Cookie Policy
Official Page
Data Controller & Legal Basis
Institutional Digital Asset Custody Inc. (IDAC) acts as a data controller under GDPR (Art. 4(7)) and CCPA. Processing of personal data is based on contractual necessity (Art. 6(1)(b) GDPR) for custody services, and legitimate interest for fraud prevention (Art. 6(1)(f) GDPR). Data subjects have rights under Art. 15-22 GDPR including erasure and portability, subject to recordkeeping requirements under MiFID II and SEC Rule 17a-4.
Categories of Data Processed
- Identity data: government-issued ID, beneficial ownership structures, and wallet addresses.
- Transaction data: on-chain analysis, IP logs, and counterparty metadata.
- Compliance data: PEP screening results, sanctions alerts, and risk scoring.
Data Retention & Deletion
Personal data is retained for the duration of the contractual relationship plus 7 years post-termination to meet AML/KYC obligations (FATF Recommendation 16). Anonymized transaction data may be retained indefinitely for blockchain analytics. Deletion requests are processed within 30 days, except where legal hold applies.
International Transfers
Data may be transferred to service providers in jurisdictions deemed adequate by EU Commission Decision 2021/914 (Standard Contractual Clauses). We maintain a register of sub-processors, updated quarterly, accessible via DPA request.
Security Measures
Encryption at rest (AES-256) and in transit (TLS 1.3). Access controls follow least privilege with mandatory hardware-based 2FA. Breach notification within 72 hours per Art. 33 GDPR.
Cookie Policy
We use strictly necessary cookies (session IDs) and analytics cookies from Plausible (no fingerprinting). Consent is obtained via CMP for non-essential cookies. Opt-out available via browser DNT headers.