Who we are
Treviya Holdings ("Treviya", "we", "us") is the data controller of the personal data described in this Policy. Our registered office is Floor 16, Bay Gate Tower, Business Bay, Dubai, United Arab Emirates.
Our Data Protection Officer can be contacted at dpo@treviya.com. Our compliance desk can be contacted at compliance@treviya.com.
Scope
This Policy applies to personal data Treviya processes when you visit treviya.com, open a Treviya account, apply to become a supplier, partner or institutional buyer, interact with our commerce, supplier, partner, compliance or legal desks or otherwise engage with the platform.
Personal data we collect
Identity data: name, date of birth, nationality, registered address, identity document details (passport or national ID number), photograph submitted for identity verification.
Entity data (for institutional accounts): registration number, articles of association, ultimate beneficial owner details, director identification, source-of-funds declarations.
Account data: email, phone, username, hashed password, two-factor device metadata, session logs, device fingerprint, IP address.
Cycle data: authorisations, allocations, path selections, messages sent through the platform, disputes filed, evidence uploaded.
Financial data: credit top-up and withdrawal records, counterparty bank or wallet identifiers, transaction monitoring flags.
Communications data: support tickets, scheduled call metadata, messages sent to commerce, supplier, compliance, press or legal desks.
Technical data: pages visited, timestamps, browser and device information, referrer, crash reports (aggregated and anonymised where possible).
How we use personal data
Treviya uses personal data for the following purposes:
- Account provision: creating and maintaining your account, authenticating sessions, processing authorisations and settlements.
- KYC and KYB: verifying your identity or entity as required by AML regulation.
- Sanctions screening: continuous screening against UN, OFAC, EU, UK and Swiss SECO lists at registration and thereafter.
- Cycle operation: recording authorisations, routing supplier and partner communications, generating settlement statements.
- Compliance: meeting obligations under AML, data protection, tax and other applicable law.
- Service improvement: analysing platform use in aggregate to improve functionality and reliability.
- Security: detecting and preventing fraud, account compromise and platform abuse.
- Communications: sending service messages, dispute updates and (with consent) opt-in newsletters.
- Dispute handling: resolving disputes and, where necessary, defending or bringing legal claims.
Legal basis for processing
Under GDPR and the UK Data Protection Act, we rely on the following legal bases:
- Contract: processing necessary to provide the platform to you under these Terms.
- Legal obligation: KYC / KYB, sanctions screening, tax reporting, record retention and other regulatory duties.
- Legitimate interests: platform security, fraud prevention, service improvement, internal reporting and analytics.
- Consent: marketing communications, non-essential cookies, optional features.
- Vital interests: in rare cases where processing is necessary to protect someone's life or safety.
Under Swiss FADP and Singapore PDPA we rely on equivalent bases as implemented in those regimes.
International transfers
Personal data may be transferred to countries outside the UK, EEA, Switzerland or Singapore for the purposes above. Where we do so, transfers are protected by one of the following mechanisms: (a) an adequacy finding by the source regulator, (b) Standard Contractual Clauses (SCCs) incorporated into our vendor agreements or (c) another lawful transfer mechanism available under the applicable regime. A list of transfer destinations is available on request to dpo@treviya.com.
Retention
We retain personal data for no longer than is necessary for the purposes for which it was collected, subject to the following minimums required by law or regulation:
- KYC / KYB records: 7 years after account closure, per AML rules.
- Cycle ledger entries: 7 years minimum, retained on the platform's append-only log.
- Settlement statements and supporting documents: 7 years minimum.
- Support and dispute records: 6 years after resolution.
- Marketing consent records: until consent is withdrawn, plus 2 years thereafter.
After the retention period, personal data is deleted or anonymised.
Security
Treviya applies technical and organisational measures to protect personal data from unauthorised access, alteration, disclosure or destruction. Measures include AES-256 encryption at rest, TLS 1.3 in transit, HKDF-SHA256 key derivation, mandatory two-factor authentication for accounts, step-up authentication on sensitive actions, role-based access control, continuous monitoring and regular penetration testing. The Security page documents the full architecture.
Your rights
Subject to the data-protection framework applicable to you, you may exercise the following rights:
- Access: request a copy of your personal data.
- Rectification: correct inaccurate personal data.
- Erasure: delete your personal data, subject to statutory retention obligations.
- Restriction: limit processing in specific circumstances.
- Portability: receive your personal data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests.
- Withdraw consent: for any processing based on consent.
- Lodge a complaint: with the Information Commissioner's Office (UK), your national data-protection authority (EU / EEA), the Federal Data Protection and Information Commissioner (Switzerland) or the Personal Data Protection Commission (Singapore).
To exercise any of these rights, use the account privacy panel in the member dashboard or email dpo@treviya.com. We respond within 30 calendar days (shorter where your regime requires).
Children
The platform is not intended for children. Account opening requires verified age of at least 18 (or the relevant age of majority in the account holder's jurisdiction). Where we become aware that a child's data has been submitted, we delete it promptly.
Automated decision-making
Sanctions screening, risk scoring and anomaly detection involve automated processing. Automated sanctions hits block account activation pending human review. Risk scores inform monitoring thresholds but do not solely determine account status.
You have the right to request human review of automated decisions that affect you. Requests can be made to dpo@treviya.com.
Changes to this Policy
We review this Policy at least annually. Material changes are announced to account holders at least 30 days before they take effect. Prior versions are retained and available on request to dpo@treviya.com.
Contact
Questions about this Policy can be directed to dpo@treviya.com. For general enquiries, contact compliance@treviya.com.