PRECOG NEXUS – PRIVACY POLICY

Effective date: 28th August 2025
This Privacy Policy explains how Precog Nexus Corp. and its affiliates (collectively, “Precog Nexus,” “we,” “us,” or “our”) collect, use, disclose, and protect personal information when you visit or use:
Our websites, including precog.nexus and any sub‑domains (the “Sites”);
Online products, web apps, mobile apps, smart‑contract interfaces, dashboards, and related services we operate (the “Services”);
Communications and marketing channels, including email, social media, events, surveys, and customer support.
This Policy applies wherever we operate and regardless of device or channel. It includes additional regional disclosures for the EEA/UK (GDPR), Australia (Privacy Act 1988 & APPs), California (CCPA/CPRA), and Malaysia (PDPA 2010). Where local laws require stricter protections, we follow those.
Important Web3 note. Public blockchains are distributed ledgers intended to be immutable and transparent. Transactions (including wallet addresses and on‑chain metadata) are generally public and not controlled by Precog Nexus. We cannot modify or delete data recorded on a blockchain. We explain below how we handle off‑chain data that we control.
1) Who we are and how to contact us
Controller: Precog Nexus Corp., Labuan, Malaysia (and relevant affiliates). For some Services, an affiliate may be the controller—details are provided at the point of collection or in your agreement.
Contact (all regions): privacy@precog.nexus
Postal address: Labuan, Malaysia
EU/UK representative (GDPR Art. 27): TBC.
Data Protection Officer (if appointed): TBC
For Australian privacy queries, you can also consult the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au. For Malaysia, see the Jabatan Perlindungan Data Peribadi (JPDP) at www.pdp.gov.my.
2) The information we collect
We collect information from three sources: you, automatically (via the Sites/Services), and third parties.
A. Information you provide directly
Account & profile: name, username/handle, email, phone, photo/avatar, job title, organization, country.
Credentials: hashed passwords or SSO identifiers (we never store your raw passwords for third‑party services).
Wallet linkage: wallet address(es) you connect, network(s), signatures used to prove ownership; we never request or store your private keys.
Transactions via our Services: off‑chain orders, KYC/KYB forms, sanctions declarations, questionnaires, support tickets.
Identity verification (KYC/KYB): government ID details, date of birth, selfies/liveness checks, proof of address—typically processed by vetted verification partners (see Sections 7 and 9).
Payments & billing: billing name, email, address, partial card details (tokenized by our payment processor), tax IDs, invoices.
Communications & marketing: email preferences, event registrations, survey responses, contest entries.
Developer/workspace content: logs, API usage, metadata, and other content you submit to our Services.
B. Information collected automatically
Usage data: pages viewed, features used, clickstream, time on page, referral URLs.
Device & network: IP address, device IDs, browser type/version, OS, language, screen size, mobile carrier, network type.
Cookies & similar tech: session cookies, analytics cookies, advertising cookies, web beacons, pixels, local storage (see Section 6).
Security & fraud signals: failed logins, rate limits, abnormal patterns, geolocation inferences, and other telemetry.
C. Information from third parties
Vendors & partners: analytics providers (e.g., website analytics), payment processors, KYC/KYB vendors, CRM/support tools, ad networks, data enrichment providers.
Public sources: block explorers, public social profiles, company registries, and other open data sets.
Enterprise customers: if you use the Services under an organization’s account, your admin may provide user lists and role metadata.
D. Web3 & blockchain data
Wallet addresses and transaction hashes you interact with via our interfaces are public on the relevant chain. We may index or link your wallet address to your account email or other identifiers for security, feature enablement, or regulatory compliance.
Where we store off‑chain metadata (e.g., project settings, RWA tokenization records, provenance logs, signatures, and audit trails), that off‑chain data is under our control and subject to this Policy.
E. Inferences & AI‑generated signals
We may derive inferences about preferences, risk scores, and likely interests (e.g., feature usage clusters) using analytics and machine learning. See Section 12 for your rights in relation to profiling and automated decisions.
F. Sensitive information
We do not require sensitive personal information unless necessary (e.g., KYC biometric checks, sanctions screening). If collected, we use enhanced safeguards and limit access.
3) Why we use your information (Purposes)
We process personal information for:
Providing the Services: account creation, authentication, wallet linkage, transactions, content hosting, customer support.
Security & integrity: fraud prevention, abuse detection, incident response, rate limiting, threat analysis, anti‑spam, and anti‑bot measures.
Compliance & risk: KYC/KYB, AML/CFT screening, sanctions checks, tax and audit obligations, recordkeeping, dispute resolution.
Product improvement: diagnostics, analytics, research, beta testing, and new feature development (including AI‑assisted features).
Personalization: tailoring content, dashboards, and recommendations, including Web3‑specific prompts.
Marketing & communications: service announcements, updates, newsletters, and events (you can opt out of non‑essential marketing).
Business operations: billing, accounting, vendor management, mergers/acquisitions due diligence, and corporate governance.
Legal: enforcing terms, protecting our rights/users/public, responding to lawful requests, and complying with applicable law.
4) Our legal bases under GDPR/UK GDPR
Where GDPR/UK GDPR applies, our legal bases include:
Contract (Art. 6(1)(b)): to provide and support the Services.
Legitimate interests (Art. 6(1)(f)): to secure and improve Services, prevent fraud, personalize features, and market to business users (balanced against your rights).
Consent (Art. 6(1)(a)): for certain cookies/marketing, optional features, and where required by law. You may withdraw at any time.
Legal obligation (Art. 6(1)(c)): KYC/AML, sanctions, tax, bookkeeping, and responding to lawful requests.
Where we process special category data (rare), we rely on Art. 9(2) bases (e.g., explicit consent or substantial public interest) where applicable.
5) Do we sell personal information?
We do not sell personal information in the traditional sense. Under CPRA, “sell” or “share” can include certain advertising disclosures. Where our use of advertising cookies/pixels constitutes “selling” or “sharing,” you may opt‑out via the “Do Not Sell or Share My Personal Information” link (see Section 6) and “Limit Use and Disclosure of Sensitive PI” where applicable.
6) Cookies, analytics, and advertising
We use cookies and similar technologies to operate and improve the Sites/Services.
Strictly necessary: sign‑in, load balancing, security.
Performance/analytics: usage metrics, error diagnostics, A/B testing.
Functional: preferences, localization, saved settings.
Advertising/retargeting: only where enabled; controls provided.
Your choices:
Use our Cookie Settings banner or preference center to accept/decline non‑essential cookies.
Configure your browser to block or delete cookies (may impact functionality).
For interest‑based ads, use platform tools (e.g., Google Ad Settings) and regional opt‑out portals.
Do Not Track: We currently do not respond to DNT signals due to lack of a common standard.
7) KYC/KYB, AML/CFT & sanctions screening
If you access features that require identity verification or entity onboarding, we may process:
Government IDs, biometrics/liveness checks, proof of address, beneficial ownership, corporate registry documents.
Sanctions and watchlist screening results.
These processes are often conducted via trusted third‑party providers acting as processors or separate controllers. We receive results/metadata needed to make eligibility decisions and meet legal obligations. See Section 9 for disclosures.
8) Web3 & RWA tokenization specifics
Public ledgers: Wallet addresses and transactions are public. Anyone can view them via block explorers. We cannot erase or alter on‑chain data.
Provenance & audit: For RWA tokenization and provenance features, we may publish hashes or other proofs to a blockchain. Hashes alone generally do not reveal plain personal data, but linkage may exist.
Off‑chain mapping: Where identity/off‑chain records map to on‑chain identifiers, we store and protect the off‑chain records under this Policy.
Private keys: We will never request your seed phrase or private keys. Treat any such request as suspicious and contact us immediately.
9) How we share information
We share personal information only as necessary and with safeguards:
Service providers (processors): hosting, cloud infrastructure, analytics, email/SMS, payments, KYC/KYB/AML, customer support, error tracking, security, and professional advisers (law, audit, insurance).
Business partners: integrations you enable (e.g., single sign‑on, wallet providers, custodians, exchanges). Sharing follows your settings and the partner’s policy.
Corporate transactions: financing, merger, acquisition, or asset sale—subject to confidentiality and compliance.
Legal: to comply with laws, lawful requests, court orders, or to protect rights, safety, and security.
Public: content you intentionally make public (e.g., forum posts, profile name/avatar) and on‑chain actions recorded on public ledgers.
We require processors to process personal information only on our instructions, under confidentiality and security obligations, and to implement appropriate technical and organizational measures.
10) International transfers
We operate globally and may transfer information to countries with different data protection laws. When transferring from the EEA/UK to countries without an adequacy decision, we use Standard Contractual Clauses (SCCs) (and the UK Addendum, where relevant), plus additional safeguards where appropriate (e.g., encryption at rest/in transit, access controls).
11) Data retention
We retain personal information only for as long as necessary to fulfill the purposes above or as required by law (e.g., tax and AML records may be kept for 5–10 years depending on jurisdiction). Criteria include account status, feature usage, legal obligations, dispute resolution needs, and our backup cycles. We may anonymize data for analytics/research.
12) Automated decision‑making & profiling
We may use automated systems (including AI/ML models) to:
Detect fraud/abuse and secure accounts;
Personalize content and experiences;
Support risk and compliance assessments (e.g., sanctions/KYC risk scores).
Where required by law, you have the right to obtain human review, express your point of view, and contest decisions that produce legal or similarly significant effects.
13) Your privacy rights
Your rights depend on your location and how you use the Services. You can make a request by emailing [privacy@precognexus.com] or via in‑product tools where available. We may verify your identity before responding.
A. EEA/UK (GDPR)
Rights to access, rectify, erase, restrict, object (including to profiling/legitimate‑interests processing), and data portability. You may also lodge a complaint with your local supervisory authority (e.g., ICO in the UK or your EU authority). Where we rely on consent, you can withdraw it at any time.
B. Australia (Privacy Act & APPs)
Rights to access and correction of personal information. You may also complain to us and, if unresolved, to the OAIC. We do not adopt, use, or disclose government‑related identifiers except as permitted by law.
C. California (CCPA/CPRA)
Rights to know (categories/specific pieces), correct, delete, opt‑out of sale/share, limit use/disclosure of sensitive information, and non‑discrimination. See our “CPRA Disclosures” table in Section 16 and the Do Not Sell or Share controls in the footer.
D. Malaysia (PDPA 2010)
Rights to access, correct, and withdraw consent (where consent is the basis). You may also contact the JPDP for recourse.
Note: Additional rights may apply in other regions (e.g., Canada’s PIPEDA, Singapore’s PDPA). We will honor applicable local rights.
14) Marketing choices
You can opt out of non‑essential marketing emails by clicking unsubscribe or adjusting preferences in your account. We may still send service or transactional messages.
15) Security
We implement appropriate technical and organizational measures to protect personal information, including encryption in transit, access controls, vulnerability management, and least‑privilege practices. No method of transmission or storage is 100% secure; if you suspect unauthorized access, contact us immediately.
16) CPRA disclosures (last 12 months)
Categories collected: identifiers (A), customer records (B), protected classifications (C) [only if necessary/consented], commercial info (D), internet/network activity (F), geolocation inferences (G) [approximate], employment information (I) [B2B], inferences (K), and sensitive information [KYC only].
Sources: you, your devices/browsers, enterprise admins, service providers, partners, and public sources.
Business/commercial purposes: as listed in Sections 3–4.
Disclosures for business purposes: to service providers/processors and partners per Section 9.
Sale/Share: We do not sell personal information for money. We may share identifiers and internet activity with ad partners for cross‑context behavioral advertising if enabled; you can opt‑out via our site controls.
Sensitive Personal Information: used only as necessary to provide Services or comply with law (e.g., KYC/AML). We do not use SPI to infer characteristics for advertising.
Retention: per Section 11.
17) Third‑party sites & integrations
Our Sites/Services may link to third‑party websites, wallets, custodians, block explorers, identity providers, ad networks, or social plugins. Their privacy practices are not controlled by us. Review their policies before sharing information.
18) Children’s privacy
Our Services are not directed to children. We do not knowingly collect personal information from individuals under 16 (or as defined by local law) without appropriate consent. If you believe a child has provided personal information, contact us to request deletion of off‑chain data we control.
19) Changes to this Policy
We may update this Policy to reflect legal, technical, or business changes. We will post the updated Policy with a new effective date and, if changes are material, provide additional notice (e.g., email or in‑product notification). Continued use of the Services after the effective date signifies acceptance.
20) How to exercise your rights or contact us
Email: privacy@precog.nexus
Web form: Coming Soon.
Postal: Labuan, Malaysia
We will respond within the timelines required by applicable law. If we cannot fulfill a request due to legal obligations (e.g., retention under AML laws) or technical limitations (e.g., on‑chain immutability), we will explain why.
21) Complaints & dispute resolution
If you have a privacy complaint, please contact us first. If unresolved:
Australia: lodge a complaint with the OAIC (www.oaic.gov.au).
EEA/UK: contact your local supervisory authority (e.g., the ICO in the UK).
Malaysia: contact the JPDP (www.pdp.gov.my).
California: you may also contact the California Attorney General or CPPA for CPRA issues.
22) Appendix – Data categories & retention overview
23) Region‑specific addenda (short‑form)
EEA/UK
Controllers/contacts: see Section 1.
Transfers: SCCs + UK Addendum as applicable.
Complaints: lodge with your local authority.
Australia
We comply with the Australian Privacy Principles (APPs). We will not adopt government identifiers as our own. Cross‑border disclosures occur under APP 8 with appropriate safeguards.
California
See Section 16 for CPRA categories and disclosures. Use site controls to opt‑out of sale/share and to limit SPI use.
Malaysia
We comply with PDPA 2010 principles (Notice & Choice, Disclosure, Security, Retention, Data Integrity, Access). Transfers use appropriate contractual safeguards.
Final notes
Where this Policy conflicts with a specific agreement (e.g., enterprise DPA), the specific agreement controls for that relationship.
For enterprise customers, a Data Processing Addendum (DPA) with SCCs is available upon request.
© 2025 Precog Nexus Corp. All rights reserved.