Privacy Policy
Stabo (Stable Digital Trading Limited)
Effective Date: 1 April 2026
1. Introduction
Stabo is the trading name of Stable Digital Trading Limited and its affiliates (collectively, "Stabo", "we", "our", or "us"). Stable Digital Trading Limited and its group companies operate a stablecoin-powered payment platform that enables customers to deposit stablecoins, access off-ramp services, and use associated financial products including card services.
We are committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our website, platform, and services (collectively, the "Services"). It applies to all users of Stabo's Services globally.
Please read this policy carefully. By accessing or using our Services, you acknowledge that you have read and understood this policy. If you do not agree, please discontinue use of our Services immediately.
2. Data Controller & Contact Information
Stabo acts as the data controller in respect of the personal data it processes. Our designated Privacy Officer can be reached at:
Email: privacy@stabo.io
3. Information We Collect
We collect personal data that is necessary to provide our Services, comply with legal obligations, and improve our platform. The categories of information we collect may include but are not limited to:
3.1 Identity & Verification Data
- Full legal name
- Date of birth
- Government-issued identification (passport, national ID, driver's licence)
- Selfie / liveness verification images for identity confirmation
- Tax identification number or equivalent, where required
3.2 Contact Data
- Email address
- Phone number
- Residential and/or mailing address
- Country and jurisdiction of residence
3.3 Financial & Transaction Data
- Wallet addresses (stablecoin and other digital asset addresses)
- Transaction history, including deposit, withdrawal, and off-ramp records
- Bank account details, card numbers (tokenised), or other payment instrument data
- Stablecoin holdings information relevant to your account activity
- Platform fee records and billing history
3.4 KYC / AML Compliance Data
- Source of funds declarations
- Politically Exposed Person (PEP) and sanctions screening results
- Risk assessment profiles maintained for compliance purposes
- Enhanced due diligence documentation where applicable
3.5 Device & Technical Data
- IP address and approximate geolocation derived therefrom
- Device type, browser type, and operating system
- Cookies and similar tracking identifiers (see Section 11)
- Log data including access times, pages visited, and errors encountered
3.6 Behavioural & Usage Data
- Feature usage patterns and interaction with platform elements
- Customer support communications and chat logs
- Preferences and settings you configure on the platform
3.7 Card Service Data
Where you use our card services, we additionally collect card usage data, merchant category information, transaction timestamps and geolocation, and any fraud-related signals associated with card activity.
4. How We Collect Your Information
4.1 Directly From You
We collect data you provide when you register for an account, complete identity verification, initiate transactions, communicate with our support team, or otherwise interact with our Services.
4.2 Automatically
We automatically collect technical and usage data through our website and platform using cookies, server logs, and analytics tools as you interact with our Services.
4.3 From Third Parties
We may receive information about you from third-party sources including:
- Identity verification and KYC/AML service providers
- Sanctions screening databases and PEP watchlists
- Banking partners and card network providers
- Fraud detection and risk assessment services
- Credit reference agencies where legally permitted
- Public registers and regulatory databases
5. Legal Basis for Processing
We rely on the following legal bases to process your personal data:
- Contract Performance: Processing necessary to provide the Services you have requested, including facilitating off-ramp transactions and operating your account.
- Legal Obligation: Processing required to comply with applicable laws, including anti-money laundering (AML), counter-terrorism financing (CTF), Know Your Customer (KYC) obligations, tax reporting, and financial crime prevention.
- Legitimate Interests: Processing for our legitimate business interests including fraud prevention, platform security, product improvement, and direct marketing to existing customers, where such interests are not overridden by your fundamental rights.
- Consent: Where we rely on your consent (e.g., for certain cookies or marketing communications), you may withdraw consent at any time without affecting the lawfulness of prior processing.
6. How We Use Your Information
We use your personal data for the following purposes:
6.1 Service Provision
- Creating and managing your Stabo account
- Processing stablecoin deposits and facilitating off-ramp transactions
- Operating card services and associated payment functions
- Communicating account-related information and transaction confirmations
6.2 Compliance & Risk Management
- Conducting identity verification and ongoing customer due diligence
- Screening against sanctions lists and PEP databases
- Detecting, preventing, and investigating fraud and financial crime
- Meeting regulatory reporting obligations across applicable jurisdictions
6.3 Platform Improvement
- Analysing usage patterns to improve the platform's functionality and user experience
- Troubleshooting technical issues and errors
- Conducting internal research and analytics
6.4 Communications & Marketing
- Sending service updates, security alerts, and administrative notices
- Providing customer support
- Sending promotional communications where you have opted in or where permitted under applicable law
7. Data Sharing & Disclosure
We do not sell your personal data. We may share your data with the following categories of recipients:
7.1 Custodial Partner
Yingda, our designated custody wallet partner, receives transaction and wallet data necessary to custody your stablecoin deposits and execute off-ramp instructions on your behalf.
7.2 Service Providers
We engage trusted third-party processors to assist with identity verification, card issuance, fraud detection, cloud infrastructure, customer support, and analytics. All processors operate under data processing agreements that require them to protect your data.
7.3 Financial & Regulatory Partners
We share data with banking partners, card networks, payment processors, and correspondent institutions as necessary to execute financial transactions and comply with network rules.
7.4 Legal & Regulatory Authorities
We may disclose personal data to courts, law enforcement agencies, financial intelligence units, tax authorities, and other regulatory bodies where required by law, court order, or to protect our legal rights.
7.5 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of assets, your personal data may be transferred to the acquiring entity, subject to equivalent privacy protections.
8. International Data Transfers
Stabo provides Services to a global audience, and your personal data may be processed in countries outside your country of residence, including countries that may not provide the same level of data protection as your home jurisdiction.
Where we transfer personal data from the EEA or UK to third countries, we implement appropriate safeguards including Standard Contractual Clauses (SCCs) approved by relevant authorities, adequacy decisions, or other lawful transfer mechanisms. You may request details of the specific safeguards applicable to your data by contacting us at privacy@stabo.io.
9. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes described in this policy, comply with legal obligations, and resolve disputes. Key retention periods include:
- Account and transaction data: Retained for a minimum of 5 years following account closure, or longer as required by applicable AML and financial record-keeping laws.
- KYC / identity verification records: Retained for a minimum of 5–7 years following the end of our relationship, in line with applicable anti-money laundering regulations.
- Communication and support records: Retained for up to 3 years.
- Technical and log data: Typically retained for 12 months unless required for longer periods for security or legal reasons.
After the applicable retention period, data is securely deleted or anonymised.
10. Your Rights
Depending on your jurisdiction, you may have the following rights with respect to your personal data. We honour all rights applicable under the laws of your country of residence.
10.1 Access
You have the right to request a copy of the personal data we hold about you.
10.2 Rectification
You may request that we correct inaccurate or incomplete personal data.
10.3 Erasure ("Right to Be Forgotten")
You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, subject to our legal obligations to retain certain records.
10.4 Restriction of Processing
You may request that we restrict processing of your data in certain circumstances, such as where you contest its accuracy.
10.5 Data Portability
Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, machine-readable format.
10.6 Objection
You may object to processing based on legitimate interests, including for direct marketing purposes.
10.7 Withdrawal of Consent
Where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.
10.8 How to Exercise Your Rights
To exercise any of the above rights, please contact us at privacy@stabo.io. We will respond within 30 days (or the period required by applicable law). We may require identity verification before processing your request.
If you are dissatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.
11. Cookies & Tracking Technologies
We use cookies and similar technologies (pixels, local storage) to operate our platform, remember your preferences, and understand how our Services are used.
11.1 Types of Cookies We Use
- Strictly Necessary: Essential for the platform to function. Cannot be disabled.
- Performance & Analytics: Help us understand how users interact with our Services (e.g., Google Analytics).
- Functional: Remember your preferences and settings.
- Targeting / Marketing: Used to deliver relevant communications. Applied only where you have provided consent.
11.2 Cookie Management
You can manage or withdraw consent to non-essential cookies at any time through our Cookie Preference Centre, accessible via the cookie banner on our website, or through your browser settings. Note that disabling certain cookies may affect platform functionality.
12. Security
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- Encryption of data in transit (TLS) and at rest
- Role-based access controls and least-privilege principles
- Regular security assessments and penetration testing
- Incident response procedures with regulatory notification protocols
No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.
13. Children's Privacy
Our Services are not directed to persons under the age of 18 (or the applicable age of majority in your jurisdiction). We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will take steps to delete it.
14. Third-Party Links & Services
Our website and platform may contain links to third-party websites or services. This Privacy Policy does not apply to those third-party sites, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party service you access.
15. Regional & Jurisdiction-Specific Disclosures
15.1 European Economic Area (EEA) & United Kingdom
Users in the EEA and UK benefit from rights under the General Data Protection Regulation (GDPR) and UK GDPR respectively, as described in Section 10. Our lawful bases for processing are set out in Section 5. Where we transfer data internationally, we rely on SCCs or adequacy decisions.
15.2 California (USA)
California residents may have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know, delete, and opt out of the sale of personal information. We do not sell personal information. To submit a request, contact privacy@stabo.io.
15.3 Singapore
We comply with the Personal Data Protection Act 2012 (PDPA) of Singapore in respect of users resident in Singapore. You may direct access and correction requests to our Privacy Officer.
15.4 Malaysia
For users in Malaysia, we comply with the Personal Data Protection Act 2010 (PDPA). You have rights to access and correct your personal data under this Act.
15.5 Other Jurisdictions
We are committed to complying with applicable data protection laws in all jurisdictions in which we operate. Where local laws impose additional requirements, we will honour those requirements. Contact privacy@stabo.io if you have jurisdiction-specific questions.
16. Automated Decision-Making & Profiling
We may use automated systems in connection with fraud detection, risk scoring, and AML screening. Where such automated processing produces decisions that significantly affect you, you have the right to request human review of the decision and to contest the outcome. Contact privacy@stabo.io to exercise this right.
17. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will notify you by:
- Posting the updated policy on our website with a revised effective date
- Sending an email notification to your registered email address
- Displaying a prominent notice on the platform
We encourage you to review this policy periodically. Your continued use of the Services following the posting of changes constitutes your acknowledgment of the updated policy.
18. Contact Us
If you have questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us:
Privacy Officer, Stabo
Email: privacy@stabo.io
For complaints that we have not resolved to your satisfaction, you may lodge a complaint with the relevant supervisory authority in your country of residence.
© 2026 Stabo. All rights reserved.