PERSONAL DATA PROTECTION NOTICE

NAKA SERVICES

1 April 2026

1. BASICS

This Personal Data Protection Notice (“Notice”) defines how the individual companies (“we”, “our” or “NAKA”) from the NAKA Group process, protect, and manage your Personal Data when you use the NAKA Services. This Notice refers solely to the provision of the NAKA Services and processing that takes place as a part of it. It does not cover processing that takes place (i) on our Web Interfaces (covered by a separate Personal Data Protection Notice Web Interfaces), (ii) during the provision of services provided by third-party providers (unless the third-party providers act as processors on our behalf when providing services, which are part of the NAKA Services) and (iii) on websites, links, or domains owned by third parties.

Whenever you interact with one of the NAKA Services, this Notice serves as the governing framework for processing of your Personal Data during the provision of such service. If a specific NAKA Service implements a unique Personal Data handling process, we will include an additional notice to ensure full transparency.

This Notice also refers to the Personal Data processed through the use of cookies included on the NAKA Services. For specific information, please see Addendum: Cookie Policy below.

1.1 Your Agreement to this Notice

By using the NAKA Service, to which this Notice refers, you expressly confirm that you accept and agree with this Notice.

1.2 Changes to the Notice

We will update this Notice when necessary. For example, we might change it if data protection laws change, if a local authority adopts a new decision, opinion, or stance, if we change how we collect, use, or store your Personal Data, or when other relevant circumstances change. In such cases, we reserve the right to change the provisions of this Notice without prior notification. We will provide you with any updates and modifications through NAKA Web Interfaces, indicating the effective date of said changes, so that you may familiarize yourself with them. Each version of this Notice will have the date of its effect stated at the top of the Notice, so that you may track the currently applicable version of this Notice by checking this date. We also recommend that you save a copy of the Notice for future reference and comparison.

We recommend you check this Notice each time before using the NAKA Service or review it periodically to stay informed of our current privacy rules. 

1.3 Applicable Terms and Definitions

Terms and capitalized words not defined in the main text have the following meanings:

Term

Definition / Meaning

Acquirer

means a legal entity or sole entrepreneur that acts as an intermediary between the Merchants and NAKA Payment Network. It establishes a contractual relationship with the Merchants, provides them the NAKA Payment Technology, exchanges the Crypto-Assets for other Crypto-Assets or the Fiat, and settles the Merchants’ claims.

Administrator

is NAKA GLOBAL, as defined below.

Affiliate

is a direct or indirect subsidiary, a holding company, and any other subsidiary of that holding company.

Agent(s)

means shareholders, directors, officers, Associates, contractors, partners, insurers, and attorneys of the NAKA Entities.

AML/CTF Legislation

means any anti-money laundering and counter-terrorism financing legislation applicable in a particular jurisdiction.

AML/CTF Measures

means any rules and procedures governed by the AML/CTF Legislation applicable in a particular jurisdiction.

Associate(s)

means any persons performing work for the NAKA Entities based on an independent contractor agreement.

Authorized Representative

is a person who is lawfully appointed or recognized to act on behalf of a legal entity in legal, financial, or administrative matters.

Beneficial Owner

is (i) any natural person who: (a) directly or indirectly holds the locally determined shareholding threshold, stock, voting rights, or other rights enabling them to participate in the management of the business entity, or (b) is directly or indirectly involved in the capital of the business entity with the locally determined threshold, or (c) has a controlling position in managing the assets of the business entity; or (ii) any natural person who indirectly provides or ensures funds for the business entity and, on this basis, has the ability to control, direct, or otherwise significantly influence the management's decisions regarding the financing and operations of the business entity.

Blockchain

means an information repository that keeps records of transactions and that is shared across, and synchronized between, a set of Blockchain Nodes using a Consensus Mechanism.

Blockchain Node

is a device or a process that is part of a Blockchain and holds a complete or partial replica of records of all transactions on a Blockchain.

Card(s)

refers to NAKA Card and NAKA+ Card.

Card Issuer(s)

is a legal entity, licensed as a credit institution, e-money issuer, postal institution, payment institution, bank, state, local government, or a legal person holding a PCI DSS certificate, that facilitates the technical issuance of new Cards. It also performs EMV security checks including PIN and CVV correctness.

Cardholder(s)

means (i) any individual to whom NAKA Card is issued and who is onboarded as the user of NAKA Pay App, and/or (as the context requires) (ii) any individual to whom NAKA+ Card is issued and who is onboarded as the user of NAKA Pay App.

Cardholder Agreement

is a contract between the Issuer and the Cardholder containing their respective rights, duties, and obligations for NAKA Card issuance.

Chainalysis

is a software tool for analyzing the Crypto-Asset transactions. For more information on Chainalysis please see: https://www.chainalysis.com/.

Consensus Mechanism

means rules and procedures by which an agreement is reached among the Blockchain Nodes that a transaction is validated.

Crypto-Asset(s)

means a digital representation of a value or of a right that can be transferred and stored electronically using the Blockchain or similar technology.

Crypto QR Payments

means a system for facilitating payments via QR codes with the Crypto-Assets, managed and operated within the NAKA Group.

Crystal 

is a software tool for analyzing the Crypto-Asset transactions. For more information on Crystal please see: https://www.crystalintelligence.com/.

Customer(s)

means the Cardholder(s) and/or the Merchant(s).

Digital ID

is an electronic representation of personal identity, used for verification processes.

Digital Wallet(s)

is any custodial or self-custodial mobile application that enables management and payment with the Crypto-Assets via QR codes at the Merchants.

End-Customer(s)

is the Merchant’s customer with whom the Merchant concluded a purchase contract.

Fiat

is a government-issued currency that is not backed by a physical commodity but by the government that issued it.

ICT 

means information and communication technology.

INN

issuing institution number that identifies the Issuer and is assigned by the Administrator.

Issuer(s)

means a regulated legal entity that enters into a contractual relationship with the Cardholder for the issuance of the Card(s). 

KYC Procedure(s)

means the know-your-customer procedure(s) implemented for the purpose of obtaining relevant customer information, as required under the applicable AML/CTF Legislation and in line with NAKA’s internal acts.

Merchant(s)

is a legal entity or a sole entrepreneur who concludes the Merchant Agreement with the Acquirer to be included in NAKA Payment Network.

Merchant Agreement

means a contract between the Merchant and the Acquirer containing their respective rights, duties, and obligations for the Merchant’s participation in NAKA Payment Network.

NAKA Card

means a virtual payment card, issued within NAKA Card Payment Network, which may be used to pay for goods and services using the Crypto-Assets and/or other tokenized assets, at the Merchants. Management of NAKA Cards is facilitated through NAKA Pay App.

NAKA+ Card

means a virtual self-custodial payment card, issued within NAKA Payment Network in association with the principal issuer within Visa Payment Network, which may be used to pay for goods and services using the Crypto-Assets and/or other tokenized assets. Management of NAKA+ Cards is facilitated through NAKA Pay App.

NAKA Payment Network

means a Blockchain-based payment network compatible with EMV and PCI DSS standards, used to facilitate transactions and settlements between the Cardholders and the Merchants, who are associated with this Network, through the utilization of the Smart Contracts.

NAKA Entity(ies)

means any, several or all (as the context may require) of the following companies:

1. NAKA GLOBAL d.o.o. (NAKA GLOBAL Ltd.), incorporated under the laws of the Republic of Slovenia, with its corporate seat at Letališka c. 33F, 1000 Ljubljana, Republic of Slovenia, reg. no. 8106452000 (“NAKA GLOBAL”);

2. NAKA CH Sagl, incorporated under the laws of Switzerland, with its corporate seat at Crocicchio di Cortogna 6, 6900 Lugano, Switzerland, reg. no. CHE-327.549.674 (“NAKA CH”);

3. NAKA SLV, S.A. de C.V., incorporated under the laws of El Salvador, with its corporate seat at Calle Cuscatlán, Casa 4312, Colonia Escalón, the municipality of San Salvador, El Salvador, reg. no. 2023108736 (“NAKA SLV”);

4. NAKA EUROPE d.o.o. (NAKA EUROPE Ltd.), incorporated under the laws of the Republic of Slovenia, with its corporate seat at Letališka c. 33F, 1000 Ljubljana, Republic of Slovenia, reg. no. 9244557000 (“NAKA EUROPE”).

NAKA Group

means a group of legal entities, which are subsidiaries and/or the Affiliates of the parent company, NAKA GLOBAL, either directly or indirectly, including all NAKA Entities.

NAKA Mobile App(lication)(s)

means a software program developed, owned, and operated by one or more of the NAKA Entities, designed to be downloaded and installed by a User on a device (e.g., a smartphone or tablet) running a compatible operating system (e.g., iOS or Android). This includes all versions, updates, and integrated features of the published NAKA Mobile App.

NAKA Partner(s)

means any individual or a legal entity with whom the NAKA Entities concluded a service or other type of contract, such as ICT services and cloud service providers, AML/CTF checks service providers, CRM software providers, card processing service providers, etc.

NAKA Pay App

means the NAKA Mobile Application used to access a self-custodial wallet, through which the Cardholder operates and manages the Cards, issued within NAKA Card Payment Network or in association with it (e.g., NAKA Card or NAKA+ Card). The Cards are managed through the wallet in NAKA Pay App, including the Card’s Private Key. This app serves also as a means of personal identification when using Crypto QR Payments.

NAKA Personnel 

means individuals acting as NAKA’s employees, Associates and Agents.

NAKA Primary Websites

means domains www.naka.com, www.ch.naka.com and www.sv.naka.com.

NAKA Service(s)

means any of the products and services offered by any of the NAKA Entities, including NAKA Pay App and issuing of the Cards.

NAKA Web Interface(s)

refers to any browser-based graphical user interface, through which the Users access the NAKA Websites and/or interact with the NAKA Services and/or the NAKA Entities (i.e., all content, functionalities, and digital tools hosted on the domains owned or operated by the NAKA Entities, public-facing pages, informational content, and digital touchpoints accessible via a web browser, including contact forms and other email correspondence for the purpose of direct marketing).

NAKA Website(s)

means all websites, microsites and web pages owned, operated, or controlled by the NAKA Entities, regardless of the specific domain or subdomain name used to access them, including the NAKA Primary Websites.

PAN

primary account number of NAKA Card, which consists of INN (first 8 digits), account identifiers (next 10 digits) and checksum (the last digit).

Payer(s)

means (i) a natural or legal person who makes a payment to the Merchant using NAKA Card, or a Digital Wallet (for the purpose of employing Crypto QR Payments), and/or (ii) a natural person who makes a payment via NAKA+ Card.

PIN

means a personal identification number required to complete transactions with NAKA Card or NAKA+ Card (if set by the User).

Personal Data

means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more other factors.

Private Key

is a unique code that allows the Users to access and manage the Crypto-Assets in NAKA Pay App.

RAALS

is a software tool for monitoring Customers’ business activities. For more information on RAALS please see: https://www.salviol.com/raals.

Regulatory Authority(ies)

refers to the local authorities in charge of monitoring provision of the NAKA Services and personal data processing activities in a particular jurisdiction in which the NAKA Entity is incorporated. 

Sanctions List

means: (i) SDN List, Non-SDN List, FSE List, SSI List, NS-PLC List, CAPTA List, NS-MBS List and NS-CMIC list, published by the Office of Foreign Assets Control of the U.S. Department of the Treasury; (ii) Consolidated list of persons, groups and entities subject to the EU financial sanctions, published by the European Commission; (iii) the United Nations Security Council Consolidated List; (iv) Consolidated list of financial sanctions targets, published by the Office of Financial Sanctions Implementation, part of HM Treasury; (v) SECO list; and (vi) any other global and national sanctions lists used by SumSub.

Smart Contract

is a software program stored on a Blockchain, which will execute itself when a set of predetermined conditions are met and is meant to implement automated transactions in NAKA Payment Network.

SumSub

is a third-party identity verification service provider and the NAKA Partner. More information on SumSub is available on the following link: https://sumsub.com/.

Terminal(s) or Point(s) of Sale (POS) 

means payment acceptance points available as (i) a part of physical point-of-sale (POS) hardware devices, (ii) a soft-POS solution, (iii) e-commerce solution or (iv) pay-by-link solution that the Merchants use to process the Payers’ transactions and other transactions with other payment means (including Crypto QR Payments). The Terminal may be provided by the NAKA Entity, a NAKA Partner or a third party. 

Transaction

means a process implemented to make a payment by the User to the Merchant or another business.

Travel Rule 

refers to a global regulatory standard adopted by Recommendation 16 of the Financial Action Task Force (FATF) that requires the Crypto-Asset service providers to share certain information about originators and beneficiaries of transactions with the Crypto-Assets. 

Travel Rule Obligation

means the scope of information that must be enclosed with any Crypto-Assets transaction by the service provider in line with the Travel Rule.

User(s)

means any individual user of any of the NAKA Services.

Visa Payment Network

means the payment network Visa. For more information please see: https://www.visa.com/en-us.

2. WHOSE PERSONAL DATA DO WE PROCESS?

This Notice applies to all individuals accessing the NAKA Services (i.e., the Users), regardless of the individual NAKA Service they use (e.g., Cards, offering payments with Crypto-Assets to End-Customers, etc.), the type of the device through which the NAKA Service is provided, the device’s operating system and the region the User is located in when accessing the NAKA Service.

3. WHO ACTS AS A CONTROLLER OF YOUR PERSONAL DATA?

The controller of your Personal Data in accordance with this Notice is the NAKA Entity, operating and managing the NAKA Service that you’re using. 

The NAKA Entity that may act as a controller in a particular case may be:

NAKA Entity and Contact Information (Address, Email)

NAKA CH
Address: Crocicchio di Cortogna 6, 6900 Lugano, Switzerland
Email: dpo@naka.com

NAKA SLV
Address: Calle Cuscatlan, Casa 4312, Colonia Escalon, the municipality of San Salvador, El Salvador

NAKA GLOBAL
Address: Letališka c. 33f, 1000 Ljubljana, Slovenia

NAKA EUROPE
Address: Letališka c. 33f, 1000 Ljubljana, Slovenia

If you’re uncertain as to which of the NAKA Entities is the controller of your Personal Data, we recommend checking the terms of use of the NAKA Service that you’re using. All terms were provided to you upon conclusion of the legal relationship, but they can also be accessed here. If you cannot find the applicable terms of use, please contact us at any of our e-mail addresses. 

If you have any questions regarding the processing of your Personal Data, please contact the NAKA Entity, acting as the controller of your Personal Data at the contact information stated in the table above. 

The processing of personal data carried out in El Salvador is governed by the Personal Data Protection Law and other applicable regulations issued by the State Cybersecurity Agency (ACE). The company is committed to processing personal data in accordance with the principles of lawfulness, purpose, minimization, security, accuracy, and temporality established under Salvadoran legislation. 

4. IN WHAT CASES CAN WE PROCESS YOUR PERSONAL DATA?

We will only collect and use your Personal Data if we have a valid legal ground to do so, according to local data protection laws, and our own internal rules. We do not collect Personal Data in excess of what is absolutely necessary to achieve the purpose for which we are processing your Personal Data.

4.1 Legal Grounds for Personal Data Processing

The legal ground for processing your Personal Data can be one of the following:

(a) Your Consent: When required by law, we will always ask for your permission to process your Personal Data;

(b) Legal Obligation: In certain cases, the locally applicable legislation requires us to process Personal Data of our Customers (e.g., for the purpose of adhering to the local AML/CTF Legislation, for adhering to the payments, crypto and digital asset sector related regulations etc.);

(c) Preparing for a Legal Relationship: We will need to use some of your Personal Data to prepare necessary documents, offers, or drafts before you start using a NAKA Service;

(d) Contract Performance: Once we establish a legal relationship with you, we will process your Personal Data in order to successfully implement and perform the obligations from the contract we executed with you;

(e) Our Business (Legitimate) Interests: In certain cases, none of the above legal grounds will exist, but we may still process your Personal Data. In such cases, we’ve established that our need to process your Personal Data is so paramount that it overrides your interests or fundamental rights and freedoms, which require protection of Personal Data. In most cases, this includes processing of Personal Data to allow us to maintain or enhance the NAKA Web Interfaces and/or the NAKA Services, e.g., when implementing information system security measures in line with the international standards which bind us, when identifying information technology systems and server issues/incidents.

5. HOW DO WE COLLECT YOUR PERSONAL DATA?

We may obtain your Personal Data from various sources. We will always try to obtain your Personal Data directly from you or your device when you use our Services or Web Interface (e.g., when you use the NAKA Web Interface to access our Service, subscribe to our newsletter, fill out our contact form, etc.). We may also use other information and data accessible through or provided by third party providers (e.g., our AML/CTF checks provider) or public sources (e.g., public registers, social media, etc.).

When you visit our Web Interfaces through which we offer the NAKA Services, we may also collect your Personal Data through cookies. You can find all the details on how we use cookies in the separate Addendum: Cookie Policy.

6. WHAT PERSONAL DATA DO WE PROCESS AND WHY?

NAKA processes the following types of Personal Data (the purpose for which we process each type is stated in each category):

6.1 Merchants’ Authorized Representatives and Beneficial Owners

Purpose of Personal Data Processing

(i) Implementing the KYC Procedure before and during implementation of the legal relationship, 

(ii) Implementing the AML/CTF Measures before and during implementation of the legal relationship, 

(iii) Performing obligations based on the concluded Merchant Agreement, 

(iv) Providing support and ICT services, 

(v) Other obligations stemming from the applicable legislation.

Categories of Data Subjects to which the Personal Data refer to

(i) The Merchants’ Authorized Representatives, 

(ii) The Merchants’ Beneficial Owners, 

(iii) The Merchants’ contact points (e.g., employees in charge of communication with suppliers).

Personal Data Processed

1. For each Merchant’s Authorized Representative and Beneficial Owner:

(i) name and surname, (ii) birth date, (iii) birth place, (iv) citizenship, (v) residency address, (vi) e-mail, (vii) ID document (type, date of issue and expiry; issuing state and authority), (viii) personal identification number or tax number (if locally required), (ix) share, (x) face capture, (xi) status of a politically exposed person, (xii) status of a sanctioned person, (xiii) copy of an ID document, (xiv) other information from ID document (depending on the local requirements for ID documents), (xv) proof of address.

2. For the Merchant’s contact person: (i) name and surname, (ii) e-mail, (iii) telephone no.

Source of data

The Merchant, the Authorized Representative, the Beneficial Owner, public records or third party service providers

Legal Grounds for Processing

(i) Local AML/CTF Legislation 

(ii) Performing contractual obligations 

6.2 Travel Rule Obligations

Purpose of Personal Data Processing

(i) Implementing the Travel Rule Obligation

Categories of Data Subjects to which the Personal Data refer to

The Payers with Crypto QR Payments

Personal Data Processed

(i) e-mail, (ii) name and surname, (iii) residency address (iv) birth place, (v) birth date, (vi) citizenship, (vii) ID document (no. and type, date of issue and expiry; issuing state and authority), (viii) DLT/wallet address, (ix) transaction date, (x) txhash, (xi) copy of an ID document, including all information from ID document (depending on the local requirements for ID documents).

Source of data

The Payers with Crypto QR Payments, third party service providers

Legal Grounds for Processing

Local Travel Rule Legislation 

6.3 Cardholders

Purpose of Personal Data Processing

(i) Implementing the KYC Procedure before and during implementation of the legal relationship, 

(ii) Implementing the AML/CTF Measures before and during implementation of the legal relationship, 

(iii) Performing obligations based on the concluded Merchant Agreement, 

(iv) Providing support and ICT services, 

(v) Other obligations stemming from the applicable legislation.

Categories of Data Subjects to which the Personal Data refer to

The Cardholders

Personal Data Processed

(i) name and surname, (ii) birth date, (iii) birth place, (iv) citizenship, (v) residency address, (vi) e-mail, (vii) ID document (type, date of issue and expiry; issuing state and authority), (viii) tax number, (ix) face capture, (x) copy of an ID document, including all other information from ID document (depending on the local requirements for ID documents), (xi) tokenized PAN, (xii) wallet address.

Source of data

The Cardholders and third party providers

Legal Grounds for Processing

(i) Local AML/CTF Legislation 

(ii) Performing contractual obligations 

6.4 Transactions and Customers’ Activities Monitoring

Purpose of Personal Data Processing

Implementing the AML/CTF Measures and other AML/CTF obligations relating to transactions monitoring. 

Categories of Data Subjects to which the Personal Data refer to

The Payers, the Cardholders, the End-Customers

Personal Data Processed

(i) e-mail, (ii) name and surname, (iii) residency address (iv) birth place, (v) birth date, (vi) citizenship, (vii) ID document (date of issue and expiry), (viii) DLT/wallet address, (ix) copy of an ID document, including all information from ID document (depending on the local requirements for ID documents), (x) tax number, (xi) face capture, (xii) tokenized PAN, (xiii) txhash, (xiv) transaction date and place.

Source of data

The Payers, the Cardholders and third party providers

Legal Grounds for Processing

Local AML/CTF Legislation 

6.5 User Support Activities

Purpose of Personal Data Processing

Performing obligations based on the established legal relationship

Categories of Data Subjects to which the Personal Data refer to

The Payers, the End-Customers, the Merchant’s contact person and other Users of the NAKA Services

Personal Data Processed

(i) E-mail,

(ii) Name and surname (if provided, not required),

(iii) Depending on the type of the NAKA Service, with which the User requires support, all other Personal Data processed by NAKA can be used for this purpose

Source of data

The Users of the NAKA Services

Legal Grounds for Processing

Established legal relationship

6.6 User Satisfaction Surveys

Purpose of Personal Data Processing

Control of customer support efficiency 

Categories of Data Subjects to which the Personal Data refer to

The Users who require support with the NAKA Services

Personal Data Processed

E-mail

Source of data

The Users of the NAKA Services

Legal Grounds for Processing

Legitimate/business interest

6.7 Business analytics and statistics in the NAKA Group

Purpose of Personal Data Processing

Control and monitoring of business operations in the NAKA Group

Categories of Data Subjects to which the Personal Data refer to

The Users of the NAKA Services

Personal Data Processed

(i) Transaction details (date, place, amount and currency),

(ii) User’s location,

(iii) Device type used to access the NAKA Service,

(iv) Activities performed

Source of data

The Users of the NAKA Services

Legal Grounds for Processing

Legitimate/business interest

6.8 Management of ICT Security in the NAKA Group

Purpose of Personal Data Processing

Enabling safe and secure use of the NAKA Services

Categories of Data Subjects to which the Personal Data refer to

The Users of the NAKA Services

Personal Data Processed

(i) User’s geo-location and IP,

(ii) Device type used to access the NAKA Service,

(iii) Activities performed

Source of data

Users and their devices

Legal Grounds for Processing

Legitimate/business interest

6.9 Handling of Complaints and Pursuit of Legal Actions against Customers

Purpose of Personal Data Processing

Pursuing/defending claims against the Users of the NAKA Services 

Categories of Data Subjects to which the Personal Data refer to

The Users of the NAKA Services

Personal Data Processed

Depending on the nature and type of the claim, any Personal Data held by NAKA may be processed for this purpose

Source of data

The Users of the NAKA Services

Legal Grounds for Processing

(i) Established legal relationship and/or 

(ii) Legitimate/business interest

Please take into consideration that the actual scope of the Personal Data processed for individual purposes may depend on certain factors that cannot be accounted for in advance (e.g., support required by a User may entail certain information that is not typically required, but is indispensable in that particular case for the support to be successful). You may request a full list of the Personal Data processed in individual cases at any time by emailing dpo@naka.com.

7. WHO CAN USE YOUR PERSONAL DATA?

7.1 General

Apart from the trusted NAKA Personnel, whose position within the NAKA Group requires them to process your Personal Data (due to the fact that a particular NAKA Entity is operating and/or managing specific tasks within the NAKA Group’s ecosystem), we only share your Personal Data with those NAKA Partners (service providers) who process the data on our behalf and follow our strict instructions, as agreed in our contracts with them. We may also have to share your Personal Data with the authorized Regulatory Authorities. 

7.2 Other Entities

We never sell or otherwise trade your Personal Data, nor do we share it with unauthorized persons. Under NAKA’s internal policies, your Personal Data is treated as NAKA’s business secret and is handled as such. The NAKA Personnel processes your Personal Data in accordance with their limited authorizations, contractual obligations and our internal policies. They are legally obliged to protect your Personal Data and respect your rights at all times, under the threat of applicable legal consequences for any breach.

The entities to which we may disclose or which may come in contact with your Personal Data are:

(a) Companies within the NAKA Group: Some of the features of the NAKA Services and/or the NAKA Web Interfaces through which we provide individual services are operated by the NAKA Entities and other NAKA Group companies, which are not acting as the controller of your Personal Data (e.g., ICT security measures are operated primarily by one company). 

(b) The NAKA Partners: To facilitate the use of the NAKA Services, NAKA is using capacities of other service providers. This includes services like web hosting, AML/CTF software service providers (SumSub, RAALS, Crystal, Chainalysis), providers of software for managing customer relations, cloud service providers, etc. In any of these instances, NAKA concludes adequate contracts governing how and for which purposes the NAKA Partners may process your Personal Data. In addition, we may be required to share some of your Personal Data with third parties, providing services relating to payment and transaction processing. Without such services, the transactions and payments as we offer within the NAKA Services would not be possible (e.g., we share some of the transaction data like PAN with Card Issuers to ensure secure transactions).

When we provide collaborative products—like co-branded, co-badged or combined payment cards (e.g., NAKA+ Card), or integrated payment solutions—we often work with partners who provide their own specialized services alongside ours. In these instances, NAKA and the partner are jointly responsible for your Personal Data. We sync necessary information with these partners (and vice-versa) to ensure both we and our partner fulfil legal obligations (especially in the field of the AML/CTF Legislation). At the same time, we ensure your transactions are processed and your Personal Data remains secure across both our systems. 

Since our business operations are dynamic, it is impossible to publish a list of every single individual or entity who might see your Personal Data in a manner that would be up to date at all times. In addition, some of the information is NAKA’s business secret, which we are not allowed to disclose publicly. However, you may request a full list of the users processing your Personal Data at any time by emailing dpo@naka.com. 

7.3 Relationship With Regulatory Authorities

Please take into consideration that some of the NAKA Entities are regulated crypto-asset service providers in their respective countries of incorporation, and are, thus, subject to strict regulatory requirements and AML/CTF Legislation. 

While we will never disclose your Personal Data without being compelled to do so, there will be instances in which we will be required to share your Personal Data with the Regulatory Authorities (e.g., during regular reviews by the Regulatory Authorities, after the result of the implemented AML/CTF Measures indicate the need to inform the Regulatory Authorities of the findings, etc.). We will only do so if (i) we deem this as necessary to comply with the applicable legislation, (ii) if the Regulatory Authorities present a legally enforceable request applicable to the NAKA Entity, which acts as the controller and/or processor of your Personal Data and we (a) deem the request as justified or (b) are forced to comply. 

When dealing with the Regulatory Authorities, we will comply with their respective requests in a way that protects your privacy rights to the broadest extent possible considering the local legislation. We will only disclose the information that is absolutely necessary to comply with the Regulatory Authorities’ requests or legal requirements.  

7.4 Use Of Blockchain Technology

To provide secure, transparent, and immutable payment services, NAKA utilizes public Blockchain networks (for the current list please see here). These networks serve as a distributed ledger where transaction records are processed and permanently stored. In addition, they’re fully publicly accessible to anyone with an internet connection - as opposed to our internal databases, which are available only to us and our trusted agents. The use of this technology is a core component of the NAKA Services (or parts thereof). Whether Blockchain technology is used in the provision of a particular NAKA Service is evident from the terms of use of the individual services.

While we as a rule never record your personally and directly identifiable information (e.g., name, surname, physical and email address etc.) on the Blockchain, certain data that is recorded on the Blockchain during the provision of the NAKA Services (e.g., wallet addresses, timestamps, and transaction amounts) may still be classified as personal data under certain legislation (e.g., GDPR), even though it is recorded as hashed and/or pseudonymized, because it could potentially be linked back to an individual via external information.

We are the controller for the data we collect from you directly, but we do not control the Blockchain itself. Because a public Blockchain is decentralized, no single entity (including us) "controls" the network. Once the information is broadcast to the Blockchain, the processing is performed by a global network of independent nodes. Thus, once a transaction is broadcast to the network, NAKA does not have the technical ability to unilaterally modify, stop, or delete that specific record.

Furthermore, due to the inherent functionality of Blockchain technology, which in principle does not allow for modification and/or deletion of data recorded on the Blockchain, any record made is permanent and immutable, not allowing any deletion/erasure/alteration. This also applies to instances when the User chooses to exercise rights derived from the privacy laws, such as the right to data erasure or data rectification. Neither we nor any third party would be able to comply with such requests. Therefore, we want you to be aware of such limitations on your rights, especially:

(a) Right to Erasure (as defined below): If you request the erasure of your data, NAKA will delete your identifiable information from our internal databases. This breaks the link between your identity and the on-chain information, rendering the Blockchain data effectively anonymous from our perspective. However, the record of the transaction itself will remain on the public ledger.

(b) Right to Rectification (as defined below): Because the Blockchain is an append-only ledger, historical records cannot be changed. If a record is inaccurate, the "correction" usually involves broadcasting a new, updated transaction rather than altering the old one, meaning that the past entries cannot be directly altered in any case. 

8. TRANSFERS OF PERSONAL DATA TO OTHER JURISDICTIONS

The Personal Data we collect and process is mainly stored and processed in the country where the specific NAKA Entity, acting as controller, is based. However, under some circumstances, we have to transfer some of the data outside of these countries for particular processing activities, e.g., when one of our service providers (acting as processors on our behalf) is located in a different jurisdiction.

Whenever we transfer your Personal Data to another jurisdiction, we will ensure that it is protected and transferred in a manner which complies with the local legal requirements for Personal Data protection. For instance, when we transfer your Personal Data from the EU to a third country (or from the third country to the EU and then back), we always ensure that (i) the country to which we transfer your Personal Data was approved by the European Commission, or (ii) the recipient of your Personal Data signed a contract based on “Model Contractual Clauses” approved by the European Commission, obliging them to protect your Personal Data.

By agreeing to this Notice (as stipulated in section 1.1 Your Agreement to this Notice), you also expressly consent to transfers of your Personal Data to other jurisdictions, as described above. For transfers based on cookies we use, please see Addendum: Cookie Policy.  

9. HOW WILL YOUR PERSONAL DATA BE PROTECTED?

When we process your Personal Data, we use all the necessary organizational, technical and other suitable procedures and measures to protect it and prevent unauthorized data destruction, modification, loss or any unauthorized processing.  

The NAKA Group’s parent company (NAKA GLOBAL) holds several ISO certifications, including ISO 27001: Information Security Management System and ISO 22301: Business Continuity Management Systems. The same high standards from these international certifications and NAKA GLOBAL’s internal rules are applied across all other NAKA Entities. This ensures that the same robust level of personal data protection and security is used throughout the entire NAKA Group.

Specifically, these measures include:

(a) Defining internal data protection rules, which oblige all NAKA Personnel; 

(b) Providing regular training to all NAKA Personnel on how to process Personal Data safely and in compliance with internal rules;

(c) Implementing other standard measures (like a clean desk policy, regular password changes, and using 2-step verification wherever possible);

(d) Implementing internal controls for all processing activities;

(e) Regularly monitoring our IT and other assets;

(f) Conducting regular internal and external reviews.

We also implement other measures, such as:

(a) Minimizing the Personal Data we collect;

(b) Using pseudonymization (hiding direct identifiers) where possible;

(c) Ensuring transparency;

(d) Continuously upgrading our safety measures.

The NAKA Group regularly invests in various safety features for both our physical premises (like regular checks for alarms) and our IT systems (like state-of-the-art monitoring software), to ensure we maintain a strong and wide scope of security measures.

IMPORTANT: Notwithstanding the above, the Users must consider at all times that they are solely responsible for keeping their Private Keys, passwords for accessing the NAKA Services, PIN numbers and other unique identifiers, etc., safe and secure. Such identifiers must not be shared with anyone. It should be noted that in case the User forgets or loses any of such identifiers (especially the Private Key), NAKA does not have means nor is able to assist the User in obtaining another identifier.

10. HOW LONG DO WE KEEP YOUR PERSONAL DATA?

The period of keeping your Personal Data depends on the basis and individual purpose of personal data processing (i.e., why and for what purpose we collected your Personal Data). We only keep your Personal Data for as long as this is (i) legally required (e.g., due to the AML/CTF Legislation), (ii) necessary to achieve the purpose for which the Personal Data has been collected or processed and/or (iii) necessary to initiate/implement/finalize any legal proceedings in relation to you, in the scope needed to implement the legal proceedings (e.g., for evidence or defense purposes in case of a possibility of legal claims).

Once the original purpose is achieved or any legal proceedings are finished, we will only keep the data that we are legally obliged to keep (if any). The rest of the Personal Data will be erased (to the extent this is technically possible) or blocked and/or anonymized for use, unless otherwise is legally required for certain types of data (e.g., where a permanent record is legally required).

As a general rule, most of the Personal Data is kept for a period of five years from when it is collected, with several exceptions:

(a) If you revoke consent: The processing of Personal Data based on your consent will cease after you revoke your consent and there is no other legally recognized reason for us to continue to process it (e.g., an ongoing legal claim or proceedings and your Personal Data is necessary to defend/pursue such claim).

(b) The AML/CTF Legislation: Personal Data relating to AML/CTF legislation is as a rule processed for a period of 10 years after the last transaction/termination of the legal relationship. 

(c) Legal proceedings: Any data needed to finalize a legal proceeding will be kept until the proceedings are concluded with a final effect, even if the general five-year deadline has already passed. 

Any Personal Data we process for direct marketing (like sending you offers and newsletters) is kept until you withdraw your consent or, in any case, for a maximum period of five years from the date we obtained your consent. After that time, we will ask for your permission again if we still want to send you marketing communications.

11. EXERCISING YOUR RIGHTS

You can always request to exercise the following rights relating to your Personal Data:

(a) Right to Withdraw the Consent: If we’re relying on your consent as the legal ground for processing your Personal Data, you may withdraw your consent at any time. However, please take into account that the withdrawal of your consent does not affect the lawfulness of the processing that took place based on your consent for the period prior to the withdrawal.

(b) Right to File a Complaint with a Supervisory Authority: You have a right to always file a complaint with the Regulatory Authority monitoring the data protection requirements in the jurisdiction of the controller’s incorporation. While you are not legally required to, we would appreciate it if you would inform us before filing any claim, as we may be able to resolve the matter to mutual satisfaction on our own. In addition, we would appreciate it if you would inform us of the lodged claim so we can properly review and respond to the matter. 

Information about the Regulatory Authority in charge of individual controllers within the NAKA Group:

| NAKA Entity | Regulatory Authority |
| --- | --- |
| NAKA CH | Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, Switzerland - 3003 Berne; T: 058 462 43 95; W: www.edoeb.admin.ch, www.edoeb.admin.ch/de/kontakt |
| NAKA SLV | Agencia de Ciberseguridad del Estado; T: (503) 7530-6114; E: contacto@ace.gob.sv; W: www.agenciadeciberseguridad.gob.sv |
| NAKA GLOBAL; NAKA EUROPE | Informacijski pooblaščenec (Information Commissioner), Dunajska cesta 22, 1000 Ljubljana, Slovenia; T: +386 1 230 97 30; E: gp.ip@ip-rs.si; W: www.ip-rs.si |

(c) Right to Access: You can always contact us to confirm if we are processing any of your Personal Data, and if so, to provide you a copy of the Personal Data undergoing processing. You may also request information on: (i) the purpose for processing and the source of Personal Data, if you haven’t provided them to us, (ii) the categories of Personal Data we process, (iii) the users/recipients or categories of users/recipients to whom the Personal Data have been or will be shared, in particular users/recipients in third countries or international organisations, (iv) the planned duration of storage, or, if not possible, the criteria used to determine that period, (v) your rights in relation to the processing (especially the rights from this section), (vi) the right to file a complaint with a supervisory authority, (vii) the existence of automated decision-making, including profiling and (viii) whether the Personal Data are transferred outside of the controller’s jurisdiction and what safeguards will be employed during the transfer.

(d) Right to Correction or Rectification: You may also request that we - without undue delay - rectify any of your Personal Data that is inaccurate and/or incomplete. 

(e) Right to Erasure: You have a right to request that we erase your Personal Data without undue delay, in particular if your Personal Data are no longer necessary to achieve the purposes for which we were processing them, if you have withdrawn your consent and there is no other legal ground for the processing or if we’ve been processing your Personal Data unlawfully. You may request us to erase your Personal Data also if we have no overriding legitimate grounds for the processing, or you object to the processing for the purposes of direct marketing. We will erase your Personal Data also if we have to comply with a legal obligation to which we’re subject. In general, we do not transact with individuals who are considered children, but if this nevertheless happens, we will fully adhere to any requests to erase the data of children for which no other legal ground for the processing exists.

(f) Right to Restriction of Processing: In certain cases, you may also request that we restrict processing of your Personal Data. This may happen when: (i) you are challenging the accuracy of your Personal Data; (ii) the processing is unlawful, but you do not wish us to erase your Personal Data, just not to process them; (iii) we no longer need your Personal Data for the purposes of processing, but you need them for the establishment, exercise or defence of legal claims; (iv) you have objected to processing and we’re still verifying if our legitimate interests override yours. 

(g) Right to Object: In particular situations you may object to processing of your Personal Data if the legal grounds for the processing stem from our legitimate interests (including profiling). To continue to process your Personal Data, we will have to demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or that we need them for initiation, exercise or defence of legal claims. You may also object to processing of your Personal Data for direct marketing purposes, such as sending offers and newsletters (including profiling to the extent that it is related to such direct marketing).

(h) Right to Data Portability: Under certain circumstances, you also have a right to data portability, as defined under the applicable legislation. The enforcement of this right depends on the technical capacities and internal policies of individual controllers. For further information about this right and whether it applies to your situation, you may contact us at dpo@naka.com.

We will try to fulfill your requests within 20 business days after receiving them. If the request is complex and we have a justified reason, we might need up to an additional 20 business days.

If your request affects how you use the NAKA Web Interface or the NAKA Services, we will let you know.

Please note that you are responsible for making sure the personal information you give us is accurate and up-to-date, unless our internal policies state otherwise.

If there is a data breach that affects your Personal Data, we will notify you as required by the law.

12. AUTOMATED DECISION-MAKING ACTIVITIES

Provision of some of the NAKA Services requires us to implement an in-depth KYC Procedure of our customers (in particular, relating to the Cardholders, Merchant’s Authorized Representatives and Beneficial Owners) for the purpose of compliance with the local AML/CTF Legislation. To do so, we employ certain software solutions, which process Cardholders’ personal data with automated means, resulting in a report based on the Cardholder’s personal data. Nevertheless, we always ensure that the obtained decision is verified by one of our employees.

While you may opt to exercise your right not to be subject to the automated decision-making activities, we are not obliged to adhere to such request under certain conditions (e.g., the automated decision-making activity is necessary for entering into, or performance of, a contract between you and us; the use of such process is authorised by the law, applicable to the controller, provided it lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or you provided explicit consent to use such means).

13. DO YOU NEED TO KNOW ANYTHING ELSE?

We recommend you also read the general terms of use for the NAKA Service you are using, as those terms, along with this Notice, form a binding agreement between you and NAKA.

If you have any questions or want to clarify anything in this Notice or about how we process your Personal Data, please contact us at dpo@naka.com or use the other contact details listed above or in the general terms. 

NAKA Team

Addendum 1: Cookie Policy

1. BASICS

This Cookie Policy (“Cookie Policy”) is in addition to the Personal Data Protection Notice NAKA Services and together with it represents a comprehensive framework for Personal Data processing in the NAKA Group. Any capitalized terms not defined in this Cookie Policy have the same meaning as defined in that Notice.

The Cookie Policy refers specifically to processing of information and Personal Data obtained through cookies and other similar technologies used on the NAKA Services. While not all information we obtain through cookies can be categorized as Personal Data when observed individually and in isolation, in connection with other data we collect, it may be categorized as Personal Data under certain legislation (e.g., GDPR).

2. WHO IS THE CONTROLLER OF PERSONAL DATA OBTAINED THROUGH COOKIES?

The controller of your Personal Data obtained through cookies in line with this Cookie Policy is the NAKA Entity, which operates the specific NAKA Services. For further details please see the Notice, section 3. “WHO ACTS AS A CONTROLLER OF YOUR PERSONAL DATA?” above.

3. WHAT ARE COOKIES AND WHAT IS THEIR PURPOSE?

Cookies are small text files that are downloaded to your device when you visit a website or other web interface (e.g., a mobile app). Usually they contain the name of the server from which the cookie was sent, the cookie’s expiration time and a randomly generated unique number, which serves as a cookie value.

A cookie itself does not contain or collect information. However, when a server reads the cookie together with your web browser, it helps the website provide a better, more user-friendly service, e.g., to remember your username and password for your next visit. Cookies are not harmful for the device and are always set to expire after a certain amount of time.

The main purpose of cookies is to make the website work better and to improve your experience while viewing it. Cookies make the interaction between you and a website faster and easier, saving you time and making your visit more efficient.

In general, there are two types of cookies: (i) essential and (ii) non-essential cookies:

(a) Essential cookies are required for a basic web service (e.g., just browsing a website) to function properly. You cannot opt out of these, as the website won't work without them.

(b) Non-essential cookies are not necessary for the provision of a particular web service (e.g., browsing a website), but merely serve to enhance your user experience or help the website operator gain insight into the functionalities of the service it offers through the website. You can choose not to allow these to be saved on your device.

Cookies can also be categorized as (i) internal (“first party”): set and used directly by us, or (ii) external (“third party”): set and used by third parties, such as service providers like Google Inc. 

4. WHICH COOKIES DO WE USE?

NAKA uses both essential and non-essential cookies. Non-essential cookies include: (i) analytics cookies and (ii) marketing cookies.

We use cookies to determine how you navigate the NAKA Websites, what content you are interested in, and how long your visits last. This information allows us to tailor the content of the NAKA Websites to better suit your needs.

The data collected through cookies is used exclusively for statistical purposes and for collecting demographic data and visitor interests (but in a way that cannot reveal your identity), identifying server problems and for editing the NAKA Website.

Some cookies we use are temporary (also known as session cookies), meaning they are deleted when you close your browser. Other cookies are saved on your device for a certain time even after you have left our Website (the persistent cookies). We use temporary cookies to measure the number of visitors and check our content's effectiveness. Persistent cookies allow us to save your contact information for subsequent visits so our Website content adjusts to your device. We also use saved cookies originating from other sites like Google, Facebook, X, etc.

4.1 Essential Cookies

Essential cookies are necessary to enable the basic NAKA Website functionality and are always active.

| Essential Cookies | Uses | Type | Expiration |
| --- | --- | --- | --- |
| cookie_consent | Used by the website to remember the user's cookie consent preference and ensure compliance with privacy laws. | Internal | 180 days |

4.2 Non-Essential Cookies

Privacy is important to us, so you have the choice to disable all or some of the non-essential cookies—those that are not strictly necessary for the basic functioning of the NAKA Website you’re visiting.

You can choose not to allow any of the below non-essential cookie categories to be stored on your device (you can make this choice in the cookie banner by clicking the “Cookies preferences” button). Please remember that if you opt out, some features that depend on these cookies (or the information they convey) may not work.

Please also note that once external cookies are downloaded to your device, we are not able to control them. To delete them, you need to manage your browser settings yourself. 

Analytics and marketing cookies help NAKA understand how its website performs, how visitors interact with the site, and whether there may be technical issues. 

| Analytics and Marketing Cookies | Uses | Type | Expiration |
| --- | --- | --- | --- |
| _ga | Google Analytics assigns a randomly generated ID to distinguish between different users and analyze website traffic (calculate visitors, sessions, and campaign data). | External | 400 days |
| _ga_ID | Stores session and campaign data for Google Analytics to measure performance. | External | 400 days |
| __hstc | The main cookie for tracking visitors. It contains the domain, user token (utk), and timestamps of previous visits. Tracks visitor behavior across sessions to understand how users interact with the website and improve performance. | Internal | 180 days |
| hubspotutk | Keeps track of a visitor's identity. This is used to link website behavior to a specific contact record in the CRM. | Internal | 180 days |
| visitor_id | Used to monitor unique visitor behavior and interactions across the site to improve user experience. | Internal | 270 days |
| _hjSessionUser_4944793 | Identifies a unique user for behavior tracking (e.g., heatmaps - where users click, session recordings - how users move their mouse). | Internal | 365 days |

5. GOOGLE ANALYTICS

We also use the Google Analytics web service by Google Inc. (“Google”). Google Analytics is a web analysis service providing information on your behaviour on our Website, which helps us to create a better user experience for you. Data related to your use of our Website (e.g., your IP address, browser type, language settings, operating system, etc.) collected by Google will be transferred to Google’s server in the United States of America, where this data will be stored and analysed. The relevant data in anonymized form will then be sent to us. Google guarantees adequate data protection standards because it complies with the "Model Contractual Clauses" approved by the European Commission, which legally require it to protect your personal information.

You may withdraw your consent to the use of web analysis at any time by downloading Google Analytics Opt-out Browser Add-on. You can find more information about the service in the Google Analytics terms and conditions, its security and privacy principles, and Google's general privacy policy.

6. CONTACT

If you have any questions or comments in connection with the cookies, you can reach us at dpo@naka.com.