Privacy Policy

Last updated: 18 May 2026 · v2.4

Ubuntu Tribe ("Ubuntu Tribe", "we", "us", or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy describes how we collect, use, disclose, store, and protect your information when you use Utribe.one, our web and mobile platforms, and related services (collectively, the "Services").

1. Who We Are

Ophir Ubuntu International
Registered Office: c/o Nexus Global Financial Services Limited, 5th Floor, The Core Building No.62, ICT Avenue, Cybercity, Ébène, Mauritius.

We are a digital financial infrastructure provider offering tokenised real-world assets (RWAs), gold-backed digital tokens, wallet services, and decentralised applications.

1.1 Data Controllers

Our Services are offered through operating subsidiaries of Ophir Ubuntu International in multiple jurisdictions. The specific entity responsible for processing your data (the "data controller") depends on your jurisdiction and the services you use.

Details of the data controller applicable to your jurisdiction, including registered address and regulatory authority, are available upon request by contacting [email protected].

1.2 Data Protection Officer

Our Data Protection Officer (DPO) is Louis Sirico, who can be contacted at:

• Email: [email protected]

The DPO also serves as our representative under Article 27 of the EU General Data Protection Regulation (GDPR) for matters relating to the processing of personal data of individuals located in the European Economic Area.

2. Scope of This Policy

This Privacy Policy applies to all users of our website, mobile applications, products, and services worldwide. By using our Services, you agree to the practices described here.

If you do not agree with this Privacy Policy, please do not use our Services.

3. What Information We Collect

3.1 Information You Provide to Us

• Full name

• Email address

• Phone number

• Date of birth

• National ID, passport, or driver's licence (for identity verification)

• Selfie or biometric photograph (for identity verification)

• Wallet address(es)

• Billing and shipping address (if applicable)

• Occupation and source of funds (for regulatory compliance)

• Any additional information you submit through forms or support channels

3.2 Information Collected Automatically

• Device and browser information (type, version, operating system)

• IP address

• Geolocation data (if enabled by your device settings)

• Cookies and similar tracking technologies (see Section 12)

• Application activity logs (pages visited, features used, timestamps)

• Transaction metadata (amounts, timestamps, blockchain addresses — but not private keys)

3.3 Information from Third Parties

We may receive data from:

• Identity verification and compliance screening providers

• Payment service providers (PSPs)

• Blockchain analytics providers

• Exchanges or custodians if you interact with our tokens

• Publicly available blockchain data

Note: We do not disclose the names of our third-party technology providers in this policy. Details are available to regulators and auditors upon request.

4. Why We Collect Your Information and Legal Basis

We process your personal data only where we have a lawful basis to do so. The table below maps each processing purpose to its legal basis:

Purpose Legal Basis (GDPR) Details Identity verification (KYC) Legal obligation (Art. 6(1)(c)) Required by AML/CFT regulations in all operating jurisdictions AML/CFT screening and transaction monitoring Legal obligation (Art. 6(1)(c)) Required by FSC Mauritius, EU AMLD6, UAE AML-CFT Decision, VARA Providing wallet and token services Contractual necessity (Art. 6(1)(b)) Necessary to fulfil our obligations under the Terms of Service Processing transactions (purchase, transfer, redemption) Contractual necessity (Art. 6(1)(b)) Core service delivery Fraud prevention and financial crime detection Legitimate interest (Art. 6(1)(f)) Protecting users and the platform from fraudulent activity Compliance with regulatory obligations Legal obligation (Art. 6(1)(c)) Required by financial regulators across operating jurisdictions Improving user experience and platform features Legitimate interest (Art. 6(1)(f)) Analysing usage patterns to improve service quality Communicating account updates and policy changes Contractual necessity (Art. 6(1)(b)) Necessary for service delivery and regulatory compliance Sending educational or promotional content Consent (Art. 6(1)(a)) Only with your explicit opt-in consent; withdrawable at any time Biometric processing (selfie verification) Explicit consent (Art. 9(2)(a)) Processed only with your explicit consent during KYC onboarding Geolocation processing for sanctions compliance Legal obligation (Art. 6(1)(c)) Required for sanctions screening and geographic access controls

Note on Kenya Data Protection Act 2019: Where we process personal data of users located in Kenya, we are committed to processing such data consistent with the principles of the Kenya Data Protection Act 2019 and its implementing regulations, including lawfulness, purpose limitation, and data minimisation. The lawful bases set out above are aligned with the legal bases recognised under the Kenyan framework, including consent, contractual necessity, legal obligation, and legitimate interest. We are progressing applicable registration and notification steps with the Office of the Data Protection Commissioner where required, and will update this notice as those steps complete. Users in Kenya may exercise their data subject rights through the Office of the Data Protection Commissioner (odpc.go.ke).

Note on Nigeria Data Protection Act 2023: Where we process personal data of users located in Nigeria, we do so in accordance with the Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Regulation 2019 (NDPR). The lawful bases set out above align with the requirements of the Nigerian framework, including consent, contractual necessity, legal obligation, and legitimate interest as recognised under that Act. Users in Nigeria may exercise their data subject rights through the Nigeria Data Protection Commission (ndpc.gov.ng).

4.1 Automated Decision-Making

Our compliance screening process includes automated decision-making and profiling as part of identity verification and transaction monitoring. This may result in:

• Automated risk scoring during KYC onboarding

• Automated transaction flagging based on pattern analysis

• Automated blocking of transactions involving sanctioned addresses or jurisdictions

You have the right to request human review of any automated decision that significantly affects you. Contact [email protected] to exercise this right.

5. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that present a high risk to individuals' rights and freedoms, including:

• Biometric data processing during identity verification

• Large-scale transaction monitoring and profiling

• Cross-border transfers of personal data

• Automated decision-making in compliance screening

DPIAs are reviewed annually and updated when processing activities change materially.

6. Who We Share Your Data With

We may share your personal data with the following categories of recipients:

Recipient Category Purpose Safeguards Regulatory authorities AML/CFT compliance, regulatory reporting Legal obligation Identity verification providers KYC/KYB screening Data Processing Agreement (DPA) Blockchain analytics providers Transaction monitoring, sanctions screening DPA + encryption in transit Cloud infrastructure providers Hosting and data storage DPA + SCCs + encryption at rest and in transit Payment service providers Transaction processing DPA + PCI DSS compliance Vault and custody operators Physical gold custody verification DPA + regulated entity Law enforcement Upon valid legal request only Legal obligation, logged and audited Professional advisors Legal, audit, tax, insurance NDA + professional duty of confidentiality Affiliated group entities Shared services within Ophir Ubuntu group Binding Corporate Rules / Intra-Group DPA

We never sell your personal information.

All third-party processors are bound by Data Processing Agreements that require them to process data only on our instructions and maintain appropriate security measures.

7. International Data Transfers

Your information may be transferred to, stored, or processed in countries outside your jurisdiction, including Mauritius, the UAE, EU member states, Canada, the United Kingdom, and the United States.

We ensure appropriate safeguards for international transfers through:

• EU Standard Contractual Clauses (SCCs) — for transfers from the EU/EEA to third countries

• Adequacy decisions — where the European Commission has recognised the receiving country provides adequate protection

• Binding Corporate Rules — for intra-group transfers

• UAE PDPL Art. 10 safeguards — for transfers from the UAE, including contractual commitments and data protection assessments

• Local regulatory frameworks — adherence to local data protection requirements in operating jurisdictions, with registration and notification steps progressed as applicable in each jurisdiction

International transfers are carried out using secure channels with encryption and technical safeguards. Cross-border transfers are subject to compliance review, with assessments and documentation maintained in line with applicable safeguards. Where additional registration or notification steps are required by local data protection authorities, these are progressed as part of our ongoing compliance programme.

You may request information about the specific safeguards applied to transfers of your data by contacting [email protected].

8. Data Retention

We retain your personal data in accordance with our Data Retention Policy (POL-ISMS-DR-001), which standardises retention periods to the strictest applicable jurisdiction:

Data Category Retention Period Governing Requirement KYC/KYB records 7 years from end of relationship FSC Mauritius AML/CFT Code 2020, Part III, S.13 Transaction records 7 years FSC Mauritius AML/CFT Code 2020 Suspicious activity reports 10 years Mauritius FIAMLA 2002, S.17; UAE AML-CFT Decision Art. 16(3) Audit logs 7 years FSC Mauritius AML/CFT Code, Part V Contracts and agreements 7 years Mauritius Civil Code limitation period General correspondence 7 years FSC Mauritius AML/CFT Code Operational logs 3 years ISO 27001 A.8.15

When data is no longer required, it is securely deleted using cryptographic erasure or secure deletion methods in accordance with NIST SP 800-88 guidelines.

The retention periods above apply equally to data we are legally required to keep after you exercise your right to erasure (see Section 9.2). In those cases, we retain only what the law requires, for only as long as the law requires, and we tell you in writing what was retained and why.

9. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

Right Description GDPR Article Response Time Access Request a copy of the personal data we hold about you Art. 15 Within 1 month Rectification Correct inaccurate or incomplete data Art. 16 Within 1 month Erasure Request deletion of your data ("right to be forgotten") Art. 17 Within 1 month Restriction Restrict processing of your data in certain circumstances Art. 18 Within 1 month Data portability Receive your data in a structured, machine-readable format (JSON or CSV) Art. 20 Within 1 month Object Object to processing based on legitimate interests or direct marketing Art. 21 Within 1 month Withdraw consent Withdraw consent at any time for consent-based processing Art. 7(3) Immediate effect Automated decisions Request human review of automated decisions that significantly affect you Art. 22 Within 1 month Complaint Lodge a complaint with a supervisory authority Art. 77 N/A

How to exercise your rights: Contact [email protected] with your request. We will verify your identity before processing any request. For requests to delete your account (right to erasure, Art. 17), the fastest route is our self-service deletion portal — see Section 9.2 below.

Note: Some rights may be limited where we are required by law to retain data (e.g., AML/CFT record-keeping obligations).

9.1 Supervisory Authorities

You have the right to lodge a complaint with the data protection authority in your jurisdiction:

Jurisdiction Authority Contact Mauritius Data Protection Office 5th Floor, SICOM Tower, Wall Street, Ebène, Mauritius — dataprotection.govmu.org EU / Czech Republic ÚOOÚ (Úřad pro ochranu osobních údajů) Pplk. Sochora 27, 170 00 Praha 7, Czech Republic — uoou.cz UAE UAE Data Office P.O. Box 1789, Abu Dhabi, United Arab Emirates — uaedataoffice.gov.ae Kenya Office of the Data Protection Commissioner Britam Tower, 16th Floor, Hospital Road, Upper Hill, Nairobi, Kenya — odpc.go.ke Nigeria Nigeria Data Protection Commission (NDPC) No. 18 Aguiyi Ironsi Street, Maitama, Abuja, Nigeria — ndpc.gov.ng

9.2 Your right to request account deletion

You have the right to request that we delete your account and the personal data we have collected directly from you. This right is grounded in GDPR Article 17 (right to erasure, "right to be forgotten"), the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), the Mauritius Data Protection Act 2017, and, where applicable, the Kenya Data Protection Act 2019 and the Nigeria Data Protection Act 2023.

How to request deletion

The fastest way to request deletion is through our self-service portal:

https://compliance.utribe.cloud/account-deletion

The portal will ask you to provide:

• The email address registered to your account

• The product or products you want deleted (for example, your GIFT app account, or your subscription to our marketing communications)

• Optional notes you'd like the compliance team to see

How verification works

To protect you from someone else requesting deletion of your account, we verify that the request really came from you:

1. After you submit the form, we email a confirmation link to the address you provided.

2. You have 7 days to click the link. If you do not click within 7 days, the request expires and no data is deleted.

3. As soon as you click the link, we start processing your deletion request.

Our service level

Once you have confirmed your request by clicking the email link, we will complete the deletion within 30 days. This 30-day clock starts at the moment of your email confirmation, not at the moment you submit the form.

The 30-day commitment is consistent with — and in many cases shorter than — the response time the law requires of us. Where a specific jurisdiction grants you a stricter timeline, the stricter timeline applies; you always get whichever rule is more favourable to you.

What we delete, and what we are required to keep

When we complete a deletion request we delete everything we hold about you that we are not required by law to retain.

However, certain records must by law be kept after the relationship ends. The categories most relevant to account deletion are:

• Identity-verification (KYC/KYB) records retained under FSC Mauritius AML/CFT Code 2020, the UAE AML-CFT Decision, the EU AMLD6, and equivalent rules in our operating jurisdictions;

• Transaction records and suspicious-activity reports retained under the same AML/CFT framework and, where applicable, VASP licensing obligations;

• Audit logs and contracts retained for statutory limitation periods.

The full retention schedule is in Section 8 above. Where these obligations apply, we retain only what the law strictly requires, for only as long as the law strictly requires, and we will tell you in writing — at the time we complete your request — exactly what was retained and why. The retained records are placed under access restrictions and are used only for the legal purpose that required their retention.

If the portal does not work for you

If you cannot use the web portal — for example, because you would like to submit your request in a language we do not yet support, or because the portal is unavailable in your jurisdiction — you can request deletion by email at [email protected]. We will verify your identity before acting on any email request.

You can also contact a supervisory authority at any time (see Section 9.1).

Jurisdictional variation

The rights described in this section apply broadly across the jurisdictions where we operate. Some jurisdictions grant rights that are stricter than the ones described above (for example, shorter response windows, or specific retention carve-outs that we are required to follow). In every case, we apply the rule that is most favourable to you as the data subject — the rights in this policy are a floor, not a ceiling.

10. Security of Your Data

We implement technical and organisational measures to protect your personal data, including:

• Encryption in transit (TLS 1.2+ on all connections) and at rest (AES-256)

• Role-based access controls and the principle of least privilege

• Multi-factor authentication for all administrative access

• Annual independent penetration testing and security audits

• Smart contract security assessments before deployment

• ISO 27001:2022-aligned information security management system

• 24/7 security monitoring and incident response capability

• Tamper-evident audit logging with cryptographic integrity verification

Despite our best efforts, no system is 100% secure. We encourage you to use strong passwords and protect your wallet keys.

11. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms:

• We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33)

• We will notify affected individuals without undue delay where the breach poses a high risk (GDPR Art. 34)

• Notification will include: the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed to mitigate the breach

• All breaches are logged, investigated, and remediated in accordance with our Incident Response Procedure (SOP-SEC-INC-001)

12. Cookies and Tracking Technologies

We use cookies and similar technologies on our website:

Type Purpose Legal Basis Strictly necessary Essential for website functionality (session management, security) Legitimate interest Analytics Understanding how users interact with our site (e.g., page views, session duration) Consent Functional Remembering user preferences (language, region) Consent Marketing Not currently used N/A

Analytics provider: We use a web analytics service to track usage patterns. Analytics data is aggregated and does not identify individual users.

Your choices: You can manage cookie preferences through our cookie consent banner when you first visit the site. You can also disable cookies through your browser settings, but some features may not work properly.

Cookie retention: Strictly necessary cookies expire at the end of your browser session. Analytics and functional cookies are retained for up to 12 months unless you withdraw consent or clear your browser cookies. We do not use persistent tracking cookies for advertising purposes.

Do Not Track: We respect browser Do Not Track (DNT) signals. When DNT is enabled, analytics cookies are not set.

13. Artificial Intelligence

Our website and services may use AI-powered features, including conversational interfaces and automated compliance tools. When AI processes data:

• It operates under the same data protection standards as all other processing

• No personal data is used to train our AI models

• You are not required to use the AI-powered features of our systems. For example: our AI powered chatbot can be bypassed directly to a customer support person

• Automated decisions made by AI are subject to human review (see Section 4.1)

14. Children's Privacy

Our Services are not intended for users under the age of 18. Age is verified during the KYC process. We do not knowingly collect or process personal data from children. If we become aware that we have collected data from a person under 18, we will promptly delete it and notify the relevant supervisory authority if required.

Parents or legal guardians who believe their child has provided personal data to us should contact [email protected] immediately.

14.1 Special Categories of Personal Data

We may process special categories of personal data (such as biometric data for identity verification) only where:

• You have given explicit consent for the specific processing purpose

• Processing is necessary for the establishment, exercise, or defence of a legal right or regulatory requirement

• Processing is necessary to comply with an obligation under applicable law

• You have deliberately made the information public

We do not process special category data for profiling or marketing purposes.

15. Third-Party Links

Our website or app may contain links to third-party platforms, including, but not limited to, social media and news sites. We are not responsible for the privacy practices of those platforms, which operate independently of us. We encourage you to review their privacy policies before providing any personal data.

16. Policy Updates

We may update this Privacy Policy periodically. When we make changes:

• For changes that materially affect how we process your personal data, we will notify you by email or in-app notification at least 30 days before the changes take effect

• For other changes, we may notify you in-app or by updating this page

• The updated version will be published on this page with a new "Last Updated" date

• We will maintain a version history of all changes

17. Roles and Responsibilities

17.1 Data Protection Officer

Ubuntu Tribe appoints a dedicated Data Protection Officer (DPO) who holds primary responsibility for data protection oversight, ensuring ongoing compliance with applicable data privacy laws and regulations. The DPO serves as the main point of contact for supervisory authorities and data subjects exercising their rights.

17.2 Employees

All employees are required to complete mandatory data protection and privacy training during onboarding and on a recurring basis. Staff must adhere to established standard operating procedures, maintain the confidentiality of all personal and sensitive information they handle, and promptly report any actual or suspected data breaches.

17.3 Third-Party Processors

All third-party service providers, partners, and contractors engaged by Ubuntu Tribe must comply with our data protection standards as set out in binding data processing agreements. We regularly review third-party compliance through audits and ongoing monitoring.

18. Contact Us

For questions, data-related requests, or to exercise your rights:

Data Protection Officer
Ubuntu Tribe
Email: [email protected]
Website: https://utribe.one

For legal matters: [email protected]