Privacy Policy – Urano Ecosystem Presale

1. Data controller

Pursuant to Regulation (EU) 2016/679 (“GDPR”) and applicable data protection regulations, the Data Controller is:

• URANO ECOSYSTEM Sp. z o.o.

• Registered office: ul. Mickiewicza 39A/3, 86-300 Grudziądz (Kuyavian-Pomeranian Voivodeship), Poland

• Registration number (KRS): 0001028647

• REGON: 524912675

• VAT number (NIP): 8762504246

• Contact email: official@uranoecosystem.com

The Data Controller has appointed a Data Protection Officer (DPO), who can be reached at: dpo@uranoecosystem.com.

Personal data processing also complies with Regulation (EU) 2023/1114 (MiCA), with particular attention to provisions relating to user identification (KYC), information transparency, and the prevention of market abuse.

2. Purpose of the processing

The personal data collected through the $URANO token Presale landing page are processed for the following purposes:

• F1. Provision of services: allow registration for the Presale and provide informative content on the Urano Ecosystem project;

• F2. Identity Verification (KYC): verify the identity and age of users, in compliance with AML/CFT and MiCA regulations;

• F3. Administrative, technical and security management: ensure the correct functioning of the platform, prevent its abuse and guarantee its IT and operational security;

• F4. Regulatory and tax compliance: comply with applicable legal and sector-specific regulatory obligations, including those relating to the prevention of money laundering, counterterrorism, and transparency in crypto markets;

• F5. Mandatory communications: send notifications regarding changes to the Terms, Policies or legal updates, where necessary;

• F6. Protection of the Data Controller's rights: exercise or defend a right in or out of court.

2.1 Legal bases of the processing

The processing of personal data by Urano Ecosystem is based on the following legal bases, pursuant to Article 6 of the GDPR:

• Performance of a contract or pre-contractual measures – pursuant to art. 6(1)(b) GDPR: processing is necessary to allow the user to access the Presale, to provide the related services and to fulfill the user's pre-contractual requests;

• Fulfillment of legal obligations – pursuant to art. 6(1)(c) GDPR: in particular in relation to anti-money laundering legislation (AML/CFT), applicable tax legislation and the obligations set forth in Regulation (EU) 2023/1114 (MiCA), which require user identification and the traceability of relevant transactions;

• Legitimate interests of the Data Controller – pursuant to art. 6(1)(f) GDPR: relating to fraud prevention, IT security, technical monitoring of the platform, and the protection of the Data Controller's legal rights, including in judicial or administrative proceedings. These interests are balanced against the data subject's fundamental rights and freedoms;

• Explicit consent of the data subject – pursuant to Art. 6(1)(a) GDPR: required where necessary, for example, for the processing of special categories of data (such as biometric data managed by the KYC provider) or for the sending of optional communications. In any case, consent can be revoked at any time.

2.2 Age restriction

Access to the Presale is reserved exclusively for adult users (18+). Urano Ecosystem does not intentionally collect or process personal data relating to minors. Any data accidentally collected will be promptly deleted.

3. Methods of collecting personal data in the presale

Personal data is collected directly from the user at various stages of the Presale. Upon registration, we request and process identification data (first name, last name) and contact information (email address). To comply with legal and security obligations (including AML/CFT and MiCA), the user is redirected to the platform of our third-party provider, Persona Identities, Inc., for identity verification (KYC). During this process, Persona directly collects and processes the necessary data, such as identity documents, contact information, and potentially biometric data with the user's consent, without us processing or storing it directly.

Finally, to enable participation in the Presale, Urano Ecosystem receives only the public address of the user's blockchain wallet and technical metadata, such as the verification outcome (verified/unverified), a unique identifier, and a verification timestamp. Additionally, browsing data such as the IP address are collected automatically for security purposes and the proper functioning of the platform.

4. Type of data processed

In the context of registration and participation in the Presale, as well as simply browsing the landing page, Urano Ecosystem may process the following categories of personal data:

• a. Identification data: name, surname, and other data requested during registration or identity verification;

• b. Contact details: email address provided by the user;

• c. KYC verification data: verification outcome (verified/not verified), unique transaction identifier, timestamp, country code, and technical metadata provided by the Persona provider;

• d. Blockchain wallet address: public address associated with the user's wallet, used for the purposes of participating in the Presale and verifying eligibility;

• e. Browsing and technical data: IP address, user agent (browser/device), access times, referrer and system logs, collected automatically for security and statistical purposes;

• f. Data provided voluntarily: any additional information spontaneously communicated by the user in the forms on the site (e.g. contact requests, comments, suggestions).

Urano Ecosystem does not directly collect or process identity documents or biometric data. Such information, if requested, is managed independently and securely by the third-party provider Persona Identities, Inc., as specified in the section on identity verification.

5. Data retention

Personal data will be retained for a period no longer than necessary to achieve the purposes indicated in this policy and, in particular:

• a. For data collected for identity verification purposes (KYC), retention will be guaranteed for at least 5 years from the termination of the contractual relationship, in compliance with applicable anti-money laundering (AML/CFT) regulations. The processing and storage of such data, where delegated to specialized external providers (e.g., Persona Identities, Inc.), will be carried out in compliance with contractual agreements and required security measures.

• b. For other data collected through the landing page (e.g. technical data, email, IP address), the retention period will not exceed 12 months from collection, except for legal obligations, legal defense purposes, or requests from the competent authorities.

At the end of the periods indicated above, the data will be erased, unless their further retention is necessary to fulfill specific regulatory obligations or in the event of ongoing disputes.

6. Recipients and data transfer

Personal data may be disclosed, in compliance with the principles of lawfulness, necessity, and proportionality, exclusively to the following third parties:

• a. Technology and infrastructure service providers (e.g., cloud, hosting, IT security, platform maintenance), limited to the technical and operational purposes related to the provision of the service;

• b. Public authorities, regulatory or judicial bodies, in compliance with legal obligations or at their legitimate request (e.g. tax, anti-money laundering, judicial authorities);

• c. Professional consultants (legal, tax, accounting), limited to the fulfillment of regulatory obligations or to protect the rights of the Data Controller;

• d. Persona Identities, Inc., as a third-party provider specializing in identity verification (KYC AML, PEP screening, etc.) services. See Section 10 of this Privacy Policy.

All recipients are bound by contractual agreements ensuring adequate security measures and compliance with current legislation on personal data protection (GDPR). In the event of transfers to third countries, the following measures will be applied: appropriate guarantees pursuant to Articles 44 et seq. of the GDPR (e.g. adequacy decisions, Standard Contractual Clauses).

7. Transfers outside the EU

Some personal data may be transferred to countries located outside the European Economic Area (EEA), including the United States, particularly in the case of services provided by third parties such as Persona Identities, Inc., provider based in the USA (see Section 10).

Such transfers will take place exclusively in compliance with the articles 44 and following of the GDPR, adopting one or more of the following appropriate guarantees:

• a. Standard Contractual Clauses (SCC) adopted by the European Commission pursuant to art. 46(2)(c) GDPR;

• b. Verification of the adequate level of data protection offered by the recipient, including through audits and declarations of compliance with the additional measures provided for by the EDPB Guidelines 01/2020;

• c. Adoption of appropriate technical and organizational measures to guarantee the security, integrity, and prevention of unauthorized access to the personal data transferred.

The User can request further information on the applicable guarantees or a copy of the Standard Contractual Clauses by writing to: official@uranoecosystem.com or dpo@uranoecosystem.com.

8. Rights of the interested party

The User, as an interested party, can exercise at any time the rights recognised by the Articles 15–21 of the GDPR, including:

• a. Right of access: obtain confirmation of the existence or otherwise of personal data concerning him or her and access it;

• b. Right to rectification: request the correction or updating of inaccurate or incomplete data;

• c. Right to erasure (“right to be forgotten”): obtain the erasure of your data in the cases provided for by art. 17 GDPR;

• d. Right to restriction of processing: request limitation of processing in the cases provided for by art. 18 GDPR;

• e. Right to object: object to the processing of data for reasons related to your particular situation (Article 21 GDPR);

• f. Right to data portability: receive your data in a structured, commonly used and machine-readable format and, if technically feasible, transmit them to another data controller.

The User can exercise his/her rights by sending a request via email to the official support: official@uranoecosystem.com or to the Data Protection Officer (DPO): dpo@uranoecosystem.com.

Requests will be processed within 30 days from receipt, except for extensions in cases of particular complexity, in accordance with art. 12 GDPR.

The exercise of rights is free, except where requests are manifestly unfounded or excessive pursuant to art. 12(5) GDPR.

The User also has the right to lodge a complaint with a competent supervisory authority if he or she believes that the processing of his or her data violates the applicable legislation on the protection of personal data (Article 77 GDPR).

9. Data security and protection

The Owner adopts appropriate technical and organizational measures, in accordance with the articles 24, 25 and 32 of the GDPR, in order to ensure a level of security appropriate to the risk, taking into account the nature, scope, context and purposes of the processing.

In particular, measures are implemented aimed at:

• a. Ensure the integrity, confidentiality and availability of the personal data processed;

• b. Prevent unauthorized access, accidental disclosure, destruction, loss, alteration or unlawful processing;

• c. Apply encryption and pseudonymization techniques to protect the most sensitive data;

• d. Perform periodic backups and disaster recovery systems for operational resilience;

• e. Regularly monitor and update digital infrastructure, including blockchain platforms and smart contracts used.

Additionally, the smart contracts used for the $URANO token Presale have been subjected to security audits by independent third parties to ensure transparency and protection of the technical interaction between the user and the protocol. More information will be available at: https://docs.uranoecosystem.com/more/audit.

When third-party providers are involved (e.g., for KYC or cloud hosting), Urano Ecosystem ensures that these parties are bound by contractual obligations regarding security and GDPR compliance.

10. Identity verification services

To ensure compliance with anti-money laundering (AML/CFT) regulations and Regulation (EU) 2023/1114 (MiCA), Urano Ecosystem uses the identity verification services provided by Persona Identities, Inc., a US-based company specializing in secure user onboarding and personal data protection, as Data processor pursuant to art. 28 of Regulation (EU) 2016/679 (GDPR).

During the KYC (Know Your Customer) procedure, the User is redirected to a secure session hosted directly on the Persona platform. There, Persona will collect and process the following data:

• a. Identification data (name, surname, date of birth, address);

• b. Identity document (passport, identity card, driving licence, etc.);

• c. Facial recognition via selfie or short video (liveness check);

• d. Biometric data, where required and with explicit consent of the User;

• e. Any technical metadata required for verification.

This data is processed exclusively for the following purposes:

• a. Verification of user identity;

• b. Prevention of fraud and illegal activities;

• c. Compliance with AML/CFT and MiCA regulatory obligations;

• d. Security audits and legal retention, where applicable.

Persona adopts advanced technical and organizational measures for data protection, including encryption, pseudonymization, instance isolation, continuous monitoring and granular access controls. The data is stored on infrastructures compliant with international standards, including SOC 2 Type II and ISO 27001.

The User retains the right to exercise the rights provided for by the GDPR at any time, including access, rectification, and deletion of data, directly through the Persona platform.

Urano Ecosystem does not directly access, store or process biometric data or identification documents uploaded by the User. It only receives:

• The outcome of the verification (verified/not verified),

• A unique identifier associated with the User,

• A timestamp of the verification.

Persona Identities, Inc. guarantees full GDPR compliance and adheres to international data protection frameworks. Further details are available in their official policy:

• https://withpersona.com/legal/privacy-policy
• https://withpersona.com/legal

11. No automated decision-making

Urano Ecosystem does not adopt automated decision-making processes, including profiling, which produces legal or similarly significant effects on the data subject, pursuant to the Article 22 of Regulation (EU) 2016/679 (GDPR).

12. Cookies and tracking tools

This landing page uses technical session cookies necessary for the proper functioning of the site and to guarantee the user secure access to services, including any integration with the identity verification system (KYC). These cookies fall into the category of essential cookies and do not require the user's consent, pursuant to current legislation (Article 122 of the Privacy Code and Article 5.3 of the ePrivacy Directive).

Possible third-party cookies may be used for strictly necessary technical purposes (e.g. fraud prevention during KYC), in accordance with the technical measures applied by the provider Persona Identities, Inc. These cookies are active only to the extent that they are essential for the secure provision of the service.

Non-essential analytical, profiling, or tracking cookies are not used on this landing page. If they are implemented in the future, they will only be activated with the user's consent via a specific banner.

For further details on the cookies used on this landing page, a specific document is available on the page: https://www.presale.uranoecosystem.com/cookie-policy.

For complete information on the cookies used across the entire Urano ecosystem, please refer to the official Cookie Policy, available at: https://www.uranoecosystem.com/cookie-policy.

13. Changes to the Privacy Policy

Urano Ecosystem reserves the right to modify this Privacy Policy at any time, including as a result of regulatory updates, technological developments, or internal organizational changes.

Any changes will be communicated via official announcements published on official project channels, such as the website, official social media channels, and other public communications. Users are encouraged to periodically consult the most up-to-date version of the information.

The current version of the Privacy Policy is always available at the following address: https://www.presale.uranoecosystem.com/privacy-policy.

For further information on the processing of personal data within the main site and the activities of the Urano ecosystem, please consult the general Privacy Policy available at: https://www.uranoecosystem.com/privacy-policy.

14. Regulatory validity

This Privacy Policy is drafted in accordance with Regulation (EU) 2016/679 (GDPR) and, where applicable, Regulation (EU) 2023/1114 (MiCA). It forms an integral part of the pre-contractual information provided to the User, pursuant to the applicable legislation regarding the protection of personal data and the regulation of services relating to crypto-assets.