‍

In all instances, reference to the "toco initiative" includes any subsidiaries or branches of these entities, especially if they are involved (directly or indirectly) in the process of collecting, processing or storing your data.

About this notice

This Global Privacy Notice describes the types of personal information we collect, the purposes for which we collect that personal information, the other parties with whom we may share it and the measures we take to protect the security of the data. It also tells you about your rights and choices with respect to your personal information, and how you can contact us about our privacy practices.

To whom does this notice apply?

Our users

This privacy notice is applicable to the persons and entities who plan to (i.e. they have taken steps to register with us) or are currently transacting in tocos. Specifically, it includes natural persons or entities who:

• Download our mobile application from an application store;
• Register a toco wallet via the mobile application or on our desktop version of the platform;
• Already use an activated toco wallet or wallets to buy toco from The Carbon Reserve or sell toco to The Carbon Reserve;
• Use an activated toco wallet or wallets to transact with other toco wallet holders.

Prospective employees

This privacy notice is also applicable to natural persons who apply for vacancies at any of the entities in the initiative and whose personal data we collect during the recruitment process.

Why do we need your data and what sources do we use?

For KYC/AML regulatory compliance

The integrity of this initiative is too important to risk its unlawful exploitation. While the network is open and accessible to everyone with internet access, the network’s entry points, in the form of exchanges and wallets, will need to follow applicable anti-money laundering regulations as issued by FINMA. The Carbon Reserve has delegated compliance with anti-money laundering regulation to Toco AG, an authorised financial intermediary which is duly supervised by a FINMA accredited self-regulating organisation.

To protect this network and comply with regulations, Toco AG will collect the following personal data from you during the process of registration and activation of a wallet: facial verification, name(s), surname, date of birth, nationality, address, source of funds, geolocation, email address, and cell phone number. This information is provided by you or extracted from documents, images, or videos which you provide to us. We collect this information to ensure that we know who we are dealing with, to restrict any criminals or prohibited persons from using this network, ultimately protecting all the users of this network.

During our onboarding process, we use global leaders in identity verification that use technology such as OCR (optical character recognition) to extract and verify data. We have strict data privacy agreements with these providers to ensure that their collection, processing, and storage of your data meets our requirements and ultimately protects you.

Once you use an activated wallet, we will collect only information about your transactions to be able to comply to AML regulations. We do this to monitor and identify suspicious transactions and/or wallets so that we may report this to the authorities and/or takes the necessary action to remove such participants from the network.

Generally, on a continued basis, we will attempt to know our customers to comply with financial market regulations. This may require collection of information about you from publicly available sources e.g. the internet and public registries, including sanctions lists.

To enable payments

Once you have an activated wallet, you may opt to buy tocos from The Carbon Reserve or sell your tocos back to The Carbon Reserve. These transactions will be concluded using your bank account, debit or credit card information. Therefore, if you want to buy/sell tocos as described here, we will need to collect and store your bank account details and/or debit/credit card details, depending on the payment method applicable. We may use payment gateways to facilitate these transactions and will therefore share your information (which will include personal information such as your name) with these service providers. We have strict data privacy agreements with these providers to ensure that your information is protected.

To communicate with you

During the wallet registration process, we collect your contact details and may take steps to verify these.The purpose of collecting this data is so that we may communicate with you. Communication can relate to regulatory compliance (we need more information about your financial background), promotional events, or functions which we would invite you to. At any time, you may opt-out of marketing-related communications by either selecting an “unsubscribe” option in the email or by sending us an email hello@tocos.org.

To balance interests

Where necessary, we process your data beyond the requirements of our Terms and Conditions to protect our own (and 3rd parties') legitimate interests. This could include:

• Review and optimisation of procedures required for the evaluation of direct client engagement;
• Advertising or market and opinion research, provided you have not objected to the use of your data;
• Assertion of legal claims and defence in legal disputes;
• Ensuring IT security and IT operations;
• Prevention and investigation of criminal offenses;
• Measures for building and facility security (e.g. access controls);
• Measures for business management and further development of services and products;
• Risk management.

‍

A special note on wallet private keys

For your protection, we will never store the private keys to your wallet. It is therefore important that you take the necessary steps (and we will prompt you during registration) to save your 12 Secret Words. You will need these to recover your wallet.

Who gets my data?

We may only disclose information about you if we are required to do so by law, you have consented or we are authorised to provide information. Under these conditions, recipients of personal data may be, for example:

• Regulators;
• The service providers we use to perform identify verification, process fiat transaction (i.e. payment gateways) or perform market analysis.

Data may be transferred internationally as far as it is necessary to complete your identify verification (we use global KYC service providers), is required by law or you have given your consent.

How long will my data be stored?

We process and store your personal data as long as it is necessary for the fulfillment of our obligations.

Does profiling take place?

We sometimes process your data automatically with the aim of evaluating certain personal aspects(profiling). We use profiling in the following cases:

• Due to legal and regulatory requirements, we are obligated to combat money laundering, terrorist financing and criminal offenses that endanger assets. In the process, data evaluations are also carried out. These measures also serve to protect you.
• In order to be able to inform and advise you about products in a targeted manner, we use evaluation tools. These enable needs-based communication and advertising, including market and opinion research.

We may collect biometric data about you

Biometric data may qualify as sensitive personal data. Therefore, where required by applicable law, your explicit consent, to be obtained separately, is required to use your fingerprint or other biometric recognition system to access certain applications.

Features and Links to Other Websites

Our websites may include links to other third-party websites, social media tools, widgets or plug-ins, permitting sharing web content including IP address, with third parties and social media providers. These social media providers may learn of your visit even if you are not logged in to your social media account or if you do not have an account with them. To the extent any linked websites or features you visit or use are not part of the toco initiative, we suggest that you review their own privacy notices or policies.

What data protection rights do I have?

Depending on your country, you may have the right or choice to:

• Opt out of some collection or uses of your personal information, including the useof cookies and similar technologies, the use of your personal information for marketing purposes, and the anonymization of your personal information for data analyses.
• Access your personal information, obtain a copy of it, rectify it, restrict or object to its processing, or request its deletion, destruction or anonymization.
• Receive the personal information you provided to us to transmit it to another company.
• Withdraw any consent provided.
• Where applicable, lodge a complaint with your relevant supervisory authority or regulator.

You, or a party authorized to act on yourbehalf, can exercise your rights by contacting us on hello@tocos.org.

You may withdraw your consent to the processing of your personal data at any time. Please note that this is only effective for the future. Processing that took place before the withdrawal request is not affected. If you object or revoke your consent, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. Please note that in such cases we will not be able to provide services and maintain a business relationship with you.

‍