CASK CAPITAL PRIVACY POLICY
Last Updated: 18/01/2026
Effective Date: 01/01/2024
Scope
This Privacy Policy applies to www.caskcapital.io, the Cask Capital marketplace platform, and any associated applications, services, and tools operated by Cask Capital (collectively, the "Services"). Whether you are browsing our website, subscribing to our newsletter, or using our trading platform, this policy explains how we handle your personal information.
1. Who We Are
Cask Capital ("we," "us," or "our") operates a digital marketplace for tokenized cask-aged assets including whisky, wine, rum, and tequila.
Company Details:
- Registered Name: Cask Capital B.V.
- Registration Number: [NUMBER]
- Registered Address: [ADDRESS]
- Country of Incorporation: Netherlands
Privacy Contact:
- Email: info@caskcapital.io
If you are located in the European Economic Area (EEA), we are the data controller responsible for your personal information.
2. About This Policy
This Privacy Policy explains how we collect, use, store, and protect your personal information when you:
- Visit our website at www.caskcapital.io
- Use our marketplace platform
- Create an account with us
- Purchase or trade tokenized assets
- Subscribe to our communications
- Contact us for support
By using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our services.
Age Restriction: Our services are only available to individuals aged 18 years or older. We do not knowingly collect personal information from anyone under the age of 18. If we become aware that we have collected information from someone under 18, we will delete it promptly.
3. Information We Collect
3.1 Information You Provide Directly

| Category | Examples | Purpose |
|----------|----------|---------|
| Account Information | Name, email address, password, date of birth | Account creation, communication, age verification |
| Contact Information | Phone number, postal address | Delivery of documents, customer support |
| Identity Verification | Government-issued ID, passport, proof of address | Regulatory compliance (KYC/AML) |
| Financial Information | Payment method details, bank account information, transaction history | Processing purchases, refunds, compliance |
| Profile Information | Preferences, communication settings | Personalizing your experience |
| Communications | Emails, support tickets, chat messages | Customer service, dispute resolution |

3.2 Information Collected Automatically

| Category | Examples | Purpose |
|----------|----------|---------|
| Device Information | IP address, browser type, operating system, device identifiers | Security, fraud prevention, analytics |
| Usage Data | Pages visited, features used, time spent, clickstream data | Improving our services, analytics |
| Location Data | Country, region (derived from IP address) | Compliance, localization |
| Cookies and Tracking | Session cookies, analytics cookies | Functionality, performance measurement |

3.3 Information from Third Parties

| Source | Information | Purpose |
|--------|-------------|---------|
| Identity Verification Providers | Verification results, risk scores | KYC/AML compliance |
| Payment Processors | Transaction confirmations, payment status | Order fulfillment |
| Blockchain Networks | Transaction records, wallet activity | Ownership verification |

3.4 Blockchain and Distributed Ledger Data
When you purchase or trade assets on our platform, certain information is recorded on blockchain networks:
- Wallet Address or Account Identifier: A pseudonymous identifier linked to your account
- Ownership Records: Records of assets you own
- Transaction History: Purchases, sales, and transfers
- Timestamps: When transactions occurred
Important Notice About Blockchain Data:
- Blockchain records are public — anyone can view transaction data
- Blockchain records are immutable — they cannot be modified or deleted
- Blockchain records are permanent — they persist as long as the network operates
While your wallet address or account identifier does not directly reveal your identity, it is linked to your account in our systems. This means blockchain data, combined with your account information, could potentially identify you.
We cannot delete blockchain data. If you exercise your right to erasure (see Section 8), we will delete your personal information from our systems, but blockchain records will remain. This is a technical limitation inherent to blockchain technology that you accept by using our services.
4. How We Use Your Information
4.1 To Provide Our Services
- Creating and managing your account
- Processing transactions and payments
- Recording and verifying ownership of assets
- Facilitating marketplace activities (buying, selling, trading)
- Communicating about your account, transactions, and assets
- Providing customer support
4.2 To Comply with Legal Obligations
- Verifying your identity (Know Your Customer / KYC)
- Preventing money laundering and financial crime (AML)
- Maintaining records as required by law
- Responding to lawful requests from authorities
- Complying with tax reporting requirements
4.3 To Protect Our Services and Users
- Detecting and preventing fraud
- Monitoring for suspicious activity
- Enforcing our terms of service
- Protecting the security of our platform
- Investigating potential violations
4.4 To Improve Our Services
- Analyzing how users interact with our platform
- Identifying and fixing technical issues
- Developing new features and services
- Conducting research and analytics
4.5 To Communicate With You
- Sending service-related notifications (required for your account)
- Sending marketing communications (with your consent)
- Responding to your inquiries
- Providing updates about our services
5. Legal Basis for Processing (EEA Users)
If you are located in the European Economic Area, we process your personal information based on the following legal grounds:

| Legal Basis | When We Use It |
|-------------|----------------|
| Contract Performance | Processing necessary to provide our services to you (e.g., account management, transactions, customer support) |
| Legal Obligation | Processing required by law (e.g., KYC/AML verification, tax reporting, record keeping) |
| Legitimate Interests | Processing for our legitimate business interests where not overridden by your rights (e.g., fraud prevention, security, service improvement, analytics) |
| Consent | Processing based on your explicit consent (e.g., marketing communications, optional cookies) |

You may withdraw consent at any time where we rely on it. This will not affect the lawfulness of processing before withdrawal.
6. How We Share Your Information
6.1 Service Providers
We share information with trusted third parties who help us operate our business:

| Provider Type | Purpose | Data Shared |
|---------------|---------|-------------|
| Platform Providers | Marketplace infrastructure | Account data, transaction data |
| Identity Verification | KYC/AML compliance | Name, ID documents, address |
| Payment Processors | Payment processing | Payment details, transaction amounts |
| Cloud Services | Data storage and hosting | All data categories |
| Analytics Providers | Service improvement | Usage data, device information |
| Communication Services | Email, notifications | Email address, name |
| Customer Support Tools | Support ticket management | Account data, communications |

All service providers are contractually bound to protect your information and may only use it for the purposes we specify.
6.2 Blockchain Networks
Transaction data is published to blockchain networks as described in Section 3.4. This data becomes publicly accessible.
6.3 Legal and Regulatory Disclosure
We may disclose your information:
- To comply with applicable laws, regulations, or legal processes
- To respond to lawful requests from government authorities
- To enforce our terms of service or protect our rights
- To protect the safety of our users or the public
- In connection with a merger, acquisition, or sale of assets (with notice to you)
6.4 With Your Consent
We may share your information for other purposes with your explicit consent.
6.5 What We Do Not Do
- We do not sell your personal information to third parties
- We do not share your information for third-party marketing without your consent
- We do not disclose your identity verification documents except as required for compliance
7. International Data Transfers
Your information may be transferred to and processed in countries outside your country of residence, including countries that may not provide the same level of data protection.
For EEA Users:
When we transfer your data outside the EEA, we ensure appropriate safeguards are in place:
- Adequacy Decisions: Transfers to countries the European Commission has deemed adequate
- Standard Contractual Clauses (SCCs): EU-approved contractual terms with recipients
- Binding Corporate Rules: For transfers within corporate groups with approved rules
You may request a copy of the safeguards we use by contacting us.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
8.1 General Rights

| Right | Description |
|-------|-------------|
| Access | Request a copy of the personal information we hold about you |
| Rectification | Request correction of inaccurate or incomplete information |
| Erasure | Request deletion of your personal information (subject to limitations) |
| Restriction | Request that we limit how we use your information |
| Portability | Receive your data in a structured, machine-readable format |
| Objection | Object to processing based on legitimate interests or for marketing |
| Withdraw Consent | Withdraw consent where processing is based on consent |
| Complaint | Lodge a complaint with your local data protection authority |

8.2 How to Exercise Your Rights
To exercise any of these rights, contact us at:
- Email: info@caskcapital.io
We will respond to your request within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.
8.3 Limitations on Erasure
We may not be able to delete all your information in certain circumstances:

| Reason | Retention Period |
|--------|------------------|
| Legal Compliance (AML/KYC) | Identity records retained for 5-7 years after relationship ends |
| Legal Compliance (Tax/Financial) | Transaction records retained for 7-10 years |
| Legal Claims | Information relevant to actual or potential legal proceedings |
| Blockchain Records | Cannot be deleted due to immutability (see Section 3.4) |

We will inform you if we cannot fully comply with an erasure request and explain the reasons.
9. Data Retention
We retain your personal information only as long as necessary for the purposes described in this policy:

| Data Category | Retention Period |
|---------------|------------------|
| Account Information | Duration of account + 30 days after deletion request |
| Identity Verification (KYC) | 5-7 years after relationship ends (legal requirement) |
| Transaction Records | 7-10 years (legal/tax requirement) |
| Payment Information | As required by payment processor + our records for 7 years |
| Communications (Support) | 3 years after resolution |
| Marketing Preferences | Until you unsubscribe + 30 days |
| Analytics/Usage Data | 24 months |
| Security Logs | 12 months |

After retention periods expire, we securely delete or anonymize your information.
10. Cookies and Tracking Technologies
10.1 What We Use

| Cookie Type | Purpose | Duration |
|-------------|---------|----------|
| Essential | Required for site functionality, security, authentication | Session or up to 1 year |
| Functional | Remember your preferences | Up to 1 year |
| Analytics | Understand how visitors use our site | Up to 2 years |
| Marketing | Deliver relevant advertisements (if enabled) | Up to 2 years |

10.2 Your Choices
- Browser Settings: You can configure your browser to reject cookies
- Consent Banner: Where required, we will ask for your consent before setting non-essential cookies
- Opt-Out: You can opt out of analytics tracking [LINK TO PREFERENCE CENTER]
Disabling certain cookies may affect the functionality of our services.
11. Data Security
We implement appropriate technical and organizational measures to protect your personal information:
Technical Measures:
- Encryption of data in transit (TLS/SSL) and at rest
- Secure authentication mechanisms
- Regular security assessments and penetration testing
- Access controls and logging
Organizational Measures:
- Staff training on data protection
- Access limited to authorized personnel
- Incident response procedures
- Vendor security assessments
Your Responsibilities:
- Keep your account credentials secure
- Use strong, unique passwords
- Enable two-factor authentication if available
- Report any suspected security issues to us immediately
While we take security seriously, no system is completely secure. We cannot guarantee absolute security of your information.
12. Third-Party Links and Services
Our platform may contain links to third-party websites or services. This Privacy Policy does not apply to those third parties. We recommend reviewing their privacy policies before providing any personal information.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes:
- We will update the "Last Updated" date at the top
- For material changes, we will notify you via email or prominent notice on our platform
- Your continued use of our services after changes constitutes acceptance
We encourage you to review this policy periodically.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:
Privacy Contact:
- Email: info@caskcapital.io
For EEA Users:
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. A list of EEA data protection authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
15. Additional Information for Specific Regions
15.1 United Kingdom
If you are located in the UK, references to the GDPR in this policy include the UK GDPR as incorporated into UK law. You may contact the Information Commissioner's Office (ICO) at https://ico.org.uk for concerns.
15.2 California (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
- Right to Know: Categories and specific pieces of personal information collected
- Right to Delete: Request deletion (subject to exceptions)
- Right to Opt-Out: Opt out of "sale" of personal information (we do not sell your data)
- Non-Discrimination: We will not discriminate against you for exercising your rights
To exercise these rights, contact privacy@caskcapital.io or call [PHONE NUMBER].
15.3 Other Jurisdictions
We comply with applicable data protection laws in the jurisdictions where we operate. Contact us for specific information relevant to your location.
This Privacy Policy was last reviewed on 18/01/2026.
