EscroWallet

    Privacy Policy

    1. General provisions and identification of the Company

    1.1. This Privacy Policy (hereinafter — the "Policy") sets out how personal data of users of the software available on the domains escrowallet.io and its subdomains (hereinafter — the "Platform", the "Software") are collected, processed, stored, protected and transferred.

    1.2. The party responsible for processing the personal data of Platform users (hereinafter — the "Company"), and also the operator of personal data within the meaning of Russian Federal Law No. 152-FZ of 27 July 2006 "On personal data" (hereinafter — "152-FZ") and the data controller within the meaning of Regulation (EU) 2016/679 (GDPR), is:

    • Full legal name: LLC "Sluzhba zanyatosti"
    • OGRN: 1206200006352
    • INN/KPP: 6229095902 / 622901001
    • Registered and correspondence address: 390046, Russian Federation, Ryazan, Mayakovsky St., 1A, office 515
    • Email address for personal data processing enquiries: support@escrowallet.io

    1.3. EscroWallet is the designation used by the Company to brand the Platform.

    1.4. The Policy has been drafted taking into account 152-FZ, the GDPR and applicable data-protection law in the users' jurisdictions.

    1.5. Effective date: 3 May 2026. Version: 2.0.

    2. Legal status of the Platform

    2.1. The Platform is software that implements a digital asset escrow protocol. Access to the Platform is provided to users under the licence set out in the Terms of Use.

    2.2. The Company is not:

    • a credit, financial, payment or microfinance institution;
    • an operator for accepting, holding or transferring money;
    • an exchange operator for digital financial assets or an information system operator within the meaning of Federal Law No. 259-FZ of 31 July 2020;
    • a party to deals entered into by users via the Platform.

    2.3. Digital assets are held in escrow on the Platform's technical infrastructure. Transfers of held assets between Users are executed based on their aligned instructions or on rulings issued through the dispute resolution process.

    2.4. The Company does not provide investment advice and does not assess the economic merits of users' deals.

    2.5. Digital assets (cryptocurrencies, tokens) are not money within the meaning of Russian law.

    2.6. Personal data are processed by the Company exclusively in connection with providing users with access to the Platform and operating it.

    3. Definitions

    User — a natural person at least 18 years old using the Platform.

    Personal data — any information relating, directly or indirectly, to an identified or identifiable User.

    Processing — any action or set of actions on personal data, including collection, recording, organisation, accumulation, storage, refinement, retrieval, use, transfer, anonymisation, blocking, deletion or destruction.

    AML — Anti-Money Laundering, a set of automated checks on digital assets and addresses for links to unlawful activity.

    4. Categories of data processed

    4.1. Technical data

    • IP address and its geolocation (country, region)
    • device, OS, browser type and its language settings
    • device and session identifiers
    • access logs: date, time, requests to the Platform
    • information about the User's actions on the Platform (clickstream)

    4.2. Registration and contact data

    • email address
    • display name or alias
    • password (stored as a cryptographic hash)
    • Telegram identifier (when using Telegram sign-in)
    • email verification token

    4.3. Deal-related data

    • public addresses of crypto wallets used in Deals
    • transaction hashes (tx hash), amounts, network identifiers, confirmation times
    • Deal statuses and the history of their changes
    • the texts of the Deal terms entered by the User
    • the chat between participants in the Deal

    4.4. Data processed in the course of AML checks

    • risk scores of crypto wallet addresses and transactions
    • analytical information about the origin of funds provided by the AML vendor
    • status and results of the check

    4.5. Data from support requests and disputes

    • the content of requests to support
    • documents and materials voluntarily provided by the User as part of a dispute
    • correspondence with the arbiter during the dispute resolution process

    4.6. Payment data

    The Company does not collect or store bank-card data, account details or other payment credentials of Users. All settlements are made in digital assets using the Platform's infrastructure.

    5. Purposes of processing and legal bases

    5.1. Each category of data is processed on one or several of the following legal bases:

    • Performance of a contract (clause 5 part 1 art. 6 of 152-FZ; art. 6(1)(b) GDPR) — to provide access to the Platform and its features;
    • Consent of the data subject (clause 1 part 1 art. 6 of 152-FZ; art. 6(1)(a) GDPR) — for mailings, analytics, marketing cookies;
    • Legal obligation (clause 2 part 1 art. 6 of 152-FZ; art. 6(1)(c) GDPR) — to meet legal requirements, including anti-money-laundering ones;
    • Legitimate interest of the Company (clause 7 part 1 art. 6 of 152-FZ; art. 6(1)(f) GDPR) — to keep the Platform secure, prevent fraud and resolve disputes.

    5.2. Purpose-to-basis mapping:

    • Registration and provision of access to the Platform — performance of a contract
    • Creating and handling Deals, executing escrow operations — performance of a contract
    • Confirmation of incoming digital assets — performance of a contract
    • Notifications of events on Deals — performance of a contract
    • AML checks on digital assets — legal obligation and legitimate interest
    • Dispute resolution between Users — performance of a contract and legitimate interest
    • Technical security, threat monitoring — legitimate interest
    • Analytics of Platform usage — consent
    • Marketing mailings and targeted advertising — consent (revocable)
    • Responding to government authority requests — legal obligation

    6. Sources of data

    The Company obtains personal data from the following sources:

    • directly from the User during registration, use of the Platform and support requests;
    • from public distributed ledgers (blockchain networks) — information on transactions for addresses specified by the User;
    • from blockchain-infrastructure providers (network nodes, indexers);
    • from engaged AML-analytics providers — the results of automated checks on digital assets;
    • from automated Platform security monitoring systems;
    • from providers of social sign-in services (e.g. Telegram), if the User chose such a sign-in method.

    7. Transfer of data to third parties

    7.1. The Company engages processors to keep the Platform running. Transfers are made to the minimum extent necessary and under contracts that oblige the processors to maintain confidentiality and apply appropriate security measures.

    7.2. Categories of recipients of data

    • Hosting providers for the app and the database (jurisdictions: USA, EU). What is transferred: technical data, registration data, deal data, access logs.
    • AML analytics providers for digital assets (jurisdictions: USA, EU, UK). What is transferred: public addresses of crypto wallets, transaction hashes, amounts, networks.
    • Blockchain node and indexer providers (various jurisdictions). What is transferred: public wallet addresses and transaction hashes.
    • Social sign-in service providers (e.g. Telegram) — when the User picks the relevant sign-in method.

    7.3. Web-analytics and conversion-measurement systems

    Unlike other processors, analytics systems are disclosed by name because they can be identified by the User via network requests and browser protections:

    • Google Analytics 4 (Google LLC, USA) — analysis of Platform usage;
    • Yandex Metrica (LLC Yandex, Russia) — analysis of Platform usage;
    • Google Ads (Google LLC, USA) — conversion measurement for ad campaigns;
    • Yandex Direct (LLC Yandex, Russia) — conversion measurement for ad campaigns.

    These systems receive technical data, anonymised identifiers and event data on the Platform.

    7.4. Transfers during dispute resolution

    When a dispute arises on a Deal, the dispute materials and related correspondence are passed to the arbiter chosen by the Users or appointed under the Terms of Use. The arbiter is an independent specialist not employed by the Company.

    7.5. The Company does not transfer or sell personal data to third parties for marketing purposes other than those provided for in this Policy.

    7.6. An up-to-date list of engaged processors is provided to a User on request sent to support@escrowallet.io.

    8. Cross-border data transfers

    8.1. Because the Company relies on the infrastructure of providers located outside the Russian Federation, processing of Users' personal data involves cross-border transfers, including to the territory of:

    • the United States of America;
    • EU member states;
    • other states in which the data centres of the engaged providers are located.

    8.2. The United States of America is not on the list, approved by Roskomnadzor, of states that provide adequate protection of personal data subjects' rights. Transfers of data to such states are made only with the User's consent given under part 4 art. 12 of 152-FZ at registration on the Platform.

    8.3. For cross-border transfers to countries that do not provide an adequate level of protection under the GDPR, the Company uses Standard Contractual Clauses approved by the European Commission or other mechanisms provided by the GDPR.

    9. Retention periods

    9.1. Retention periods are set for each category of data:

    • Registration data (email, password hash) — for the life of the account and 90 calendar days after its deletion;
    • Deal data and the chat between Deal participants — 5 years from completion of the Deal (to resolve potential claims and for AML purposes);
    • AML check results — 5 years from the check (consistent with art. 7 of Federal Law No. 115-FZ of 7 August 2001);
    • Access logs and technical logs — 12 months;
    • Correspondence with support — 3 years from closing the request;
    • Consents and withdrawals of consent to processing — throughout the term of consent and 3 years after its withdrawal;
    • Data of analytics systems — according to the terms set by the providers of those systems (typically 14–26 months).

    9.2. After the retention period, data are destroyed or anonymised, except where extended retention is required by law or is needed to defend the Company's rights in court.

    9.3. Data placed in public distributed ledgers (blockchain networks) are public by nature and cannot be deleted by either the Company or the User.

    10. Cookies and analytics systems

    10.1. The Platform uses the following categories of cookies:

    • Strictly necessary — ensure authentication, session security and correct operation of basic features. They do not require consent, and disabling them makes the Platform unusable.
    • Analytics — Google Analytics 4, Yandex Metrica. Used to analyse User behaviour and improve the Platform. They are set after consent has been given.
    • Advertising / conversion — Google Ads, Yandex Direct. Used to measure the effectiveness of ad campaigns. They are set after consent has been given.

    10.2. On the first visit to the Platform the User is shown a consent banner for the "Analytics" and "Advertising" cookie categories. The User may accept or decline these categories separately.

    10.3. Consent to the use of cookies may be withdrawn at any time via the Platform's cookie settings or by clearing cookies in the browser.

    10.4. Detailed cookie policies of third-party providers are available at: Google — policies.google.com/privacy, Yandex — yandex.ru/legal/confidential.

    11. Automated decision-making

    11.1. To prevent the use of the Platform for unlawful activity, the Company applies automated AML-scoring of digital assets based on data from engaged analytics providers.

    11.2. Following an automated check, the system may assign a high risk level to a transaction or address, which results in a temporary suspension of operations and escalation of the Deal for manual review.

    11.3. The User has the right to:

    • receive an explanation of the reasons for measures taken following an automated check;
    • challenge the result of an automated check by contacting support;
    • request that the matter be reviewed with the involvement of an authorised Company employee.

    11.4. The final decision to restrict a User's access to the Platform's features is made with the involvement of an authorised Company employee, not exclusively by automated means.

    12. Data security. Incident notification

    12.1. The Company applies legal, organisational and technical measures to protect personal data, including:

    • transferring data over a secure channel (TLS/HTTPS);
    • storing passwords as cryptographic hashes;
    • separating access rights to administrative features;
    • keeping access logs;
    • regular infrastructure updates and vulnerability remediation;
    • concluding confidentiality agreements with processors.

    12.2. If an incident is detected that has led, or could lead, to unauthorised access to personal data, the Company:

    • notifies the competent authority for personal data subjects' rights within 24 hours of detecting the incident and provides additional information within 72 hours under art. 21 of 152-FZ;
    • notifies affected Users without undue delay if the incident could cause material harm to their rights and interests, in accordance with art. 34 of the GDPR.

    12.3. Despite the measures taken, no method of transferring or storing data guarantees absolute protection. The Company is not liable for incidents that occurred solely through the User's fault (compromise of their credentials, loss of a device, etc.).

    13. Age restrictions

    13.1. The Platform is intended exclusively for persons at least 18 years old.

    13.2. The Company does not knowingly collect personal data of persons under 18. If a minor is found to have registered, such an account is blocked and the data deleted.

    14. Rights of the data subject

    14.1. The User has the right to:

    • obtain confirmation of the processing of their data and information on the conditions of processing;
    • request rectification, blocking or destruction of data if they are inaccurate, outdated or processed unlawfully;
    • withdraw any previously given consent to processing (including consent to marketing mailings and analytics cookies);
    • object to processing carried out on the basis of the Company's legitimate interest;
    • request a restriction of processing;
    • receive their data in a structured, commonly used, machine-readable format (right to data portability);
    • not be the subject of a decision based solely on automated processing and producing legal effects, as described in section 11;
    • complain about the actions or omissions of the Company to a supervisory authority.

    14.2. The exercise of rights listed in clause 9.3 is limited for data placed in public distributed ledgers: such data technically cannot be amended or deleted.

    14.3. The exercise of the right to erasure is limited by the retention periods set out in section 9 of this Policy to the extent retention is required by law.

    15. How to submit a request and the right to lodge a complaint

    15.1. Requests to exercise the rights provided for in section 14 are sent to support@escrowallet.io or by post to the Company's address specified in section 1.

    15.2. The request must contain information that identifies the User (the email address of the Account, and, if necessary, other details) and the substance of the request.

    15.3. The Company reviews the request and provides a response within 30 calendar days of receipt. In exceptional cases requiring additional verification the deadline may be extended with a notice to the User.

    15.4. If the User disagrees with the Company's actions, they have the right to apply:

    • to the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) — for data subjects in the Russian Federation;
    • to the data-protection supervisory authority in their country of habitual residence — for data subjects covered by the GDPR;
    • to the court that has jurisdiction under applicable law.

    16. Changes to the Policy

    16.1. The Company may amend this Policy. The current version is published on the Platform with the effective date and version number stated.

    16.2. The Company notifies Users of material changes affecting their rights (expansion of the purposes of processing, addition of categories of recipients of data, changes to retention periods) at least 30 calendar days before they take effect, by sending a notice to the email address provided at registration and by posting the notice on the Platform.

    16.3. If the changes require the User's consent, continued use of the Platform after they take effect is possible only after such consent has been obtained.

    16.4. Minor changes (clarifications of wording, fixing typos, updating contact details) take effect upon publication of the updated version.

    17. Company details

    • LLC "Sluzhba zanyatosti"
    • OGRN 1206200006352
    • INN 6229095902, KPP 622901001
    • Registered and correspondence address: 390046, Ryazan, Mayakovsky St., 1A, office 515
    • Email: support@escrowallet.io