Privacy Policy

May 30, 2023

This Privacy Policy (“Policy”) describes the privacy practices of CEX Claims US, Corp., 3422 Old Capitol Trail, PMB 1425, Wilmington, Delaware 19808, United States (“CEX Claims” or “we”) concerning personal information collected in connection with CEX Claims’ verification, attestation and related services in support of the tokenization of bankruptcy claims (the “Services”). If you choose to provide personal information or claim-related data (all such information and data, the “Data”) to CEX Claims, you agree to the use of the Data in accordance with this Policy.

1. Short Summary

We use the Data to provide and improve the Services. Other than with your consent, we do not sell or share the Data. For the tokenization of bankruptcy claims, you consent to sharing the Data (excluding KYC [know-your-customer] data, if applicable) in encrypted form on the Non-Fungible Token (“NFT”) metadata, which may be decrypted by us and the NFT owner, and shared with prospective purchasers or lenders if the NFT is offered to the market, subject to our access control interfaces.

Read through the Policy to understand more specifically what information we may collect and how we use the information.

2. How we use your personal information

Data for Claims On-boarding Before NFT Issuance

First, the personal data is processed by CEX Claims for claims on-boarding, using Microsoft infrastructure secured by multi-factor authentication and other measures. The necessary metadata for the NFT is generated. Limited information (and no personal information) is to be published on the blockchain: only the original owner blockchain address, referrer blockchain address (if any), the claim’s face value and a content identifier to further metadata on the InterPlanetary File System (IPFS) are stored in the on-chain NFT collection in which the claim pertains. Once published, IPFS data can be replicated by other nodes. The claimant is encouraged to review the information before authorizing the NFT data generation. The claimant also the opportunity to review the NFT data on a web interface before minting it.

NFT Data

Instead of storing personal information in clear text on IPFS, the Lit Protocol (“LIT”) manages the encryption and decryption. Upon information and belief, LIT distributes the decryption key among Lit nodes, two thirds of the nodes must agree to decrypting based on access control conditions, which are defined by CEX Claims at the time of nodes’ encryption. The ordinary conditions require to either be CEX Claims’ blockchain address secured by Microsoft Azure Key Vault (hot wallet), CEX Claims’ backup blockchain address stored on a hardware device (cold wallet) or the NFT owner.

NFT ownership can be transferred if the holder sells the NFT or get it liquidated after having used it as collateral for borrowing; once transferred, the private data is decryptable without restriction. The contract owner also has the option to upgrade the contract, which might compromise the integrity of transfers, but that function is reserved only for security or legal enforcement. The contract owner’s private key is stored offline. Initially, the metadata update and NFT transfer are centralized (i.e., CEX Claims’ admin address can make such transactions), but we would like to implement checks and balances by requiring such transactions to be reviewable and disputable before taking effect.

Use Purposes

Overall, we process the Data for the following purposes.

To provide the Services, which includes:

  • Verifying the eligibility of claims or claimants;

  • Preventing the on-boarding of fraudulent claims;

  • Identifying and monitoring fraudulent claims or transfers thereof;

  • Sharing the results of our analysis (but not KYC data itself) in the NFT metadata, with encryption of confidential data; and

  • Increasing the efficiency and effectiveness of the Services;

  • To protect and improve the security of the Services; and

  • To anonymize the personal information and generate statistical or aggregated reports.

Under certain circumstances, we may also use the Data to:

  • Establish, exercise or defend legal claims;

  • Investigate, prevent, or take action regarding illegal activities, suspected fraud, violations of our terms and conditions, or situations involving threats to our property, the property or physical safety of any person or third party;

  • Facilitate the financing, securitization, insuring, sale, assignment, or other disposal of all or part of our business or assets;

  • Respond to valid and enforceable subpoenas, court orders, and other legal process, or as otherwise required by law; and

  • Comply with legal and/or regulatory requirements.

3. Personal information we process

We may process the following information:

  • Personal identifiers (e.g., names, addresses, emails);

  • Financial information (e.g., balances and transaction information);

  • Other information you have voluntarily chosen to share.

According to the level of disclosures and assurances you decide to provide, we may also process the following information:

  • Identification documents

  • Images or recordings

We may also automatically collect certain information which enables us to provide, improve, and develop our Services. This information includes:

  • Online identifiers (e.g., IP addresses);

  • Internet or other electronic network activity

  • Inferences such as a claim calculations and analysis

Marketing data: The personal data we collect from other sources for the purposes of tailored marketing includes identifiers, profile biography information, internet activity information, and inferences about preferences and behaviors. We collect this from third party providers. This helps us identify new customers and create more tailored marketing to provide services that may be of interest to you.

We obtain information about you in a number of ways through your use of our Services, including through any of our websites, the on-boarding process, interest or sign-up forms, news and updates subscribing, and from information provided in the course of on-going support service communications. We also receive information about you from third parties and publicly available sources.

4. Whom we share Data with

Sharing for tokenization purposes.

We share some Data for the claim tokenization process described in Section 2 above. We do not include KYC submissions that might be collected by a KYC provider on the NFT on-chain data or IPFS metadata. We share claim-related Data that contains certain personal information in encrypted form on the NFT metadata; for clarity, you will be advised those fields are "confidential" or part of encrypted evidence or encrypted proof during on-boarding. For claim distribution and utility, the encrypted Data may be decrypted and shared with prospective purchasers or lenders if the NFT owner offers the NFT on the market.

Sharing for business purposes.

We may also share, disclose, or transfer the Data to the following categories of recipients:

  • Services providers that help us deliver, manage, develop, and improve the services including but not limited to third-party cloud service providers; and

  • Contract partners or business partners who are participating in the performance of the delivery of the Services.

Moreover, we may share your personal information with the following categories of recipients:

  • Legal advisors;

  • Auditors for the performance of audits;

  • Courts and public authorities; and

  • Any acquirer or successor in the event of a corporate sale, merger, reorganization, dissolution, or similar event if any of your personal information is part of the assets we transfer or share in preparation for such a transaction.

Aggregated information.

From time to time, we may also share anonymized and/or aggregated information, such as by publishing a report on trends in the usage of our Services.

5. Retention and international transfers

Retention

Except as otherwise provided in this Policy, we will retain the Data for (i) the period necessary to fulfill the purposes outlined herein, in particular as long as necessary to complete the bankruptcy process in which the claim pertains and (ii) as long as required by law or (iii) as long as relevant potential legal claims are not yet time-barred.

Please note that data published on-chain must be assumed to be perpetually public and data stored on IPFS will live as long as hosted by any node.

International Transfers

Our operations are supported by a network of computers, servers, and other infrastructure and information technology, including, but not limited to, third-party service providers and nodes. Therefore, your Personal data may be processed outside your country of residence or jurisdiction. The data protection laws in these jurisdictions may be different or less stringent.

6. Security

We use commercially reasonable physical, electronic, and procedural safeguards designed to protect the Data against loss or unauthorized access, use, modification, or deletion. However, no security program is foolproof, and thus we cannot guarantee the absolute security of the Data. For more information about our Security program, please visit our Validity & Security page.

7. Your privacy rights

If you provide us, our service providers or our affiliates with any Data, you represent that you have the authority to do so, and where required, have obtained the necessary consent, and acknowledge that it may be used in accordance with this Privacy Statement.

If you want to exercise your rights relating to your Data or believe that your personal data has been provided to us improperly, please contact us by emailing privacy at cex dot claims. Please note that we may ask you to verify your identity before taking further action on your request.

In some jurisdictions, applicable law may give you legal rights including but not limited to:

  • Request confirmation of whether we are processing your personal information, obtain a copy of your personal information, and obtain information about how we handle your personal information;

  • Receive an electronic copy of personal information that you have provided to us in a structured, commonly used, and machine-readable format, or ask us to transmit this information to another company (where technically feasible);

  • Subject to certain exceptions prescribed by law or contract, request deletion of your personal information;

  • Object to or restrict our uses of your personal information;

  • Seek correction or amendment of inaccurate, untrue, incomplete, or improperly processed personal information; and

  • Lodge a complaint with the competent supervisory authority or regulatory agency.

  • Data portability to obtain and reuse your personal data for your own purposes in a safe and secure way without this effecting the usability of your data

Where we process your personal information based on your consent, you may withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

We will not discriminate against you for exercising any of the above rights.

Appeals

Certain jurisdictions provide residents a right to appeal a refusal of a request, you may request an appeal of a refusal by sending an email to privacy at cex dot claims.

You consent to us obtaining and using the Data to enable your use of the Services which might be partly based on artificial intelligence or automation algorithms; this includes your consent to CEX Claims sharing the Data as authorized and CEX Claims retaining the Data to provide our Services or as otherwise provided herein.

You have the right to withdraw your consent at any time. The withdrawal of your consent does not affect the lawfulness of processing based on your consent before its withdrawal. If we have collected your personal information on the basis of your consent and you then withdraw your consent, we may retain the Data independent of your consent to the extent necessary to establish, exercise or defend legal claims, to comply with legal obligations, or to identify potentially fraudulent transactions.

9. Other important information

Manual review for data quality

To help safeguard the quality of the Services, we implement measures that may include manual review of the personal information by specially trained verification agents.

Automated decision making

We may make automated decisions using Data provided for claim tokenization at your direction; you consent to any automated decisions at the time of submission. You are given the opportunity to review all NFT data generations and minting information prior to minting the NFT on-chain. We do not use automated decision-making that would produce legal effects for you, or that would similarly significantly affect you.

We process your personal information on the following legal bases:

  • Your consent;

  • Our and any related parties’ (including purchasers and lenders’) prevailing legitimate interest to utilize the bankruptcy claims in financial transactions and legal matters;

  • The prevailing legitimate interest of individuals who are victims of identity theft to not suffer fraudulent transactions;

  • The necessity to comply with legal obligations to which we are subject; and

  • The necessity for the establishment, exercise, or defense of legal claims.

Children’s privacy

The Services are not directed to children under the age of 13, and we will never knowingly collect personal or other information from anyone it knows is under the age of 13. We recommend that persons over 13, but under 18 years of age, ask their parents for permission before using the Services or sending any information about themselves to anyone over the Internet.

10. Changes to this policy

Technology and the Internet are rapidly changing. We therefore are likely to make changes to the Services or privacy practices in the future and as a consequence will need to revise this Policy to reflect those changes. If we revise the Policy, we will post any updates on the publication page linked to from our website footer, so we recommend reviewing the page periodically. If we make a material change to the Policy, you will be notified appropriately.

If anything in this Policy causes a concern for minting your NFT, we are happy to discuss ways to increase privacy and consider a new, more private collection while being considerate of legal validity and security.

Last updated