๐ก๏ธ Privacy Policy
โ SEC CATEGORY 1 COMPLIANT | Issuer-Sponsored Tokenized Securities pursuant to SEC Division of Corporation Finance, Division of Investment Management, and Division of Trading and Markets Joint Statement dated January 28, 2026
๐ก๏ธ Our Commitment to Your Privacy
At OTCM Protocol, Inc., we are serious about protecting your privacy while maintaining compliance with federal securities laws and Category 1 regulatory requirements. You don't have to take our word for it thoughโyou can read below to understand how we treat your Personal Data.
โ Your Agreement
When you use our Services, we require that you:
Requirement | Description |
|---|---|
๐ Acknowledge | Acknowledge and agree to our Privacy Policy |
๐ค Understand | Understand and consent to our Privacy Policy |
โ Accept | Accept that we will collect, use, and share information as outlined below |
โ๏ธ Regulatory Consent | Consent to data collection required for Category 1 compliance, KYC/AML, and accredited investor verification |
๐ Related Documents
Remember that your use of our Website and Services are subject to:
- ๐ Our Terms of Use
- ๐ Our Terms of Service (which incorporates this Privacy Policy)
- ๐ Our Risk Disclosure
- ๐ Our Cookie Notice
Note: Capitalized terms in this Policy have the definitions given to them in the Terms of Use and Terms of Service, unless first defined in this Policy.
๐ฏ Why We Have A Privacy Policy (And What It Covers)
๐ก Purpose
Our Privacy Policy helps you understand:
Topic | Description |
|---|---|
๐ Collection & Use | Our collection and use of information |
โ๏ธ Your Rights | Your rights regarding your data |
๐๏ธ Regulatory Requirements | How Category 1 compliance affects data handling |
๐ก๏ธ Coverage
Our Privacy Policy covers how we treat Personal Data that we gather when you access or use our Services.
โ๏ธ Special Notice: Category 1 Compliance Data
OTCM Protocol operates SEC Category 1 compliant infrastructure for tokenized securities. This requires collection and retention of certain data for regulatory compliance purposes, including:
Data Category | Regulatory Purpose |
|---|---|
๐ชช KYC Data | Know Your Customer verification required by Bank Secrecy Act |
๐ฐ Accreditation Data | Accredited investor verification required by SEC Rule 506(c) |
๐ซ OFAC Screening Data | Sanctions compliance required by U.S. Treasury |
๐ Transaction Records | Securities transaction records required by federal securities laws |
๐ฆ Custody Records | Records coordination with SEC-registered transfer agent |
โ ๏ธ Important: Certain data collection is mandatory for Category 1 compliance. You cannot use ST22 Tokenized Securities services without providing required KYC and accreditation verification data.
๐ข Third Party Data
If your Personal Data is lawfully given to any company that we don't own or control, or to people we don't directly oversee, then their privacy policy applies, not this Privacy Policy.
๐ฆ Key Third-Party Data Sharing (Category 1 Requirements)
Third Party | Data Shared | Purpose |
|---|---|---|
๐ฆ Empire Stock Transfer | Identity, ownership records | SEC-registered transfer agent for custody and shareholder registry |
๐ KYC/AML Providers | Identity verification data | Regulatory compliance verification |
๐ Accreditation Verification | Financial qualification data | SEC Rule 506(c) compliance |
๐ซ OFAC Screening Services | Identity data | Sanctions compliance |
๐๏ธ Regulatory Bodies | As required by law | SEC, FinCEN, and other regulatory reporting |
๐ Key Areas We'll Cover
Section | Topic |
|---|---|
๐ฅ | How we obtain your Personal Data |
๐ | The types of Personal Data we collect |
๐ง | How we use your Personal Data |
๐ค | Sharing your Personal Data |
โ๏ธ | Your rights with respect to your Personal Data |
๐๏ธ | Category 1 regulatory data requirements |
๐จ Questions or Concerns?
If any part of this Privacy Policy is unclear or if you believe your Personal Data is being misused, please contact us immediately so we can investigate and remedy the situation.
Contact: privacy@otcm.io
โ๏ธ Blockchain Transparency Notice
Please understand that our Services utilize Solana blockchain smart contract technology for Category 1 compliant tokenized securities trading.
๐ What Is Public on Blockchain
Data Type | Visibility | Notes |
|---|---|---|
๐ Wallet Addresses | Public | Visible on Solana blockchain |
๐ฐ Transaction History | Public | All ST22 and OTCM token transfers visible |
๐ Token Balances | Public | Holdings visible at wallet level |
๐ชช Identity Data | Private | NOT stored on blockchain |
๐ KYC/Accreditation | Private | Stored off-chain with compliance providers |
โ ๏ธ Privacy Limitation: Blockchain transactions are permanent and public. While we do not publish your identity on-chain, sophisticated analysis may potentially link wallet addresses to identities. We take reasonable steps to protect your privacy, but blockchain transparency is inherent to the technology.
๐ฅ Here Is How We Gather Personal Data
๐ฏ Primary Collection Methods
For our Services, we obtain your Personal Data through multiple channels:
1. ๐ค Directly From You
As a user, you will:
Action | Data Collected |
|---|---|
โ Account Creation | Name, email, contact information |
๐ชช KYC Verification | Government ID, address verification, date of birth |
๐ฐ Accreditation Verification | Financial documentation (for ST22 securities) |
๐ณ Payment Information | Payment details for minting fees |
๐ Service Usage | Additional data as you use our Services |
2. ๐ฆ From Third Parties (Category 1 Requirements)
Third Party | Data Received | Purpose |
|---|---|---|
๐ฆ Empire Stock Transfer | Custody confirmations, shareholder records | Category 1 custody verification |
๐ KYC Providers | Verification results | Identity confirmation |
๐ Accreditation Services | Verification status | SEC Rule 506(c) compliance |
๐ซ OFAC Screening | Sanctions check results | Compliance verification |
๐ Analytics Providers | Usage patterns | Service improvement |
3. โ๏ธ From Blockchain
Data Type | Collection Method |
|---|---|
๐ Wallet Addresses | When you connect wallet to platform |
๐ฐ Transaction History | Public blockchain data |
๐ Token Holdings | Public blockchain data |
๐ช We Automatically Collect Certain Information
๐ Cookie Disclosure
When you use our Services, you will be shown a cookie disclosure with details on:
Information | Description |
|---|---|
๐ช Cookie Types | What cookies/pixels/tags we use |
๐ฏ Purposes | Purposes for each type |
โ๏ธ Management | How to control cookie preferences |
๐ง Tracking Technologies
Our Site may use Cookies or similar methods:
Technology | Purpose |
|---|---|
๐ช Session Cookies | Maintain login state |
๐ Analytics Cookies | Understand usage patterns |
๐ Security Cookies | Fraud prevention |
๐ฏ Preference Cookies | Remember your settings |
๐ฏ Purpose of Cookies
- ๐ Recognize you (your web browser, phone, etc.)
- ๐ Understand how and when you visit the Site
- ๐ Analyze trends to learn and improve our Services
- ๐ Maintain security and prevent fraud
- โ๏ธ Support Category 1 compliance monitoring
๐ซ "Do Not Track" Limitations
Browser Setting | Our Response |
|---|---|
๐ซ DNT Signal | We honor DNT signals where technically feasible |
โ ๏ธ Limitations | Some tracking required for Category 1 compliance cannot be disabled |
โ๏ธ Cookie Management
Option | Description |
|---|---|
๐ง Browser Settings | Accept/reject Cookies through browser settings |
๐๏ธ Delete Cookies | Delete existing Cookies on your device |
โ ๏ธ Functionality Impact | Some functions may not work if you disable Cookies |
๐ Preference Reset | Preferences may need readjustment when you visit |
๐ Learn More: Visit AllAboutCookies.org for comprehensive cookie information.
๐ This Is The Kind of Personal Data We Collect
๐ค Information That Identifies You Personally
Standard Personal Data
Data Type | Purpose |
|---|---|
๐ Full Name | Account identification, regulatory compliance |
๐ฌ Addresses | Mail, billing, and email addresses |
๐ Online Identifiers | Usernames, wallet addresses |
๐ IP Address | Security, geolocation compliance |
๐ฑ Phone Number | Account security, communications |
Category 1 Compliance Data (Required for ST22 Securities)
Data Type | Purpose | Regulatory Basis |
|---|---|---|
๐ชช Government ID | KYC verification | Bank Secrecy Act |
๐ Date of Birth | Identity verification, age compliance | BSA, securities laws |
๐ Residential Address | Identity verification, jurisdiction compliance | SEC regulations |
๐ฐ Financial Information | Accredited investor verification | SEC Rule 506(c) |
๐ Tax Identification | Tax reporting, regulatory compliance | IRS requirements |
๐ข Employment Information | Accreditation verification | SEC Rule 501 |
๐ Net Worth Documentation | Accreditation verification | SEC Rule 501 |
โ ๏ธ Mandatory Collection: Category 1 compliance requires collection of KYC and accreditation data. This data collection is not optional for ST22 Tokenized Securities services.
๐ Customer and User Records
Information that may include customer and user records identified by applicable law:
Record Type | Contents |
|---|---|
๐ Account Records | Registration data, preferences |
๐ฐ Transaction Records | ST22 and OTCM token transactions |
๐ฆ Custody Records | Empire Stock Transfer coordination |
โ๏ธ Compliance Records | KYC/AML verification, accreditation status |
๐ง Communication Records | Support requests, correspondence |
๐ Internet Activity Information
Data Type | Purpose |
|---|---|
๐ Browsing History | Site usage analysis (on our platform only) |
๐ป Interaction Data | How you use our Services |
๐ Trading Activity | Transaction patterns for compliance monitoring |
๐ Security Events | Login attempts, security alerts |
๐ฏ Collection Philosophy
We collect information that we believe is necessary to:
Purpose | Description |
|---|---|
๐ฅ๏ธ Functionality | Make the Site render and work well for you |
โก User Experience | Make your use of Services faster, easier, and more intuitive |
๐ Improvement | Improve and expand our Services |
โ๏ธ Compliance | Meet Category 1 regulatory requirements |
๐ก๏ธ Security | Protect against fraud and unauthorized access |
โ ๏ธ Without this information: Services will not be possible, and Category 1 compliance cannot be maintained.
๐ง How We Use Your Personal Data
Nearly all Personal Data we collect is used to manage, improve, understand, personalize our Services, and maintain Category 1 compliance.
๐ฏ We Use Personal Data To:
Service Delivery
Use | Description |
|---|---|
โ Purpose Fulfillment | Accomplish a purpose when you provide Personal Data |
๐ ๏ธ Service Provision | Provide our Services and respond to your requests |
๐ฐ Transaction Processing | Process ST22 and OTCM token transactions |
๐ฆ Custody Coordination | Coordinate with Empire Stock Transfer |
Category 1 Compliance (Required)
Use | Regulatory Basis |
|---|---|
๐ชช KYC Verification | Bank Secrecy Act, AML requirements |
๐ฐ Accreditation Verification | SEC Rule 506(c) |
๐ซ OFAC Screening | U.S. Treasury sanctions requirements |
๐ Transaction Monitoring | Securities law compliance |
๐๏ธ Regulatory Reporting | SEC, FinCEN reporting obligations |
๐ Record Keeping | Securities transaction record requirements |
Communication
Use | Description |
|---|---|
๐ง Service Communications | Communicate about Services based on your preferences |
โ Confirmations | Send transaction confirmations |
๐จ Updates | Email you about your use of the Services |
๐จ Security Alerts | Notify you of security-related events |
Support & Personalization
Use | Description |
|---|---|
๐ค Support | Offer and provide support for the Services |
๐จ Personalization | Personalize the content on our Site |
๐ Requests | Fulfill requests and respond to questions |
Improvement & Development
Use | Description |
|---|---|
๐ฌ Research | Test, research, analyze and develop the Service |
๐ New Features | Offer new Services and make the Site better |
Security & Compliance
Use | Description |
|---|---|
๐ก๏ธ Fraud Prevention | Deter and stop illegal, fraudulent, and other damaging actions |
๐ Security | Maintain safety, security and integrity of the Site and Services |
โ๏ธ Policy Enforcement | Ensure compliance with obligations and enforce company policies |
๐๏ธ Legal Compliance | Interact with governmental and law enforcement as required by law |
๐ New Uses
We may need to use your previously-collected Personal Data for new purposes consistent with our Services and their evolution. When this happens, we will inform you before we start (except where required by law or Category 1 compliance).
๐ง Communication Preferences
Don't want to receive marketing communications from us?
Method | Instructions |
|---|---|
๐ฑ Email Opt-Out | Use the opt-out link provided in emails |
๐ง Contact Us | Email your preference to: privacy@otcm.io |
โ ๏ธ Note: You cannot opt out of transactional or compliance-related communications required for Category 1 operations.
๐ค How We Share Your Personal Data
๐ฐ Not for Monetary Gain
We are NOT in the business of sharing your Personal Data for monetary gain.
We do need to perform and improve our Services and maintain Category 1 compliance, which requires sharing your Personal Data with:
๐๏ธ Regulatory and Compliance Sharing (Required)
Recipient | Data Shared | Purpose |
|---|---|---|
๐ฆ Empire Stock Transfer | Identity, ownership records | SEC-registered transfer agent custody |
๐๏ธ SEC | As required by law | Securities law compliance |
๐ต FinCEN | SAR/CTR filings as required | Bank Secrecy Act compliance |
๐ซ OFAC | Screening data | Sanctions compliance |
๐ฎ Law Enforcement | As required by law | Legal obligations |
โ ๏ธ Mandatory Sharing: Category 1 compliance requires sharing certain data with regulatory bodies and Empire Stock Transfer. This sharing is not optional.
๐ข Service Providers
Provider Type | Purpose |
|---|---|
๐ณ Payment Processors | Process payments for minting fees |
๐ก๏ธ Security Providers | Maintain platform security |
๐ป Technology/Hosting | Infrastructure services |
๐ Analytics Providers | Usage analysis |
๐ KYC/AML Providers | Identity verification |
๐ฐ Accreditation Verification | SEC Rule 506(c) compliance |
๐ Compliance & Security
Recipient | Purpose |
|---|---|
๐ Auditors | Maintain compliance and security |
๐จ Security Services | Detect security issues and fraud |
๐ก๏ธ Fraud Prevention | Protect against illegal or improper activity |
๐ฌ Research & Development
Recipient | Purpose |
|---|---|
๐งช Internal Research | Technological development |
๐ Debug Services | Repair errors on the Site or Services |
๐ Customer Service
Recipient | Purpose |
|---|---|
๐ค Customer Care | Customer support services |
๐ฆ Order Processing | Transaction fulfillment |
๐ Public & Transaction Information
Others may access your Personal Data if you:
Action | Consequence |
|---|---|
๐ข Post Publicly | Information becomes public |
๐ฐ Complete Transactions | Transaction data recorded on blockchain (public) |
๐ค Access Third Parties | Their privacy policies control |
โ ๏ธ Blockchain Transparency: ST22 and OTCM token transactions are recorded on the Solana blockchain and are publicly visible. While your identity is not directly published, wallet addresses and transaction history are public.
๐ข Corporate Changes
Your Personal Data may be transferred through:
Event | Handling |
|---|---|
๐ค Merger/Acquisition | Data transfers to acquiring entity |
๐ Bankruptcy | Data may be transferred as asset |
๐ฐ Asset Sale | Data may be included in sale |
We will notify you of any such transfer and your options.
๐ก๏ธ Data Security and Retention
๐ Security Measures
We employ safeguards designed to protect Personal Data:
Safeguard Type | Examples |
|---|---|
๐ง Technical | Encryption, access controls, monitoring |
๐ข Organizational | Employee training, access policies |
๐๏ธ Physical | Secure facilities, device security |
โ ๏ธ Security Disclaimer
๐จ NO SYSTEM IS 100% SECURE
Despite our security measures, we cannot guarantee absolute security.
You are responsible for:
โข Maintaining security of your wallet and private keys
โข Using strong, unique passwords
โข Protecting your devices from unauthorized access
โข Reporting any suspected security breaches immediately๐ Data Retention
Category 1 Compliance Retention Requirements
Data Type | Retention Period | Regulatory Basis |
|---|---|---|
๐ชช KYC Records | 5 years after account closure | Bank Secrecy Act |
๐ฐ Transaction Records | 7 years | Securities laws, IRS requirements |
๐ Accreditation Records | 5 years | SEC Rule 506(c) |
๐ซ OFAC Screening | 5 years | Treasury requirements |
๐ง Communications | 3 years | Business records |
โ ๏ธ Regulatory Retention: We are required by law to retain certain records for specified periods. Deletion requests cannot override regulatory retention requirements.
๐ Personal Data Use/Storage
๐บ๏ธ Global Processing
Your Personal Data may be used, hosted, or otherwise processed outside of your home jurisdiction in jurisdiction(s) that may not provide equivalent levels of protection, including the United States.
Processing Location | Safeguards |
|---|---|
๐บ๐ธ United States | Primary processing location |
๐ Other Jurisdictions | Standard contractual clauses where applicable |
๐ถ Personal Data of Children
๐ซ Age Restrictions
Requirement | Description |
|---|---|
โ No Minors | We do not offer our Services to children |
๐ซ No Collection | We do not knowingly collect Personal Data from anyone under 18 |
โ๏ธ Accredited Investors | ST22 securities require accredited investor status (adults only) |
๐๏ธ Data Deletion Policy
If we discover Personal Data from a child under 18:
Action | Timeline |
|---|---|
๐จ Deletion | We will delete it as quickly as possible |
๐ง Contact | If you believe a child under 18 has given us Personal Data, contact us at privacy@otcm.io |
โ๏ธ Privacy Rights In Certain Jurisdictions
๐๏ธ Consumer Data Protection Laws
Certain jurisdictions have enacted laws to protect and empower consumers with respect to their data and Personal Data.
๐บ๐ธ California Residents (CCPA/CPRA)
California residents have specific rights:
Right | Description |
|---|---|
๐ Right to Know | Request disclosure of Personal Data collected |
๐๏ธ Right to Delete | Request deletion of Personal Data (subject to exceptions) |
๐ซ Right to Opt-Out | Opt-out of sale/sharing of Personal Data |
โ๏ธ Right to Correct | Request correction of inaccurate Personal Data |
โ๏ธ Non-Discrimination | Not be discriminated against for exercising rights |
โ ๏ธ Limitations: Category 1 regulatory retention requirements may limit deletion rights.
๐ Other Jurisdictions
You may have additional rights based on your residency. Contact privacy@otcm.io for jurisdiction-specific information.
๐ Changes to this Privacy Policy
๐ Updates May Occur
From time to time, we may need to change how we use your Personal Data due to:
Reason | Description |
|---|---|
โ๏ธ Legal Changes | Applicable laws and regulations |
๐๏ธ Regulatory Updates | Category 1 compliance requirements |
๐ Service Evolution | Better performance of our Services |
๐ข Notification Process
If changes happen, we will:
Action | Method |
|---|---|
๐ Update Policy | Update this Privacy Policy |
๐จ Alert You | Place notice on the Site and/or send email |
๐ Effective Date | Clearly indicate when changes take effect |
โ Continued Use = Agreement
We use Personal Data according to the Privacy Policy effective at the time that information is collected. Continued use after policy updates constitutes acceptance.
๐ Contact Information
๐ค Questions or Comments?
If you have any questions or comments about:
Topic | Contact |
|---|---|
๐ Your Personal Data | privacy@otcm.io |
๐ก๏ธ Your Privacy | privacy@otcm.io |
๐ Our Privacy Policy | privacy@otcm.io |
โ๏ธ Your Rights | privacy@otcm.io |
๐๏ธ Category 1 Compliance | compliance@otcm.io |
Mailing Address:
OTCM Protocol, Inc.
Attn: Privacy Officer
[Address]
Wyoming, United States๐ Document Information
Field | Value |
|---|---|
๐ Document Version | 3.0 |
๐ Effective Date | January 2026 |
๐ Jurisdiction | Wyoming, United States |
โ๏ธ Governing Law | Wyoming State Law and Federal Law |
๐๏ธ Regulatory Framework | SEC Category 1 (Issuer-Sponsored Tokenized Securities) |
๐ก๏ธ Your Privacy Matters โ We're committed to protecting your personal information while maintaining Category 1 compliance and providing you with the best possible service experience.
ยฉ 2026 OTCM Protocol, Inc. | All Rights Reserved
ST22 Tokenized Securities are securities under federal securities laws. Category 1 compliance requires collection and retention of certain personal data as described in this Privacy Policy.