Privacy Policy

SUPA SPC (“SUPA HUB”, “SUPA”, “S U P A”, “we”, “us”, or “our”) is a segregated portfolio company incorporated in the Cayman Islands, registration number 430549, with its registered office at:

71 Fort Street
3/F Athena Tower, Unit 2775
George Town KY1-1111
Grand Cayman, Cayman Islands

We provide digital asset registry and infrastructure services exclusively through partnerships with licensed financial institutions.
We do not provide banking, advisory, custody, or other regulated financial services.

Digital assets are not insured and may involve a risk of partial or total loss.

SUPA SPC acts as the official issuer and registrar of all documents generated through its platform.
Each document is executed using a qualified electronic signature with full legal effect.
Authenticity and integrity may be verified at any time at:
https://app.supahub.co/veri

1. Introduction

This Privacy Policy explains how we collect, use, disclose, transfer, and protect your personal data when you interact with our website, platform, or any related online or offline services (collectively, the “Services”).

We process personal data in accordance with the Data Protection Act, 2017 (as revised) of the Cayman Islands (“DPA”) and other applicable data protection laws.
Our processing activities are primarily governed by the DPA, which establishes principles for the fair, lawful, and proportionate handling of personal data.

We may facilitate or resell services provided by third parties, including but not limited to:

SUPA RED LTD
Category A Registrant under Hong Kong Cap. 615
Registration number: A-B-24-11-08324
Company / Tax number: 76874833

Registered address:
10/F YF Life Tower, Unit HD106
33 Lockhart Road, Wan Chai, Hong Kong

SUPA SPC does not itself provide financial services.

2. Personal Data We Collect

We collect only personal data necessary and proportionate to the purposes described in this Policy.

Data Provided Directly by You

  • Full name, date of birth, nationality, and identifiers
  • Contact details (email, telephone, postal address)
  • Identity and address verification documents
  • Information voluntarily submitted by you

Data Collected Automatically

  • IP address, device identifiers, browser type, operating system
  • Usage data (pages visited, time spent, referring URLs)
  • Cookie and tracking data (see Cookie Policy)

Data from Third Parties

  • Information from partner licensed financial institutions
  • Public records and sanctions/AML screening databases

We do not intentionally collect sensitive personal data unless required by law or for crime prevention.
All collection occurs fairly and lawfully under the DPA.

3. How We Use Personal Data

We process personal data only for legitimate purposes and in line with DPA principles.

Purposes and Lawful Bases

Service facilitation
Access to registry and infrastructure services via partners
Lawful basis: contract performance or legitimate interests

Identity verification, AML, sanctions screening
Lawful basis: legal obligation

Service operation and improvement
Maintenance, analytics, troubleshooting
Lawful basis: legitimate interests

Communications and support
Service notices and, where permitted, marketing
Lawful basis: legitimate interests or consent

Fraud and security prevention
Lawful basis: legal obligation and legitimate interests

Legal and regulatory compliance
Lawful basis: legal obligation

Anonymised analytics
Business improvement without identification
Lawful basis: legitimate interests

Processing is proportionate, accurate, secure, and purpose-limited.

4. Disclosure of Personal Data

We disclose personal data only where necessary and lawful:

  • To partner licensed financial institutions (independent controllers)
  • To data processors providing IT, compliance, or support services
  • To professional advisers, auditors, or insurers
  • To regulators, courts, or law enforcement where required
  • During corporate restructuring or sale, with safeguards

We do not sell personal data or share it for third-party marketing.

5. International Transfers

Personal data may be processed outside the Cayman Islands, including in:

  • Hong Kong
  • United Kingdom
  • European Union
  • United States
  • United Arab Emirates

Transfers occur only where adequate protection or appropriate safeguards exist under the DPA, such as:

  • contractual safeguards
  • binding corporate rules
  • approved transfer mechanisms

6. Data Retention

We retain personal data only as long as necessary for:

  • service provision
  • legal compliance
  • regulatory record-keeping

Client data is typically retained for at least seven (7) years after the relationship ends.

Afterwards, data is securely deleted, destroyed, or anonymised.

7. Your Rights Under the DPA

You have rights subject to statutory conditions and exemptions.

These include:

  • Access to your personal data
  • Cessation of processing in specified circumstances
  • Objection to direct marketing
  • Review of automated decision-making
  • Rectification, blocking, erasure, or destruction via Ombudsman order

The DPA does not provide:

  • data portability rights
  • an absolute right to erasure

Requests are handled within statutory timelines (typically 30 days).

You may complain to the Office of the Ombudsman (Cayman Islands) if dissatisfied.

8. Security Measures

We implement appropriate technical and organisational safeguards, including:

  • encryption and secure storage
  • access controls and authentication
  • monitoring and security testing
  • staff confidentiality and training

Measures are regularly reviewed to ensure protection of:

  • confidentiality
  • integrity
  • availability

of personal data.

9. Changes to This Policy

We may update this Privacy Policy periodically to reflect:

  • legal developments
  • operational changes
  • service updates

The latest version will always be published on our website.
Continued use of the Services constitutes acceptance of the revised Policy.