Privacy Policy

WEB3 Solutions S.R.L. (Largo Richini 6 Cap 20122 Milan, Italy, registration number 13774000965) ("Lunu", "we" or "us") provide technical solutions that enable retailers to accept cryptocurrencies as payment and receive local-currency settlements. WEB3 Solutions S.R.L. is registered in Italy and operates under the oversight of the Organismo Agenti e Mediatori (OAM), the Italian authority for virtual asset service providers. Company comply with EU data protection law (GDPR) and with the EU's Markets in Crypto-Assets (MiCA) regulations.

This Privacy Policy explains how we implement GDPR and protect your personal data when you visit the Lunu website (https://lunu.io/) or use the Lunu services as a retailer or customer. Please note that some third-party service providers involved in our services act as independent data controllers and have their own privacy policies. This notice covers only the processing of your data by us, where we are the controller under GDPR.

Section 1: Controllers and Data Protection Officer

• WEB3 Solutions S.R.L. – Largo Richini 6 Cap 20122 Milan, Italy, registration number – 13774000965.

Each of the above companies is a data controller for the purposes of this Privacy Policy. Contact for Data Protection: [email protected] (this address is used for privacy inquiries and complaints).

Section 2: Supervisory Authorities

We are subject to the oversight of the data protection authorities in Italy:

• Italy: Garante per la protezione dei dati personali, Piazza Venezia 11, 00187 Roma. Tel: +39 06 696771; Fax: +39 06 696773785; Email: [email protected]; https://www.garanteprivacy.it.

You have the right to lodge a complaint with the competent authority in your country, for example the Lithuanian or Italian DPA mentioned above.

Section 3: Website Visitor Data

Scope: When you access any content on our website (the "Lunu Website"), our system automatically logs technical data ("Log Data") such as your browser type and version, operating system, IP address, data sent and received, timestamps of access, and language settings. This Log Data alone cannot personally identify you.

Purpose: We process Log Data to deliver the website content and maintain site functionality and security. For example, we temporarily store IP addresses to manage data traffic to and from the website, and we keep log entries (including IPs) for system security.

Legal Basis: Collecting Log Data is necessary for performance of our contract (Art.6(1)(b) GDPR) and for our legitimate interests (Art.6(1)(f) GDPR) in running and securing our website.

Retention: We delete Log Data when your session ends. We may retain certain log entries (including IP addresses) for up to 30 days for security and maintenance purposes.

Objection: Because this data collection is essential for the operation of the website, you cannot opt out of it.

Disclosure: We will only disclose Log Data to third parties if (a) you consent (Art.6(1)(a)), (b) it is necessary for contract performance (Art.6(1)(b)), (c) it is required by law (Art.6(1)(c)), or (d) it is necessary for our or a third party's legitimate interests (Art.6(1)(f)) and does not override your rights. We use processors (e.g. our hosting and security providers) under Art.28 GDPR, who are obliged to protect your data. The Log Data is processed exclusively within the EU.

Section 4: Cookies and Analytics

Scope: We use cookies and similar tracking technologies on the Lunu Website. These may collect data such as a unique identifier for your browser and basic usage metrics (e.g. number of visits). For example, we use Google Analytics cookies to analyze site traffic.

Purpose: Cookies help us improve the website and your user experience. We use them for analytics and to integrate services (e.g. linking Google Analytics and Ads).

Legal Basis: We rely on your consent in accordance with the EU ePrivacy Directive to set most non-essential cookies.

Retention: Cookie data (e.g. Google Analytics identifiers) is typically retained for up to 2 years. You can delete or block cookies through your browser settings at any time.

Objection: You can disable cookies in your browser or through other privacy controls. This may affect website functionality.

Disclosure: Cookie data is treated as your personal data and is only disclosed under the conditions in Section 3 (consent, contract, legal obligation, or legitimate interests). We use processors (such as analytics providers) who comply with GDPR. All cookie-related data is processed within the EU.

Section 5: Retailer Registration Data

If you register a Lunu Console account or use our services as a retailer, we collect personal and business information, including for example:

• Company name and legal form
• Company address and registration number
• Tax ID and fiat bank account number
• The name, email and mobile number of your representative.

Purpose: We use this information to set up your account and provide the Lunu payment services. We also process this data to fulfill legal obligations (e.g. tax and AML laws).

Legal Basis: Processing is necessary for contract performance (Art.6(1)(b) GDPR) and for pre-contractual measures. It is also necessary to comply with our legal obligations (Art.6(1)(c) GDPR).

Retention: We retain retailer registration data for 10 years in compliance with applicable anti-money laundering and financial regulations.

Disclosure: We only share this data with third parties if (a) you consent, (b) it is necessary for contract performance, (c) required by law (e.g. authorities for AML purposes), or (d) necessary for legitimate interests (Art.6(1)(f)) without overriding your rights. We use processors (e.g. our hosting and KYC partners) under Art.28 GDPR. The data is processed only within the EU.

Section 6: Customer Data (KYC)

When customers use the Lunu Services (e.g. to send cryptocurrency), we may process personal data for identity verification and compliance, including for example:

• Email address
• Government-issued ID (or passport) scans
• Biometric data (if collected for KYC)

Purpose: We use this information for Know-Your-Customer (KYC) checks and to provide the crypto payment services. We also process it as required by legal obligations (e.g. AML and financial reporting).

Legal Basis: Processing is necessary for contract performance (Art.6(1)(b) GDPR) and to comply with legal obligations (Art.6(1)(c) GDPR).

Retention: Customer data is retained for 10 years in accordance with AML and financial regulations (in both Lithuania and Italy).

Disclosure: This data is only disclosed if (a) you consent, (b) required for contract performance, (c) required by law (e.g. to regulators or law enforcement), or (d) necessary for legitimate interests under Art.6(1)(f) without overriding your rights. We use processors (e.g. identity verification service providers) as permitted under Art.28 GDPR. Processing occurs solely within the EU.

Section 7: Your Rights

Under GDPR, you have the following rights regarding data we process:

• Access: You can request confirmation of whether we process your personal data, and if so, receive information about the categories, purposes, retention period, and recipients (Art.15).
• Rectification: You can request correction of inaccurate or incomplete personal data (Art.16).
• Erasure: You can request deletion of your personal data (Art.17), unless we must retain it for legal compliance or legitimate interests.
• Restriction: You can request limitation of processing (Art.18) in certain cases (e.g. if data accuracy is contested or processing is unlawful).
• Data Portability: You can request a copy of your data in a structured, machine-readable format (Art.20) or have it transmitted to another controller.
• Objection: If we process your data on a legitimate-interest basis (Art.6(1)(f)), you can object (Art.21), and we will stop unless we demonstrate compelling legitimate grounds.
• Consent Withdrawal: Where processing is based on your consent (Art.6(1)(a)), you may withdraw consent at any time (Art.7(3)).
• Lodge Complaint: You have the right to lodge a complaint with a supervisory authority (Art.77). For example, you can contact the Lithuanian DPA (Section 2) or the Italian DPA (Garante, Section 2) if you believe your data rights have been violated.

To exercise these rights, or for any privacy inquiries, please contact us at [email protected].

Section 8: Compliance with Transfer of Funds Regulation (Travel Rule)

WEB3 Solutions S.R.L. act as Crypto-Asset Service Providers (CASPs) and are subject to Regulation (EU) 2023/1113 (the EU "Transfer of Funds" Regulation, commonly known as the Travel Rule). Under this regulation, the company must collect and transmit certain information about the originator (sender) and beneficiary (recipient) of each crypto-asset transfer. Specifically, this information includes at least:

• Full legal name of the originator and beneficiary,
• Crypto-asset address or unique transaction identifier,
• Residential address of the originator (including country),
• Official government-issued identity document number (e.g. passport or national ID),
• Date and place of birth (where applicable).

The collection and sharing of these data serve solely to comply with applicable EU anti-money laundering and counter-terrorism financing (AML/CFT) laws. The information is transmitted only to authorized recipients (for example, other regulated CASPs) and only to the extent required by law. All such data are treated as personal data under the GDPR. Appropriate technical and organizational safeguards are applied to protect their confidentiality and integrity – for example, data are encrypted in transit and at rest, and access is strictly limited to authorized personnel. These measures ensure that the processing of Travel Rule data complies with GDPR requirements for data security.

Processing Location: All personal data processing described above occurs within the European Union.

Updates: We may update this Privacy Policy to reflect changes in our practices or legal requirements. The current version applies from the date of publication on our website.