Data privacy andprotection policy.

1. Overview & Data Controller

This Privacy Policy applies to all systemic actors (Originators, Corporate Entities, Auditors) utilising the Crevy platform infrastructure, accessible at crevy.app.

For the purposes of the General Data Protection Regulation (GDPR) and the Ghana Data Protection Act 2012 (Act 843), the data controller is:

2. Telemetry & Data Collected

We systematically collect and process the following categories of data to operate the registry:

• Identity Metadata (KYC/KYB): Full legal names, corporate registration documents, government-issued IDs, and biometric liveness checks (processed via authorised third-party identity vendors).
• Financial Vectors: Mobile Money (MoMo) routing numbers, SWIFT/IBAN bank details, and Polygon/EVM wallet addresses for settlement.
• Spatial & Environmental Telemetry: Precise GIS polygons, GPS coordinates of sensor deployments, and continuous IoT data streams (e.g., Soil Carbon, Biomass readings) tied to your identity.
• System Access Logs: IP addresses, cryptographic signatures, browser types, and timestamped audit trails of platform actions.

3. Operational Usage

The collected telemetry is utilised strictly for the following operational imperatives:

• To establish cryptographic proof of environmental assets (carbon credits).
• To execute identity verification to prevent double-counting and financial fraud in compliance with AML/CFT regulations.
• To route corporate liquidity to local project originators seamlessly.
• To generate ESRS and IFRS S2 compliant ESG reports for corporate buyers.

4. Legal Basis for Processing

We ground our data processing in the following legal bases:

• Contractual Necessity: To fulfil our Terms of Service (e.g., issuing credits, executing payouts).
• Legal Obligation: To comply with Ghanaian and international financial regulations (KYC/AML).
• Legitimate Interest: To maintain platform security, prevent fraud, and optimise the dMRV algorithm.
• Explicit Consent: For non-essential marketing communications and analytical cookies.

5. Third-Party Sharing

We do not sell entity data. Telemetry is shared exclusively with authorised infrastructure partners:

6. Ledger Immutability

7. Cookies & Tracking

We utilise cryptographic session tokens and minimal cookies to maintain state and secure access. We categorise these as:

• Strictly Necessary: Authentication tokens and CSRF protection. Cannot be disabled.
• Analytical (Optional): Aggregated telemetry to monitor platform latency and user flow.

8. Entity Rights

Under the GDPR and GH-DPA, you possess the right to:

• Request a cryptographic export of all your personal data (Right to Portability).
• Request correction of inaccurate identity profiles.
• Request deletion of your data (Right to be Forgotten) — Note: This does not apply to data already anchored to the public blockchain or data we must retain for AML compliance.

9. Data Retention

We retain identity and financial transaction data for a minimum of seven (7) years following account termination to comply with international auditing and anti-money laundering statutes. Environmental telemetry used to generate active carbon credits is stored indefinitely to ensure the lifetime integrity of the issued asset.

10. Cryptographic Security

Our infrastructure employs AES-256 encryption at rest and TLS 1.3 in transit. Access to sensitive corporate and personal data is governed by strict Role-Based Access Control (RBAC), requiring Multi-Factor Authentication (MFA) for all administrative operations.

11. Protocol Modifications

We may update this policy periodically to reflect changes in legal frameworks or system architecture. Material changes will be communicated via the platform dashboard or email prior to enforcement. Continued use of the platform post-enforcement constitutes acceptance of the modified protocol.

12. Governance Contact

For inquiries regarding this protocol, data subject access requests, or to contact our Data Protection Officer (DPO):