Privacy Policy for Black Forest Digital Assets
Last Updated: February 4, 2026
Black Forest Digital Assets ("we," "us," or "our"), a registered Virtual Asset Service Provider ("VASP") with the National Bank of Georgia ("NBG"), is committed to protecting your personal data in compliance with the Law of Georgia on Personal Data Protection (effective March 1, 2024, as amended), relevant NBG regulations, anti-money laundering/counter-financing of terrorism (AML/CFT) requirements, the Travel Rule, and international standards (including FATF recommendations).
This Privacy Policy explains how we collect, use, disclose, store, and protect your personal data when you access our website [website URL] (the "Website"), use our Services, or interact with us. By using the Website or Services, you consent to the practices described in this Policy.
- Definitions
• Personal Data: Any information relating to an identified or identifiable natural person (data subject), as defined in the Law of Georgia on Personal Data Protection.
• Special Categories of Data: Data revealing racial/ethnic origin, political views, religious beliefs, health, sexual life, biometric/genetic data, criminal records, etc.
• Processing: Any operation performed on personal data, such as collection, recording, storage, use, disclosure, etc.
• Controller: We act as the controller of your personal data in most cases.
• Processor: Third parties we engage to process data on our behalf.
- Data We Collect
We collect the following categories of personal data as required for KYC/AML/CFT compliance, Service provision, and legal obligations:
• Identification Data: Full name, date/place of birth, nationality, government-issued ID/passport details, tax ID.
• Contact Data: Email address, phone number, residential address, proof of address documents.
• Financial/Transaction Data: Wallet addresses, transaction history, source of funds/wealth information, payment details.
• Account Data: Username, password hashes, login activity, IP address, device information.
• KYC/AML Data: Verification documents (e.g., selfies, scans), PEP/sanctions screening results, risk assessment data.
• Travel Rule Data: Originator and beneficiary information (name, account/wallet address, address, ID number) for virtual asset transfers above thresholds (e.g., GEL equivalent of USD 1,000).
• Other: Usage data, cookies/analytics data (see Section 9), customer support communications.
We do not intentionally collect special categories of data unless required by law or with explicit consent.
- How We Collect Data
• Directly from you during account registration, KYC verification, transactions, or support interactions.
• Automatically via cookies, logs, analytics tools.
• From third parties (e.g., identity verification providers, blockchain analytics for risk screening, public sanctions lists).
• As part of AML/CFT monitoring and Travel Rule obligations.
- Legal Basis for Processing
We process personal data based on:
• Legal Obligation — Compliance with AML/CFT laws, NBG regulations, Travel Rule, tax reporting.
• Contract Performance — Providing Services, account management, transaction execution.
• Legitimate Interests — Fraud prevention, security, service improvement (balanced against your rights).
• Consent — For marketing communications or non-essential processing (withdrawable at any time).
• Public Interest — AML/CFT risk mitigation.
- Purposes of Processing
• Verify identity and perform KYC/AML/CFT checks.
• Provide, maintain, and improve Services.
• Execute transactions and comply with Travel Rule (sharing originator/beneficiary data with counterparty VASPs or authorities).
• Detect/prevent fraud, money laundering, terrorist financing, sanctions violations.
• Respond to legal requests, NBG supervision, or court orders.
• Communicate with you (support, updates, required notices).
• Analyze usage for security and service enhancement.
- Sharing and Disclosure of Personal Data
We may disclose personal data to:
• Counterparty VASPs/financial institutions for Travel Rule compliance (originator/beneficiary information).
• Regulatory authorities (NBG, Financial Monitoring Service of Georgia, law enforcement) for AML/CFT or supervisory purposes.
• Service providers (e.g., KYC/verification tools, cloud storage, analytics) acting as processors under strict agreements.
• Legal advisors, auditors, or in mergers/acquisitions.
• With your consent or as required by law.
We do not sell personal data. Disclosures comply with Georgian data protection law and are limited to what is necessary.
- International Transfers
Personal data may be transferred outside Georgia (e.g., to cloud providers or international counterparties for Travel Rule). Transfers occur only:
• To jurisdictions with adequate protection (per Georgian law or NBG rules).
• Under appropriate safeguards (e.g., standard contractual clauses, binding rules).
• When necessary for contract performance or legal obligations.
- Data Security
We implement technical and organizational measures (encryption, access controls, regular audits) to protect personal data against unauthorized access, loss, or breach, in line with NBG cybersecurity requirements and Georgian law.
In case of a personal data breach posing risks to rights/freedoms, we notify the Personal Data Protection Service and affected individuals as required.
- Cookies and Analytics
We use cookies and similar technologies for essential functions, analytics, and security. You can manage preferences via our cookie banner. For details, see our Cookie Policy (linked on the Website).
- Your Rights as a Data Subject
Under the Law of Georgia on Personal Data Protection, you have the right to:
• Access your personal data and obtain a copy.
• Rectify inaccurate/incomplete data.
• Erase data (subject to legal retention obligations).
• Restrict processing.
• Object to processing (e.g., for marketing).
• Data portability (where technically feasible).
• Withdraw consent (does not affect prior processing).
• Lodge a complaint with the Personal Data Protection Service (pdps.ge).
Requests are handled within statutory deadlines (typically 10 working days). Contact us to exercise rights.
- Data Retention
We retain personal data only as long as necessary:
• For AML/CFT/transaction records: at least 5 years after relationship ends (or longer per law).
• Account data: during active use + post-termination as required.
• Other data: deleted when purpose ceases, subject to backups.
- Children's Privacy
Our Services are not directed to individuals under 18. We do not knowingly process data of minors without parental/guardian consent or legal basis.
- Changes to This Policy
We may update this Policy to reflect legal, regulatory, or operational changes. Material changes will be notified via the Website, email, or account notice. Continued use constitutes acceptance.
- Contact Information
For privacy questions, rights requests, or complaints:
• Email: compliance@bfda.io
• A Data Protection Officer will be assigned to your case if deemed necessary.
Our NBG registration and compliance details are available upon request.
This Policy aligns with our obligations as a registered VASP under NBG supervision and Georgian data protection law.
Thank you for trusting us with your data.
