Privacy Policy

1. Information We Collect

Account data: When you register for our services, we collect your name, email address, company name, role, and other information you provide during onboarding or KYC/KYB verification.

Usage data: We automatically collect information about how you interact with our platform, including API call logs, wallet activity, transaction metadata, IP addresses, device identifiers, and timestamps.

Cookies: We use cookies and similar tracking technologies to maintain sessions, remember preferences, and collect analytics data. See Section 7 for details.

2. How We Use Information

Service provision: We use your data to operate, maintain, and improve our infrastructure — including BROsettlement, BROwallet, and BROcard products — and to fulfill our contractual obligations to you.

Security: Transaction data and behavioral signals are used to detect fraud, prevent unauthorized access, and comply with AML/CFT obligations including real-time screening against OFAC and FATF sanctions lists.

Analytics: Aggregated, anonymized usage data helps us understand platform performance and prioritize product improvements.

3. Data Sharing

No sale of data: We do not sell, rent, or trade your personal data to third parties for marketing purposes. Your data is not a product.

Service providers: We share data with sub-processors (cloud infrastructure, KYC providers, AML screening services, Chainalysis) under strict data processing agreements. All sub-processors are GDPR-compliant.

Legal requirements: We may disclose data when required by applicable law, court order, regulatory authority, or to protect the rights and safety of BroLabel and its users.

4. Data Security

We implement industry-leading security controls including AES-256 encryption at rest, TLS 1.3 in transit, and hardware security module (HSM) protection for cryptographic keys.

Access controls: Role-based access control (RBAC) with least-privilege principles. All administrative access is logged, monitored, and subject to multi-factor authentication.

MPC infrastructure: Our Multi-Party Computation (MPC) 2-of-3 threshold signing ensures that private keys are never held in full by any single party — including BroLabel. This architectural approach eliminates the most common vector for custodial breaches.

5. Data Retention

Account data: Retained for the duration of your contract with BroLabel, plus 7 years following termination to comply with Anti-Money Laundering (AML) record-keeping requirements under EU Directive 2015/849 (AMLD5) and Estonian Money Laundering and Terrorist Financing Prevention Act.

Transaction records, KYC/KYB documentation, and AML screening results are retained for a minimum of 5 years from the date of the transaction or the end of the business relationship, whichever is later.

6. Your Rights (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):

Right of access: Request a copy of the personal data we hold about you.

Right to rectification: Request correction of inaccurate or incomplete data.

Right to erasure: Request deletion of your personal data, subject to legal retention obligations.

Right to data portability: Receive your personal data in a structured, machine-readable format.

To exercise any of these rights, contact us at privacy@brolabel.io.

7. Cookies

Session cookies: Required for authentication and maintaining your login state. These are deleted when you close your browser.

Analytics cookies: We use Google Analytics (GA4) to understand aggregate usage patterns. IP addresses are anonymized. You may opt out via your browser settings or the Google Analytics Opt-out Add-on.

Functional cookies: Used to remember your preferences such as language selection and theme. These persist across sessions. See our Cookie Policy for full details.

8. Contact

For privacy-related inquiries, data subject requests, or to reach our Data Protection Officer, contact us at privacy@brolabel.io.