Privacy Policy

Introduction

Surus Inc., and its subsidiaries, including, but not limited to, Surus Trust Company, LLC (collectively “Surus”, “Company”, “we”, “us”, or “our”) are committed to respecting your privacy. Surus provides a cryptonative trust services platform (the “Platform”) offering asset management, tokenization, compliance, and fiduciary services to those building next generation financial products. While the www.surus.io website and various subdomains or mobile applications we provide (collectively, the “Website”) are accessible to anyone, our primary customers are users of the Platform who must go through rigorous onboarding requirements that include financial screening and background checks.

This Privacy Policy (the “Policy”) explains how and why Surus collects, stores, uses, discloses, shares, or otherwise processes personal information via the Website, Platform, and any other means of interacting with us that we provide. If you are or become a customer with access to the products and services we offer (collectively, the “Services”) via the Platform, we may supplement this Policy with additional terms and conditions and certain disclosures, including with respect to our privacy practices, that are applicable to the particular Services you utilize.

If you are an individual U.S. consumer obtaining financial products and services offered by Surus, please also see our GLBA Privacy Notice.

Table of Contents

1. Personal Information We Collect

2. How We Collect Personal Information

3. How We Use Personal Information

4. How We Share Personal Information

5. Data Subject Rights

6. Protection of Personal Information

7. Retention of Personal Information

8. Children’s Online Privacy

9. Automated Decision Making

10. International Transfers

11. California Consumer Privacy Act

12. Modification of this Privacy Policy

13. Contact Information

‍

1. Personal Information We Collect

We collect several types of information from and about users, including the following:

Customer Data/Contact Information: This may include name, postal address, e-mail address, telephone number, and IP address. US residents may be asked to provide their social security numbers.
Commercial information: This may include documentation pertaining to the legal incorporation, ownership, formation and governance of business entities.
Internet or other electronic network activity: This may include usage details, device information, IP address, and similar information collected through cookies, web beacons, and other tracking technologies.
Financial Information: This may include banking/brokerage account information and other information not specified below that we collect related to our provision of the Services.
Account Information: This may include Platform account username, password, and other information that is generated by your account activity.
Transactional Information: To the extent that this information is identifiable, this may include information about the transactions made on the Platform (e.g., sender, recipient, date, etc.).
Identity Verification Information: This may include date of birth, marital status, tax identification number, government-issued photo ID data, public criminal and credit histories, and photos that identity verification services may generate. US residents may be asked to provide their social security numbers.

Certain personal information that we collect and use may be considered “sensitive” under applicable privacy laws, in which case, we will use such personal information in accordance with such laws, adhering to any additional restrictions or requirements.

2. How We Collect Personal Information

We process the categories of personal information listed above from various sources. This section lists and describes those sources.

Directly from you. We process personal information collected directly from you when you provide it to us, for example, when you submit the appropriate information to complete both know your

customer (“KYC”) and anti-money laundering (“AML”) screening process and/or accredited investor verification (collectively, the “Screenings”), request information or contact us with inquiries by email or via the Platform or Website; subscribe to email updates; or otherwise submit material to us.

From third parties. Much of the personal information we process is collected by third parties, either at your request or for our business purposes. These third-party sources vary, but could include the following:

Other Users: Trust originators may use the Platform to invite prospective interest holders to setup an account and submit the appropriate information to complete the Screenings. To facilitate this process, certain initial information may be provided by the originator.
Blockchains: We may collect Transactional Information and other data such as IDs, timestamps, and amounts, digital signatures, wallet addresses, and beneficiaries in connection with our Services.
Public and Commercially Available Sources: Such as public databases like the United Nations Sanctions List or other public sources of personal information, as well as commercially available sources, such as KYC/AML vendors and other types of due diligence vendors.
Service Providers: We work with a variety of third-party service providers to enhance and provide the Website and the Platform. Our service providers may provide the Screenings, website hosting, marketing, website usage analytics, advertising, and maintenance services. Many of these categories overlap with the indirectly collected personal information described below. In working with our service providers, we may share personal information with them and receive personal information back from them so that we may improve your interaction with us.

Indirectly from you. We process personal information collected automatically from you when you engage with us via the Platform through the use of tracking technologies or by other passive means. This “passively collected” information helps us to improve our offerings and allows us to ensure our Services work as designed. Some examples include:

Log Information: Through the use of analytics tools, we may automatically record information that your browser or mobile device sends when you access the Platform. This information may include information such as your type, browser language, your computer operating system, name of your internet service provider/mobile carrier, the date and time of your request, etc.
Cookies and Similar Tracking Technologies: When you access the Platform, we may utilize cookies (small text files containing a string of characters sent to your computer) or similar tracking technologies that uniquely identify your browser to track your activity and hold certain information. Cookies can be necessary for site navigation and performance, or used for advertising. We use the following types of cookies:some text
- Necessary Cookies help you access the Platform and facilitate features we provide. For example, these cookies may be used to assist with Platform navigation.
- Functional Cookies support additional functionalities on the Platform to provide an even smoother experience.
- Performance Cookies help us understand the behavior of our customers. This enables us to keep improving our Services.

Most web browsers accept cookies automatically but can be configured not to do so or to notify the user when a cookie is being sent. If you wish to disable cookies, refer to your browser help menu to learn how to disable cookies. Please note that disabling all cookies could impact the performance of our Services.

3. How We Use Personal Information

We use personal information for the purposes identified in the table set out below.

To open your account and provide our Services to you

Customer Data/Contact Information
Commercial information
Internet or other electronic network activity
Financial Information
Account Information
Transactional Information

Consent: Processing is carried out after obtaining your consent to processing for this purpose.
Contract Performance: Processing to carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing, payment, and collection.
Legitimate Interest: Processing is necessary for the purposes of the legitimate interests pursued by Surus or a third party.

To analyze and improve our Services

Customer Data/Contact Information
Commercial information
Internet or other electronic network activity
Financial Information
Account Information
Transactional Information

Vital Interest: Processing is necessary in order to protect vital interests
Legitimate Interest: Processing is necessary for the purposes of the legitimate interests pursued by Surus or a third party.

To comply with our legal obligations

Customer Data/Contact Information
Commercial information
Internet or other electronic network activity
Financial Information
Account Information
Transactional Information

Legal Obligation: Processing is necessary for compliance with a legal obligation to which Surus is subject.

To contact you about our Services

Customer Data/Contact Information

Legitimate Interest: Processing is necessary for the purposes of the legitimate interests pursued by Surus or a third party.

To manage risk and promote the safety, security, and integrity of our Services

Customer Data/Contact Information
Commercial information
Internet or other electronic network activity
Financial Information
Account Information
Transactional Information

Vital Interest: Processing is necessary in order to protect vital interests.
Legitimate Interest: Processing is necessary for the purposes of the legitimate interests pursued by Surus or a third party.

Where required by law, we will provide notice and consent before processing your personal information for other materially different purposes. If we rely on your consent as the legal basis for processing your personal information, you have the right to withdraw your consent at any time. Note, however, that where your consent is not the sole legal basis for processing of certain information, we may continue to process that information for the limited purposes permitted by other applicable bases.

When we rely on legitimate interests, these interests are detailed in the “Processing Purpose” column in the table above.

4. How We Share Personal Information

We may share your data with third-party vendors, service providers, contractors, or other third-parties (collectively, “third parties”) who perform services for us on our behalf and require access to such information to do that work. The categories of third parties we may share personal information with for this purpose include, but are not limited to, providers of:

Data Analytics Services
Cloud Computing Services
Performance Monitoring Tools
Website Hosting Services

We may also disclose or share the information we collect with the following recipients and/or under the following circumstances:

Other Financial Service Providers. When providing our Services, we may disclose personal information to other financial institutions to process transactions that you have authorized.
Government and Legal Authorities. We may disclose personal information in response to lawful requests by governmental and other legal authorities, including requests from national security agencies, consumer protection agencies, courts, and similar authorities.
Business Transfers/ Transactions. In the event of a merger, acquisition, bankruptcy or other sale of all or a portion of our assets, any user information owned or controlled by us may be one of the assets transferred to third parties.
Safety, Fraud, and Government Requests. We reserve the right to use and disclose your personal and non-personal information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, or as otherwise required by law.

5. Data Subject Rights

Surus would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:

The right to access: You have the right to request that we provide you with copies of your personal information. We may charge you a small fee for this service.
The right to rectification: You have the right to request that we correct any information you believe is inaccurate. You also have the right to request that Surus complete any information you believe is incomplete.
The right to erasure: You have the right to request that we erase your personal information, under certain conditions.
The right to restrict processing: You have the right to request that we restrict the processing of your personal information, under certain conditions.
The right to object to processing: You have the right to object to our processing of your personal information, under certain conditions.
The right to data portability: You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
The right to withdraw consent: As aforementioned, if we rely on your consent as the legal basis for processing your personal information, you have the right to withdraw your consent at any time

Under applicable privacy laws, we typically have one month to respond to you. If you would like to exercise any of these rights, please contact us using the information provided below:

Email us: privacy@surus.io

Call us: [PLACEHOLDER]

Or write to us: 1 Page Avenue, Asheville, NC 28801

6. Protection of Personal Information

We have implemented measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure.

The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to the Platform, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted to us online. Any transmission of personal information is at your own risk. We are not, and cannot be, responsible for circumvention of any privacy settings or security measures contained within the Platform.

7. Retention of Personal Information

We will retain your personal information collected via the Website or the Platform for as long as we deem reasonably necessary or desirable unless any applicable law, rule, or regulation requires a different retention period. We reserve the right to delete or destroy any information collected, including personal information, at any time.

8. Children’s Online Privacy

Our Services are not intended for persons under the age of 18. We will not permit persons under 18 to setup accounts on the Platform.

We do not knowingly collect personal information from children under 13. If we learn we have collected or received personal information from a child under 13, we will delete that information. If you believe we might have any information from or about a child under 13, please contact us right away.

9. Automated Decision Making

Certain steps in the application and account processes utilize automated screenings for credit and fraud prevention, as well as KYC/AML, economic sanctions, and counter-terrorism financing. These screenings involve checking customer information against lists provided by governmental authorities. This may sometimes cause a transaction to be flagged or terminated, and/or result in the suspension of the user's access to the Platform.

10. International Transfers

As outlined in the “How We Share Personal Information” section, we may disclose personal information within and outside of our business. In some instances, this involves international transfers. We only transfer your personal information to countries that are considered to provide an adequate level of data protection ("Adequate Jurisdiction"). In the absence of such legislation, we ensure adequate protection based on appropriate safeguards, such as standard contractual clauses adopted by the European Commission, to the extent recognized by the competent Data Protection Authority or another statutory exemption provided by local applicable law.

We will transfer personal information from the EEA and UK to other non-EEA/UK countries pursuant to the standard contractual clauses approved by the European Commission, which impose equivalent data protection obligations directly on the recipient unless we are permitted under applicable data protection law to make such transfers without such formalities. If you are an EEA or UK resident, you may request a copy of such clauses.

11. California Consumer Privacy Act

To the extent applicable, California residents may be entitled to certain privacy disclosures and rights under the California Consumer Privacy Act (“CCPA”). Please reference the “Personal Information We Collect” section for disclosures about the types of personal information we have collected in the past 12 months. Disclosures about our data use and sharing practices over the last 12 months are included in the sections entitled “How We Use Personal Information” and “How We Share Personal Information.”

‍

This section supplements other important information in our Privacy Policy (e.g., disclosures about data subject rights, data retention, etc.). For CCPA purposes, please note that our data processing practices do not constitute “selling” or “sharing.”

12. Modification of this Privacy Policy

This policy is subject to modification by Surus at any time. If you are an account holder and log in after we modify this policy, we will notify you of the update. We will also notify you about material changes to this policy by sending a notice to the email address registered with your account. All other users will receive notice by the posting of an updated Policy on our website. Material changes will go into effect no less than 30 days after we notify you. Non-material changes or clarifications will take effect immediately upon posting of the updated policy on our website.

13. Contact Information

To ask questions or comment about this Policy and our privacy practices, please contact us using the information provided below: