Version 1.1.0 · Effective: June 1, 2026

Ebioro Privacy Policy

Last updated: June 1, 2026

1. Introduction

This Privacy Policy explains how Ebioro UAB (“Ebioro,” “we,” “us,” or “our”) collects, uses, discloses, and safeguards personal data when you access or use our websites, mobile applications, APIs, and related services (collectively, the “Services”).

By using the Services, you acknowledge that your personal data will be processed as described in this Privacy Policy. If you do not agree, please refrain from using the Services.

This Privacy Policy may be updated from time to time. The most current version will always be available at www.ebioro.com/legal/privacy.

2. Who We Are

Ebioro UAB is a private limited company incorporated in Lithuania (registration number 305994333), with its registered office at Laisvės pr. 60, Vilnius, Lithuania.

For the purposes of applicable data protection laws, including:

  • Regulation (EU) 2016/679 (the General Data Protection Regulation – GDPR)
  • The Lithuanian Law on the Legal Protection of Personal Data

Ebioro acts as a data controller where it determines the purposes and means of processing personal data.

Depending on the specific service provided, Ebioro may also act as a data processor or joint controller when processing personal data on behalf of or together with third-party partners, in accordance with applicable data processing agreements.

Data Protection Officer (DPO):
📧 [email protected]

3. Scope of This Policy

This Privacy Policy applies to personal data collected:

  • Through our websites, mobile applications, and APIs
  • Through communications with us (email, customer support, surveys, chat tools)
  • From third-party service providers (e.g., identity verification or compliance partners)
  • When you interact with the Services, including account access, transactions, or integrations

4. Personal Data We Collect

4.1 Information You Provide to Us

We may collect the following categories of personal data:

  • Identification Data: name, date of birth, nationality, address, email, phone number
  • Official Identification: passport, national ID card, driver’s license, residency status, tax identifiers
  • Biometric Data: selfie images or video recordings used for identity verification
  • Financial Data: bank account details, card information, transaction-related information
  • Professional / Business Data: company name, registration details, role, business address
  • Wallet & Technical Data: blockchain wallet addresses, transaction references
  • Authentication Data: login credentials, session identifiers, security PINs
  • Preferences & Communications: language settings, notifications, customer support communications

4.2 Information Collected Automatically

  • Device & Network Data: IP address, operating system, browser type, device identifiers
  • Usage Data: interaction logs, access times, authentication events
  • Cookies & Similar Technologies: as described in our Cookie Policy

4.3 Information from Third Parties

  • Identity & Compliance Providers: identity verification results, biometric verification status, sanctions and PEP screening
  • Service Providers: payment infrastructure, account or settlement partners
  • Blockchain Networks: publicly available transaction metadata
  • Public Sources: commercial registries, sanctions lists, regulatory databases

4.4 Aggregated and Anonymized Data

We may generate anonymized or aggregated data for analytics, fraud prevention, risk monitoring, and service improvement purposes. This data does not identify individuals.

5. Legal Bases for Processing

We process personal data on one or more of the following legal bases:

  • Contractual necessity: to provide the Services requested by you
  • Legal obligations: including AML/CTF, sanctions screening, and regulatory requirements
  • Legitimate interests: to prevent fraud, ensure platform security, and improve Services
  • Consent: where required, including for biometric verification or marketing communications

5.1 Are you required to provide your data?

Some of the personal data we ask for is required either by law or in order to enter into and perform our contract with you:

  • Identity and verification data (KYC/KYB): providing it is both a legal requirement — under anti-money-laundering and counter-terrorist-financing (AML/CTF) and sanctions rules — and a contractual requirement to open and maintain an account. If you do not provide it, we cannot verify your identity and cannot open an account or provide the Services to you, or we may have to suspend or limit access to an existing account.
  • Data needed for a specific transaction: without it we cannot process the transaction or service you request.
  • Optional data: other data — for example, data we process on the basis of your consent, such as marketing communications — is voluntary. You may choose not to provide it, or withdraw your consent at any time, without affecting the provision of the core Services.

6. How We Use Personal Data and Legal Basis

The table below sets out, for each purpose, the legal basis we rely on (Article 6 GDPR; and, for special-category data such as biometrics, Article 9):

PurposeLegal basis
Verify identity and perform KYC/KYB checksLegal obligation (AML/CTF and sanctions) and contractual necessity
Comply with AML/CTF, sanctions and other regulatory obligationsLegal obligation
Provide, operate and maintain the Services; facilitate transactions and technical integrationsContractual necessity
Enable partner-provided services requested by youContractual necessity and, where the service is optional, your consent
Biometric verification (where applicable)Your explicit consent (Art. 9(2)(a) GDPR)
Provide customer support and resolve disputesContractual necessity and legitimate interests
Prevent fraud and ensure platform securityLegitimate interests and, where applicable, legal obligation
Send operational and service-related communicationsContractual necessity
Send marketing communicationsYour consent
Improve security, performance and functionalityLegitimate interests

6.1 Reuse of KYC/KYB Information for Partner Services

Where permitted by law and necessary to provide additional services requested by you, Ebioro may reuse previously collected identity or business verification information (KYC/KYB) and share it with trusted service providers (such as banking, payment, or account infrastructure partners), so that you are not required to submit the same information multiple times.

Such sharing is limited to what is necessary to enable the requested service and is subject to contractual confidentiality and data protection obligations.

6.2 Automated Decisions and Profiling

To meet our legal obligations and protect the platform, we use automated systems that assess the risk of each customer and each transaction. This includes building risk profiles (for example, a customer risk index) and generating signals or alerts.

Logic involved: these systems combine factors such as country of residence or incorporation, customer and product type, transaction patterns and volumes, and the results of sanctions and politically-exposed-person (PEP) screening.

Possible consequences: a high risk score may lead to additional checks (enhanced due diligence), delays to a transaction, or restriction or closure of access to the Services.

Where a decision is based solely on automated processing and produces legal effects concerning you or similarly significantly affects you, you have the right to obtain human intervention, express your point of view and contest the decision by writing to [email protected]. However, certain measures required by AML/CTF and sanctions law may be maintained where the law so requires.

7. Sharing of Personal Data

We may share personal data with:

  • Identity and Compliance Providers (e.g., KYC/KYB verification services)
  • Financial Institutions and Infrastructure Partners (e.g., virtual accounts, payment rails)
  • Technology and Hosting Providers supporting the Services
  • Regulators, Supervisory Authorities, or Law Enforcement where required by law
  • Affiliated or Acquiring Entities in the context of corporate restructuring

Personal data is shared solely to enable the Services requested by you and in accordance with applicable data protection laws. We do not sell personal data.

8. International Data Transfers

Some of our service providers (for example, identity verification, cloud hosting or payment infrastructure providers) may be located outside the European Economic Area (EEA). Where we transfer personal data outside the EEA, we apply the safeguards required by the GDPR, including:

  • European Commission adequacy decisions
  • Standard Contractual Clauses (SCCs), with supplementary measures where appropriate
  • Your explicit consent, where required

You can request a copy of the applicable safeguards by contacting [email protected].

9. Blockchain-Related Data

Certain data, such as public blockchain wallet addresses and transaction records, may be recorded on distributed ledger networks that are immutable and publicly accessible. Such data cannot be altered or deleted by Ebioro.

Where possible, Ebioro limits processing to off-chain data and applies pseudonymization measures.

10. Data Security

We implement appropriate technical and organizational measures to protect personal data, including encryption, access controls, monitoring, and internal policies. Users are responsible for maintaining the confidentiality of their credentials.

11. Data Retention

We keep personal data only for as long as necessary for the purposes described and to comply with the law. Periods are determined by category:

Data categoryRetention period
Identity and compliance data (KYC/KYB, AML/CTF, sanctions, transaction monitoring)For the duration of the relationship and the period required by applicable AML/CTF law — up to 10 years after the account is closed.
Transaction and account recordsFor the duration of the relationship and as required by accounting, tax and AML obligations.
Support and communicationsTypically up to 24 months after the interaction, unless needed for a dispute or legal claim.
Device, usage and security logsTypically up to 12 months, or longer where needed to investigate security incidents.
Data processed on the basis of your consent (e.g. marketing)Until you withdraw your consent or object to the processing.

Once retention periods expire, personal data is securely deleted or anonymized.

12. Children’s Data

The Services are not intended for individuals under 18 years of age. If we become aware that personal data of a minor has been collected, it will be deleted without undue delay.

13. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access your personal data
  • Request correction or deletion
  • Withdraw consent
  • Restrict or object to processing
  • Request data portability
  • Lodge a complaint with a supervisory authority

Requests can be submitted to [email protected]. Identity verification may be required.

14. Marketing & Cookies

You may manage marketing preferences via your account or by contacting us. Information about cookies and similar technologies is available in our Cookie Policy.

15. Contact Information

Ebioro UAB (registration number 305994333)
📧 [email protected]
📧 [email protected]
📍 Laisvės pr. 60, Vilnius, Lithuania

You have the right to lodge a complaint with the competent supervisory authority. In Lithuania this is the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, VDAI), L. Sapiegos g. 17, 10312 Vilnius, Lithuania — https://vdai.lrv.lt.