RAILS TECHNOLOGY INC.

Last Updated: March 2026

Framework: BVI Data Protection Act (DPA) & GDPR Standards

1. COMMITMENT TO DATA PRIVACY

Rails Technology Inc. (“Rails”) recognizes the sensitive nature of the information processed within the Rails Hub. This policy outlines our rigorous standards for handling personal and corporate data in our capacity as a Data Processor.

2. DATA CONTROLLER VS. DATA PROCESSOR

• Client as Controller: Our clients are the Data Controllers, responsible for collecting consent and determining the purpose of data submission.

• Rails as Processor: Rails acts as the Data Processor. We handle data strictly under the instructions of our clients to facilitate compliance and institutional onboarding.

3. INFORMATION WE PROCESS

We process information necessary for international compliance (KYC/KYB), including:

• Identity Data: Passports, IDs, and facial biometric data (where applicable).

• Corporate Data: Articles of incorporation, registry extracts, and UBO (Ultimate Beneficial Owner) structures.

• Financial Data: Proof of origin of funds, tax statements, and invoices.

• Technical Logs: Metadata, IP addresses, and audit trails of platform activity.

4. SECURITY & DATA INTEGRITY

We implement “Institutional-Grade” security measures:

• Encryption: Data is encrypted using AES-256 at rest and TLS 1.2+ for all data in transit.

• Infrastructure: Data is hosted in Tier 3/4 secure data centers (AWS/Azure) with 24/7 monitoring.

• Auditability: Every interaction with the Rails Hub is logged in an immutable audit trail to support regulatory reviews.

5. DATA SHARING & THIRD PARTIES

Rails does not sell, lease, or trade your data. Information is shared only with:

• Institutional Partners: Banks, PSPs, and regulated entities explicitly chosen by the Client for onboarding purposes.

• Screening Providers: World-class compliance tools (e.g., Dow Jones, Refinitiv) to verify sanctions and adverse media.

6. DATA RETENTION

In compliance with international AML/CTF standards and BVI regulations, compliance-related data is retained for a period of 5 years following the termination of the business relationship. After this period, data is securely deleted or anonymized.

7. INTERNATIONAL DATA TRANSFERS

As a global infrastructure provider, data may be stored or processed in jurisdictions with equivalent data protection standards. We ensure all transfers comply with the BVI DPA and GDPR through Standard Contractual Clauses (SCCs).

8. DATA SUBJECT RIGHTS

Under applicable laws, you have the right to access, rectify, or request the erasure of your data. Requests must be sent to compliance@railstechnology.xyz. Rails will coordinate with the Data Controller to respond to such requests within the legal timeframe.

9. CONTACT

For inquiries regarding our privacy practices or data security, please contact our Compliance Department at: compliance@railstechnology.xyz.