Privacy Policy

Stables Technologies FZ-LLC (“Company,” “we,” “us,” or “our”), a company registered under the laws of Ras Al Khaimah, United Arab Emirates, with Registration No. 0000004061328, is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you access or use our website, mobile application, and related technology platform (collectively, the “Platform”).

By using the Platform, you consent to the collection and use of your information as described in this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not use the Platform.

1. Data Collection

1.1 Information You Provide Directly: When you register on Our platform, you provide certain identifiers and credentials, including:

Photograph (a recent head-and-shoulders image) for account verification;
Mobile phone number and email address for account setup, authentication, and notifications;
Any other information you choose to submit during registration or profile updates.

In addition, to complete identity verification (“KYC”), you must grant the Platform access to your device’s camera. This access is used solely for live image capture (selfie) and ID- document scanning; images are temporarily processed for liveness checks and then stored or forwarded as described below.

1.2 Information Collected Automatically: We automatically collect certain information when you use the platform, including your IP address, browser type, operating system, device identifiers, and usage data through cookies and similar technologies. This data helps us understand user behaviour, improve the platform, and enhance your user experience.

1.3 Information Shared with VASPs: As part of your use of the platform, you will be required to undergo identity verification (KYC) directly with the Virtual Asset Service Providers (“VASPs”) integrated into the platform. The platform itself does not collect or store KYC documents unless you explicitly authorize us to do so or we are required to store KYC to provide any future services or on behalf of any other third party VASP . Any personal data you submit during the KYC process is governed by the privacy policies of the respective VASPs or by The company for use in relation to any future product launches with any other registered or regulated entity, whether a VASP or not.

2. Use of Information

We use the information we collect to:

Authenticate and secure your account (e.g., multi-factor prompts to your phone or email), to enable your registration, authentication, and access to platform features and services.
Facilitate transactions: To enable communication and integration with VASPs for onboarding, identity verification, and transaction facilitation. Facilitate KYC by forwarding photographs, live selfies, and document images to on-ramp/off-ramp VASPs or store it within our services for and on behalf of a VASP or for provision of future services by The company;
Improve the platform: To analyse usage patterns, diagnose technical issues, and enhance platform functionality and user experience.
Compliance and legal obligations: To comply with applicable laws, respond to lawful requests, and enforce our Terms of Service.
Communicate with you: To send important notices, updates, customer support responses, and marketing communications (with your consent, where required).
Security: To protect the platform and users against fraud, abuse, and unauthorized access.

3. Data Sharing and Disclosure

3.1 Sharing with Virtual Asset Service Providers (VASPs):To facilitate your transactions and comply with regulatory requirements, we share your personal information with the VASPs you engage with through the platform, these details include your name, photograph, live-selfie capture, ID-document images. Further we may also store your email address and phone number for account linkage and transaction alerts. Each VASP operates under its own privacy and compliance policies, and The company is not responsible for their data practices.

3.2 Service Providers and Partners: We may share your information with third-party service providers who perform services on our behalf, such as hosting, analytics, customer support, and security. These providers are contractually obligated to protect your data and use it solely for the purposes we specify. In addition, we may share your phone number and email with SMS and email gateway providers solely to deliver security codes, transaction confirmations, and customer support communications.

3.3 Legal Requirements: We may disclose your information if required to do so by law or in response to valid legal requests by public authorities, including to meet national security or law enforcement requirements.

3.4 Business Transfers: In the event of a merger, acquisition, or sale of all or part of our assets, your personal data may be transferred as part of the business transaction. We will notify you via email or a prominent notice on Our platform of any such change in ownership or control.

3.5 With Your Consent: We may share your information with your explicit consent or as otherwise disclosed at the time of data collection.

4. Data Security:

We take the security of your personal information seriously and implement reasonable technical, administrative, and organizational measures designed to protect your data from unauthorized access, disclosure, alteration, or destruction. These measures include, but are not limited to:

Encryption of sensitive data during transmission and storage where applicable.
Use of secure servers and firewalls.
Regular security assessments and vulnerability testing.
Access controls limiting data access to authorized personnel only.
Incident response protocols to address and mitigate data breaches promptly.

Despite these efforts, no method of transmission or storage over the internet is completely secure. Therefore, we cannot guarantee absolute security of your information and encourage you to take steps to protect your account credentials.

5. User Rights and Choices:

Depending on your jurisdiction, you may have certain rights regarding your personal information, including:

Access: You can request access to the personal data we hold about you.
Correction: You may request correction of inaccurate or incomplete data.
Deletion: Where applicable, you can request deletion of your personal information, subject to certain legal or operational limitations.
Objection: You may object to our processing of your data for certain purposes, such as direct marketing.
Data Portability: You may have the right to receive your personal data in a structured, commonly used format.
Consent Withdrawal: You can withdraw your consent to processing activities based on consent, without affecting the lawfulness of prior processing.

6. Cookies and Tracking Technologies:

Our platform uses cookies and similar tracking technologies to enhance your user experience, analyse usage, and improve our services.

What Are Cookies? Cookies are small text files stored on your device by your web browser.They help us recognize your device and remember your preferences.
Types of Cookies We Use:

Essential Cookies: Necessary for the basic functioning of the platform.
Performance and Analytics Cookies: Help us understand how users interact with the platform to improve functionality.
Functional Cookies: Remember your preferences and settings to provide a more personalized experience.

Managing Cookies: Most browsers allow you to manage or disable cookies through your browser settings. However, disabling essential cookies may affect your ability to use certain features of the platform.

By continuing to use the platform, you consent to the use of cookies as described.

7. Third-Party Service Providers and Data Sharing:

7.1 The Platform operates as a technology intermediary and does not itself undertake custody, transfer, or exchange of funds or virtual assets. In connection with the services facilitated by the Platform, certain personal information, including but not limited to identity verification data, transaction details, and compliance-related information, may be shared with third-party service providers, including Virtual Asset Service Providers (“VASPs”) located in the United States, India, and other jurisdictions.

7.2 These VASPs are independently responsible for the collection, storage, processing, and protection of personal data in accordance with their own privacy policies, regulatory obligations, and applicable laws. The company expressly disclaims any control over or liability for the privacy practices, data security measures, or regulatory compliance of these third-party entities.

7.3 Users acknowledge and agree that by utilizing the platform and engaging with the VASP partners, they are subject to the privacy policies and terms of use of such third parties. We strongly encourage all users to carefully review these policies before providing personal information or transacting via these entities.

7.4 The company shall not be held liable for any loss, damages, or claims arising from the acts, omissions, or data handling practices of such third-party service providers.

8. Cross-Border Data Transfers and Jurisdictional Compliance

8.1 Given the inherently international nature of the Platform’s services, personal data collected through the Platform may be transferred, stored, processed, and accessed in jurisdictions outside of your country of residence, including but not limited to Europe (under GDPR), UK (under UK GDPR), Singapore (under PDPA), Australia (under APPs), India (under DPDP), and the United States (under CCPA).

8.2 We undertake reasonable and appropriate measures to ensure that all international transfers of personal data comply with applicable data protection laws, including but not limited to the Information Technology Act, 2000 read with Digital Personal Data Protection Act (India), the General Data Protection Regulation (“GDPR”), and the California Consumer Privacy Act (“CCPA”), where applicable.

8.3 Such measures include, but are not limited to, standard contractual clauses, data processing agreements, and ensuring that third-party recipients maintain adequate safeguards for personal data protection. Notwithstanding these measures, users acknowledge that cross-border data transfers inherently involve risks, including potential government access requests and differing standards of data protection.

9. Data Security and Safeguards

9.1 The Company is committed to implementing and maintaining commercially reasonable technical, administrative, and organizational safeguards designed to protect personal information from unauthorized access, disclosure, alteration, loss, or destruction.

9.2 These safeguards include encryption, access controls, secure server environments, regular security audits, and employee training on data privacy and security.

9.3 However, users expressly acknowledge and accept that no method of electronic transmission or data storage can be guaranteed to be absolutely secure. Therefore, while we strive to protect your personal information, we cannot and do not warrant or guarantee the complete security of your data transmitted or stored via the Platform.

9.4 Users bear responsibility for safeguarding their account credentials and immediately notifying the Company of any unauthorized use or security breach.

10. Data Retention and Deletion

10.1 The Company retains personal data collected through the Platform only for as long as necessary to fulfil the purposes for which it was collected, including account administration, service provision, regulatory compliance, and dispute resolution. In jurisdictions where data protection laws apply, including Article 44 of UAE Federal Decree- Law No. 45 of 2021 (PDPL), GDPR, or CCPA, data retention shall align with applicable legal standards.

10.2 Upon the expiration of the applicable retention period or upon user request, where legally permissible, personal data will be securely deleted or anonymized in accordance with best practices and applicable law.

10.3 Users acknowledge that personal data held by VASPs pursuant to their regulatory obligations will be subject to separate retention and deletion policies, over which the Company exercises no control or influence.

11. Data Breach Notification and Response

11.1 In the event of a confirmed or suspected data breach involving personal information collected or maintained by The company, we shall undertake prompt and reasonable measures to investigate, contain, and remediate the incident.

11.2 Where required by applicable law or regulation, The company will notify affected users, data protection authorities, and other relevant stakeholders without undue delay, providing sufficient information about the nature of the breach, potential impacts, and recommended protective actions.

11.3 The company commits to continuous improvement of its data security practices to mitigate risks of future incidents and shall cooperate fully with any investigations or enquiries arising from data security incidents.

12. Storage and Retention of KYC Data:

The company may store KYC-related data, including photographs, identification documents, and biometric captures (such as selfies), only to the extent necessary for complying with applicable laws, regulatory obligations, and contractual requirements with Virtual Asset Service Providers (VASPs).

12.1 Such storage will be carried out in accordance with stringent security protocols to protect your personal data against unauthorized access, loss, or misuse.

12.2 The company commits to retaining KYC data for no longer than the period prescribed by applicable law or as required for audit, compliance, product launches and dispute resolution purposes.

12.3 Upon expiration of the retention period or upon your request (where applicable under law), KYC data will be securely deleted or anonymized unless continued storage is mandated by legal or regulatory authority.

12.4 You expressly consent to this limited storage of KYC data by using the platform, and acknowledge that such data may be shared with and stored by third-party VASPs and regulatory authorities as required.

12.5 The company shall not use your KYC data for any purpose other than compliance, verification, and facilitation of transactions with VASPs, and shall not sell or rent such information to third parties.

13. Changes to This Privacy Policy

13.1 We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or technology. When we make material changes, we will notify you by posting the updated policy on the platform and, where appropriate, providing additional notice.

13.2 Your continued use of the platform after such updates constitutes your acceptance of the revised Privacy Policy. We encourage you to review this policy periodically to stay informed about how we protect your information.

14. Contact Information:

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through our customer support. We will make every effort to address your inquiries promptly and thoroughly.

POLICY STATEMENT

Stable Technologies FZ-LLC ("the Company"), a company registered under the laws of Ras Al Khaimah, United Arab Emirates, with Registration No. 0000004061328, provides a technology platform enabling users to transfer digital assets globally in partnership with licensed Virtual Asset Service Providers (VASPs) and/or Money Transmitter License (MTL) holders in the United States, India, and such other applicable jurisdictions. This policy outlines the Company’s commitment to identifying, preventing, and reporting money laundering, terrorism financing (Countering the Financing of Terrorism - CFT), fraud, and other financial crimes.

This document has been designed in compliance with all applicable KYC, AML and CFT guidelines issued by Intelligence agencies of countries serviced by the company including, but not limited to, the guidelines issued by the Financial Action Task Force (FATF), and those applicable under the laws of jurisdictions in which the Company operates or may operate:

The Financial Action Task Force (FATF) Recommendations.
UAE - Virtual Assets Regulatory Authority (VARA) regulations.
U.S. - Financial Crimes Enforcement Network (FinCEN) guidance.
Financial Intelligence Unit - India (FIU-IND) VASP registration framework.
Global and Industry best practices adopted by regulated Institutions.

I. DEFINITION

For the purposes of this Policy, the following terms shall have the meanings set forth below:

Beneficial Owner: The natural person(s) who ultimately owns or controls a customer and/or the person on whose behalf a transaction is conducted.
CDD (Customer Due Diligence): The process of verifying the identity of a customer and assessing associated risks.
EDD (Enhanced Due Diligence): Additional verification procedures applied to high-risk customers or transactions.
PEP (Politically Exposed Person): An individual entrusted with a prominent public function, including their immediate family and close associates.
VASPs (Virtual Asset Service Providers): Entities that conduct virtual asset-related services including exchange, transfer, custody, or administration.
Unhosted Wallets: Wallets not maintained by a VASP, typically controlled directly by individuals.
STR (Suspicious Transaction Report): A report filed to authorities in the event of suspected ML/TF activity.

II. SCOPE

This policy applies to all users and third-party partners engaged by/with Stable Technologies FZ-LLC and covers:

Customer Onboarding and Identity Verification
Risk Assessment and Customer Categorisation
Ongoing Transaction Monitoring
Reporting of Suspicious Activity
Data Retention and Record-Keeping
Employee Training
Governance and Policy Review

III. CUSTOMER DUE DILIGENCE (CDD)

A. Individuals: The following information is collected and verified during onboarding:

Full Legal Name.
Date of Birth.
Nationality.
Proof of Identity (e.g., government-issued passport or National ID card).
Tax Identification Number (e.g., ITIN, SSN, PAN, TAN etc., as applicable).
Residential Address (verified through utility bill or bank statement).
Live facial biometric scan (selfie with liveness check).
Purpose and nature of the relationship, If transfer to other than self-owned accounts.
Source of funds and expected volume/frequency of transactions.
Email, phone number, and IP address.
Geolocation and device fingerprinting.
Periodic re-verification shall be conducted at least once every 24 months or earlier if suspicion arises.

B. Corporate/VASP Clients:

Registered company name, legal entity identifier (LEI).
Business registration certificate.
Valid license or registration issued by the relevant authority of each jurisdiction (e.g. MAS, FIU, VARA, FinCEN etc.)
Names and ID proof of directors, signatories, and Ultimate Beneficial Owners (UBOs) owning 10% or more.
Corporate structure diagram.
A board resolution authorising the signatory must be obtained.
Business address and principal place of business.
Written AML policy and compliance officer details, if applicable and required.
Sanctions screening and adverse media checks shall be conducted on all directors, UBOs, and authorized signatories.

IV. RISK-BASED CUSTOMER CLASSIFICATION

The company adopts a risk-based approach (RBA) to assess and classify customers as:

Low Risk: Occasional transfers from verified users to relatives or own accounts.
Medium Risk: High-frequency users, small businesses, dual-residency clients with high frequency of transfers.
High Risk: Politically Exposed Persons (PEPs), users from high-risk jurisdictions, crypto-to-crypto clients

Risk level determines the level of CDD/EDD and frequency of account reviews* .

*Monetary thresholds are fixed for each level of RBA and are modified periodically to reflect the changing market dynamics and user profile.

Enhanced Due Diligence (EDD) triggers include:

Transfers exceeding USD 25,000 or such other threshold as per Risk profiles provided by local partner VASPs.
Use of anonymizing tools (e.g., TOR, VPN, Mixers, Privacy blockchains).
Unhosted wallet interactions with potential Sanction flag.
Source of funds flagged as unverifiable or not backed by tax returns.
Connections to sanctioned or high-risk countries.
Associations with terrorism-financing networks, flagged NGOs or entities.

V. PROHIBITED USERS AND JURISDICTIONS

Stable Technologies will not onboard or transact with:

Entities or individuals from FATF blacklisted countries.
Users on UAE, UN, OFAC, EU, Indian or such other sanctions lists as per the country.
Users refusing to provide KYC or exhibiting high-risk behaviour.
Users utilizing privacy coins, mixers, or unverified unhosted wallets.
Entities suspected of direct or indirect ties to terrorism or terrorism-financing entities.
The Company also prohibits access via VPNs, proxy servers, or anonymization tools that mask a user's geolocation, especially if such tools indicate access from embargoed jurisdictions. IP-based geofencing and device fingerprinting will be used to enforce restrictions.

VI. TRANSACTION MONITORING

Real-time screening for suspicious patterns including but not limited to:

Smurfing or structured nature of transactions.
High-velocity transfers inconsistent with the risk and income profile of the user.
Use of a new wallet address for every new transaction.
Transfers to multiple unrelated beneficiaries in high volume.
Unusual geographic routing or activity linked to CFT risks.

The Company utilizes a transaction scoring engine with defined alert thresholds. Transactions that exceed pre-set thresholds or trigger risk flags are subject to human review within 24 hours. Investigations will be completed within 7 working days, and outcomes logged in the internal case management system.

Automated real-time alert systems integrated with compliance dashboard for immediate review and flagging of accounts.
Manual escalation and secondary review by the compliance Team, if required.
Integration with blockchain analytics tools including but not limited to Chainalysis, TRM Labs, Notabene etc.
Transaction volume and behaviour benchmarked to the initial risk profile, constantly updated.

VII. SUSPICIOUS TRANSACTION REPORTING (STR)

Internal escalation of flagged activity within 6-24 working hours.
STRs filed with:

FIU-IND (through Indian VASP partner)
FinCEN (via U.S. MSB partner, if applicable)

Regulatory cooperation in cross-border cases involving dual oversight.
Reports maintained with detailed case notes, risk scoring, and action taken.
Mandatory reporting of any terrorism-financing red flags to competent authorities without delay.

All STRs shall be approved by the Compliance Officer (or designated alternate) before submission. Staff members are strictly prohibited from informing customers about STR filings or related investigations, pursuant to applicable anti-tipping-off laws.

VIII. COUNTER-TERRORISM FINANCING (CFT) CONTROLS

Screening all users and transactions against UN, OFAC, OFSI, EU and any other Sanctions Lists.
Cooperation with national and international counter-terrorism enforcement agencies.
Immediate freeze and report of assets linked to sanctioned entities or designated terrorist organizations.
Enhanced background checks on NGOs, charities, and high-risk cross-border donations.
Regular CFT risk assessment and typology reviews in line with evolving threats.
Designation of a dedicated CFT officer or integration with AML officer responsibilities.
Employees must escalate any suspected links to terrorist organizations, watch listed entities, or suspicious charitable entities to the CFT Officer within 24 hours. Such cases shall be prioritized for STR evaluation and escalated to relevant authorities as required.

IX. DATA RETENTION AND PRIVACY

All KYC and transaction data shall be securely retained for a minimum period of 5 years following account closure or the completion of the transaction, in accordance with Article 44 of the UAE Data Protection Law or other appliable local law of the transacting Jurisdiction. Regulatory authorities may request data access without user consent under lawful disclosure procedures.
Data stored in encrypted format with access logs and access controls.
Compliance with UAE Personal Data Protection Law and applicable cross-border privacy rules (e.g., GDPR if EU users involved).

X. EMPLOYEE TRAINING AND AWARENESS

AML training provided to all employees upon hiring and refreshed annually. All staff must complete an annual AML/CFT certification exam with a minimum passing score of 80%. The Company may conduct random internal testing or red team exercises to assess staff readiness and policy compliance.
Training includes:

Red flags for crypto-based laundering.
EDD triggers and escalation protocol.
Use of blockchain forensic tools.
Alert system for customer support team – ex. Account used by husband in wife’s name etc.

Training logs maintained and monitored by the Compliance Team.

XI. GOVERNANCE AND COMPLIANCE STRUCTURE

Appointment of Compliance Officer (CCO), if applicable and required.
Formation of a Compliance Oversight Committee over the period of the next 6-12 months.
Monthly compliance reviews and reporting to the management team.
Annual Independent audit of a AML program.
A designated Compliance Officer shall be appointed no later than 30 days from the commencement of regulated operations. The Compliance Officer shall report directly to the Board of Directors and maintain autonomy from operational departments.

XII. POLICY REVIEW AND UPDATES

This policy will be reviewed quarterly and updated to align with:

Regulatory changes in UAE, India, USA or any jurisdiction in which company operates.
Revised FATF guidance.
Partner obligations under local AML laws.
Internal audit and external legal review findings.