Privacy Policy.
By accessing or using any services provided by Block Zero (the "Services"), you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, you must not use the Services.
01About Us
Block Zero is a digital asset infrastructure firm. References to "Block Zero," "we," "us," or "our" in this policy refer to Block Zero and its affiliates.
02Consent
By submitting information to us, engaging with our verification process, or otherwise using the Services, you expressly consent to the collection, use, processing, storage, transfer, and disclosure of your personal data as described in this Privacy Policy. This consent extends to all data collected directly by us or through third-party service providers acting on our behalf.
You acknowledge that the provision of personal data, including identity verification data, is a condition of using the Services.
03Information We Collect
We may collect the following categories of information in connection with client onboarding, verification, and ongoing service delivery:
Full legal name, date of birth, nationality, government-issued identity documents (including passport, national ID, and driving licence), proof of address documentation, source of funds information, source of wealth information.
Facial geometry and liveness verification data collected during the identity verification process. Biometric data is collected solely for the purpose of verifying your identity. It is not sold, leased, or traded to any third party. Biometric data is processed by our verification provider and is retained only for as long as necessary to complete verification and satisfy our compliance obligations, after which it is permanently destroyed. By submitting to our verification process, you expressly consent to the collection and use of biometric data as described in this section.
Corporate registration documents, articles of incorporation, beneficial ownership information, director and officer details, corporate structure documentation.
Email address, name, correspondence records, wallet addresses.
IP address, browser type, device information, access logs, and basic website analytics.
We reserve the right to collect additional information as reasonably required for compliance, risk management, or service delivery purposes.
04How We Use Your Data
We use personal data for the following purposes:
- Client identity verification and due diligence (KYC/KYB)
- Compliance with applicable anti-money laundering (AML), counter-terrorism financing (CTF), and sanctions obligations
- Risk assessment and ongoing monitoring
- Service delivery, administration, and communication
- Maintaining records required by applicable law or regulation
- Protecting our legitimate business interests, including the enforcement of our agreements
- Any other purpose necessary for compliance, risk management, or the performance of our Services
05Disclosure to Third Parties
We may disclose your personal data to:
- Verification providers (including Didit) for identity and document verification processing
- Cloud and infrastructure providers for secure data storage and processing
- Legal, compliance, and professional advisors
- Regulatory authorities, law enforcement, or governmental bodies where required or requested by applicable law, regulation, court order, or governmental inquiry
- Any party in connection with a corporate transaction, including merger, acquisition, reorganisation, or sale of assets
We may disclose personal data to third parties in any jurisdiction, including jurisdictions that may not provide the same level of data protection as your country of residence.
06Third-Party Processors
Certain services, including identity verification, are provided through third-party processors. These processors operate their own systems, security infrastructure, and data handling procedures.
While we take reasonable steps to engage reputable service providers, to the extent permitted by applicable law, we do not accept liability for the acts, omissions, security practices, or data handling of any third-party processor. Your data, once transmitted to a third-party processor, is subject to that processor's own policies and procedures.
Any claim arising from a third-party processor's handling of your data should be directed to that processor in the first instance. By consenting to this Privacy Policy, you acknowledge and accept this limitation.
07Data Retention
We retain personal data for a minimum of five (5) years following the termination of our business relationship or the completion of the relevant transaction, whichever is later. This retention period is aligned with our regulatory obligations.
We may retain data for longer where required by applicable law, regulation, or ongoing legal proceedings, or where we determine in our sole discretion that retention is necessary for compliance or risk management purposes, provided that retention shall not exceed ten (10) years unless a longer period is required by law.
Data submitted in connection with incomplete or abandoned verification processes may be retained for up to twelve (12) months before deletion.
Following the applicable retention period, we will take reasonable steps to securely delete or anonymise personal data, unless further retention is required or permitted by law.
08Data Security
We implement commercially reasonable technical and organisational measures to protect personal data. However, no system of data transmission or storage is guaranteed to be fully secure. We do not warrant or guarantee the security of any information transmitted to or stored by us or our service providers, and you provide personal data at your own risk.
To the fullest extent permitted by law, we shall not be liable for any unauthorised access to, or breach of, personal data except where such breach is caused directly by our gross negligence or wilful misconduct.
09Your Rights
You may request access to, correction of, or deletion of your personal data by contacting us at [email protected].
All requests are subject to:
- Our regulatory and legal retention obligations
- Verification of your identity
- Our reasonable discretion as to the form and timing of any response
We will acknowledge requests within thirty (30) days. We reserve the right to decline requests that are vexatious, unreasonable, or that would conflict with our legal or compliance obligations.
We are not obligated to delete data where retention is required for compliance, legal, regulatory, or legitimate business purposes.
10International Transfers
Your personal data may be transferred to, stored in, and processed in any jurisdiction in which we or our service providers operate. These jurisdictions may not provide the same level of data protection as your country of residence.
By using the Services, you expressly consent to such international transfers.
11Changes to This Policy
We may update this Privacy Policy at any time and without prior notice. The most current version will be available at this URL. Your continued use of the Services following any changes constitutes acceptance of the revised policy.
12Limitation of Liability
To the fullest extent permitted by applicable law, Block Zero, its officers, directors, employees, and agents shall not be liable for any loss, damage, or harm arising from or in connection with the collection, use, disclosure, storage, or processing of personal data under this Privacy Policy, except where such loss is caused directly by our gross negligence or wilful misconduct.
13Governing Law and Jurisdiction
This Privacy Policy shall be governed by and construed in accordance with the laws of the British Virgin Islands, without regard to conflict of law principles. Any dispute arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of the British Virgin Islands.
14Do Not Sell
We do not sell, lease, or rent personal data to third parties as defined under any applicable law, including the California Consumer Privacy Act (CCPA).
15Supplemental Notice for EEA and UK Residents
This section applies to individuals located in the European Economic Area (EEA) or the United Kingdom. Where this section conflicts with the main body of this Privacy Policy, this section takes precedence for EEA and UK residents.
/ Data Controller
Block Zero acts as the data controller for personal data collected through the Services.
/ Legal Basis for Processing
We process personal data on the following legal bases under the UK GDPR and EU General Data Protection Regulation:
| Processing Activity | Legal Basis |
|---|---|
| Identity verification (KYC/KYB) | Legal obligation (Art. 6(1)(c)) |
| Biometric data (liveness/selfie) | Explicit consent (Art. 9(2)(a)) |
| Risk assessment & monitoring | Legitimate interest (Art. 6(1)(f)) |
| Service delivery & communication | Performance of contract (Art. 6(1)(b)) |
| Record-keeping | Legal obligation (Art. 6(1)(c)) |
/ Your Rights Under GDPR
In addition to the rights described in Section 9, EEA and UK residents have the right to:
- Data portability — receive your personal data in a structured, commonly used, machine-readable format
- Restriction of processing — request that we limit how we use your data in certain circumstances
- Object to processing — object to processing based on legitimate interests, subject to our right to demonstrate compelling legitimate grounds
- Withdraw consent — where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal
- Lodge a complaint — file a complaint with a supervisory authority in your country of residence
Requests can be made by contacting [email protected]. We will respond within thirty (30) days. Where requests are complex or numerous, we may extend this period by a further sixty (60) days with notice.
Note that certain rights are subject to limitations where we are required to retain data for compliance with legal obligations, including AML/CTF regulations. Where this applies, we will inform you of the specific restriction and the reason for it.
/ International Transfers
Where personal data is transferred outside the EEA or UK, we rely on one or more of the following transfer mechanisms:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The UK International Data Transfer Agreement or Addendum, where applicable
- Any adequacy decision issued by the European Commission or UK Secretary of State
/ Data Protection Enquiries
For data protection enquiries specific to EEA or UK processing, contact: [email protected]
16Contact
For questions regarding this Privacy Policy or your personal data: