1. Scope and Your Consent

This Policy applies exclusively to Personal Information collected by GoldTrust in connection with your participation in the MVP. By accessing or using the MVP, you signify that you have read, understood, and agree to the collection, use, and disclosure of your Personal Information as described in this Policy. If you do not agree with this Policy, please do not use the MVP.

2. Personal Information We Collect

We collect Personal Information necessary for the operation of the MVP, primarily information you provide directly, along with limited automatically collected data.

2.1. Personal Information You Provide Directly:

• Account Registration Data: Your full legal name, primary contact email address (which we will verify), a secure mobile phone number (may be used for verification or support), your country of residence, and if you are registering on behalf of a business entity, the official business name, type, and your designated role within that entity.
• Identity Verification Data (Know Your Customer - KYC / Know Your Business - KYB): In line with our "Initial KYC/AML/CFT Procedures (Manual MVP - FINAL v1.4)," we collect information and documentation necessary to perform due diligence and verify your identity and/or the identity of your business and its Ultimate Beneficial Owners (UBOs). This may include, but is not limited to: copies of valid government-issued identification documents (e.g., passport, national ID), proof of current residential or business address (e.g., recent utility bills, bank statements, lease agreements), business registration documents (e.g., certificate of incorporation, articles of association), details identifying UBOs, relevant operational licenses, declarations regarding the source of funds or the source/provenance of gold, and potentially a photographic selfie for liveness verification.
• Listing and Transaction-Related Information: If you act as a Seller, details concerning the gold you list (e.g., form, stated purity, weight, current location, asking price, uploaded images, source declarations, indicated vaulting status for GTT conceptualization, declarations of any upfront operational costs for which pre-funding may be sought). If you act as a Buyer, details related to your expressions of interest, offers made, specific purchasing requirements, and **any agreement to pre-fund specific seller costs**. Communications exchanged with GoldTrust Administrators or (with facilitation) other users regarding potential or active deals, including terms related to cost handling.
• Asset Verification Related Data: Communications between Users and GoldTrust Administrators pertaining to the arrangement, execution, or outcome of third-party asset inspections (for non-vaulted gold); potentially copies of third-party inspection reports or assay results if shared with GoldTrust as part of the transaction validation or dispute resolution process; documentation related to vault deposits and associated vault-level verification confirmations (e.g., vault receipts, assay results performed at vault) necessary for confirming GTT eligibility. Documentation related to the verification and disbursement of pre-funded seller costs (e.g., tax invoices, smelter quotes).
• Feedback & Correspondence: Any feedback, inquiries, support requests, or other communications you voluntarily send to us.

2.2 Limited Information Collected Automatically During MVP Use:

• Server Log Data: When you access the MVP, our hosting servers (or those of our underlying no-code platform provider) may automatically record standard technical information. This typically includes your Internet Protocol (IP) address, the type and version of the web browser you are using, your operating system, the referring URL (if applicable), the specific pages you visited on the Platform, the dates and times of your access, and the duration of your visit on each page. This data is collected primarily for maintaining the security and operational integrity of the MVP, for troubleshooting technical issues, and for basic, aggregated analytics to understand MVP usage patterns.
• Cookies and Similar Technologies (Strictly Necessary Only): We will only use cookies that are essential for the basic functioning of the MVP platform during this phase. This may include session cookies required to maintain your logged-in state or cookies necessary for form submissions or security functions. We will not deploy non-essential cookies (e.g., for persistent analytics tracking across sessions, third-party advertising, or detailed user profiling) during the MVP phase without first obtaining your explicit, granular, and informed consent via a compliant mechanism.

3. How We Use Your Personal Information

Your Personal Information is processed by GoldTrust strictly for the following purposes directly related to the operation, testing, and improvement of the MVP:

• 3.1. To Provide, Operate, Maintain, and Secure the MVP: To enable core functionalities such as account creation, secure login, profile management, listing creation/viewing, and facilitating your overall use of the services offered within the defined scope of the MVP.
• 3.2. For Identity Verification (KYC/KYB) and AML/CFT Due Diligence: To conduct the necessary checks to verify your identity and/or your business's identity and legitimacy, as mandated by our internal procedures and foundational compliance principles, aimed at preventing fraud and fostering a trusted environment among MVP participants. As stated, this is primarily a manual process during the MVP.
• 3.3. To Facilitate Connections and Simulated Transactions: To allow verified Sellers to list gold, verified Buyers to discover these listings and express interest, and for GoldTrust administrators to manually facilitate communication and oversee the escrow simulation process (including coordination of asset verification steps and management of pre-funded upfront seller costs) for potential pilot deals agreed upon between users.
• 3.4. For Essential Communication and User Support: To send you crucial service-related communications regarding your account status, KYC verification updates, progress on potential transactions you are involved in (including verification stages and handling of upfront costs), important updates or changes to the MVP platform or its terms, and to respond effectively and efficiently to your support requests, inquiries, or feedback.
• 3.4. For Essential Communication and User Support: To send you crucial service-related communications regarding your account status, KYC verification updates, progress on potential transactions you are involved in (including verification stages and handling of upfront costs), important updates or changes to the MVP platform or its terms, and to respond effectively and efficiently to your support requests, inquiries, or feedback.
• 3.5. For MVP Analysis, Improvement, and Feedback Collection: To analyze aggregated and anonymized usage patterns to understand how users are interacting with the MVP, identify usability issues or friction points, gather specific feedback for improvements, and iteratively refine the Platform's design, features, workflow, and overall user experience based on real-world testing.
• 3.6. For Security, Integrity, and Foundational Legal Compliance: To protect the security and operational integrity of the MVP platform and its data, detect and prevent potentially fraudulent, unauthorized, or illegal activities, enforce our Terms of Service, and adhere to fundamental legal record-keeping and compliance principles, even within the context of an experimental MVP.
• 3.7. To Coordinate and Oversee Asset Verification Processes and Upfront Cost Disbursements: To use relevant Personal Information (such as contact details, listing information, vaulting documents, tax invoices, smelter quotes) and collected Asset Verification Related Data to manage the asset verification steps integrated within the transaction workflow, to manage the secure disbursement of any Buyer pre-funded Seller operational costs, to confirm verification outcomes, to facilitate related escrow actions based on those outcomes, and potentially to manage any disputes arising directly from these processes according to platform policies.

4. Disclosure and Sharing of Your Personal Information

We maintain strict controls over the sharing of your Personal Information. It will only be shared in the following limited, defined circumstances during the MVP phase. We will never sell your Personal Information.

• 4.1. Between Directly Transacting Users: If a Buyer (who has passed KYC) expresses a serious, verified interest in a specific Seller's listing (who has also passed KYC), and both parties explicitly consent to proceed with direct communication after initial screening and facilitation by GoldTrust administrators, we may share the minimum necessary contact information (e.g., verified email addresses) or enable a simple, admin-monitored communication channel (if technically feasible within the MVP tool) to allow them to negotiate final terms and arrange logistics.
• 4.2. With Authorized GoldTrust Personnel: Access to your Personal Information within GoldTrust is strictly limited to designated administrators and core team members who require such access to perform their specific duties related to operating the MVP. These duties include conducting KYC/KYB reviews, overseeing simulated escrow processes (including asset verification steps and disbursement of pre-funded costs), providing user support, maintaining platform security, and analyzing MVP performance. All personnel with access are bound by strict confidentiality obligations.
• 4.3. For Legal & Regulatory Obligations: We may be required to disclose your Personal Information if we believe in good faith that such disclosure is necessary to:
• a. Comply with an applicable law, regulation, binding court order, subpoena, or other valid legal process issued by a governmental or regulatory authority with competent jurisdiction.
• b. Protect and defend the legal rights, property, or safety of GoldTrust, our users, or the public, as required or permitted by law (e.g., reporting suspected fraud or illegal activity).
• c. Detect, prevent, or otherwise address fraud, security breaches, or critical technical issues.
• 4.4. With Your Explicit and Informed Consent: We may share your Personal Information with other third parties for specific purposes not outlined in this Policy, but only if we have clearly explained the purpose and obtained your explicit, informed consent prior to sharing.
• 4.5. With Third-Party Inspection Agencies / Vault Partners / Service Providers: If Users mutually agree within their deal terms to utilize a third-party inspection service for non-vaulted gold, or if pre-funded costs involve direct payment to entities like tax authorities or smelters, necessary logistical and identifying information (which may include seller contact details, gold location, listing ID, tax ID, smelter details) may be shared securely by GoldTrust Administrators with the agreed-upon third party, strictly for the purpose of arranging/conducting the verification or facilitating the payment. Similarly, limited verification details may be exchanged with vault partners for GTT eligibility. Sharing will always be minimized and subject to confidentiality where feasible.
• 4.6. Third-Party Service Providers: For the current MVP, our direct reliance on external third-party data processors will be minimized. In future, scaled versions, we anticipate engaging specialized providers for automated KYC/AML, payment processing, cloud hosting, etc. They will be vetted and bound by DPAs.

5. Data Security

GoldTrust is committed to implementing reasonable and appropriate administrative, technical, and physical security measures designed to protect the Personal Information we hold from unauthorized access, use, disclosure, alteration, loss, or destruction. For the MVP, these measures include:

• 5.1. Utilizing secure, encrypted channels for submission/transfer of sensitive KYC/KYB and Asset Verification/Cost data.
• 5.2. Storing sensitive Personal Information in encrypted digital formats (at-rest and in-transit) within secure, access-controlled environments.
• 5.3. Implementing strong authentication for administrative accounts.
• 5.4. Restricting internal access based on "least privilege" and "need-to-know."
• 5.5. Basic security awareness guidance for personnel.
• You acknowledge no internet transmission or electronic storage is 100% secure. While we strive to protect your Personal Information during the MVP, we cannot guarantee absolute security. You are also responsible for safeguarding your account credentials.

6. Data Retention Period

We retain Personal Information only as long as necessary for MVP purposes (operation, user relationships, feedback, transaction records including verification/cost handling), and to comply with foundational legal/audit obligations (e.g., KYC/AML records). Upon MVP conclusion or account closure, data will be securely deleted/anonymized per policy, unless longer retention is legally mandated.

7. Your Data Protection Rights

Depending on your jurisdiction (e.g., GDPR, CCPA), you may have rights regarding your Personal Information (Access, Rectification, Erasure, Restriction, Objection, Portability). For the MVP, we will make good faith efforts to respect these, acknowledging our manual systems. Submit requests in writing to the contact below. We may need to verify your identity. We will respond timely and per applicable law.

8. International Data Transfers

Personal Information collected may be stored/processed in [Specify primary country/region of data storage for MVP, e.g., "EEA," "secure US cloud services," or "UAE"]. If transferred from your jurisdiction, we ensure adequate protection via robust security by us and our MVP infrastructure providers.

9. Children's Privacy Protection

The Platform is not for individuals under 18. We do not knowingly collect children's Personal Information. If we become aware of such, we delete it promptly.

10. Modifications and Updates to This Privacy Policy

We reserve the right to modify this Policy. Material changes will be notified (posting on Platform, email). Continued MVP use after changes constitutes acceptance. Review periodically.

11. Contact Us

Email: [Your Official Email Address for Privacy Matters, e.g., privacy@goldtrust.io or mvp-support@goldtrust.io]
Subject Line: Please include "MVP Privacy Inquiry" [Optional: Company Name/Initiative Name & Mailing Address for formal correspondence]