📋 EXPLICIT CONSENT FOR PERSONAL DATA PROCESSING

Version 1.0 | Last updated: January 10, 2026

Document required by GDPR (EU) 2016/679 and Spanish Law 10/2010

⚠️ IMPORTANT: You must read the entire document before providing your consent. Scroll to the end of the document to enable the consent options.

SECTION 1: INTRODUCTION AND PURPOSE OF THIS DOCUMENT

This document constitutes the Explicit and Informed Consent that you, as a user of the CUANDEORO platform (hereinafter, "the Platform"), must provide in a free, specific, informed and unambiguous manner for the processing of your personal data, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, "GDPR"), as well as Organic Law 3/2018, of December 5, on Personal Data Protection and guarantee of digital rights (hereinafter, "LOPDGDD").

Furthermore, since CUANDEORO operates as an obliged entity within the framework of prevention of money laundering and terrorist financing, the processing of your data is also subject to the provisions of Law 10/2010, of April 28, on the prevention of money laundering and terrorist financing (hereinafter, "Law 10/2010"), and its implementing Regulation approved by Royal Decree 304/2014, of May 5.

LEGAL NOTICE: Reading this document in its entirety is mandatory before you can provide your consent. The system will verify that you have accessed all the content before enabling the acceptance or rejection options.

1.1. Identification of the Data Controller

For the purposes provided in current data protection regulations, the controller responsible for the processing of your personal data is:

Concept | Information
Company Name | CUANDEORO TECHNOLOGIES, S.L.
Tax ID (CIF) | [Pending registration]
Registered Office | Spain
Email | privacy@cuandeoro.es
Data Protection Officer | dpo@cuandeoro.es

1.2. Purpose of Processing

CUANDEORO is a technology platform that facilitates the purchase and sale of real estate through blockchain technology (specifically, the Stellar network) and smart contracts. To provide our services efficiently, securely and in compliance with current legislation, we need to collect, store and process certain personal data from our users.

This document aims to inform you exhaustively and in detail about:

  1. The personal data that will be processed
  2. The specific purposes for which said data will be processed
  3. The legal basis that legitimizes each processing
  4. The retention periods applicable to each category of data
  5. The recipients or categories of recipients of the data
  6. International data transfers, if any
  7. Your rights as data subject
  8. The consequences of not providing the requested data
  9. The existence of automated decisions, including profiling

SECTION 2: APPLICABLE LEGAL FRAMEWORK

2.1. General Data Protection Regulation (GDPR)

Regulation (EU) 2016/679, directly applicable in all European Union Member States since May 25, 2018, establishes the fundamental legal framework for the protection of natural persons with regard to the processing of their personal data.

In accordance with Article 4.11 GDPR, "consent of the data subject" means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Article 7 GDPR establishes the conditions for consent, requiring that:

  • The controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data
  • If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters
  • The data subject shall have the right to withdraw his or her consent at any time, it being as easy to withdraw as to give consent
  • When assessing whether consent is freely given, utmost account shall be taken of whether the performance of a contract is conditional on consent to the processing of personal data that is not necessary for the performance of that contract

2.2. Spanish Data Protection Law (LOPDGDD)

Organic Law 3/2018, of December 5, on Personal Data Protection and guarantee of digital rights, complements and develops the GDPR in the Spanish legal system. This law establishes specific provisions for data processing in certain sectors and situations, as well as a catalog of digital rights.

Article 6 LOPDGDD regulates processing based on the consent of the data subject, establishing that:

"1. In accordance with Article 4.11 of Regulation (EU) 2016/679, consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. When the processing of data is intended to be based on the consent of the data subject for multiple purposes, it shall be necessary for it to be specifically and unequivocally stated that such consent is given for all of them."

2.3. Anti-Money Laundering Law (Law 10/2010)

Law 10/2010, of April 28, on the prevention of money laundering and terrorist financing, imposes on obliged entities—among which CUANDEORO is included due to its activity of intermediation in real estate transactions with crypto-assets—a series of due diligence obligations that necessarily involve the processing of clients' personal data.

⚠️ IMPORTANT - LEGAL OBLIGATION TO RETAIN DATA:

In accordance with Article 25 of Law 10/2010, CUANDEORO is legally obligated to retain documentation related to the fulfillment of due diligence obligations for a period of TEN (10) YEARS from the termination of the business relationship or the execution of the transaction.

This means that your identification data (KYC), copies of identity documents, information about transactions carried out and any other documentation related to the prevention of money laundering will be retained for a minimum of 10 years, regardless of whether you request the deletion of your data.

Article 25.1 of Law 10/2010 textually states:

"Obliged entities shall retain for a period of ten years the documentation formalizing compliance with the obligations established in this law, proceeding to its deletion thereafter. After five years from the termination of the business relationship or the execution of the occasional transaction, the retained documentation shall only be accessible by the internal control bodies of the obliged entity, including the technical prevention units, and, where applicable, those in charge of their legal defense."

2.4. Implications of the Legal Framework for Users

The convergence of the aforementioned regulations has the following practical implications for you as a user:

Aspect | Implication | Legal Basis
Minimum retention | Your KYC data will be retained for 10 years mandatorily | Art. 25 Law 10/2010
Right to erasure | NOT applicable to KYC data during the legal period | Art. 17.3.b) GDPR
Restricted access | After 5 years, access only for compliance | Art. 25 Law 10/2010
Mandatory deletion | After 10 years, automatic deletion | Art. 25 Law 10/2010

SECTION 3: CATEGORIES OF PERSONAL DATA PROCESSED

3.1. Identification Data

To comply with the formal identification obligations established in Article 3 of Law 10/2010, CUANDEORO will collect the following identification data:

  • Full name as it appears on the official identity document
  • Identity document number: DNI (Spain), NIE (foreign residents in Spain), Passport (non-resident foreigners)
  • Date of birth
  • Place of birth (country and locality)
  • Nationality (current and previous, if any)
  • Full address (street, number, floor, postal code, city, province, country)
  • Contact details: mobile phone number, landline number (optional), email address
  • Photograph of identity document (front and back)
  • Selfie photograph for biometric verification
  • Handwritten signature (digitized)

3.2. Beneficial Owner Identification Data

In accordance with Article 4 of Law 10/2010 and Article 4 bis introduced by Royal Decree-Law 7/2021, data will be collected to identify the beneficial owner of operations:

  • Sworn declaration of whether you are acting on your own behalf or on behalf of third parties
  • In the case of legal entities: ownership and control structure
  • Identification of natural persons who control more than 25% of the capital
  • Identification of administrators and attorneys

3.3. Economic-Financial Data

To comply with know-your-customer (KYC) obligations and continuous monitoring of the business relationship established in Articles 5 and 6 of Law 10/2010, the following data will be processed:

  • Professional or business activity
  • Source of funds used in transactions
  • Origin of wealth
  • Purpose and intended nature of the business relationship
  • Estimated volume of operations
  • Bank details: IBAN of bank account(s)
  • Wallet data: crypto-asset wallet addresses (Stellar, etc.)
  • Transaction history carried out through the Platform

3.4. Special Categories of Data

In certain circumstances, it may be necessary to process special categories of data according to Article 9 GDPR:

  • Politically Exposed Person (PEP) status: In accordance with Article 14 of Law 10/2010, it will be verified whether you or your close relatives hold or have held relevant public offices
  • Biometric data: For identity verification through facial recognition

3.5. Navigation and Technical Data

  • IP address
  • Browser type and version
  • Operating system
  • Pages visited and time spent
  • Cookies and similar technologies (subject to specific consent)
  • Geolocation data (if expressly authorized)
  • Device identifiers

SECTION 4: PURPOSES OF PROCESSING AND LEGAL BASES

4.1. Processing Based on Legal Obligation

The following processing is carried out in compliance with legal obligations (Art. 6.1.c) GDPR) and does NOT require your consent, being mandatory for the provision of services:

Purpose | Legal Basis | Retention Period
Formal customer identification (KYC) | Art. 3 Law 10/2010 | 10 years
Beneficial owner identification | Art. 4 Law 10/2010 | 10 years
Knowledge of business relationship purpose | Art. 5 Law 10/2010 | 10 years
Continuous monitoring of operations | Art. 6 Law 10/2010 | 10 years
Special examination of suspicious operations | Art. 17 Law 10/2010 | 10 years
Communication to authorities (SEPBLAC) | Art. 18 Law 10/2010 | 10 years
Documentation retention | Art. 25 Law 10/2010 | 10 years
Tax obligations compliance | General Tax Law | 4-6 years

⚠️ IMPORTANT NOTE: Processing based on legal obligation CANNOT be opposed by the user, nor is the right to erasure enabled with respect to such processing during the legally established retention period (Art. 17.3.b) GDPR).

4.2. Processing Based on Contract Performance

The following processing is necessary for the performance of the service provision contract (Art. 6.1.b) GDPR):

  • Management of your user account on the Platform
  • Processing of real estate transactions
  • Escrow management through smart contracts
  • Operational communications related to your transactions
  • Billing and service collection
  • Handling inquiries and complaints

4.3. Processing Based on Consent

The following processing requires your express consent (Art. 6.1.a) GDPR) and can be revoked at any time:

  • Sending commercial communications and newsletters
  • Commercial profiling
  • Data sharing with third parties for commercial purposes
  • Use of non-essential cookies
  • Geolocation for value-added services

4.4. Processing Based on Legitimate Interest

In accordance with Art. 6.1.f) GDPR, the following processing will be carried out based on the legitimate interest of the controller:

  • Fraud prevention
  • Platform security assurance
  • Service improvement through aggregate analysis
  • Exercise or defense of legal claims

SECTION 5: DATA RETENTION PERIODS

5.1. General Retention Regime

The principle of storage limitation established in Article 5.1.e) GDPR requires that personal data be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

However, this principle must be reconciled with the legal documentation retention obligations imposed by Law 10/2010 and other applicable regulations.

5.2. Detailed Retention Period Table

Data Category | Period | Legal Basis | Observations
Identification documents (KYC) | 10 years | Art. 25 Law 10/2010 | From end of business relationship
Beneficial owner information | 10 years | Art. 4 bis Law 10/2010 | From cessation as beneficial owner
Transaction records | 10 years | Art. 25 Law 10/2010 | From execution of operation
Communications to SEPBLAC | 10 years | Art. 25 Law 10/2010 | From the communication
Blockchain wallet addresses | 10 years | Art. 25 Law 10/2010 | Associated with AML operations
Invoices and commercial documents | 6 years | Art. 30 Commercial Code | From fiscal year closing
Tax documentation | 4 years | Art. 66 General Tax Law | Tax limitation period
Granted consents | While valid + 6 years | GDPR + Limitation of actions | Evidence of consent
Navigation data (logs) | 2 years | Legitimate interest | Platform security
Commercial communications (if consented) | Until revocation | Consent | Can be revoked at any time

5.3. Access Regime During Retention Period

In accordance with Article 25.1 in fine of Law 10/2010, retained documentation will be subject to different access levels depending on elapsed time:

📅 YEARS 0-5: Access for normal operations and regulatory compliance.

📅 YEARS 5-10: Access restricted exclusively to:
  • Internal control bodies
  • Technical prevention units
  • Legal defense officers
  • Competent authorities (upon formal request)

📅 YEAR 10+: Automatic and secure deletion of data.

SECTION 6: DATA RECIPIENTS

6.1. Legally Required Communications

Your data may be communicated to the following authorities and organizations in compliance with legal obligations:

  • SEPBLAC (Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses): In case of suspicious operations or upon request
  • Tax Agency: Tax-relevant information
  • Courts and Tribunals: In the context of judicial proceedings
  • Law Enforcement: In investigations related to money laundering
  • Notaries: For the formalization of public deeds
  • Property Registries: For registration of transfers

6.2. Data Processors

CUANDEORO uses the following data processors, who access your data to provide necessary services:

  • Identity verification providers (KYC): For documentary and biometric verification
  • Cloud service providers: For secure data hosting
  • Payment gateways: For fiat payment processing
  • Crypto-asset custody services: For blockchain fund management
  • Legal and tax advisors: For regulatory compliance

All data processors have signed the corresponding data processing agreements pursuant to Article 28 GDPR, guaranteeing the confidentiality and security of your data.

6.3. International Transfers

Your data may be subject to international transfers to countries outside the European Economic Area in the following cases:

  • Countries with adequacy decisions: The European Commission has determined that they offer an equivalent level of protection to European standards
  • Standard contractual clauses: When the recipient has signed the standard contractual clauses approved by the European Commission
  • Explicit consent: When you have expressly consented to the transfer, having been informed of the possible risks

SECTION 7: DATA SUBJECT RIGHTS

7.1. Catalog of Rights

Current regulations recognize the following rights regarding your personal data:

Right | Content | GDPR Article
Access | Obtain confirmation of whether your data is being processed and access to it | Art. 15
Rectification | Obtain rectification of inaccurate or incomplete data | Art. 16
Erasure | Obtain erasure of data when certain circumstances apply | Art. 17
Restriction | Obtain restriction of processing in certain cases | Art. 18
Portability | Receive your data in a structured, commonly used format | Art. 20
Objection | Object to processing based on legitimate interest or marketing purposes | Art. 21
No automated decisions | Not be subject to decisions based solely on automated processing | Art. 22

7.2. Legal Limitations on Exercise of Rights

⚠️ IMPORTANT - LIMITATIONS ON THE RIGHT TO ERASURE:

In accordance with Article 17.3.b) GDPR, the right to erasure shall NOT apply where processing is necessary for compliance with a legal obligation which requires processing of personal data imposed by Union or Member State law.

Consequently, you will NOT be able to exercise the right to erasure with respect to data processed in compliance with Law 10/2010 during the mandatory 10-year retention period.

Furthermore, Article 17.3.e) GDPR excludes the right to erasure when processing is necessary for the establishment, exercise or defense of legal claims.

7.3. Procedure for Exercising Rights

To exercise any of the indicated rights, you must:

  1. Send a written request to privacy@cuandeoro.es
  2. Clearly indicate the right you wish to exercise
  3. Attach a copy of your identity document
  4. If you are acting through a representative, prove the representation with a valid document

CUANDEORO will respond to your request within one month from receipt, extendable by two additional months in cases of particular complexity.

7.4. Right to Lodge a Complaint with a Supervisory Authority

If you consider that the processing of your personal data violates current regulations, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD):

  • Address: C/ Jorge Juan, 6, 28001 Madrid
  • Web: www.aepd.es
  • Phone: 901 100 099

SECTION 8: SECURITY MEASURES

CUANDEORO has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR, including:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA)
  • Audit logs of all access to personal data
  • Encrypted daily backups
  • Periodic penetration testing
  • Ongoing staff training on data protection
  • Security incident response procedures

SECTION 9: AUTOMATED DECISIONS AND PROFILING

CUANDEORO uses automated systems for money laundering risk assessment, in accordance with the obligations imposed by Law 10/2010. These systems:

  • Verify identity through biometric comparison
  • Check presence on international sanctions lists
  • Assess customer risk level (low, medium, high)
  • Detect unusual transaction patterns

If an automated decision produces legal effects concerning you or significantly affects you, you have the right to:

  • Obtain human intervention from the controller
  • Express your point of view
  • Contest the decision

SECTION 10: MODIFICATIONS TO THIS DOCUMENT

CUANDEORO reserves the right to modify this consent document to adapt it to legislative, jurisprudential or business practice developments. In case of substantial modifications, you will be notified through the contact means provided, requiring new consent if necessary.

It is recommended to periodically review this document, the updated version of which will always be available on the Platform.

SECTION 11: APPLICABLE LAW AND JURISDICTION

This consent document is governed by Spanish law and, in particular, by:

  • Regulation (EU) 2016/679 (GDPR)
  • Organic Law 3/2018 (LOPDGDD)
  • Law 10/2010 on Prevention of Money Laundering
  • Royal Decree 304/2014 (Regulation of Law 10/2010)
  • Law 34/2002 on Information Society Services

For any dispute that may arise from the processing of your personal data, the Courts and Tribunals of the user's domicile shall have jurisdiction, in accordance with consumer protection regulations.

END OF CONSENT DOCUMENT

You have reached the end of the document. You may now proceed to grant or deny your consent.

By clicking "I ACCEPT AND GRANT MY CONSENT", the date, time, your IP address and the version of the accepted document will be recorded as proof of granted consent.