Privacy Policy

Last updated: 24 September 2025

Scorechain S.A. ("Scorechain", "we", "our", "us") is a blockchain analytics and crypto-compliance provider headquartered in Luxembourg. This Privacy Policy explains how we collect, use, disclose, transfer, and protect personal data when you visit our websites, use our products and APIs, engage with our events and marketing, or receive professional services from us (together, the "Services"). It also describes choices and rights available to individuals under applicable laws, in particular the EU General Data Protection Regulation (GDPR).

Important: We operate a privacy-by-design program. Except where we expressly act as an independent controller (for example, for our own websites, sales and marketing, billing, security and fraud prevention), we generally act as a processor of personal data on behalf of our enterprise customers who are the controllers of their own datasets. This Policy covers both roles and explains the differences.

1) Who we are and scope

  • Entity: Scorechain S.A., 11, boulevard du Jazz, L-4370 Belvaux, Luxembourg.
  • Contact: support@scorechain.com
  • Data Protection Officer (DPO): support@scorechain.com

This Policy applies where we decide the purposes and means of processing (controller activities) and where we process on documented instructions from our customers (processor activities). If there is any conflict between this Policy and a written agreement with a customer (e.g., a Data Processing Addendum), the agreement prevails for that customer’s data.

2) The data we process

We seek to minimize personal data and favor aggregation, hashing, and tokenization. The categories we may process are:

A. Account & business contact data (controller): name, employer, role, work email, phone, authentication and access logs, subscription preferences.

B. Billing & transactional data (controller): invoicing details, payment method tokens, VAT/Tax IDs, billing contacts, service usage needed to calculate fees.

C. Website/device data (controller): IP address, device identifiers, browser type, language, time zone, pages viewed, referring URLs, crash/diagnostic logs, cookie identifiers, and consent choices.

D. Event & marketing data (controller): registrations, attendance, webinar recordings, newsletter preferences, campaign engagement, feedback forms.

E. Recruitment data (controller): CV/resume, application content, interview notes, eligibility to work, background check outcomes where lawful.

F. Customer-submitted content (processor): blockchain identifiers (e.g., wallet addresses, transaction hashes), labels and notes, case files, uploaded lists (e.g., counterparties), API queries and outputs, and any other data the customer chooses to load into the Services.

G. Public blockchain data (processor/controller): on-chain records, including addresses and transaction metadata gathered from public networks and block explorers, and our derived analytics (e.g., clustering inferences, risk indicators). On-chain identifiers may be considered personal data in certain cases under EU law. We apply safeguards and comply with applicable obligations where relevant.

H. Risk & compliance data (controller/processor): sanctions entries, politically exposed person (PEP) flags, adverse media metadata, geographic risk signals, regulatory lists and watchlists from official/public or licensed sources.

We may incorporate official sanctions or regulatory lists where required by law, with appropriate safeguards.

3) Where the data comes from

  • Directly from you or your employer (account setup, support, contracts, events).

  • From your use of the Services (logs, telemetry, cookies/SDKs).

  • From public sources (e.g., public blockchains, official sanctions registers, corporate registries).

  • From trusted vendors acting under contract (e.g., cloud hosting, payment processors, email delivery, analytics limited to our own sites and apps).

4) Purposes and legal basis

We process personal data only where we have a valid legal basis under the GDPR. The purposes for which we use personal data, and the corresponding legal bases, are:

Operating and providing our services
We use personal data to create and manage accounts, provide authentication, operate APIs, and deliver the services you request.
Legal basis: Performance of a contract and our legitimate interests in operating the service.

Security and fraud prevention
We process personal data to detect and prevent fraud, abuse, or security incidents, and to maintain the integrity of our systems.
Legal basis: Legitimate interests and compliance with legal obligations.

AML / compliance and risk analysis
Where required, we process relevant data to help meet anti-money laundering or regulatory requirements, including on behalf of customers.
Legal basis: Legitimate interests and legal obligations, where applicable.

Marketing and communications
We may send newsletters, event information, or marketing communications.
Legal basis: Consent (where required by local law); otherwise legitimate interests.
You can opt out at any time.

Product improvement and analytics
We analyze usage to improve our services and develop new features. Where possible, we use aggregated or pseudonymized data.
Legal basis: Legitimate interests.
For non-essential cookies or similar technologies, we obtain consent where required.

Recruitment and HR
If you apply for a role with us, we use your data for recruitment and employment processes.
Legal basis: Legitimate interests, employment law obligations, and consent where required by local law.

5) Automated decision-making & profiling

Our Services compute risk indicators about blockchain activity (e.g., exposure to sanctioned entities). These risk outputs are decision support for compliance teams and are not designed to be the sole basis for decisions producing legal or similarly significant effects about a person. Where a customer configures automated rules, they remain responsible for human review as appropriate. We provide explanations of key factors and allow customers to tune rules and thresholds.

6) International data transfers

We host core production systems in the EU. Where transfers outside the EU occur (e.g., to vetted vendors, global support, or at a customer’s direction), we use appropriate safeguards such as the EU Standard Contractual Clauses, plus technical and organizational measures (encryption in transit/at rest, access controls). We disclose transfer details in our DPA and vendor list.

7) How we share data

We share personal data:

  • With processors/sub-processors who perform services for us (hosting, email/SMS delivery, analytics and product experience tools limited to our properties, customer support, payments). We require strict confidentiality, security, and data-protection terms.
  • With enterprise customers (when we act as their processor) according to their instructions and access controls.
  • With competent authorities or courts when legally required or to protect our rights, users, or others.
  • In corporate transactions (merger, acquisition) subject to appropriate safeguards.

We do not sell personal information and do not share it for cross-context behavioral advertising. If this changes, we will update this Policy, honor opt-out/limit rights, and display required notices.

8) Retention

We keep personal data only as long as necessary for the purposes described above or as required by law. Typical retention periods are:

  • Account & auth logs: 12–24 months (security).
  • Billing & contracts: up to 10 years (statutory/accounting).
  • Support tickets: 3 years after closure.
  • Marketing records: up to 3 years after your last interaction with us, unless you opt out earlier.
  • Recruitment: up to 12 months after decision, unless longer retention is required/consented to.
  • Customer-submitted content (processor): as instructed by customers; we provide deletion tools and API endpoints.

Backups and archives are purged on rolling schedules. When retention ends we delete, aggregate, or irreversibly anonymize data.

9) Security & operational resilience

We maintain technical and organizational measures aligned with industry standards and EU financial-sector resilience expectations, including:

  • Encryption, access controls, monitoring, and resilience programs in line with industry standards. Details are available in our Security Whitepaper upon request, provided there is a legitimate business reason and the information requested is relevant to the engagement.
  • Incident detection and response with customer and regulator notification support as required by law.
  • Business continuity and disaster recovery with regular testing.
  • Vendor risk management, audit and assessment rights for enterprise customers, and contractual security obligations.

Customers regulated in the EU financial sector can incorporate our security controls and audit rights into their operational resilience programs. We provide security whitepapers and detailed TOMs (technical and organizational measures) upon request provided there is a legitimate business reason and the information requested is relevant to the engagement.

10) Cookies & similar technologies

We use necessary cookies for site functionality and, with your consent, analytics or similar technologies. Details of specific cookies and vendors are shown in our Cookie Banner.

11) Your rights

Individuals in the European Economic Area have the right to: access; rectification; erasure; restriction; portability; and to object to processing based on legitimate interests or direct marketing. Where processing relies on consent, you may withdraw it at any time.

We comply with GDPR for EU/EEA and UK users, and respect applicable local privacy laws elsewhere.

For requests, email contact@scorechain.com. We may verify your identity and will respond within the deadlines set by Applicable Privacy Laws. If you believe your rights have been infringed, you may lodge a complaint with your local supervisory authority (e.g., the CNPD in Luxembourg).

12) Children’s privacy

Our Services are for professional/business use and are not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact us to delete it.

13) Processor terms & government access requests

When we act as a processor, we process customer personal data only on documented instructions, implement security measures, assist with data subject requests and impact assessments, and flow down protections to sub-processors. We notify customers of any legally binding request for disclosure from public authorities unless prohibited by law and challenge overbroad or unlawful requests.

Information about categories of sub-processors used by Scorechain (e.g., hosting, email delivery, support tools) is available on request by contacting contact@scorechain.com. We will provide notice of material changes as specified in our DPA.

14) Data protection impact assessments

We assess privacy risks of our processing activities and implement proportionate mitigations where required by law.

15) International specific terms

  • European Union / EEA: Processing is carried out in accordance with the GDPR.

  • Global users: While GDPR is our primary framework, we respect and comply with other applicable privacy laws in regions where our users are located, including the UK, to the extent required by local law.

16) Changes to this Policy

We will revise this Policy from time to time. We will post the updated version and, if changes are material, provide prominent notice (e.g., in-product notice or email to account owners). The "Last updated" date at the top shows the effective date of the latest version.

17) How to contact us

  • Email: support@scorechain.com

  • Postal: Scorechain S.A., Attn: Privacy, 11, boulevard du Jazz, L-4370 Belvaux, Luxembourg.

Annex A – Definitions

  • Personal data / personal information: any information that identifies or relates to an identified or identifiable individual, including online identifiers and precise location data when linked to a person.

  • Processing: any operation on personal data, such as collection, storage, analysis, disclosure, or deletion.

  • Controller/Processor: as defined by the GDPR and similar laws.

Annex B – High-level Technical and Organizational Measures (TOMs)

  • Encryption in transit and at rest; secure key management.
  • Role-based access control, MFA, SSO; and regular access reviews.
  • Network segmentation, WAF, DDoS mitigation; vulnerability scanning, and penetration testing.
  • Secure development lifecycle with code review and dependency monitoring.
  • Logging, monitoring, and anomaly detection with retention consistent with Section 8.
  • Incident response runbooks, breach assessment and notification procedure; disaster recovery and business continuity with tested RTO/RPO targets.
  • Vendor due diligence and ongoing monitoring; sub-processor onboarding/offboarding with contractual safeguards.

If you have questions about this Policy or how we protect privacy on and off the chain, contact us at support@scorechain.com.
