Privacy Policy

Notice. This policy is an informational summary drafted for the public website. It is not legal advice and does not create a lawyer–client relationship. Specific processing arrangements with Clearing Members, Observers, and enterprise customers are governed by the Data Processing Addendum and the underlying commercial contract, which prevail in the event of conflict.

\u00a7 1. Controller

Unless indicated otherwise, the controller of personal data collected through the Platform is Wavestar Holdings LLC, a Wyoming limited liability company with its registered office in Cheyenne, Wyoming, United States. For Clearing Members and other business counterparties, Wavestar typically acts as a processor in respect of Member data; the applicable role is set out in the Data Processing Addendum.

\u00a7 2. Categories of Personal Data

We collect and process the following categories of personal data, depending on how you interact with the Platform.

• Account data. Name, business email, role, employer, country of operation, did:orbit identifier, public signing keys, and authentication factors.
• Transaction data. Trade tickets, cleared volumes, attestation submissions, reference prices, and associated metadata required for settlement, surveillance, and regulatory reporting.
• Observability data. Server logs, request identifiers, user-agent strings, IP addresses, error stack traces, and performance telemetry collected to detect abuse, maintain service quality, and investigate incidents.
• Communications. Support enquiries, compliance correspondence, and other communications you initiate with us.
• Website analytics. Pseudonymised engagement data — page views, scroll depth, navigation paths — collected subject to your consent where required (see the Cookies Policy).

\u00a7 3. Lawful Bases

Where GDPR or UK GDPR applies, we rely on the following lawful bases:

• Contract (Art. 6(1)(b)) — to perform the clearing, settlement, and attestation services requested by Members and to take pre-contract steps.
• Legal obligation (Art. 6(1)(c)) — to comply with anti-money-laundering, sanctions, tax, market integrity, and regulator-reporting obligations.
• Legitimate interests (Art. 6(1)(f)) — to operate and secure the Platform, prevent fraud and abuse, defend legal claims, and conduct aggregated analytics. We have balanced these interests against your rights.
• Consent (Art. 6(1)(a)) — for non-essential cookies, marketing communications, and other optional processing. You may withdraw consent at any time.

\u00a7 4. Sources

We collect data directly from you, from your employer in the course of Clearing Member admission, from publicly available registries (ITU SNS, FCC IBFS, sanctions lists), and from our sub-processors, who are listed at /legal/subprocessors.

\u00a7 5. Purposes

We process personal data to provide and maintain the Platform, to admit Members and Observers, to clear and settle cleared transactions, to operate surveillance and risk management, to meet regulatory, audit, and record-keeping obligations, to secure the Platform against abuse, to communicate with you, and to improve the Platform with anonymised insights.

\u00a7 6. Retention

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. Indicative retention periods are set out below; actual periods may be longer where required by law.

\u00a7 7. Sharing

We share personal data with sub-processors listed at /legal/subprocessors, with regulators and law-enforcement where required, with professional advisors under duties of confidentiality, and with counterparties to a cleared transaction to the extent necessary for clearing, reconciliation, and delivery-versus-payment. We do not sell personal data and do not share it for cross-context behavioural advertising.

\u00a7 8. International Transfers

Personal data may be transferred to, and processed in, countries outside your country of residence, including the United States, the United Kingdom, the European Economic Area, and in the future Singapore. Where required, we rely on adequacy decisions, Standard Contractual Clauses approved by the European Commission and their UK addendum, and supplementary measures including encryption in transit and at rest.

\u00a7 9. Your Rights

Depending on your jurisdiction, you may have rights of access, rectification, erasure, restriction, portability, and objection, and rights to withdraw consent and to lodge a complaint with a supervisory authority. California residents have additional rights under the CCPA/CPRA, including the right to know the categories of personal information collected, the right to request deletion, and the right to opt out of sharing. To exercise any right, email privacy@wavestar.space. We will respond within the period required by law, ordinarily within 30 days.

\u00a7 10. Automated Decision-Making

Certain Platform functions — default detection, market-abuse surveillance, transaction-risk scoring — rely on automated processes. These processes do not produce legal or similarly significant effects on natural persons without human review. A summary of the logic is available on request to privacy@wavestar.space.

\u00a7 11. Security

We apply technical and organisational measures commensurate with the sensitivity of the data and the risk to data subjects, including encryption in transit (TLS 1.3) and at rest, strict tenant isolation in our databases, multi-factor authentication for administrative access, hardware-backed key custody for operator signing keys, and continuous monitoring. No system is perfectly secure; see our Responsible Disclosure policy for reporting suspected vulnerabilities.

\u00a7 12. Children

The Platform is not directed to, and we do not knowingly collect personal data from, individuals under 18 years of age.

\u00a7 13. Contact and DPO

The Wavestar Data Protection Officer may be contacted at privacy@wavestar.space or by post at Wavestar Holdings LLC, Attn: Data Protection Officer, Cheyenne, Wyoming, United States. EU and UK data subjects may additionally contact our Article 27 representative, whose details will be added on the effective date of our first regulated EU activity.