PRIVACY POLICY V8
PRIVACY POLICY
VERSION 8.0
GROOVY COMPANY, INC. DBA OTCM PROTOCOL
Wyoming Corporation | CIK: 1499275 | OTC: GROO
12 Daniel Rd East, Fairfield, NJ 07004
SEC Category 1 Model B Compliant | Release No. 33-11412 (March 17, 2026)
Issuer-Sponsored Tokenized Securities pursuant to SEC–CFTC Joint Interpretive Release No. 33-11412 (March 17, 2026) and SEC Division of Corporation Finance, Division of Investment Management, and Division of Trading and Markets Joint Statement dated January 28, 2026.
1. Our Commitment to Your Privacy
At Groovy Company, Inc. dba OTCM Protocol, we are serious about protecting your privacy while maintaining compliance with federal securities laws and Category 1 regulatory requirements. This Privacy Policy explains how we collect, use, share, and protect your Personal Data when you access or use our Services.
Your Agreement
When you use our Services, you are required to:
|
Requirement |
Description |
|
Acknowledge |
Acknowledge and agree to this Privacy Policy |
|
Understand |
Understand and consent to our data practices |
|
Accept |
Accept that we will collect, use, and share information as outlined below |
|
Regulatory Consent |
Consent to data collection required for Category 1 compliance, KYC/AML, and accredited investor verification |
Related Documents
Your use of our Website and Services is subject to:
• Terms of Use
• Terms of Service (which incorporates this Privacy Policy)
• Risk Disclosure
• Cookie Notice
Capitalized terms in this Policy have the definitions given to them in the Terms of Use and Terms of Service, unless first defined in this Policy.
2. Purpose and Scope
This Privacy Policy helps you understand our collection and use of information, your rights regarding your data, and how Category 1 compliance affects data handling.
Category 1 Compliance Data
OTCM Protocol operates SEC Category 1 Model B compliant infrastructure for ST22 Digital Securities under Release No. 33-11412. This requires collection and retention of certain data for regulatory compliance purposes.
|
Data Category |
Regulatory Purpose |
|
KYC Data |
Know Your Customer verification required by Bank Secrecy Act |
|
Accreditation Data |
Accredited investor verification required under Reg D |
|
OFAC Screening Data |
Sanctions compliance required by U.S. Treasury |
|
Transaction Records |
Securities transaction records required by federal securities laws |
|
Custody Records |
Records coordination with Empire Stock Transfer, SEC-registered transfer agent and qualified custodian |
Mandatory Collection: Category 1 compliance requires collection of KYC and accreditation data. You cannot use ST22 Digital Securities services without providing required verification data.
3. Third-Party Data Sharing
If your Personal Data is lawfully provided to any company that we do not own or control, or to individuals we do not directly oversee, then their privacy policy applies, not this Privacy Policy.
Key Third-Party Data Sharing (Category 1 Requirements)
|
Third Party |
Data Shared |
Purpose |
|
Empire Stock Transfer |
Identity, ownership records |
SEC-registered transfer agent for custody and shareholder registry |
|
KYC/AML Providers |
Identity verification data |
Chainalysis KYT + TRM Labs regulatory compliance verification |
|
Accreditation Verification |
Financial qualification data |
Reg D compliance |
|
OFAC Screening Services |
Identity data |
Sanctions compliance |
|
Regulatory Bodies |
As required by law |
SEC, FinCEN, and other regulatory reporting |
4. Blockchain Transparency Notice
Our Services utilize Solana blockchain and SPL Token-2022 smart contract technology for Category 1 Model B compliant ST22 Digital Securities trading.
|
Data Type |
Visibility |
Notes |
|
Wallet Addresses |
Public |
Visible on Solana blockchain |
|
Transaction History |
Public |
All ST22 and OTCM token transfers visible |
|
Token Balances |
Public |
Holdings visible at wallet level |
|
Identity Data |
Private |
NOT stored on blockchain |
|
KYC / Accreditation |
Private |
Stored off-chain with Empire Stock Transfer and compliance providers |
Privacy Limitation: Blockchain transactions are permanent and public. While we do not publish your identity on-chain, sophisticated analysis may potentially link wallet addresses to identities. We take reasonable steps to protect your privacy, but blockchain transparency is inherent to the technology.
5. How We Gather Personal Data
5.1 Directly From You
|
Action |
Data Collected |
|
Account Creation |
Name, email, contact information |
|
KYC Verification |
Government ID, address verification, date of birth |
|
Accreditation Verification |
Financial documentation (for ST22 Digital Securities) |
|
Payment Information |
Payment details for minting fees |
|
Service Usage |
Additional data as you use our Services |
5.2 From Third Parties (Category 1 Requirements)
|
Third Party |
Data Received |
Purpose |
|
Empire Stock Transfer |
Custody confirmations, shareholder records |
Category 1 custody verification |
|
KYC Providers |
Verification results |
Identity confirmation |
|
Accreditation Services |
Verification status |
Reg D compliance |
|
OFAC Screening |
Sanctions check results |
Compliance verification |
|
Analytics Providers |
Usage patterns |
Service improvement |
5.3 From Blockchain
When you connect your wallet to our platform, we collect your wallet address. Transaction history and token holdings are public blockchain data accessible to all participants.
6. Cookies and Tracking Technologies
Our Site may use cookies or similar tracking methods. When you use our Services, you will be shown a cookie disclosure with details on what cookies we use, their purposes, and how to manage your preferences.
|
Technology |
Purpose |
|
Session Cookies |
Maintain login state |
|
Analytics Cookies |
Understand usage patterns |
|
Security Cookies |
Fraud prevention |
|
Preference Cookies |
Remember your settings |
Do Not Track
We honor DNT signals where technically feasible. However, some tracking required for Category 1 compliance cannot be disabled.
Cookie Management
You may accept or reject cookies through your browser settings and delete existing cookies on your device. Some platform functions may not work if you disable cookies. Visit AllAboutCookies.org for comprehensive cookie information.
7. Types of Personal Data We Collect
7.1 Standard Personal Data
|
Data Type |
Purpose |
|
Full Name |
Account identification, regulatory compliance |
|
Addresses |
Mail, billing, and email addresses |
|
Online Identifiers |
Usernames, wallet addresses |
|
IP Address |
Security, geolocation compliance |
|
Phone Number |
Account security, communications |
7.2 Category 1 Compliance Data (Required for ST22 Digital Securities)
|
Data Type |
Purpose |
Regulatory Basis |
|
Government ID |
KYC verification |
Bank Secrecy Act |
|
Date of Birth |
Identity verification, age compliance |
BSA, securities laws |
|
Residential Address |
Identity verification, jurisdiction compliance |
SEC regulations |
|
Financial Information |
Accredited investor verification |
Reg D |
|
Tax Identification |
Tax reporting, regulatory compliance |
IRS requirements |
|
Employment Information |
Accreditation verification |
SEC Rule 501 |
|
Net Worth Documentation |
Accreditation verification |
SEC Rule 501 |
Mandatory Collection: Category 1 compliance requires collection of KYC and accreditation data. This data collection is not optional for ST22 Digital Securities services.
7.3 Customer Records and Internet Activity
We collect account records, transaction records, custody coordination records with Empire Stock Transfer, compliance records, communication records, browsing history on our platform, interaction data, trading activity for compliance monitoring, and security events.
8. How We Use Your Personal Data
Nearly all Personal Data we collect is used to manage, improve, understand, and personalize our Services and maintain Category 1 compliance.
8.1 Service Delivery
• Accomplish the purpose for which you provided Personal Data
• Provide our Services and respond to your requests
• Process ST22 Digital Securities and OTCM token transactions
• Coordinate with Empire Stock Transfer for custody verification
8.2 Category 1 Compliance (Required)
|
Use |
Regulatory Basis |
|
KYC Verification |
Bank Secrecy Act, AML requirements |
|
Accreditation Verification |
Reg D |
|
OFAC Screening |
U.S. Treasury sanctions requirements |
|
Transaction Monitoring |
Securities law compliance |
|
Regulatory Reporting |
SEC, FinCEN reporting obligations |
|
Record Keeping |
Securities transaction record requirements |
8.3 Communications
• Service communications based on your preferences
• Transaction confirmations
• Updates about your use of the Services
• Security alerts and notifications
8.4 Support, Personalization, and Development
• Offer and provide customer support
• Personalize content on our Site
• Test, research, analyze, and develop the Service
• Offer new Services and improve the platform
8.5 Security and Compliance
• Deter and stop illegal, fraudulent, and other damaging actions
• Maintain safety, security, and integrity of the Site and Services
• Ensure compliance with obligations and enforce company policies
• Interact with governmental and law enforcement as required by law
New Uses
We may need to use your previously-collected Personal Data for new purposes consistent with our Services and their evolution. When this happens, we will inform you before we start, except where required by law or Category 1 compliance.
Communication Preferences
To opt out of marketing communications, use the opt-out link provided in emails or email your preference to privacy@otcm.io. You cannot opt out of transactional or compliance-related communications required for Category 1 operations.
9. How We Share Your Personal Data
We are NOT in the business of sharing your Personal Data for monetary gain. We share data only as necessary to perform and improve our Services and maintain Category 1 compliance.
9.1 Regulatory and Compliance Sharing (Required)
|
Recipient |
Data Shared |
Purpose |
|
Empire Stock Transfer |
Identity, ownership records |
SEC-registered transfer agent custody |
|
SEC |
As required by law |
Securities law compliance |
|
FinCEN |
SAR/CTR filings as required |
Bank Secrecy Act compliance |
|
OFAC |
Screening data |
Sanctions compliance |
|
Law Enforcement |
As required by law |
Legal obligations |
Mandatory Sharing: Category 1 compliance requires sharing certain data with regulatory bodies and Empire Stock Transfer. This sharing is not optional.
9.2 Service Providers
• Payment processors for minting fee transactions
• Security providers for platform protection
• Technology and hosting infrastructure providers
• Analytics providers for usage analysis
• KYC/AML providers (Chainalysis KYT + TRM Labs) for identity verification
• Accreditation verification services for Reg D compliance
9.3 Public and Blockchain Information
Blockchain Transparency: ST22 Digital Securities and OTCM token transactions are recorded on the Solana blockchain and are publicly visible. While your identity is not directly published, wallet addresses and transaction history are public.
9.4 Corporate Changes
Your Personal Data may be transferred in connection with a merger, acquisition, bankruptcy, or asset sale. We will notify you of any such transfer and your options.
10. Data Security and Retention
10.1 Security Measures
We employ technical safeguards (encryption, access controls, monitoring), organizational safeguards (employee training, access policies), and physical safeguards (secure facilities, device security) designed to protect Personal Data. However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
10.2 Data Retention
Category 1 Compliance Retention Requirements
|
Data Type |
Retention Period |
Regulatory Basis |
|
KYC Records |
5 years after account closure |
Bank Secrecy Act |
|
Transaction Records |
7 years |
Securities laws, IRS requirements |
|
Accreditation Records |
5 years |
Reg D |
|
OFAC Screening |
5 years |
Treasury requirements |
|
Communications |
3 years |
Business records |
Regulatory Retention: We are required by law to retain certain records for specified periods. Deletion requests cannot override regulatory retention requirements.
10.3 Global Processing
Your Personal Data may be used, hosted, or otherwise processed outside of your home jurisdiction, including the United States, which serves as our primary processing location. Standard contractual clauses apply where required.
11. Personal Data of Children
We do not offer our Services to children. We do not knowingly collect Personal Data from anyone under 18. ST22 Digital Securities require accredited investor status, which is limited to adults. If we discover Personal Data from a child under 18, we will delete it as quickly as possible. If you believe a child under 18 has provided us Personal Data, contact us at privacy@otcm.io.
12. Privacy Rights in Certain Jurisdictions
12.1 California Residents (CCPA/CPRA)
|
Right |
Description |
|
Right to Know |
Request disclosure of Personal Data collected |
|
Right to Delete |
Request deletion of Personal Data (subject to regulatory retention exceptions) |
|
Right to Opt-Out |
Opt out of sale or sharing of Personal Data |
|
Right to Correct |
Request correction of inaccurate Personal Data |
|
Non-Discrimination |
Not be discriminated against for exercising rights |
Limitations: Category 1 regulatory retention requirements may limit deletion rights.
12.2 Other Jurisdictions
You may have additional rights based on your residency. Contact privacy@otcm.io for jurisdiction-specific information.
13. Changes to This Privacy Policy
From time to time, we may need to change how we use your Personal Data due to applicable laws and regulations, Category 1 compliance requirements, or evolution of our Services. If changes occur, we will update this Privacy Policy, place notice on the Site and/or send email, and clearly indicate when changes take effect.
We use Personal Data according to the Privacy Policy effective at the time that information is collected. Continued use after policy updates constitutes acceptance.
14. Contact Information
If you have any questions or comments about your Personal Data, your privacy, this Privacy Policy, or your rights, please contact us:
|
Channel |
Contact |
|
Privacy Inquiries |
privacy@otcm.io |
|
Category 1 Compliance |
compliance@otcm.io |
|
General / Investors |
invest@otcm.io |
|
Chief Technology Officer |
frank@otcm.io |
|
Mailing Address |
12 Daniel Rd East, Fairfield, NJ 07004 |
|
Phone |
1-404-734-3277 |
Document Information
|
Field |
Value |
|
Document Version |
8.0 |
|
Effective Date |
March 2026 |
|
Entity Jurisdiction |
Wyoming Corporation |
|
Governing Law |
New Jersey State Law and Federal Law |
|
Regulatory Framework |
SEC Category 1 Model B — Release No. 33-11412 (March 17, 2026) |
Your privacy matters. We are committed to protecting your personal information while maintaining Category 1 compliance and providing you with the best possible service experience.
© 2026 Groovy Company, Inc. dba OTCM Protocol | All Rights Reserved
ST22 Digital Securities are Category 5 Digital Securities under SEC–CFTC Release No. 33-11412 (March 17, 2026). Category 1 compliance requires collection and retention of certain personal data as described in this Privacy Policy. Groovy Company, Inc. dba OTCM Protocol is a Wyoming Corporation (CIK: 1499275).