Legal

Stable Mint Global Privacy Policy

Last updated: July 23, 2024

This privacy notice explains how Stable mint Ltd (“Stable Mint”) collects, uses and otherwise processes personal data when providing its services as an electronic money institution. The privacy notice has been prepared in accordance with articles 13 and 14 of the General Data Protection Regulation (the “GDPR”). 

1. Identity of the Controller

The data controller of your personal data is Stable mint Ltd, a company incorporated in Malta having company registration number C 109060 and registered address at Trident Park, Notabile Gardens, No. 2 – Level 3, Mdina Road, Zone 2, Central Business District, Birkirkara CBD 2010, Malta.

Stable Mint can be contacted via email at info@stablemint.io, and via post at Trident Park, Notabile Gardens, No. 2 – Level 3, Mdina Road, Zone 2, Central Business District, Birkirkara CBD 2010, Malta. 

Stable Mint has appointed a Data Protection Officer in terms of the GDPR. The Data Protection Officer can be contacted via email at gdpr@stablemint.io, and via post at Trident Park, Notabile Gardens, No. 2 – Level 3, Mdina Road, Zone 2, Central Business District, Birkirkara CBD 2010, Malta. 

2. Categories of Personal Data

The term “Personal Data” refers to all personally identifiable information about you and includes all the information you provide to Stable Mint or information that is provided to Stable Mint by third parties, which can be identified with you personally. 

The following are the categories of personal data that Stable Mint collects as part of the provision of its services:

  • Identity Data: Your identity details such as your name, surname, nationality, residence status, passport or ID number, National Insurance number and Income Tax number (where applicable), the ‘Request ID’ that is generated by Stable Mint when a mint request is initiated), your internal reference which is generated by Stable Mint and includes your identity details, risk score and digital wallet information and a detailed customer file that includes a risk profile, identification, beneficial owner information and transaction records;
  • Contact Data: Your contact information such as your email address, physical address and any telephone numbers;
  • Financial Data: Your IBAN number, bank account numbers and digital wallet identifiers;
  • KYC Data: Copies of identification documents (such as ID cards and passports), information on source of funds and wealth and the risk score that is generated during a redemption request;
  • Online Data: Cookies that are activated when visiting Stable Mint’s website and IP addresses associated with the device through which you access Stable’s website; and
  • General Data: Any personal data that we may collect and process as a result of legal obligations imposed on Stable Mint, any personal data that Stable Mint may process as a result of our, or a third party’s, legitimate interest and any personal data which you may voluntarily provide to us.

We do not collect and/or otherwise process special categories of personal data.

3. Purposes of Processing and Legal Basis for Processing

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases (in terms of article 6 of the GDPR) we rely on to do so. We have also identified what our legitimate interests are, where appropriate.

Note that we may process your personal data on more than one lawful basis, depending on the specific purpose for and context in which we are using your personal data. Please contact us if you require details about the specific legal basis we are relying on to process your personal data where more than one legal basis has been set out in the table below.

Purpose of Processing Categories of Personal Data Lawful bases for processing 
To process and respond to your queries, requests, feedback, complaints, or any other communication received via post, phone, email, social media, our Website, or through any other platform.
  1. Identity Data
  2. Contact Data
  3. General Data
  1. Our legitimate interest to efficiently handle queries, requests, feedback, complaints, and any other communications received in relation to Stable and its business and services.
  2. Should you enquire about or request our products or services, the lawful basis of processing will be taking steps at your request prior to entering into a contract with you or with the corporate entity you represent.
To enter into and perform a contract with you or the entity that you represent for the provision of products and/or services
  1. Identity Data
  2. Financial Data
  3. KYC Data
  4. Contact Data
  5. Online Data
  6. General Data
  1. Necessity for the performance of our contract with you for the provision of products and/or services, where you are our client of record.
  2. Our legitimate interest in maintaining and honouring our contractual relationship that we have entered into with an entity that you represent or are employed by.
To comply with our legal and statutory obligations 
  1. Identity Data
  2. Financial Data
  3. KYC Data
  4. Contact Data
  5. General Data
 To comply with our legal obligations, particularly our anti-money laundering obligations. 
Verification and identification of clients
  1. Identity Data
  2. Financial Data
  3. KYC Data
  4. Contact Data
  5. General Data
  1. Necessary to take steps to enter into a contract with you for the provision of products and/or services, where you are our client of record.
  2. Our legitimate interest in entering into contractual relationship with an entity that you represent or are employed by.
Onboarding and monitoring client relationships
  1. Identity Data
  2. Financial Data
  3. KYC Data
  4. Contact Data
  5. General Data
  1. Necessary to take steps to enter into a contract with you for the provision of products and/or services, where you are our client of record.
  2. Our legitimate interest in entering into contractual relationship with an entity that you represent or are employed by.
  3. Compliance with our legal obligations.
To administer our website Online Data
  1. Our legitimate interest to administer our website efficiently and securely.
  2. Your consent
To establish, exercise or defend legal claims
  1. Identity Data
  2. Financial Data
  3. KYC Data
  4. Contact Data
  5. Online Data
  6. General Data
 Our legitimate interest to establish, exercise or defend legal claims.

4. Categories of recipients of personal data

Stable Mint may disclose, transfer and/or share personal data with other entities in order to provide its services. The categories of recipients of your personal data may include:

  • Entities forming part of our group of companies;
  • Stable Mint’s regulatory, compliance and audit partners;
  • Stable Mint’s banking partners and other credit institutions;
  • Stable Mint’s professional advisors, including lawyers, auditors and accountants;
  • Exchanges and market markers; and
  • Regulators and supervisory authorities.

5. International transfers of personal data

Stable Mint may be required to transfer your personal data to entities located outside of the EU in order to provide you with Stable’s services. 

Stable Mint is a wholly owned subsidiary of Gold Token SA (“GTSA”). GTSA is a Swiss-incorporated stablecoin issuer with status as an SRO, a self-regulated organisation which is subject to supervision and monitoring by FINMA. Other companies forming part of Stable Mint’s group of companies are located in Jersey and the United Kingdom. Seeing as Switzerland, Jersey and the United Kingdom, Stable Mint has ensured that any transfer of personal data to these jurisdictions complies with Chapter V of the GDPR.  At as the date of this privacy notice, all three jurisdictions are subject to adequacy decisions in terms of article 45 of the GDPR. In the event that the adequacy status of a jurisdiction changes, Stable Mint shall ensure that it implements one of the transfer safeguards referred to in article 46 of the GDPR and you will be able to access a copy of the transfer safeguards used by contacting us through the details set out in section 1 above.  

6. Retention of personal data

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements that may be applicable.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Our standard practice is to determine whether there are any specific laws permitting or obliging us to keep certain personal data for a certain period of time, in which case we will typically keep the personal data for the maximum period indicated by any such law. We would also determine whether there are any laws and/or contracts that may be invoked against us by you and/or third parties and, if so, what the prescriptive periods for such actions are. These periods are usually of two or five years. In such cases, we will keep any relevant personal data that we may need to defend ourselves against any claims, challenges or other such actions by you and/or third parties for such time as is necessary. 

Generally, personal data that is processed for the purpose of providing our services shall be retained for five (5) years from the date of termination of our contractual relationship on the basis of the Financial Institutions Act (Chapter 376 of the Laws of Malta) and our legitimate interests to protect ourselves from civil cases which you might institute against us. 

KYC Data will be retained for a maximum period of ten (10) years from the date on which that data is collected in accordance with the Prevention of Money Laundering and Funding of Terrorism Regulations (SL 373.01).

7. Processing requirements

The processing of your personal data is both a statutory requirement and a contractual requirement. It is a statutory requirement because we are required to process certain personal data (particularly your KYC Data) to comply with legal obligations imposed on us under anti-money laundering laws. The processing of your personal data is also a contractual requirement for the performance of the services contract that we enter into with you. Failure to provide us with your personal data will result in you being unable to utilise our services.

8. Automated Decision-Making

Your personal data may be subject to automated decision making when your risk score is generated by Stable Mint in response to a redemption request. The risk score is generated by Stable Mint and the resulting risk score is based on a number of factors, including geography, nature of business relationship, interaction type, political exposure and adverse media. Stable Mint’s compliance officer frequently reviews the risk scores generated, but Stable Mint’s default process is that these scores are generated without human intervention.

The legal effect of this automated decision-making process is that you may be denied a redemption request if your risk score falls below Stable Mint’s internal risk profile. Subject to exemptions as set out in the GDPR, namely that the decision will be required to perform the contract for services that we have entered into with you, you have the right to request that Stable Mint does not utilise its automated decision-making software for the purpose of your redemption request.

9. Your rights

For as long as we retain your personal data, you have certain rights in relation to your personal data including:

Right to object You have a right to object and request that we cease the processing of your personal data where we rely on our, or a third party’s legitimate interest for processing your personal data.
Right of access
 You have the right to obtain confirmation from Stable as to whether or not personal data concerning you is being processed and, where that is the case, access to the personal data as well as other information as set out in article 15(1) GDPR
Right to erasure
 In certain circumstances, you may request that we delete the personal data that we hold about you. 
Right to portability
 You may request that we provide you with personal data concerning you in a structured, commonly used and machine-readable format (except where such personal data is provided to us in hand-written format, in which case such personal data will be provided to you, upon your request, in such hand-written form). Where technically feasible, you may also request that we transmit such personal data to a third-party controller indicated by you.
Right to rectification
 You have the right to update or correct any inaccurate or incomplete personal data which we hold about you.
Right to restriction
 You have the right to request that we stop using your personal data in certain circumstances, including if you are of the view that we are unlawfully processing your personal data or the personal data that we hold about you is inaccurate.
Right to withdraw your consent
Where our processing of your personal data is based on your consent, you have the right to withdraw that consent. Withdrawal of your consent will not affect the lawfulness of the processing based on your consent prior to its withdrawal.
Right to be informed of the source Where the personal data we hold about you was not provided to us directly by you, you may also have the right to be informed of the source from which your personal data originates.

Please note that your rights in relation to your personal data are not absolute and we may not be able to entertain such a request if we are prevented from doing so in term of an applicable law.

You may exercise the rights indicated in this section by contacting us at the details indicated in section 1 above.

10. Complaints

If you have any complaints regarding our processing of your personal data, we kindly ask that you please attempt to resolve any issues you may have with us first by contacting us at the contact details included in section 1 above. However, please note that you always have a right to lodge a complaint with the Office of the Information and Data Protection Commissioner in Malta (www.idpc.gov.mt).

11. Minors

Our services are not available for persons under the age of 18 (a “Minor“). We do not knowingly collect personal information from or about Minors. If you are a Minor, you should not download or use any of our services nor provide any personal data to us.

If we become aware that a Minor has shared any personal data with us, we will delete such information. If you have any reason to believe that a Minor has shared any information with us, please contact us using the details set out in section 1 above. 

12. Updates

We may update this Privacy Notice in our sole discretion including as result of a change in applicable law or processing activities. Any such changes will be communicated to you prior to the commencement of the relevant processing activity.

If you represent a company, intermediary or other corporate entity (including a bank or broker), and you provide Stable Mint with personal data of third-party individuals such as your employees, affiliates, service providers, underlying clients/customers, directors or any other individuals connected to your business, you shall be solely responsible to ensure that:

  • you immediately bring this Privacy Notice to the attention of such individuals and direct them to it;
  • the collection, transfer, provision and any processing of such personal data by you and the entity that you represent fully complies any applicable laws;
  • as a Controller (as defined by the GDPR), the entity that you represent remains fully liable towards such individuals and adheres to the applicable data protection law;
  • you collect, and subsequently provide, any information notices, approval, consents or other requirements that may be required from such individuals before providing Stable Mint with their personal data; and
  • you remain responsible for making sure the information you give Stable Mint is accurate and up to date, and you must tell us if anything changes as soon as possible.

You hereby fully indemnify Stable Mint and shall render Stable Mint completely harmless on first written demand against all costs, damages or liability of whatsoever nature resulting from any claims or litigation (instituted or threatened) against Stable Mint as a result of your provision of said personal data to us.