Dear Visitor,

Thank you for visiting our website and for your interest in our services. In the course of operating this website and providing our services, we process personal data that you provide to us. The protection of such data is extremely important to us.

This document contains information regarding the processing of your personal data and information about your rights under Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “GDPR”), and Act No. 110/2019 Coll., on the Processing of Personal Data (hereinafter the “Act”).

This document also includes information about the cookies used on our websites, in accordance with Act No. 127/2005 Coll., on Electronic Communications, as amended.

When we refer to AML regulations in this document, we primarily mean Act No. 253/2008 Coll., on

Certain Measures Against the Legalisation of Proceeds of Crime and Financing of Terrorism, as amended, as well as related national and European binding legal regulations concerning AML and the application of international sanctions.

1. Data Controller and Data Protection Officer

ILAVO GROUP a.s., having its registered office at Pražákova 1024/66a, Štýřice, 639 00 Brno, Company ID No.: 223 77 301, registered with the Commercial Register maintained by the Regional Court in Brno under file no. B 9042 (hereinafter “we” or “ILAVO”), acts as the data controller within the meaning of the GDPR and the Act, determining the purposes and means of processing your personal data as a data subject.

Processing of personal data under this document applies to any processing of data by ILAVO, primarily through the websites https://kvapay.com/, https://kvakomat.com, Ilavo Group - Innovative cryptographic fintech solutions in the EU | Ilavo Group, as well as through the automated device – Kvakomat (Bitcoin ATM).

In connection with the processing of personal data, our company has appointed a Data Protection Officer in accordance with the GDPR, who may be contacted via email at: gdpr@kvapay.com.

The Data Protection Officer oversees the personal data protection system within ILAVO. His responsibilities include providing advice to us and our processors involved in personal data processing regarding their obligations in the field of data protection. He also serves as the contact point for the supervisory authority.

2. Extent, Purposes, and Legal Basis for the Processing of Personal Data

ILAVO processes your personal data in the following situations:

• For the purpose of creating your client account on kvapay.com as a payment gateway for digital assets (pre-contractual relations), we process your first and last name, date of birth or personal identification number, if assigned to you, permanent residence address or another address in the scope of street, building number, municipality, postal code and country, citizenship, email address, and phone number. We process this data so that we can conclude a contract with you for the establishment of an account on the above-mentioned websites. The legal basis for the processing of personal data under the GDPR is the performance of a contract pursuant to Art. 6(1)(b) GDPR.
• For the purpose of creating your digital wallet, we process your first and last name, date of birth or personal identification number, if assigned to you, permanent residence address or another address in the scope of street, building number, municipality, postal code and country, citizenship, email address, and phone number. We process this data so that we can conclude a contract with you for the establishment of your virtual wallet. The legal basis for the processing of personal data is the performance of a contract pursuant to Art. 6(1)(b) GDPR.
• For the purpose of fulfilling obligations arising from AML regulations, in particular for the purpose of your identification when concluding a contract with us and during individual transactions, we process your first and last name, date of birth or personal identification number, if assigned to you, permanent residence address or another address in the scope of street, building number, municipality, postal code and country, citizenship, type and number of identity document (ID card, passport), and an image of your face. The legal basis for the processing of personal data is the fulfilment of obligations under AML regulations pursuant to Art. 6(1)(c) GDPR.
• For the purpose of creating statistics and developing new products, we process data about your use of our websites and our services. This mainly includes data about the services you view on our websites, the links you click, how you navigate our website, as well as data about the device from which you access our website, such as IP address, location derived from it, device identification, its technical parameters, and information from cookies and similar technologies. The legal basis for the processing of personal data in this case is our legitimate interest pursuant to Art. 6(1)(f) GDPR.
• For the purpose of fulfilling the contract with you and providing our services, we process information about your transactions, their execution, information about payments within transactions, and similar data. Without this processing, we would not be able to provide our services to you. The legal basis for the processing of personal data in this case is the performance of a contract with you pursuant to Art. 6(1)(b) GDPR.
• For the purpose of handling your requests and communicating with you, we process information about your requests, your email address, first and last name, and possibly your phone number. The legal basis for the processing of personal data in this case is our legitimate interest pursuant to Art. 6(1)(f) GDPR.
• For the purpose of fulfilling our legal obligations in the field of accounting, taxation, document management, and registers, we process data on the performance of contracts with you, your first and last name, address, and possibly other data required by legal regulations. The legal basis for the processing of personal data in this case is the fulfilment of obligations established by legal regulations pursuant to Art. 6(1)(c) GDPR.
• For the purpose of protecting our interests and legitimate claims, we process your first and last name, address, as well as data on the performance of contracts with you and data on the services we have provided to you. The legal basis for the processing of personal data is our legitimate interest pursuant to Art. 6(1)(f) GDPR.
• For the purpose of promoting our services and our company through newsletters, we process your first and last name, email address, based on your consent, or if you create an account with us or order a service and do not refuse the sending of commercial communications, also in accordance with legal regulations without your consent. The legal basis for the processing of personal data is either your consent or our legitimate interest pursuant to Art. 6(1)(f) GDPR.
• For the purpose of analysing the behaviour of users of our websites (cookie analytics), improving UX, and website optimisation, we process data in the scope of: IP address, device and browser data, mouse movement/scrolling, clicks, time spent on our websites, anonymised identifiers. The legal basis for the processing of personal data is your consent pursuant to Art. 6(1)(a) GDPR.

The purpose of processing personal data also includes the implementation of security measures to prevent fraud.

If the processing of your personal data is based on the performance of contractual (or pre-contractual) obligations arising from a contract with you, or on compliance with legal obligations—especially those under AML regulations—such processing is a prerequisite for us to provide our services. If you do not provide the required personal data, we cannot offer our services.

Personal data is collected directly from data subjects, but to the necessary extent it may also be obtained from publicly available registers and sanctions lists for the purpose of fulfilling legal obligations.

If the processing of your personal data by us is based on legitimate interest, the processing is carried out on the basis of balancing tests of proportionality prepared by our company. If you did not provide the data, we would not be able to pursue this interest. When processing your personal data, we pay attention to your rights, respect the principle of data minimisation with regard to the purpose of processing, and follow the conducted balancing tests.

For the purposes listed in the table, we rely on the legal basis of legitimate interest pursuant to Art. 6(1)(f) GDPR. Below you will find a more detailed explanation of the legitimate interests we pursue. ILAVO does not pursue the legitimate interests of third parties.

If, despite the above, you believe that this processing violates your rights, you may object to the processing of your personal data based on legitimate or public interest, as well as to processing for direct marketing purposes, including objection to related profiling pursuant to Art. 21 GDPR. In such a case, we will restrict the processing of your personal data until we demonstrate the existence of legitimate grounds for processing that override your right not to be subject to such processing. If we do not demonstrate these grounds, we will no longer process your personal data for the given purpose. If you object to processing for direct marketing purposes, we will immediately cease processing for that purpose.

If you have given consent to the processing of personal data, you have the right to withdraw this consent at any time, while the withdrawal does not affect the lawfulness of the processing of personal data obtained before the withdrawal of consent.

Your other rights as a data subject are further specified in Article 7 of this Information.

Telephone calls

Telephone calls made through support to the phone numbers listed on our websites (www.kvapay.com / www.kvakomat.com / www.ilavo.io) or at any Kvakomat may be recorded and stored in accordance with the purpose of their collection.

The legal bases for the processing of personal data for call recording are:

• AML regulations pursuant to Art. 6(1)(c) GDPR,
• performance of the contract between the client and ILAVO pursuant to Art. 6(1)(b) GDPR,
• protection of the legitimate interests of ILAVO pursuant to Art. 6(1)(f) GDPR.

During a telephone call, we create an audio recording which we store for the period necessary to fulfil the purpose of the telephone conversation in accordance with Article 5 of this Information. The legitimate interest of the controller is to ensure customer care, increase customer satisfaction, ensure proper fulfilment of obligations (legal and contractual), create an audio recording for the purpose of improving the services provided, and also to verify the information provided during calls in case of complaints/claims/customer inquiries.

Audio recordings may be systematically processed and evaluated and may also be used in the handling of complaints or in the event of a dispute.

The client is informed at the beginning of each call that telephone calls are recorded and stored, primarily for the protection of customer deposits and ensuring service quality. If the client does not agree with the creation and storage of an audio recording, they should terminate the telephone connection after being informed about the recording and choose another form of communication.

3. To whom do we disclose your personal data?

In most cases, we process your personal data for purposes defined by us as the data controller. In such cases, processing is carried out by our employees. Occasionally, we must use external service providers to ensure proper delivery of our services. These service providers process your personal data on our behalf for purposes we define, including:

• providers of services necessary for your identification and fulfilment of obligations under AML regulations;
• providers of analytical and statistical tools;
• providers of cloud services and other technology and support vendors;
• providers of marketing tools.
In certain cases, we transfer your personal data to other parties acting as data controllers. This occurs when a third party’s service is required to provide our services to you, and such third party determines the purposes of processing independently. These are primarily:
• payment system providers to facilitate payment processing, especially card payments; and
• providers of legal services, auditors, and tax advisors.

If a third party acts as a processor, it processes personal data exclusively on the basis of our instructions and under a personal data processing agreement pursuant to Art. 28 GDPR. If it acts as an independent controller, it processes personal data in its own name and on its own responsibility.

If your personal data is processed via social media, we act as joint controllers with the operators of the respective social media platforms (especially Facebook, Instagram). In such cases, we are obligated to inform you about such processing and provide a lawful basis for the processing of personal data. For more information regarding processing of personal data on Facebook and Instagram, see:

• Facebook: https://www.facebook.com/policy.php
• Instagram: https://help.instagram.com/519522125107875

Where required by generally binding legal regulations, we are also obliged to disclose your personal data to competent public and administrative authorities, in particular to regulatory authorities, law enforcement agencies, tax authorities, and other government institutions. However, in such cases, we only disclose your data to the necessary extent required by law.

The list of recipients of personal data is always specified in the relevant legal regulation that obliges us to provide personal data (e.g. courts, law enforcement authorities, bailiffs, insolvency administrators, public authorities, the National Bank of Slovakia, banks), or is stated directly in the consent, if personal data is processed on the basis of the data subject’s consent. If personal data is provided on the basis of a contract between ILAVO and the client, or based on the client’s instruction, the recipients are specified in that contract or instruction.

4. Cross-border transfer of personal data

Most of the processing of personal data by our company and its partners takes place within the EU, the European Economic Area, the United Kingdom of Great Britain and Northern Ireland, or Switzerland. However, in some cases, we may transfer your data to third countries when transferring them to processors, which do not ensure an adequate level of personal data protection. ILAVO uses the services of certain providers such as Google, LLC., Facebook, Inc., and Microsoft Corporation, mainly for marketing and statistical purposes. These providers are located in the United States of America, which constitutes a third country. However, companies that have certified under the so-called EU-US Data Privacy Framework (DPF) mechanism are, according to the decision of the European Commission, considered to provide an adequate level of personal data protection comparable to that in the EU.

The transfer of personal data to third countries (including the United States of America) is carried out on the basis of the European Commission’s adequacy decision within the EU-US Data Privacy Framework (DPF), or on the basis of standard contractual clauses pursuant to Art. 46 GDPR.

5. Retention Period of Personal Data

ILAVO retains your personal data only for as long as necessary to achieve the purposes of processing, or as long as required by applicable legal regulations. If you have provided consent for data processing, your personal data will be processed until you withdraw that consent. The duration may vary depending on the purpose, but we always ensure data minimization and only process data that is necessary for the specific purpose. Once the purpose ceases, your data is deleted or anonymized.

We process your personal data for the following durations:

• data necessary for the performance of the contract between you and our company is processed for the duration of the contract and thereafter for the period of the general limitation period under applicable legislation, extended by one year;
• data necessary for the fulfilment of our obligations under AML regulations is processed for a period of 10 years from the moment of identification; after this period, the data is securely deleted or anonymised, unless a legal regulation provides otherwise.
• data necessary for handling your requests and communication with us is processed for the period necessary to resolve the request and thereafter for the period of the general limitation period extended by one year; if we must also retain this data under AML regulations, we retain it for the period specified above;
• data necessary for fulfilling our obligations in the field of accounting, taxation, document management, and registers is processed for a maximum period of 10 years;
• data necessary for the protection of our interests and legitimate claims is processed for the duration of the general limitation period extended by one year and further for the duration of proceedings related to disputed claims.

6. Automated Decision-Making and Profiling

Within the fulfilment of obligations under AML regulations, ILAVO uses automated decision-making, including profiling within the meaning of Art. 22 GDPR.

Automated decision-making takes place mainly in:

• verification of the client’s identity through biometric comparison of a facial image (so-called liveness check) with an identity document,
• assessment of the client’s and transactions’ risk level (so-called AML risk assessment),
• screening the client against sanctions and risk lists,
• identification of unusual or suspicious transaction patterns.

Based on algorithmic evaluation, the system:

• compares biometric facial features,
• verifies the authenticity of the identity document,
• analyses data consistency,
• evaluates risk factors (e.g. geographical risk, transaction risk, sanctions lists).

Based on these parameters, a risk rating is assigned to the client or the registration may be automatically rejected, a transaction suspended, or the contractual relationship with the controller terminated.

The legal basis for the processing of biometric data as a special category of personal data is Art. 9(2)(g) GDPR, as the processing is necessary for reasons of substantial public interest on the basis of Union or Member State law, specifically for the purpose of fulfilling obligations under AML regulations.

Automated decision-making is carried out:

• as necessary for compliance with the controller’s legal obligations under AML regulations (Art. 6(1)(c) GDPR in conjunction with Art. 22(2)(b) GDPR),
• or as necessary for the performance of a contract (Art. 6(1)(b) GDPR in conjunction with Art. 22(2)(a) GDPR).

In some cases, the automated decision is subsequently subject to manual review by an employee of ILAVO. In case of rejection, you have the right to request that the decision be reviewed by a human.

7. Your Rights

As a data subject, under Articles 12 et seq. of the GDPR and relevant national law, you have a range of rights concerning the processing of your personal data by ILAVO.

Your primary right is the right to information about the processing of personal data. ILAVO fulfils this obligation through this document, which contains all key details.

Other rights under the GDPR include:

• the right of access to personal data, i.e. the right to obtain confirmation as to whether personal data concerning you is being processed by ILAVO pursuant to Art. 13 et seq. GDPR;
• the right to rectification pursuant to Art. 16 GDPR if personal data concerning you is inaccurate;
• the right to erasure of personal data pursuant to Art. 17 GDPR if there is no longer a purpose or legal basis for processing the personal data concerning you, or such processing is unlawful, has been ordered by a supervisory authority, or you have objected to the processing and there are no overriding legitimate grounds for the processing of personal data;
• the right to restriction of processing pursuant to Art. 18 GDPR if, in your opinion, the personal data is inaccurate until we correct it, there is no legal basis for processing but the data has not been erased, we do not need the personal data for processing but you require it for the establishment, exercise, or defence of legal claims, or you have objected to the processing and we are verifying whether overriding legitimate grounds exist to continue processing the personal data;
• the right to data portability pursuant to Art. 20 GDPR if the processing of data is based on your consent or on a contract concluded with you and is carried out by automated means. In such a case, we will provide your data in a structured, commonly used, and machine-readable format for the purpose of transmitting it to another controller;
• the right to object pursuant to Art. 21 GDPR if the processing of data is based on legitimate interest, in which case we will restrict processing until the existence of overriding legitimate grounds for processing your personal data is assessed, or in the case of processing for direct marketing purposes, we will immediately cease processing your personal data for that purpose;
• the right to have a decision reviewed by a human in the context of automated individual decision-making if such automated individual decision-making takes place;
• the right to lodge a complaint with the supervisory authority, which is the Office for Personal Data Protection, with its registered office at Námestie 1. mája 18, 811 06 Bratislava.

8. Cookie Policy

Definition of cookies

Cookies are small text files that are downloaded to your electronic device (e.g., smartphone, tablet, or computer) when you visit a website. The purpose of cookies is to enhance the overall user experience and to enable certain website functionalities (depending on the type of cookie used).

Cookies essential for the proper functioning of our website may be set and used without your consent (so-called essential cookies). All other cookies require your explicit consent before they are activated. While cookie files themselves cannot be directly linked to an identifiable person, data derived from them may be associated with a specific individual. For more information on the processing of such data, please refer to Section 2 above.

The processing of cookies themselves and the data obtained from them may be assigned to a specific person. More about the processing of such data can be found above in Article 2.

Types and Purposes of Cookies Used

By duration, we distinguish between:

• Session cookies: These are temporary cookies that are activated each time you visit our website and are deleted after you close your browser.
• Persistent cookies: These remain stored in your browser until their set expiration date or until manually deleted.

We use both session and persistent cookies on our website.

By function, we distinguish between:

• Essential cookies: These enable core functionalities of the website. They allow you to navigate the website and use basic features. Disabling these in your browser may significantly impair or entirely prevent access to the site. These cookies do not collect any information for marketing purposes or remember your browsing history. Use of these essential cookies is based on our legitimate interest, so your consent is not required, although you can still disable them in your browser settings. Please note, however, that without these cookies, we cannot guarantee the full functionality of our website.