Privacy Policy

SUPA SPC (“SUPA HUB”, “SUPA”, “S U P A”, “we”, “us”, or “our”) is a segregated portfolio company incorporated in the Cayman Islands, registration number 430549, with its registered office at:

71 Fort Street
3/F Athena Tower, Unit 2775
George Town KY1-1111
Grand Cayman, Cayman Islands

We provide digital asset registry and infrastructure services exclusively through partnerships with licensed financial institutions.
We do not provide banking, advisory, custody, or other regulated financial services.

Digital assets are not insured and may involve a risk of partial or total loss.

SUPA SPC acts as the official issuer and registrar of all documents generated through its platform.
Each document is executed using a qualified electronic signature with full legal effect.
Authenticity and integrity may be verified at any time at https://app.supa.red/veri.


1. Introduction

This Privacy Policy explains how we collect, use, disclose, transfer, and protect your personal data when you interact with our website, platform, or any related online or offline services (collectively, the “Services”).

We process personal data in accordance with the Data Protection Act, 2017 (as revised) of the Cayman Islands (“DPA”) and other applicable data protection laws.

We may facilitate or resell services provided by third parties, including but not limited to SUPA RED LTD (Hong Kong Cap. 615 Category A Registrant, registration A-B-24-11-08324, company/tax 76874833, 10/F YF Life Tower, Unit HD106, 33 Lockhart Road, Wan Chai, Hong Kong). SUPA SPC itself does not provide financial services.


2. Personal Data We Collect

Data Provided Directly by You

  • Full name, date of birth, nationality, and identifiers
  • Contact details (email, telephone, postal address)
  • Identity and address verification documents
  • Information voluntarily submitted by you

Data Collected Automatically

  • IP address, device identifiers, browser type, operating system
  • Usage data (pages visited, time spent, referring URLs)
  • Cookie and tracking data (see Cookie Policy)

Data from Third Parties

  • Information from partner licensed financial institutions
  • Public records and sanctions/AML screening databases

We do not intentionally collect sensitive personal data unless required by law or for crime prevention. All collection occurs fairly and lawfully under the DPA.


3. How We Use Personal Data

Processing purposes and lawful bases:

  • Service facilitation — performance of a contract or legitimate interests
  • Identity verification, AML and sanctions screening — legal obligation
  • Service operation and improvement — legitimate interests
  • Communications and support — legitimate interests or consent
  • Fraud prevention and security — legal obligation and legitimate interests
  • Legal and regulatory compliance — legal obligation
  • Anonymised analytics — legitimate interests

Processing is proportionate, accurate, secure, and purpose-limited.


4. Disclosure of Personal Data

We disclose personal data only where necessary and lawful:

  • To partner licensed financial institutions (independent controllers)
  • To data processors providing IT, compliance, or support services
  • To professional advisers, auditors, or insurers
  • To regulators, courts, or law enforcement where required
  • During corporate restructuring or sale, with safeguards

We do not sell personal data or share it for third-party marketing.


5. International Transfers

Personal data may be processed outside the Cayman Islands, including in Hong Kong, the United Kingdom, the European Union, the United States, and the United Arab Emirates. Transfers occur only where adequate protection or appropriate safeguards exist under the DPA.


6. Data Retention

We retain personal data only as long as necessary for service provision, legal compliance, and regulatory record-keeping. Client data is typically retained for at least seven (7) years after the relationship ends, then securely deleted, destroyed, or anonymised.


7. Your Rights Under the DPA

Subject to statutory conditions and exemptions, you have rights to:

  • Access your personal data
  • Cessation of processing in specified circumstances
  • Object to direct marketing
  • Review of automated decision-making
  • Rectification, blocking, erasure, or destruction via Ombudsman order

The DPA does not provide data portability rights or an absolute right to erasure.
Requests are handled within statutory timelines (typically 30 days). You may complain to the Office of the Ombudsman (Cayman Islands) if dissatisfied.


8. Security Measures

We implement appropriate technical and organisational safeguards, including encryption, access controls, monitoring and security testing, and staff confidentiality and training. Measures are regularly reviewed to ensure confidentiality, integrity, and availability of personal data.


9. Changes to This Policy

We may update this Privacy Policy periodically to reflect legal developments, operational changes, or service updates. The latest version will always be published on our website. Continued use of the Services constitutes acceptance of the revised Policy.