Data Protection

Privacy Policy

How Corporate Business Consulting Group Limited collects, processes, and protects your personal data in connection with the KeyCandle platform.

Last updated: 8 March 2026

We never sell your data
End-to-end encryption (AES-256)
GDPR & PDPO compliant

1. Data Controller

The data controller responsible for your personal data is Corporate Business Consulting Group Limited (Company No. 78675544), a Private Company Limited by Shares incorporated under the laws of Hong Kong SAR, with registered office at RM 701, UNIT 108, 7/F, TWR B, NEW MANDARIN PLAZA, 14 SCIENCE MUSEUM RD, TSIM SHA TSUI, HONG KONG (hereinafter referred to as "the Company", "we", "us" or "our"). The Company operates the KeyCandle platform (the "Platform"). This Privacy Policy describes how we collect, process, store, and protect your personal data when you access or use the Platform, in accordance with the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO"), the EU General Data Protection Regulation ("GDPR") where applicable, and other relevant data protection legislation.

2. Information We Collect

We collect and process the following categories of personal data, depending on your use of the Platform:

  • Account data: full name, email address, date of birth, country of residence, username, and cryptographically hashed password.
  • Identity verification data (KYC): government-issued identity document (passport, national ID card, or driver's licence), proof of residential address, selfie or biometric liveness check, and nationality.
  • Financial data: cryptocurrency wallet addresses, deposit and withdrawal history, transaction records, betting history, and balance information.
  • Technical data: IP address, browser type and version, operating system, device identifiers, screen resolution, timezone, and session duration.
  • Usage data: pages visited, features used, click patterns, navigation paths, and interactions with the Platform interface.
  • Communication data: records of support requests, chat messages, emails sent to and received from the Company, and feedback submissions.

3. Legal Basis for Processing

We process your personal data on the following legal bases:

  • Performance of contract: processing is necessary to fulfil our contractual obligations to you, including account management, trade execution, and deposit/withdrawal operations.
  • Legal obligation: processing is required to comply with applicable laws and regulations, including anti-money laundering (AML) and counter-terrorism financing (CTF) requirements, tax reporting obligations, and regulatory inquiries.
  • Legitimate interests: processing is necessary for our legitimate business interests, including fraud prevention, platform security, service improvement, and analytics — provided these interests do not override your fundamental rights.
  • Consent: where required by law, we obtain your explicit consent before processing your data for specific purposes, such as marketing communications. You may withdraw consent at any time.

4. How We Use Your Information

Your personal data is processed for the following purposes:

  • Providing, operating, and maintaining the Platform and its core features
  • Verifying your identity as required by KYC/AML regulations and preventing fraudulent activity
  • Processing your deposits, withdrawals, bets, and other financial transactions on the Platform
  • Communicating with you regarding your account, transactions, support requests, and service updates
  • Complying with all applicable legal and regulatory obligations, including responding to lawful requests from competent authorities
  • Conducting anonymised analytics and statistical research to improve Platform features, reliability, and user experience
  • Detecting, preventing, and investigating security incidents, unauthorised access, and other potentially harmful activities

5. Lawful Basis Processing Schedule

The following table provides a detailed mapping of each processing activity to its corresponding data categories and lawful basis under the GDPR and the PDPO:

Processing Activity | Data Categories | Lawful Basis
Account creation and management | Account data, technical data | Performance of contract
Identity verification (KYC/AML) | Identity verification data, account data | Legal obligation
Transaction processing and settlement | Financial data, account data | Performance of contract
Customer support and dispute resolution | Communication data, account data | Performance of contract / Legitimate interest
Platform analytics and improvement | Usage data, technical data (anonymised) | Legitimate interest
Marketing communications | Account data (email), preferences | Consent
Security monitoring and fraud prevention | Technical data, usage data, financial data | Legitimate interest / Legal obligation

6. Information Sharing & Third Parties

We may disclose your personal data to the following categories of recipients, subject to appropriate safeguards:

  • Service providers: trusted third parties that assist us in operating the Platform, including cloud hosting providers, payment processors, email delivery services, and analytics tools. These providers are contractually bound to protect your data.
  • Regulatory authorities: law enforcement agencies, financial regulators, tax authorities, and courts, when required by law or in response to a valid legal process.
  • KYC verification partners: specialised identity verification providers (e.g., SumSub) that process your identity documents and biometric checks on our behalf.
  • Professional advisors: legal counsel, auditors, and compliance consultants, to the extent necessary for the provision of their professional services.

We do not sell, rent, or trade your personal data to any third party for marketing or any other commercial purpose.

7. Third-Party Service Providers

We engage the following categories of third-party service providers to support the operation of the Platform. Each provider is bound by contractual obligations to process personal data only in accordance with our instructions and applicable data protection laws:

Service Category | Purpose | Safeguards
Cloud Infrastructure & Hosting | Secure storage and delivery of Platform data, application hosting, and content distribution | SOC 2 Type II certified, data encrypted at rest and in transit, EU/US data centres
Payment Processing | Processing cryptocurrency deposits and withdrawals, fiat on-ramp services, and transaction monitoring | PCI DSS compliant, segregated wallets, multi-signature authorisation
Identity Verification (KYC) | Automated identity document verification, biometric liveness checks, and sanctions screening | ISO 27001 certified, data deleted after verification, GDPR-compliant DPA
Analytics & Performance | Anonymised usage analytics, error tracking, and Platform performance monitoring | Data anonymised at collection, IP truncation, no cross-site tracking
Email & Communications | Transactional email delivery, security notifications, and optional marketing communications | DKIM/SPF authentication, TLS-encrypted delivery, CAN-SPAM compliant
Security & CDN | DDoS protection, bot detection, firewall services, and content delivery network | ISO 27001 certified, real-time threat intelligence, no permanent data retention

8. International Data Transfers

As the Company is incorporated in Hong Kong and operates globally, your personal data may be transferred to, stored, and processed in jurisdictions outside your country of residence — including Hong Kong SAR and other locations where our service providers operate. Where personal data is transferred outside the European Economic Area (EEA), we implement appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or rely on adequacy decisions, to ensure an equivalent level of data protection.

9. Data Security Measures

We implement industry-standard technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:

  • All data in transit is protected by TLS 1.3 encryption across every endpoint
  • Passwords are stored using bcrypt adaptive hashing — we never store plaintext credentials
  • Two-factor authentication (2FA) via TOTP is available and strongly recommended for all accounts
  • Continuous 24/7 intrusion detection and real-time monitoring of all systems for anomalous activity
  • Strict role-based access control (RBAC): employee access to personal data is limited to authorised personnel on a need-to-know basis
  • 95% of user funds are held in air-gapped, multi-signature cold storage wallets, isolated from internet-connected systems

10. Data Retention

We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. Account data is retained for the duration of your account's active status and for a minimum of five (5) years following account closure, in compliance with anti-money laundering record-keeping requirements. Transaction records are retained for a minimum of seven (7) years. Technical and usage data collected for analytics purposes is anonymised or deleted within twenty-four (24) months. You may request erasure of your personal data at any time, subject to our legal and regulatory obligations.

11. Your Rights

Under the PDPO and, where applicable, the GDPR, you are entitled to exercise the following rights with respect to your personal data:

  • Right of access — obtain a copy of the personal data we hold about you
  • Right to rectification — request correction of inaccurate or incomplete data
  • Right to erasure ("right to be forgotten") — request deletion of your data, subject to legal retention obligations
  • Right to object — object to the processing of your data where we rely on legitimate interests
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to restrict processing — request that we limit the processing of your data under specific circumstances

To exercise any of these rights, please contact us at privacy@keycandle.com. We will respond to your request within thirty (30) days.

12. Cookies & Tracking Technologies

We use cookies and similar tracking technologies (such as local storage and session identifiers) to operate the Platform, maintain your authenticated session, remember your preferences, and analyse usage patterns. For a detailed description of the types of cookies we use, their purposes, retention periods, and your options for managing them, please refer to our Cookie Policy.

13. Marketing Communications

We may use your contact information to send you marketing communications about our services, promotions, and updates. We are committed to transparency and your right to control how we communicate with you:

  • We will only send you marketing communications where you have provided your explicit, affirmative consent (opt-in). Pre-checked boxes are never used.
  • Every marketing communication includes a clear, functional unsubscribe mechanism. You can opt out at any time with a single click, and we will process your request within seventy-two (72) hours.
  • Transactional and service-related communications (e.g., security alerts, account notifications, withdrawal confirmations) are not marketing and will continue to be sent regardless of your marketing preferences, as they are essential to the safe operation of your account.
  • You can manage your communication preferences at any time through your account settings or by contacting us at privacy@keycandle.com.

14. Automated Decision-Making & Profiling

In accordance with Article 22 of the GDPR, we inform you that we may use automated processing, including profiling, in certain limited circumstances in connection with the Platform. This includes: (a) automated risk-scoring and fraud detection systems that evaluate transaction patterns, login behaviour, and device fingerprints to identify potentially fraudulent or suspicious activity; (b) automated KYC/AML checks performed by our identity verification partners, which may result in the acceptance, escalation, or rejection of a verification application; and (c) automated market settlement, where position outcomes are determined algorithmically based on verified OHLC candle data. We do not use automated decision-making for marketing profiling, credit scoring, or any purpose that produces legal effects or similarly significant effects on you without human oversight. You have the right to request human review of any automated decision that significantly affects you, to express your point of view, and to contest the decision. To exercise this right, please contact us at privacy@keycandle.com.

15. Children's Privacy

The Platform is not intended for, nor directed at, individuals under the age of eighteen (18). We do not knowingly collect, store, or process personal data from anyone under this age. Age verification is enforced during the account registration process and through our KYC identity verification procedures. If we become aware that we have inadvertently collected personal data from a minor, we will take immediate steps to delete such data from our systems and terminate the associated account. If you are a parent or guardian and believe that a minor has provided us with personal data, please contact us immediately at privacy@keycandle.com so that we can take appropriate action.

16. Financial Data & Anti-Money Laundering

As a prediction market platform dealing in digital assets, we are subject to stringent anti-money laundering (AML) and counter-terrorism financing (CTF) obligations. In relation to financial data, the following specific provisions apply:

  • All users must complete KYC verification before depositing funds, placing positions, or withdrawing balances. Enhanced due diligence (EDD) may be required for high-value transactions or accounts flagged by our automated risk assessment systems.
  • We are obligated to report suspicious transactions to the relevant Financial Intelligence Unit (FIU) and cooperate with law enforcement inquiries. Such reporting is mandatory and may be performed without prior notification to the affected user, as required by law.
  • All transactions on the Platform are subject to real-time automated monitoring for patterns indicative of money laundering, terrorist financing, sanctions violations, or other financial crimes. This monitoring is conducted using specialised compliance software.
  • Financial records, including deposit/withdrawal history, transaction logs, and KYC documentation, are retained for a minimum of seven (7) years after the last transaction or account closure, in compliance with applicable AML record-keeping requirements.

17. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, in accordance with Article 33 of the GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, in accordance with Article 34 of the GDPR, providing you with: (a) a description of the nature of the breach; (b) the name and contact details of our Data Protection Contact; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to be taken to address the breach and mitigate its potential adverse effects. We maintain a comprehensive incident response plan and conduct regular security drills to ensure rapid and effective response to any data security incident.

18. Complaint Procedures

If you are dissatisfied with the way we have handled your personal data or any privacy-related request, you have the right to lodge a complaint. We encourage you to contact us first at privacy@keycandle.com so that we can attempt to resolve your concern directly. We will acknowledge your complaint within five (5) business days and provide a substantive response within thirty (30) days. If you are not satisfied with our response, or if you prefer to lodge a complaint directly with a supervisory authority, you may contact: (a) the Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong (www.pcpd.org.hk); or (b) your local data protection authority within the European Economic Area, if the GDPR applies to the processing of your data. You also have the right to seek a judicial remedy before a competent court.

19. Account Closure & Data After Termination

You may request closure of your account at any time by contacting support@keycandle.com. Upon receiving your closure request, the following data handling procedures apply: (a) all outstanding balances must be withdrawn prior to account closure, subject to applicable verification and withdrawal procedures; (b) your account will be deactivated and access to the Platform will be revoked; (c) personal data will be retained for the minimum period required by law — typically five (5) years for account data and seven (7) years for financial records, as mandated by anti-money laundering regulations; (d) after the expiration of all mandatory retention periods, your remaining personal data will be securely deleted or irreversibly anonymised; (e) data that has already been anonymised and aggregated for statistical purposes will not be affected by account closure, as it can no longer be linked to you. You may request a copy of your personal data in a structured, machine-readable format (data portability) at any time before or during the closure process.

20. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. When we make material changes, we will notify you by email and/or by posting a prominent notice on the Platform at least thirty (30) days before the changes take effect. The "Last updated" date at the top of this page indicates the most recent revision. Your continued use of the Platform after the effective date constitutes acceptance of the updated policy.

Data Controller

Company Information

Corporate Business Consulting Group Limited
Company No. 78675544
  • Company Type
    Private Company Limited by Shares
  • Jurisdiction
    Hong Kong Special Administrative Region
  • Registered Office
    RM 701, UNIT 108, 7/F, TWR B, New Mandarin Plaza, 14 Science Museum Rd, Tsim Sha Tsui, Hong Kong
  • Data Protection Contact
    privacy@keycandle.com

Privacy Questions?

Our Data Protection team is available to assist you with any questions regarding the collection, processing, or protection of your personal data.

privacy@keycandle.com

This Privacy Policy is governed by the laws of the Hong Kong Special Administrative Region. Corporate Business Consulting Group Limited (Company No. 78675544) is a Private Company Limited by Shares incorporated in Hong Kong, with registered office at RM 701, UNIT 108, 7/F, TWR B, New Mandarin Plaza, 14 Science Museum Rd, Tsim Sha Tsui, Hong Kong. Any disputes arising from this policy shall be resolved in the competent courts of Hong Kong.