WeChange — Privacy, AML/KYC, and Information Security
Effective Date: May 26, 2026
Version 1.0 — Document set covers Privacy, AML/BSA, KYC, Transaction Monitoring, Risk Assessment, and Information Security policies.
Data Controller & Service Operator
NETSOR International s.r.o.
Školská 689/20, Nové Město, 110 00 Praha 1, Czech Republic
Company Registration Number: 22109153
Tax ID: CZ22109153
Privacy / DPO: [email protected]
Compliance: [email protected]
Support: [email protected]
1. Overview & Scope
This document constitutes the consolidated policy framework of WeChange (operated by NETSOR International s.r.o., a private limited company established under the laws of the Czech Republic). It describes how we handle personal data, how we comply with anti-money-laundering (AML) and counter-terrorist-financing (CTF) obligations, how we verify customer identity, how we monitor transactions, and how we secure our infrastructure and customer information.
The policies herein apply to all users of the WeChange platform (wechange.com and connected applications) and to all employees, contractors, and third parties acting on behalf of WeChange. They are designed to be consistent with the EU General Data Protection Regulation 2016/679 (“GDPR”), the EU Anti-Money-Laundering Directives (5AMLD, 6AMLD), the Markets in Crypto-Assets Regulation (Regulation (EU) 2023/1114, “MiCA”), and applicable Czech national legislation including Act No. 253/2008 Coll. on Selected Measures Against Money Laundering.
Where WeChange interacts with U.S.-regulated payment infrastructure through its processor Bridge Technology, Inc., the U.S. Bank Secrecy Act (“BSA”) and FinCEN guidance apply to the processor. WeChange’s own internal controls are designed to be compatible with BSA-equivalent standards through that relationship.
2. Service Operator & Regulatory Status
Operator. WeChange is operated by NETSOR International s.r.o., registered at Školská 689/20, Nové Město, 110 00 Praha 1, Czech Republic, Company Registration Number 22109153, Tax ID CZ22109153 (“WeChange”, “we”, “us”).
Role. WeChange operates a technology interface that connects users with licensed third-party providers for fiat payment processing (Bridge Technology, Inc.) and qualified custody/wallet infrastructure (Fireblocks Inc.). WeChange itself is not a bank, does not hold a banking licence, is not a deposit-taking institution, does not provide investment advice, and does not offer interest-bearing accounts.
Regulatory Status. WeChange operates under the EU MiCA framework as it applies to crypto-asset service providers. Fiat on-ramp and off-ramp services are executed through Bridge Technology, Inc., which is registered with the U.S. Financial Crimes Enforcement Network (FinCEN) as a Money Services Business (“MSB”) and operates under applicable U.S. state money transmitter laws. Cryptocurrency custody during transaction execution is provided through Fireblocks Inc., a SOC 2 Type II audited qualified custody technology provider.
Supervisory Authority for Privacy. The Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů, “ÚOOÚ”) is the supervisory authority for personal data matters concerning WeChange. Users in other EU/EEA member states may also contact their local supervisory authority.
3. Definitions
- “Personal Data” has the meaning given in Article 4(1) GDPR.
- “Processing” has the meaning given in Article 4(2) GDPR.
- “Bridge” means Bridge Technology, Inc., operating bridge.xyz, WeChange’s fiat payment-rail and KYC processor.
- “Persona” means Persona Identities Inc., the identity-verification provider used by Bridge to conduct biometric and document checks.
- “Fireblocks” means Fireblocks Inc., WeChange’s qualified custody technology provider operating MPC-secured digital-asset vaults.
- “Sub-processor” means any third party engaged by WeChange to process Personal Data on its behalf.
- “Transaction” means any on-ramp (fiat→crypto), off-ramp (crypto→fiat) or crypto-to-crypto conversion initiated through the WeChange platform.
4. Privacy Policy — Data We Collect
WeChange collects only the personal data necessary to operate the Platform, comply with applicable AML/CTF obligations, and provide customer support. The categories below reflect the data actually persisted in our systems.
4.1 Account & Identity Data
- First and last name
- Email address
- Phone number (optional)
- Country of residence
- Username (optional, user-chosen)
- Avatar URL (optional, user-supplied)
4.2 Authentication & Security Data
- Password (stored only as a bcrypt hash; the plaintext is never persisted)
- Two-factor authentication secret (TOTP secret, stored for verification)
- Password-reset tokens and refresh tokens (time-limited, server-side)
- Session metadata: session-token hash, IP address, user-agent string, expiry timestamp
- Email-verification codes (time-limited, single-use)
- Push-notification device tokens (Expo), platform, optional device label
4.3 KYC Reference Data
The substantive identity-verification data (government-issued ID images, selfies, biometric checks, date of birth, residential address) is collected and stored by Bridge and its identity-verification provider Persona. WeChange receives and stores only the following references:
- Bridge customer identifier
- KYC link identifier and current KYC status
- KYC uplift flag and completion timestamp (for MiCA re-verification cohorts)
4.4 Payment & Transaction Data
- Bank account references — the Bridge external-account identifier, the label/bank name supplied by the user, the currency, and the last four characters of the account or IBAN. Full IBAN, BIC, and account-holder name are transmitted to Bridge for processing but not retained locally on the bank-account record.
- Crypto wallet addresses — user-supplied (self-custody) or Bridge-managed wallet addresses, blockchain identifier, an optional label, and verification status.
- Per-transaction records — source amount and currency, target amount and currency, exchange rate, fee breakdown, transaction status, processor identifiers (Bridge transfer ID, Fireblocks swap/transfer IDs), on-chain transaction hash, destination wallet address, destination chain, failure reason where applicable.
- Per-transaction payment details — for each fiat-leg transaction we retain the payment rail (SEPA/ACH/WIRE/PIX/SPEI), the routing details supplied by Bridge for that transaction (account holder name, bank name, BIC, IBAN or account number), the reference code, and the currency. This record is required for transaction reconciliation, regulatory recordkeeping, and dispute resolution.
- Virtual-account deposit details — for users assigned a Bridge-issued virtual deposit account, we retain the IBAN, BIC, account number, routing number, bank name, account-holder name as displayed, and country. These details identify the WeChange/Bridge-issued deposit account, not the user’s personal bank account.
4.5 Loyalty & Activity Data
- Points balance and lifetime swap volume
- Referral codes, referral relationships, referral rewards
- Communication and product-update email preferences
- In-app notifications
4.6 Webhook & Audit Data
We persist webhook events received from Bridge and Fireblocks (including the raw event payload) for the purpose of idempotent processing, dispute resolution, and audit. These payloads can contain transaction-scoped information such as amounts, customer and wallet identifiers, KYC status changes, and on-chain references.
4.7 Technical & Diagnostic Data
Operational logs may include user identifiers, transaction identifiers, and limited payment metadata (e.g., the IBAN of the deposit virtual account associated with a transaction) for the purpose of debugging and incident response. Operational logs are access-controlled and retained on a rolling basis.
5. Privacy Policy — Data We Do Not Collect
By design, the following categories of personal data are not collected and not stored by WeChange:
- Government-issued identification documents (passport, ID card, driving licence) — collected and held by Bridge / Persona.
- Selfie and biometric data used for liveness checks — collected and held by Persona.
- Date of birth, nationality, full residential address as supplied during KYC — held by Bridge.
- Source-of-funds documentation provided during enhanced due diligence — held by Bridge.
- Full IBAN, BIC, and account-holder name of the user’s personal bank accounts as a standing record (only the last four characters and a reference identifier are retained at the bank-account level; full details are sent to Bridge and only re-appear per transaction for reconciliation purposes).
- Card numbers — WeChange does not accept card payments directly.
- Plaintext user passwords — only a bcrypt hash is stored.
- Health, racial, religious, political, sexual-orientation, or trade-union data (special-category data under Article 9 GDPR) — not collected.
- Private keys for self-custody crypto wallets — never collected, never transmitted, never stored. WeChange has no access to user-controlled wallet keys.
6. Lawful Bases & Purposes (GDPR)
We process Personal Data on the following lawful bases under Article 6(1) GDPR:
- Contract (Art. 6(1)(b)) — account creation, transaction execution, customer support, fee collection, settlement, refund handling.
- Legal obligation (Art. 6(1)(c)) — AML/CTF customer due diligence, sanctions screening, transaction recordkeeping (Act No. 253/2008 Coll. requires 10-year retention of certain records), suspicious-activity reporting, tax recordkeeping.
- Legitimate interests (Art. 6(1)(f)) — fraud prevention, platform security, abuse detection, service improvement based on aggregated metrics, defending legal claims. A balancing test is documented for each legitimate-interest use.
- Consent (Art. 6(1)(a)) — marketing emails, non-essential cookies, optional product-update notifications. Consent can be withdrawn at any time without affecting the lawfulness of prior processing.
7. Data Retention
Retention periods are set to the minimum necessary to fulfil the purposes above and to meet regulatory recordkeeping obligations:
- Active account data — for the lifetime of the account.
- Transaction records and AML evidence — retained for at least 10 years after the calendar year in which the relevant transaction or business relationship ended, as required by Czech AML legislation and Article 40 of Directive (EU) 2015/849.
- Closed/deactivated accounts — non-AML personal data is deleted or anonymised within a reasonable period after account closure, subject to AML/tax retention overrides.
- Session and authentication artefacts — time-bounded (refresh tokens, reset tokens, verification codes expire automatically); session records are revoked or pruned on logout or expiry.
- Webhook event payloads — retained as part of the transactional audit record; subject to the AML retention rule above.
- Operational logs — retained on a rolling short-term basis (typically 30–90 days) sufficient for incident investigation.
8. Data Subject Rights
You have the following rights under the GDPR with respect to your personal data:
- Right of access (Art. 15) — to obtain confirmation of whether we process your data and a copy of that data.
- Right to rectification (Art. 16) — to correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — to request deletion, subject to overriding legal retention obligations (notably AML recordkeeping).
- Right to restriction (Art. 18) — to limit how we process your data in defined circumstances.
- Right to data portability (Art. 20) — to receive a structured, commonly used and machine-readable copy of data you have provided.
- Right to object (Art. 21) — to object to processing based on legitimate interests, including profiling.
- Rights related to automated decisions (Art. 22) — we do not subject users to solely automated decisions producing legal effects without human review.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.
- Right to lodge a complaint — with the Czech ÚOOÚ or your local EU/EEA data-protection authority.
To exercise any of these rights, contact us at [email protected]. We will respond within one month of a verified request, extendable by two further months for complex or numerous requests with notice to you.
Note: requests relating to data held by Bridge (KYC documents, biometric data, source-of-funds files) will be coordinated with Bridge as a separate data controller for those datasets. We will provide a contact route in our response.
9. International Data Transfers
WeChange uses sub-processors located outside the European Economic Area, principally in the United States. International transfers are conducted under one or more of the following safeguards:
- EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) where appropriate;
- EU–US Data Privacy Framework certifications where the sub-processor is certified;
- Transfer-impact assessments documented per the EDPB recommendations.
A copy of the relevant transfer mechanism applicable to a particular sub-processor is available on request at [email protected].
10. Sub-processors
The following sub-processors process Personal Data on behalf of WeChange in connection with the Platform:
- Bridge Technology, Inc. (United States) — fiat payment processing, customer identity onboarding, virtual-account issuance, on-ramp and off-ramp settlement, AML/sanctions screening on the fiat leg.
- Persona Identities, Inc. (United States) — identity-document verification, liveness and biometric checks, sub-engaged by Bridge.
- Fireblocks Inc. (United States, with infrastructure in multiple regions) — MPC-based digital-asset custody, swap execution, on-chain transfer orchestration during transaction execution.
- Twilio SendGrid, Inc. (United States) — transactional and notification email delivery.
- Google LLC (United States) — OAuth single-sign-on for users who choose Google login.
- Microsoft Corporation (United States) — OAuth single-sign-on for users who choose Microsoft login.
- Amazon Web Services, Inc. (EU region) — hosting, managed database, networking, storage.
- Expo (650 Industries, Inc.) (United States) — push-notification delivery for the mobile application.
We update this list when sub-processors change. Material changes will be notified in advance via the platform or by email where appropriate.
11. Cookie Policy
The WeChange marketing website (wechange.com) and the authenticated application use a limited set of cookies and similar local-storage technologies. Cookie categories used:
- Strictly necessary cookies — required for authentication, session continuity, security (CSRF protection), and the basic functioning of the platform. These do not require consent.
- Functional cookies — remember user preferences (theme, language). Used only with consent or where strictly necessary.
- Analytics cookies (where deployed) — aggregate usage metrics. Used only with prior user consent obtained through the cookie banner.
- Marketing cookies — used only with prior consent.
The detailed cookie inventory and consent controls are described in the dedicated Cookie Policy.
12. AML/BSA Compliance Statement
WeChange is committed to preventing the use of its Platform for money laundering, terrorist financing, sanctions evasion, fraud, and other financial crime. This statement describes how the Platform’s controls map onto applicable AML and Bank Secrecy Act–equivalent requirements.
12.1 Applicable Framework
- EU Directive 2015/849 (4AMLD) as amended by Directive 2018/843 (5AMLD), transposed into Czech law by Act No. 253/2008 Coll. on Selected Measures Against Money Laundering.
- EU Directive 2018/1673 (6AMLD) on criminalisation of money laundering.
- EU Regulation 2023/1113 on information accompanying transfers of funds and certain crypto-assets (the “Travel Rule”).
- EU Regulation 2023/1114 (MiCA).
- EU and UN sanctions lists; OFAC SDN list via the processor.
- U.S. Bank Secrecy Act and FinCEN guidance — applicable to our fiat-rail processor Bridge as a registered MSB; WeChange’s internal controls are designed for compatibility through this relationship.
12.2 Governance
- Management of NETSOR International s.r.o. is responsible for approving and maintaining this AML programme.
- A designated Compliance Officer is responsible for the day-to-day operation of the programme, reachable at [email protected].
- Material changes to AML controls are documented and version-controlled.
12.3 Three Lines of Defence
- First line — operational controls embedded in the onboarding and transaction flow (KYC gates, payment-rail restrictions, sanctions checks).
- Second line — Compliance Officer oversight, periodic control testing, exception review.
- Third line — independent review. This review is currently performed internally; an independent external review is on the compliance roadmap.
12.4 Training
All personnel with access to customer or transaction data receive AML training at onboarding and annually thereafter. Training records are retained as part of the compliance file.
12.5 Recordkeeping
AML-relevant records (customer due-diligence evidence, transaction records, screening outcomes, internal escalations) are retained for at least ten (10) years after the end of the business relationship or the date of the relevant transaction, consistent with Czech AML law and Article 40 of Directive (EU) 2015/849.
13. Know-Your-Customer (KYC) Policy
13.1 Customer Due Diligence
Every user must complete Customer Due Diligence (“CDD”) before initiating any fiat-leg transaction. CDD is executed through Bridge using its embedded identity-verification workflow (Persona). The standard CDD set comprises:
- Identification of the natural person (name, date of birth, nationality, residential address).
- Government-issued photo identification check (document authenticity, OCR, MRZ/PDF417 verification).
- Biometric liveness check (selfie comparison with ID photograph).
- Sanctions, PEP, and adverse-media screening at onboarding.
- Country-risk assessment based on the user’s country of residence.
13.2 KYC Levels
- Standard KYC — required for all on-ramp / off-ramp users; sufficient up to the transaction thresholds defined by Bridge and applicable EU/EEA limits.
- Enhanced Due Diligence (EDD) — applied where higher-risk indicators are present (high transaction values, PEP status, high-risk jurisdiction, complex ownership structures). EDD may include source-of-funds and source-of-wealth documentation.
- MiCA uplift — when Bridge notifies that a customer cohort must re-verify under updated MiCA requirements, WeChange surfaces the uplift requirement to the user via persistent in-app and email prompts until the uplift is completed.
13.3 Ongoing Due Diligence
- Periodic re-screening against sanctions and PEP lists.
- Re-verification of identity at intervals defined by Bridge or upon trigger events.
- Document refresh on expiry of government-issued ID.
13.4 Onboarding Refusal & Account Restriction
WeChange may refuse onboarding, suspend an account, or block a specific transaction where: KYC cannot be satisfactorily completed; sanctions or PEP matches cannot be cleared; risk indicators exceed defined thresholds; or the user is resident in a jurisdiction we do not serve.
14. Transaction Monitoring & Sanctions Screening
14.1 Monitoring Objectives
Transactions on the Platform are monitored on a real-time and post-event basis to detect patterns consistent with money laundering, terrorist financing, sanctions evasion, fraud, and abuse.
14.2 Layered Monitoring
- Fiat-leg monitoring — Bridge applies its own transaction-monitoring controls to inbound and outbound fiat flows on regulated payment rails (SEPA, ACH, WIRE, PIX, SPEI). Suspicious activity detected by Bridge is escalated through Bridge’s regulated channels.
- Crypto-leg monitoring — Fireblocks applies on-chain analytics and policy controls on vault operations and outbound transfers; transactions to flagged or sanctioned addresses are blocked.
- Platform-level monitoring — WeChange’s internal controls include velocity limits, structuring detection, geographic risk filters, and state-machine integrity checks across the two legs.
14.3 Sanctions Screening
- Onboarding screening of customers against EU consolidated sanctions list, UN sanctions, OFAC SDN, and HMT lists via Bridge.
- Ongoing rescreening on list updates.
- Wallet-address screening against Fireblocks’ risk-rated address lists prior to transfer execution.
- Geographic blocking of jurisdictions we do not serve.
14.4 Indicators Triggering Review
- Sudden change in transaction size, frequency, or pattern.
- Apparent structuring to remain below regulatory thresholds.
- Transactions involving high-risk jurisdictions or sanctioned counterparties.
- Address heuristics consistent with mixers, darknet markets, or known illicit clusters.
- Use of multiple accounts apparently linked to the same beneficial owner.
- KYC inconsistencies surfaced post-onboarding.
15. AML Risk Assessment
15.1 Approach
WeChange maintains an enterprise-level AML/CTF risk assessment that is reviewed at least annually and on the occurrence of any material change to products, jurisdictions, customer base, or applicable regulation. The assessment is risk-based, consistent with the methodology recommended by the Financial Action Task Force (FATF) and EU 5AMLD/6AMLD.
15.2 Risk Categories Assessed
- Customer risk — natural persons resident in EU/EEA jurisdictions, with PEP and adverse-media factors elevating risk; legal persons are not currently onboarded as direct customers.
- Geographic risk — country of residence is screened against FATF high-risk and monitored-jurisdiction lists and the EU list of high-risk third countries.
- Product / service risk — fiat on-ramp, fiat off-ramp, and crypto-to-crypto conversion; bearer-instrument and cash-handling risk is not present because all fiat flows occur on regulated bank rails through Bridge.
- Delivery-channel risk — fully remote onboarding with biometric verification (Bridge/Persona) substituting for face-to-face contact.
- Asset risk — supported digital assets are limited to established, regulated, or liquidity-screened tokens (e.g., USDC, USDT, EURC, ETH, SOL); privacy-coins are not supported.
- Counterparty / sub-processor risk — Bridge and Fireblocks are evaluated as risk-mitigating partners with their own audited control environments.
15.3 Outputs
- An overall residual-risk rating for the business.
- A control matrix mapping identified risks to mitigants.
- A remediation plan for any gaps surfaced.
- Inputs to staff training content and to onboarding-flow design.
16. Suspicious Activity Reporting
Personnel encountering activity that appears suspicious must escalate without delay to the Compliance Officer at [email protected]. The Compliance Officer evaluates the escalation and, where the suspicion is confirmed, files a Suspicious Activity Report (“STR/SAR”) with the Czech Financial Analytical Office (Finanční analytický úřad, “FAÚ”) under Act No. 253/2008 Coll., or coordinates the equivalent filing through Bridge where the activity sits on the fiat rail.
Tipping-off is prohibited: under no circumstances may the user or any third party be informed that a report has been filed or that an investigation is underway. Internal escalation records are retained as part of the AML file for the regulatory retention period.
17. Information Security Policy
17.1 Programme
WeChange operates an information-security programme designed to protect the confidentiality, integrity, and availability of customer data and the Platform’s operations. The programme is aligned with the principles of ISO/IEC 27001 and SOC 2. Formal external certification (SOC 2 Type II or ISO/IEC 27001) is on the compliance roadmap; the programme is currently operated and assessed internally.
17.2 Control Domains
- Access control — role-based access; principle of least privilege; mandatory multi-factor authentication for administrative access; individual named accounts; periodic access reviews; immediate revocation on role change or departure.
- Authentication of users — passwords stored only as bcrypt hashes; optional TOTP-based two-factor authentication; password-reset and refresh tokens are time-limited; sessions tracked with hashed tokens and revocable on demand.
- Cryptography — TLS in transit for all client-server and server-to-server traffic; managed database encryption at rest; sensitive secrets (Fireblocks API key, Bridge API key, webhook signing keys) held in restricted-access secret stores; webhook signatures verified (Bridge RSA-SHA256 with timestamp freshness check; Fireblocks RSA-SHA512).
- Network & hosting — EU-region hosting on AWS; segmented networks; managed database with restricted ingress; container images built from hardened base images.
- Vulnerability management — dependency monitoring; security patches applied on a prioritised basis; periodic security review of changes.
- Change management — source-controlled deployments; code review on protected branches; reproducible build and deployment pipeline.
- Logging & monitoring — operational logs include identifiers and limited payment metadata for incident response; logs are access-controlled; webhook events are persisted with idempotency keys to support reconstruction of event chains.
- Backups & recovery — managed database snapshots; documented recovery procedure; point-in-time recovery within the managed-database retention window.
- Personnel security — background checks where lawful and proportionate; confidentiality undertakings; security and AML training at onboarding and annually.
- Third-party risk — sub-processors selected on the basis of demonstrable security certifications (SOC 2 / ISO 27001 / industry-recognised equivalent) and contractually bound to appropriate security and data-protection terms.
17.3 Roadmap to External Certification
WeChange is evaluating formal SOC 2 Type II and ISO/IEC 27001 certification. No fixed audit date is currently committed; the roadmap is reviewed quarterly and progress is reported to management. In the interim, the internal control set described above is operated, documented, and reviewed.
18. Custody Model
WeChange is designed to be non-custodial at the endpoints: final digital assets are delivered to a user-controlled wallet address on on-ramp transactions, and final fiat is delivered to a user-controlled bank account on off-ramp transactions. WeChange does not offer interest-bearing balances, does not rehypothecate customer assets, and does not provide consumer-deposit-style accounts.
During transaction execution, digital assets transit a WeChange-controlled Fireblocks vault for the time required to perform the conversion and forward settlement. This transient custody is necessary to execute the swap and the on-chain transfer, and is performed using Fireblocks’ multi-party computation (MPC) key infrastructure with policy-based transfer controls.
For self-custody wallets supplied by the user, WeChange has no access to and never holds private keys. For wallets managed through Bridge, the relevant terms of Bridge apply to the custody of those wallets.
19. Incident Response & Breach Notification
WeChange maintains an incident-response process covering detection, containment, eradication, recovery, and post-incident review. Where an incident affects personal data and is likely to result in a risk to the rights and freedoms of natural persons, WeChange will:
- Notify the Czech ÚOOÚ without undue delay, and where feasible within 72 hours of becoming aware of the personal-data breach, as required by Article 33 GDPR.
- Communicate the breach to affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 GDPR.
- Maintain an internal register of all personal-data breaches irrespective of notification obligation.
- Coordinate with affected sub-processors and require their cooperation under contractual incident-notification clauses.
Suspected security incidents may be reported responsibly to [email protected].
20. Updates & Contact
This policy document is reviewed at least annually and may be updated to reflect changes in our services, legal obligations, or sub-processors. Material changes will be notified through the Platform or by email where appropriate. The current effective date and version are shown at the top of this page.
Children: the Platform is not directed to, and we do not knowingly collect personal data from, persons under the age of 18.
For any questions or to exercise any right described above:
- Privacy / DPO: [email protected]
- Compliance / AML: [email protected]
- General support: [email protected]
- Postal: NETSOR International s.r.o., Školská 689/20, Nové Město, 110 00 Praha 1, Czech Republic.