Privacy Policy

Qiro ("we," "our," "us") is committed to protecting the privacy of our investors, borrowers, partners, and platform users. This Privacy Policy explains how we collect, use, store, and share information when you interact with our services, including the Qiro platform (qiro.fi), our smart contracts, wallets, and related financial services supporting tokenized credit investments.

By accessing or using our services, you acknowledge that you have read and understood this Privacy Policy and agree to the collection and use of your information as described herein.

1. Information We May Collect

We may collect the following categories of information:

1.1 Personal Information Provided by Investors and Borrowers

• Full name, date of birth, nationality, and identification documents (passport, ID card, driver's license)

• Contact details (email address, phone number, residential address)

• Financial and professional information required for KYC/AML checks

• Accredited/qualified investor certifications (where applicable)

1.2 Wallet and Transaction Data

• Blockchain wallet addresses used for investments and repayments

• Details of subscriptions, token holdings, disbursements, and repayment transactions

• Smart contract interactions (Investor contract, Borrower contract, Distributor contract, SPV wallets)

1.3 Institutional and Borrower Data

• Legal entity details, incorporation certificates, beneficial ownership disclosures

• Loan origination and asset performance data

• Collateral and receivable information provided under Security Agreements

1.4 Platform and Technical Data

• IP addresses, device identifiers, and browser information

• Usage data from the Qiro platform and dashboards

• Cookies and similar technologies (if applicable)

2. How We Use Information

Qiro Platform uses the collected information for the following purposes:

• Regulatory Compliance: To perform AML/KYC checks and comply with applicable laws

• Fund Flow Execution: To process subscriptions, issue tokens, disburse loans, and route repayments

• Risk Management: To verify borrower eligibility, enforce security pledges, and manage investor protections

• Platform Operations: To provide dashboards, investor reporting, and marketplace services

• Security: To prevent fraud, unauthorized transactions, and malicious activities

• Communications: To provide investors and borrowers with reports, notices, and disclosures

3. Legal Basis for Processing

We process personal data on the following bases:

• Consent: Where you have given explicit consent

• Contractual Necessity: To perform obligations under the Subscription Agreement, Loan Agreement, or related contracts

• Legal Obligations: To comply with AML, KYC, tax, and regulatory requirements

• Legitimate Interests: To safeguard platform integrity, investor protections, and operational efficiency

4. Cross-Border Data Transfers and Third Party Services

We may share your personal information with carefully selected third-party service providers to help us operate, provide, and improve our services. These third parties may include:

• Identity verification and compliance providers for Know-Your-Customer (KYC) and Anti-Money Laundering (AML) obligations

• Cloud hosting, storage, and IT providers to securely manage data

• Payment processors, custodians, and banking partners to facilitate transactions

• Analytics, fraud prevention, and security services to maintain the integrity of our platform

We require all third parties to process your information in accordance with applicable data protection laws and our instructions. They are prohibited from using your information for their own purposes.

Because we operate internationally, your personal information may be transferred to and processed in jurisdictions outside of your country of residence, including countries that may not provide the same level of data protection as your home jurisdiction.

Where such cross-border transfers occur, we implement appropriate safeguards to protect your personal information, including:

• Standard Contractual Clauses (SCCs) approved under the General Data Protection Regulation (GDPR)

• Binding contractual obligations requiring recipients to safeguard personal data

• Technical and organizational measures such as encryption and restricted access

For residents of the European Economic Area (EEA), United Kingdom, or Switzerland, we will only transfer your personal data to jurisdictions recognized as providing adequate protection or subject to legally valid transfer mechanisms.

For residents of California, we comply with the California Consumer Privacy Act (CCPA), ensuring you have the right to know, access, delete, and opt out of the sale or sharing of your personal data. We do not sell your personal information.

Cross-Border Processing by Issuers and SPVs

Personal data may also be processed by Issuers or Special Purpose Vehicles (SPVs) incorporated in Panama or other jurisdictions where Qiro structures transactions. In such cases:

• Contractual Safeguards: We require all Issuers and SPVs to adhere to binding contractual obligations, including Standard Contractual Clauses (SCCs) where applicable, ensuring that equivalent data protection standards are applied

• Purpose Limitation: Data shared with Issuers or SPVs is limited to what is strictly necessary for executing contractual obligations

• Access Controls: Only authorized personnel of the Issuer or SPV, subject to confidentiality undertakings, may access personal data

• Further Sharing: These entities may in turn disclose data to trustees, security agents, escrow providers, auditors, or regulators solely for compliance with legal or contractual obligations

• User Rights: You continue to retain all rights provided under applicable data protection laws regardless of where processing takes place

• Legal Disclosure: Where required by applicable law or supervisory authority, we may share relevant data without additional notice, but will limit disclosure to the minimum necessary

By using our services, you acknowledge and agree to such transfers and processing of your personal data in accordance with this Privacy Policy.

6. Data Retention

We retain data for as long as necessary to:

• Fulfill the purposes outlined in this policy

• Comply with legal and regulatory obligations

• Enforce contractual rights and resolve disputes

Investor and borrower identity records are typically retained for 7 years post-termination of the business relationship, subject to jurisdictional requirements.

7. Data Security

Qiro employs a comprehensive framework of technical, organizational, and administrative safeguards designed to protect personal data and other confidential information from unauthorized access, disclosure, alteration, or destruction. Our security program is aligned with industry standards and financial services best practices and includes, without limitation:

• Encryption protocols for data in transit and at rest, where applicable

• Strict access controls and multi-factor authentication to ensure that only authorized personnel may access sensitive information

• Segregation of duties and role-based permissions to minimize risks of internal misuse

• Regular monitoring, vulnerability assessments, and audits to identify and address emerging threats

• Secure infrastructure and storage solutions, including third-party service providers that are contractually bound to adhere to equivalent security measures

Further to demonstrate our commitment to the highest standards of security and regulatory compliance:

• Independent Audits: We engage reputable third-party firms to perform annual smart-contract and system security audits

• Responsible Disclosure: We maintain a responsible vulnerability disclosure program that allows security researchers to report issues in a safe, coordinated, and legally protected manner

• Breach Notification: In the unlikely event of a personal data or system security breach, Qiro will notify affected individuals and competent supervisory authorities without undue delay, in accordance with applicable law

• Continuous Monitoring: Our systems are subject to ongoing monitoring, penetration testing, and incident-response protocols to identify and address emerging threats in real time

• Blockchain and Decentralized Network Considerations: Certain information, such as wallet addresses and on-chain transaction records, may be publicly recorded on decentralized networks

Residual Risk and User Responsibility: While we strive to apply appropriate safeguards in accordance with applicable laws and regulatory obligations, no method of transmission or storage is entirely secure. Accordingly, we cannot guarantee absolute protection of personal data. Users are responsible for maintaining the confidentiality of their access credentials, private keys, and devices used to engage with our services.

8. Your Rights

Depending on your jurisdiction (e.g., GDPR in the EU, PDPA in Singapore), you may have rights to:

• Access, correct, or update your personal data

• Request deletion, subject to legal retention obligations

• Restrict or object to processing of personal data

• Request a copy of your data in portable format

Requests can be submitted to [email protected]

9. Cookies and Web Tracking

Qiro platform uses cookies, tracking technologies, and similar tools to enhance functionality, improve user experience, and collect information about how our services are used. These technologies allow us to:

• Recognize and remember users' preferences and settings

• Facilitate secure login and account management

• Monitor website traffic, usage patterns, and performance

• Conduct analytics and market research to improve our services

• Comply with legal and regulatory obligations, including fraud detection and security monitoring

Types of Cookies and Tracking Technologies

• Strictly Necessary Cookies: Essential for the operation of our platforms

• Functional Cookies: Enhance usability by remembering preferences or settings

• Analytics and Performance Cookies: Collect aggregated information about user activity to help us improve services

• Security Cookies: Assist in fraud prevention and authentication

We do not use cookies for targeted advertising without obtaining appropriate user consent.

Most web browsers allow you to control or disable cookies through settings. Please note that if you disable or reject certain cookies, some features of our services may not function as intended.

10. Updates to Privacy Policy

We may update this Privacy Policy from time to time. Updates will be posted on qiro.fi and the "Last Updated" date will be revised accordingly.

11. Disclaimer

Please note that blockchain data is public and immutable. Wallet addresses, balances, transaction hashes, and smart-contract events are recorded on decentralized ledgers that are publicly visible and cannot be altered or erased. As a result, certain data-subject rights do not apply to on-chain records. We will, however, respect your rights with respect to any off-chain personal data that we process.

12. Complaints

We take very seriously any complaints we receive about our use of Personal Information. Questions, comments, requests, or complaints regarding this Privacy Notice, or wish to discuss your data protection rights with us, please contact using the information below.

13. Contact Us

To exercise any of your rights or if you have any questions or concerns about this Privacy Policy or our privacy practices, please contact us using the following information:

Email: [email protected]