Version 2026-05-16 · MVP draft.

Roles

the bond issuer is the controller of the personal data you provide during KYC; fintok is the processor that operates the platform under contract with the Issuer.

Data we collect

• Account identifiers — email address, login timestamps.
• Identity verification — full legal name, date of birth, residential address, the identifier from the document you presented (JMBG for Serbian residents; passport number otherwise), scans/photos of your ID document and address proof.
• Bank account information used for fiat settlement (IBAN, bank name).
• Wallet address — the public address of the self-custodial wallet you linked. We do not store private keys or seed phrases; those remain in your browser only.
• Transaction history — orders, investments, redemptions, payouts, on-chain events.

Retention

Identity and transaction records are retained for at least ten years from the relevant transaction or KYC decision, as required by Article 84 of Zakon o digitalnoj imovini and the underlying AML law. See docs/RETENTION.md in the platform repository for the full inventory.

Sharing

We share data only with: (a) the Issuer, who is the data controller; (b) public authorities when required by law (e.g. court order, AML reporting); (c) sub-processors engaged to provide the platform (cloud storage, email, KYC provider) under written contract.

Your rights

You have the rights granted by the Serbian Law on Personal Data Protection (and the GDPR if you are in the EU): access, rectification, erasure (subject to the legal retention floor above), restriction, and complaint to the supervisory authority. To exercise these rights contact the Issuer directly.