Privacy Policy
M-STROKE Ltd. (“the Company”, “we”, “us”, or “our”) is committed to protecting and respecting your privacy. This Privacy Policy (“Privacy Policy”) explains how we collect, use, disclose, and safeguard your personal data when you visit our website (M-STROKE.com) (the “Website”), interact with our platform (the “Platform”), or purchase, acquire, use, or manage the MSTK utility token (the “Token”).
This Privacy Policy is drafted in accordance with the British Virgin Islands Data Protection Act, 2021 (“BVI DPA”), and other applicable regional data protection frameworks.
1. Identification of the Data Controller & Representatives
1.1 Data Controller
The primary data controller for processing operations under this policy is:
- Corporate Name: M-STROKE Ltd.
- Company Registration: Incorporated under the BVI Business Companies Act, 2004.
- Registered Office Address: ASIA Leading Chambers, Tortola VG1110, BVI
- Data Protection Contact Email: privacy@m-stroke.com
2. Categories of Personal Data We Process
We categorize the personal data we collect into three distinct classifications based on its source:
2.1 Data Provided Directly by You
- Identification Data: Your full legal name, date of birth, nationality, country of residence, and government-issued photographic identification, alongside images captured for identity verification.
- Biometric Data: Facial geometry captured during "liveness" verification checks.
- Contact Data: Your email address, telephone number, physical postal address, and social media handles.
- Financial Declarations: Source-of-funds and source-of-wealth declarations, along with any necessary supporting documentation.
- On-Chain Interactions: Wallet addresses connected to our interfaces and transaction hashes stemming from your interaction with the Company's smart contracts.
- Eligibility Affirmations: Representations and warranties confirming your jurisdictional eligibility, age of majority, accredited/qualified investor status, and absence of sanctions designations.
- Communications: The content of any interactions you have with us via email, support tickets, or official community channels.
2.2 Data Collected Automatically
- Technical Identifiers: Internet Protocol (IP) addresses and the approximate geolocation derived from them.
- Device Information: Operating system, device type, browser specifications, language settings, time zones, and technical diagnostic logs.
- Usage Data: Metrics highlighting pages and screens viewed, navigation paths, user clicks, and session durations.
- Tracking Technologies: Cookies and similar storage objects (such as local/session storage, pixels, and web beacons) as detailed in our Cookie Policy.
- Public On-Chain Data: Data emanating from wallet addresses that you voluntarily connect to our interfaces.
2.3 Data Received from Third Parties
- Compliance Outcomes: Verification status, risk scorings, and adverse-media findings delivered by our third-party identity-verification, Anti-Money Laundering (AML), Counter-Terrorism Financing (CTF), and politically-exposed-person (PEP) screening providers.
- Blockchain Analytics: Wallet risk scoring and exposure analyses provided by external blockchain intelligence firms.
- Public Databases: Records obtained from corporate registries, consolidated global sanctions lists, and public databases.
- Partner Data: Information supplied by payment service providers, custodians, and exchanges participating in the Token distribution ecosystem.
3. Categories of Data Recipients
We do not sell your personal data. We share your information only with selected recipients to fulfill the purposes listed above:
- Corporate Group Entities: Associated group companies, subsidiaries, and our affiliated foundations.
- Compliance Vendors: Specialized identity verification companies, AML screening services, and PEP providers.
- Infrastructure Partners: Cloud hosting platforms, content delivery networks (CDNs), and core technical infrastructure providers.
- Blockchain Analysts: Specialized firms performing risk assessments and forensic tracking on cryptocurrency addresses.
- Operational Providers: Email delivery networks, customer management databases, and analytics services.
- Auditors and Consultants: Cyber-security personnel, technical smart-contract auditing firms, and professional legal/financial advisers.
- Market Intermediaries: Licensed digital asset custodians, centralized/decentralized cryptoasset exchanges, and designated market-makers.
- Regulators and Law Enforcement: Competent governmental, tax, or judicial authorities when legally requested to do so.
- Corporate Successors: Merged entities, asset purchasers, or successors-in-interest in the event of a structural reorganization.
4. International Data Transfers
M-STROKE Ltd. operates as a British Virgin Islands business company. Because the BVI has not received an adequacy decision under Article 45 of the GDPR, any transfer of personal data from the EEA or the UK to the Company relies on specific protection mechanisms:
- Standard Safeguards: We actively implement the European Commission's Standard Contractual Clauses (SCCs) (Decision (EU) 2021/914), alongside the UK International Data Transfer Agreement (IDTA) or UK Addendum, across our processing frameworks.
- Other Jurisdictions: Cross-border data transfers originating from the DIFC, ADGM, or various African nations are executed in strict alignment with their respective regional cross-border data transfer statutes.
You maintain a right to request a redacted copy of the active safeguards utilized for your regional profile by messaging our data compliance team.
5. Data Retention Protocols
We store your data only for as long as necessary to comply with structural regulatory mandates or clear legal limitations.
5.1 Data Retention Schedule
- Verification and AML Records: Retained for not less than five (5) years from the date of account closure, extendable up to seven (7) to ten (10) years based on the BVI Anti-Money Laundering Regulations and matching local guidance.
- Sanctions and PEP Screenings: Retained for not less than five (5) years.
- Marketing Consents: Maintained for the duration of your active consent plus the length of any applicable local statutory limitation period following withdrawal.
- Server and Security Incident Logs: Stored for twelve (12) to twenty-four (24) months.
- Customer Support Interactions: Held for up to three (3) years from your last logged technical interaction.
- Cookies: Validity parameters are determined uniquely per element within our dedicated Cookie Policy.
5.2 Immutable Ledger Warning
CRITICAL COMPLIANCE NOTE: By interacting with our Platform, you explicitly acknowledge that public blockchain records are immutable ledger frameworks. The Company does not possess the operational or technical capacity to modify, alter, delete, or unilaterally rectify personal data recorded directly onto a public blockchain ledger.
6. Automated Decision-Making & Profiling
Our automated compliance stack incorporates automated decision-making engines to determine user onboarding eligibility:
- Underlying Logic: Our systems cross-reference identity documents and connected wallet addresses against third-party AML databases, PEP lists, global sanctions tables, and localized geographic IP trackers to produce real-time risk scores.
- System Consequences: High-risk indicators, location matches within Restricted Jurisdictions, or failed liveness scans will result in an automated rejection of your onboarding application, preventing the purchase or claim of Tokens.
- Your Rights: Pursuant to Article 22 GDPR, you have the right to challenge any automated decision, express your personal point of view, and request that a qualified compliance officer perform a manual human review of your file.
7. Data Subject Rights
Subject to regional exemptions (including AML data preservation laws), you possess the following statutory rights regarding your data:
- Right of Access: Request copies of all personal files held regarding your identity.
- Right to Rectification: Mandate the update or correction of inaccurate personal parameters.
- Right to Erasure (“Right to be Forgotten”): Request complete deletion of records, subject to overriding AML legal retention requirements.
- Right to Restriction: Suspend the active processing of your data under specific technical scenarios.
- Right to Data Portability: Export your structured electronic files to an outside technical service provider.
- Right to Object: Halt data processing based exclusively on our legitimate interest parameters.
- Right to Withdraw Consent: Terminate promotional marketing permissions at any point without impacting prior actions.
- Right to Lodge a Complaint: File formal grievances with your regional data protection authority.
7.1 Exercise Procedure
To exercise any of these rights, contact our compliance office via email at privacy@m-stroke.com. We will fulfill valid requests, or within thirty (30) days under the BVI DPA.
8. Data Security Infrastructure
We have implemented technical and organizational security measures in accordance with Article 32 of the GDPR to protect your personal data from theft, loss, alteration, or unauthorized access:
- Encryption Protocols: Complete cryptographic encryption of data both in transit (via TLS) and at rest (using advanced AES structures).
- Access Controls: Strict role-based internal access permissions reinforced by mandatory multi-factor authentication (MFA) across all operations.
- Audit Logging: Continuous tracking of access logs to detect and identify anomalies across databases.
- Defensive Auditing: Regular vulnerability scanning and third-party penetration testing integrated into our secure development lifecycles.
- Vendor Assessment: Due diligence validation executed on all incoming technical service providers.
- Breach Notification: In the event of a data breach that poses a risk to your rights, we will notify relevant supervisory authorities within seventy-two (72) hours of discovery.
9. Children's Privacy
Our Platform and Tokens are strictly designed for, and targeted at, individuals who are at least eighteen (18) years of age. We do not knowingly gather or process data from individuals under 18 years old. If we discover that a minor has submitted personal profiles to our database, we will delete that data immediately.
10. Amendments to this Privacy Policy
We reserve the right to amend this Privacy Policy at our discretion. Material updates will be communicated transparently on our Website or sent directly to your registered email address. Your continued interaction with the Website or holding of the Token following the effective date of an update constitutes acknowledgment of the revised policy.