.

To communicate with you, including service updates, support responses, and (where you have provided consent) marketing materials. Lawful basis: Our legitimate interests or your consent, as applicable.

To detect and prevent fraud, illegal activity, or security breaches. Lawful basis: Compliance with a legal obligation and our legitimate interests.

To comply with applicable laws, regulations, and reporting requirements, including those under anti-money laundering legislation. Lawful basis: Compliance with a legal obligation.

For anonymised statistical analysis and business improvement, ensuring no individual can be identified. Lawful basis: Our legitimate interests.

We ensure that all processing is proportionate, accurate, secure, and respects the rights of data subjects as prescribed by the DPA. Processing is not undertaken in a manner incompatible with the specified purposes, and we regularly review our activities to maintain compliance.

3. Disclosure of Your Personal Data

We disclose personal data only where necessary and in accordance with the DPA, always ensuring appropriate safeguards and confidentiality. Disclosures may occur:

- To our partner licensed financial institutions, who may act as independent data controllers once they receive your data for the provision of their services.
- To carefully selected third-party service providers acting as data processors on our behalf (e.g., for IT hosting, compliance screening, or customer support), bound by contractual obligations to protect data.
- To professional advisers, auditors, and insurers, where required for legal or operational purposes.
- To regulatory authorities, law enforcement agencies, or courts where required or permitted by law, including for the prevention or detection of crime.
- In the event of a corporate restructuring, merger, or sale of our business, subject to equivalent data protection standards.

We do not sell your personal data or share it with third parties for their own marketing purposes. Where we engage third parties such as SUPA RED LTD or other suppliers, they process data solely to support the services we provide to you and are required to adhere to the DPA's principles. All disclosures are minimised and documented to ensure accountability.

4. International Transfers

Personal data may be transferred to and processed in countries outside the Cayman Islands, including Hong Kong, the United Kingdom, the European Union, the United States, and the United Arab Emirates. Under the DPA, we ensure that such transfers occur only to countries or territories that provide an adequate level of protection for the rights and freedoms of data subjects, or with appropriate safeguards in place. These may include contractual clauses, binding corporate rules, or other mechanisms approved under the DPA to protect data integrity and security during transfer.

5. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, as outlined in this Policy, and to comply with legal obligations under the DPA and other applicable laws. Typically, client-related data is retained for at least seven years after the end of our relationship with you, in line with regulatory requirements for record-keeping and auditing. After this period, personal data is securely deleted, destroyed, or anonymised in a manner that prevents re-identification, ensuring compliance with the DPA's principles of data minimisation and storage limitation.

6. Your Rights

As a data subject under the DPA, you have certain rights in relation to your personal data, subject to applicable exemptions and conditions. These rights are exercised in accordance with the procedures set out in the DPA and may involve interaction with the Office of the Ombudsman (the data protection authority in the Cayman Islands). We will facilitate the exercise of these rights to the extent required by law. Your rights include:

- The right to access your personal data: You may request confirmation as to whether your personal data is being processed and, if so, obtain details about the data, its purposes, recipients, and other relevant information, subject to a written request and any prescribed fee.
- The right to require cessation of processing: You may, by written notice, require us to cease or not begin processing your personal data for a specified purpose or in a specified manner, unless such processing is necessary for contractual, legal, or vital interest reasons.
- The right to object to processing for direct marketing: You may require us to cease or not begin processing your personal data for direct marketing purposes.
- Rights in relation to automated decision-making: If a decision significantly affecting you is based solely on automated processing, you may require that it not be made in this way or request reconsideration.
- The right to rectification, blocking, erasure, or destruction: If you believe your personal data is inaccurate, you may complain to the Ombudsman, who may order us to rectify, block, erase, or destroy the data if the complaint is upheld.

These rights do not include data portability or an absolute “right to be forgotten,” as these are not provided under the DPA. To exercise any applicable rights, please contact us using the details in Section 9. We will respond in accordance with the timelines and requirements of the DPA, typically within 30 days. If your request is refused, we will provide reasons, and you may complain to the Ombudsman. We do not offer rights beyond those mandated by the DPA.

7. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage, as required by the DPA. These measures include encryption, access controls, regular security audits, and employee training. We review and update these measures periodically to address evolving risks, ensuring the confidentiality, integrity, and availability of personal data.

8. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. The latest version will always be posted on our website.