Anti-Money Laundering (AML), Counter-Terrorist Financing (CTF), and Sanctions Compliance Policy

Effective date: 1 October 2025

TalerX Inc. (hereinafter – the Company)

Address: 8 The Green, Ste A, Dover, Kent County, DE 19901, USA. Contact: support@taler.tirol (general), legal@taler.tirol (legal)

1. INTRODUCTION
1.1 Purpose of the Policy

The purpose of this Anti-Money Laundering (AML), Counter-Terrorist Financing (CTF), and Sanctions Compliance Policy (hereinafter – the Policy) is to establish a comprehensive framework for preventing the misuse of TalerX Inc.'s (hereinafter – the Company) non-custodial cryptocurrency wallet products in financial crime, including but not limited to:

  • money laundering,
  • terrorist financing,
  • proliferation financing,
  • sanctions evasion,
  • fraud,
  • ransomware,
  • illicit online marketplace activities,
  • use of privacy-enhancing technologies for illicit purposes,
  • exploitation of blockchain anonymity for criminal activity.

Although the Company does not custody or transmit customer funds, making it exempt from many AML/KYC obligations under FinCEN, FCA, MAS, and FATF frameworks, the Company voluntarily adopts a risk-based compliance program aligned with global best practices to:

  • ensure regulatory readiness,
  • reduce financial crime risks,
  • maintain trust with partners, vendors, and regulators,
  • support responsible innovation in decentralized finance.

This policy applies both to the wallet software and to any related network infrastructure operated by the Company, including RPC endpoints, update servers, analytics interfaces, support systems, and public-facing services.

Although the Company does not custody customer funds, does not transmit value, and does not collect personal data, it voluntarily implements certain AML/CTF controls to mitigate risks associated with the misuse of its technology.

2. SCOPE OF THE POLICY

The scope of this Policy includes organizational responsibilities, product coverage, permitted activities, excluded activities, and operational boundaries relevant to regulatory oversight.

2.1

This Policy applies to all individuals, internal or external, who participate in the development, operation, governance, or support of the Company's products and services. The scope includes, but is not limited to:

  • Employees. All full-time and part-time employees, regardless of role or seniority. This includes engineering, product, design, QA, marketing, operations, and business functions.
  • Executives & Senior Management. CEO, CTO, COO, founders, directors, and individuals classified under governance standards such as: FCA SMF functions, MAS Senior Management roles under the PS Act, FinCEN "principals" responsible for compliance governance. Executives retain ultimate accountability for AML/CTF oversight.
  • Compliance Personnel. Applies to: Chief Compliance Officer (CCO), Money Laundering Reporting Officer (MLRO) (if hired), internal audit participants (if relevant). Responsibilities include monitoring suspicious activity, managing sanctions controls, conducting risk assessments, and maintaining program documentation.
  • Developers & Technical Staff. This includes: backend engineers, blockchain engineers, mobile engineers, security engineers, DevOps and infrastructure staff. Because product design directly affects AML/CTF risk exposure (e.g., key storage, analytics integrations, IP checks), technical personnel must follow secure development and compliance-by-design practices.
  • Contractors & Third-Party Service Providers. Anyone with access to: Company infrastructure, code repositories, analytics dashboards, risk intelligence tools, compliance data, production environments. Contractors must sign confidentiality, ethics, and compliance agreements that reflect this Policy.
  • Customer Support & User Operations. Staff involved in responding to user inquiries, identifying fraud reports, escalating red-flag behaviors, and collecting voluntary information relevant to sanctions compliance.
2.2

This Policy applies to all components of the ecosystem that could interact with blockchain networks, user devices, third-party APIs, or financial-crime detection workflows. The product scope covers:

2.2.1

The non-custodial wallet application across all supported platforms: iOS, Android, macOS, Windows, Linux, browser extension (Chrome/Firefox/Safari). The wallet: generates and stores private keys locally; enables signing of transactions; broadcasts transactions via third-party or Company-operated RPCs; performs address validation and risk scoring; enforces sanctions restrictions at the UI/network level.

2.2.2

Key generation and signing modules operate strictly locally on the user's device and include: seed phrase generation, HD wallet derivation, secure enclave usage, local signing, on-device encryption. Because the Company never accesses private keys, these modules are in scope only for security and audit requirements, not because of AML/TF obligations.

2.2.3

Interaction APIs include the backend systems that facilitate: blockchain data fetching, price feeds, risk scoring from analytics partners, sanctions screening (OFAC, EU, UN, HMT), optional telemetry. The Company shall collect personally identifiable information after receiving consent from the user.

2.2.4

Blockchain analytics integrations. The Company uses these systems to support: address risk scoring, categorization of counterparty wallets, pattern detection for illicit transactions, access to sanctions lists (OFAC, EU, UN, HMT), clustering heuristics. The systems are used without collecting customer identity, and the tools shall not collect customer identity information.

2.2.5

Remote update and configuration services, used for: publishing software updates, pushing risk-based rules, updating sanctions lists, emergency blocking of high-risk endpoints, disaster recovery.

2.2.6

User support channels, covering: email support, chat support, in-app reporting, fraud-report request handling. Company specialists must escalate red-flag behavior to Compliance.

2.3

The Company shall carry out AML/CFT and sanctions-related activities even though, as a non-custodial wallet provider, it is not legally required to do so.

2.3.1

The Company shall use AML/CTF monitoring in order to detect: interactions with sanctioned addresses; exposure to darknet markets; ransomware-affiliated wallets; known mixers and tumblers; fraud schemes; human-trafficking or organized-crime clusters; DeFi exploit laundering patterns. The monitoring shall be done through address-based behavioral analytics without identity-based data collection.

2.3.2

The Company shall perform sanctions screening of: destination addresses; smart contracts; known illicit clusters; IP/geolocation endpoints; VPN/Tor traffic patterns (non-identifying); wallet interactions involving sanctioned jurisdictions. The sanctions lists used shall include the OFAC SDN list, the EU Consolidated Sanctions List, the UK HMT list, the UN Security Council list, and others on demand.

2.4

The Company shall detect high-frequency hops, structured micro-transactions, known laundering typologies, rapid fund cycling, DEX patterns common in evasion schemes, and multi-hop transactional behavior.

2.5

Risk scoring is a key part of the Anti-Money Laundering framework that helps regulated bodies identify high-risk customers and tailor their due diligence and monitoring efforts accordingly. Accordingly, the Company will perform risk scoring on counterparty address category, chain-based flags, exposure to high-risk flows, protocol interaction, and region-based sanctions risk. No personal identifiers are used in this risk scoring process.

2.6

Non-custodial wallets may be voluntarily monitored by the Company to identify high-risk patterns or possible links to suspicious activity. To identify such patterns, the Company monitors the following criteria: origin/destination address type; transaction amount; suspicious on-chain flows. Transaction hashes may be analyzed during this monitoring process, and no user identity is stored.

2.7

Internal reporting is a critical first step before a formal Suspicious Activity Report (SAR) is filed with the relevant authorities; the Company is obliged to report SARs to FinCEN. Internal reporting involves identifying alerts, investigating unusual blockchain activity, and documenting the findings to determine whether a formal report is necessary.

2.7.1

Responsible persons of the Company shall escalate the following to the Money Laundering Reporting Officer/Compliance Officer: suspicious blockchain activity, potential sanctions violations, compromised accounts or fraud attempts, and developer discoveries of illicit usage patterns.

2.8

Employee training is a structured program that equips employees to identify, prevent, and report suspicious patterns or blockchain activity. Training shall be conducted at least once per year and shall cover: AML red flags, sanctions concepts in the crypto market, wallet-service typologies, suspicious activity escalation.

2.8.1

All of the Company's counterparties (analytics, hosting, infrastructure, and data service providers) must undergo sanctions checks, information security assessments, compliance review, and periodic monitoring.

2.9

Because the Company qualifies as a non-custodial entity, it is not obligated to meet the stringent AML/TF and sanctions compliance standards applied to custodial service providers. Nonetheless, the Company is required to identify and articulate the criteria supporting its non-custodial classification:

2.9.1

The Company does not hold private keys, does not control users' assets, cannot freeze or unfreeze user funds, and does not manage user balances or intermediate transactions. The main criterion is that clients have full, exclusive control over their wallet, transactions, and funds. This means that the Company: does not generate or derive seed phrases on its servers; does not store or back up private keys directly or indirectly; does not have any mechanism to obtain, intercept, or recover private keys; cannot reset user access or reinstate wallet control; cannot modify, decrypt, or re-create cryptographic credentials. Because cryptographic material never leaves the user's device and is never transmitted to the Company, the Company is incapable of exercising control over customer assets. This operational design aligns with the non-custodial criteria recognized by the FATF, FinCEN, FCA, MAS, and EU AMLD frameworks for entities that do not hold, manage, or control customer value.

2.9.2

All transaction-related operations are performed directly by the user. The Company's software only provides a technical interface for users to generate and sign transactions locally. That means that the Company does not: broadcast or "push" transactions to the blockchain on behalf of users; initiate transfers or submit them to the network; alter user-defined transaction parameters (fees, destinations, nonce, gas, etc.); route transactions through Company-controlled nodes or custodial infrastructure. Users sign and broadcast transactions using their own devices, networks, and blockchain nodes. As a result, the Company cannot affect the transfer of value, the timing or execution of transactions, the direction or destination of funds. This structure ensures that the Company does not act as an intermediary, transmitter, or operator of funds, maintaining full alignment with definitions of non-custodial service providers across all major regulatory regimes.

2.9.3

Based on the operational model, the Company does not fall within legal definitions of a custodial or transmitting service provider. Specifically, the Company does not qualify as: a Money Services Business (FinCEN); a Crypto-asset Service Provider under the FCA MLR 2017; a Digital Payment Token Service under the MAS Payment Services Act; a Custodian Wallet Provider under the EU AMLD; a Virtual Asset Service Provider (VASP) by FATF standards. Key regulatory tests consistently require control over user funds, ability to transmit value, or possession of private keys to qualify as a regulated money transmitter or VASP. Since the Company never receives, holds, or transfers value—and has no technical capacity to gain access to customer assets—it cannot satisfy any of these criteria, and therefore operates outside the scope of these regulatory obligations.

2.9.4

The Company does not engage in any activity that would constitute a fiat–crypto or crypto–fiat exchange service. Specifically, the Company does not provide: on-ramp services; off-ramp services; payment processing or settlement; exchange order execution; liquidity provision or market-making; brokerage or intermediation services. Moreover, the Company does not facilitate or intermediate conversions between fiat and crypto assets. If users choose to interact with external exchanges, payment institutions, or liquidity providers, such interactions occur outside the Company's environment, and those third-party providers bear full responsibility for KYC, AML/CTF compliance, and reporting obligations.

2.9.5

The Company is designed as a non-custodial, privacy-preserving wallet solution that does not collect or process personal identity information. The Company does not collect: names or surnames; residential addresses; email identifiers; ID or passport details; biometric data; financial or banking information; proof-of-residence documentation. The wallet functions without requiring user identification, registration, or the creation of personal accounts. As no personal data is obtained, stored, or processed, the Company is not a data controller under data protection laws, nor can it perform identity-based compliance measures.

2.9.6

Based on the fact that the Company does not collect client identity information, it cannot perform: Customer Due Diligence (CDD); Enhanced Due Diligence (EDD); identity verification or screening; source-of-funds or source-of-wealth checks; risk assessment based on identity profiles.

2.9.7

All compliance considerations are therefore transactional and behavioral. The Company may, where appropriate, implement risk-based screening of publicly available blockchain data (e.g., via sanctioned address lists), but this is performed without linking on-chain activity to identity-specific users. This model is consistent with non-custodial wallets that fall outside conventional AML/CTF identity probing requirements.

2.10

As there is no account creation or client registration, the Company does not have the ability to: approve or reject users; classify customers based on identity risk; assign risk profiles; freeze, restrict, or terminate accounts.

2.10.1

The Company does not maintain custodial accounts, user profiles, or operational access to user funds. All wallet instances exist solely on the user's device with no centralized control. Therefore, onboarding processes—typically linked to regulated financial services—are not applicable to the Company's operational framework.

3. RISK ASSESSMENT FRAMEWORK
3.1

The Company applies a risk-based approach to the identification, assessment, mitigation, and monitoring of money laundering, terrorist financing, and sanctions risks associated with its non-custodial wallet technology.

3.2

The Company acknowledges that, despite its non-custodial nature, certain inherent financial-crime risks arise from the broader blockchain ecosystem in which its product operates.

3.3

The wallet operates on public, permissionless blockchain networks that allow anyone to create addresses and transact without centralized authorization. Such environments inherently expose participants to: illicit funds originating from criminal activity; indirect interaction with sanctioned or prohibited entities; lack of centralized gatekeeping mechanisms. While blockchain transparency provides traceability, it does not prevent initial misuse.

3.4

Blockchain addresses are not directly linked to real-world identities by default. This pseudonymity may be exploited by bad actors seeking to: obscure the origin or destination of funds; avoid identity-based AML controls; engage in layering or obfuscation techniques. The absence of identity attribution at the protocol level represents an inherent AML/CTF risk.

3.5

Users may interact with third-party wallets, decentralized applications, smart contracts, and exchange deposit addresses. External addresses may belong to high-risk services, illicit marketplaces, or sanctioned persons or jurisdictions. The Company has no control over the counterparties selected by users, which increases exposure to external risk.

3.6

Blockchain transactions are borderless by design. This creates potential exposure to jurisdictions: subject to international sanctions; identified as high-risk or non-cooperative by FATF; associated with higher levels of financial crime. Although the Company does not know user location or nationality, blockchain interactions may indirectly involve addresses linked to such jurisdictions.

3.7

The crypto ecosystem includes privacy-enhancing tools and technologies such as mixers and tumblers, privacy-focused blockchains, obfuscation protocols. These tools may be used for legitimate privacy purposes, but are also frequently associated with money laundering typologies, sanctions evasion and proceeds of cybercrime. Their existence contributes to the inherent risk profile of non-custodial wallet usage.

3.8

To address the identified inherent risks, the Company implements a set of proportionate, non-intrusive, and technology-based controls, consistent with its non-custodial model. These controls focus on transactional and behavioral risk, rather than customer identity.

3.9

The Company integrates blockchain analytics solutions that assess the risk profile of blockchain addresses based on exposure to illicit activity, links to sanctioned entities, interaction with high-risk services, transactional behavior patterns. Risk scoring is applied: in real time or near-real time; without collecting personal data; without identifying or profiling users. This enables informed risk-based responses while preserving user self-custody.

3.10

The Company screens blockchain addresses against: OFAC sanctions lists; consolidated international sanctions data; known sanctioned wallet clusters. Screening occurs at the address and transaction level, rather than the individual level, ensuring compliance with sanctions regimes without requiring identity verification.

3.11

The Company monitors transaction patterns to identify typologies associated with illicit activity, including: repeated interaction with high-risk services; rapid movement of funds through multiple addresses; structuring or layering indicators; recurrent exposure to sanctioned or flagged entities. This analysis is automated and anonymized, serving as a risk-awareness and prevention mechanism rather than an enforcement tool.

3.12

When elevated risk is detected, the wallet may display warnings to users, require explicit user acknowledgement before processing, or limit interaction with known high-risk or sanctioned addresses. These measures support informed user decision-making and discourage misuse without imposing custodial control.

3.13

The Company maintains the ability to: block interaction with sanctioned endpoints; disable access to known illicit infrastructure; push emergency compliance updates where required. Such controls are applied at the network or service layer, not at the level of user funds or private keys.

3.14

After applying the above mitigation measures, the Company assesses the residual AML/CTF and sanctions risk as moderate to low. This assessment is based on the following key structural factors:

3.14.1

The Company never holds, controls, or has access to customer funds. As a result, the Company cannot move or freeze assets, funds cannot be pooled or commingled, and there is no exposure to misappropriation risk. Custody-related money laundering and terrorist financing risks are therefore eliminated.

3.14.2

All transactions are initiated by users, signed locally on user devices, and broadcast directly to blockchain networks. The Company cannot initiate transactions, modify transaction parameters, or redirect funds. These restrictions significantly limit the Company's role in value transfer.

3.14.3

The wallet does not operate account-based relationships: there are no user profiles, no onboarding approvals, no customer balances, and no account lifecycle management. This eliminates traditional onboarding and account abuse risk.

3.14.4

The Company does not support fiat deposits or withdrawals, payment processing, or exchange or brokerage services. Fiat-related money laundering risks, including the placement and integration stages, are therefore out of scope.

3.14.5

Given the Company's limited functional role, its non-custodial architecture, and the risk-mitigation controls implemented, the residual risk of the Company's operations being used for ML/TF or sanctions evasion is assessed as manageable and proportionate.

4. CUSTOMER DUE DILIGENCE AND KYC
4.1

The Company's approach to Customer Due Diligence and Know Your Customer (KYC) controls is directly informed by the non-custodial, non-account-based nature of its product and its current regulatory classification under applicable financial-crime laws.

4.2

Customer Due Diligence (CDD) and KYC obligations are applied only where legally required and operationally meaningful. Where such requirements do not arise, the Company avoids unnecessary data collection in order to minimize privacy risks, cybersecurity exposure and regulatory overreach.

4.3

The Company does not collect, request, process or store any customer identity information including: full names and aliases; residential or mailing address; government-issued identification documents; biometric identifiers (including face recognition, fingerprints or voice data); financial information such as bank account details or payment credentials; proof of residence or utility documentation.

4.4

The Company may permit anonymous or pseudonymous use of its services solely where such use is lawful, consistent with applicable regulations, and aligned with the Company's risk assessment and internal controls. Anonymous or pseudonymous access is subject to ongoing review and may be restricted or discontinued where it presents heightened legal, regulatory, or financial crime risk.

4.5

The Company does not knowingly provide services to: individuals or entities designated on sanctions lists maintained by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) or other applicable authorities; or users located in jurisdictions subject to comprehensive U.S. economic or trade sanctions. The Company reserves the right to deny, suspend, or terminate access to its services where customer activity is determined to be inconsistent with this policy or applicable legal and regulatory requirements.

5. MONITORING AND DETECTION
5.1

While the Company does not process, execute, or control customer transactions and does not have custody over customer funds or assets, the Company maintains reasonable monitoring and detection measures commensurate with its non-custodial role and the nature of the services provided.

5.2

The Company may monitor platform usage, system interactions, and other non-financial activity for the purpose of identifying potential misuse, abuse, or exposure to illicit activity. Such monitoring may include, where appropriate and lawful: analysis of usage patterns, behavioral indicators, or technical signals that may suggest attempts to misuse the services; review of publicly available blockchain data or other open-source technical information, where relevant to the Company's services; assessment and investigation of credible internal or external reports, complaints, or alerts regarding suspected illicit or prohibited activity.

5.3

The Company applies a risk-based and proportionate approach to identifying potential suspicious activity, taking into account the limitations inherent in a non-custodial business model.

5.4

Indicators of potentially suspicious or high-risk activity may include, but are not limited to: use of the Company's services in connection with typologies commonly associated with money laundering, terrorist financing, fraud, sanctions evasion, or other financial crimes; attempts to leverage the platform's features or technical architecture to conceal, obfuscate, or misrepresent the origin, destination, or ownership of assets or transactions conducted outside the Company's control; repeated or ongoing interaction, whether direct or indirect, with individuals, entities, wallets, protocols, or services that are subject to U.S. sanctions or are otherwise associated with high-risk or illicit activity; efforts to circumvent the Company's safeguards, access restrictions, or risk controls.

5.5

Where potentially suspicious activity is identified, the Company may take appropriate risk-mitigation measures, which may include enhanced review, restriction or termination of access to services, internal documentation of findings, or consultation with legal or compliance advisors, as appropriate.

6. SANCTIONS COMPLIANCE
6.1

The Company is committed to complying with applicable economic and trade sanctions laws and regulations, including those administered by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC), as well as other relevant international sanctions regimes, to the extent applicable to the Company's non-custodial crypto services.

6.2

Given the Company's non-custodial and non-transactional business model, it does not hold, control, or transfer digital assets on behalf of users and does not execute blockchain transactions. Sanctions compliance measures are therefore designed to be risk-based, proportionate, and technically appropriate, taking into account the Company's limited visibility and control over on-chain activity.

6.3

To mitigate the risk of sanctions violations and misuse of its crypto-related services, the Company implements technical and operational controls aligned with its non-custodial role. Such controls may include, where lawful and technically feasible: restricting or blocking access to Company infrastructure, applications, APIs, or servers from IP addresses or geographic regions subject to comprehensive sanctions; limiting or disabling connections from RPC nodes, endpoints, or network traffic associated with sanctioned jurisdictions or high-risk IP ranges; implementing preventative controls to restrict the platform or application from facilitating interactions with blockchain addresses, smart contracts, or identifiers that are publicly associated with sanctioned persons or entities, where relevant to the Company's services; periodic testing and adjustment of controls to address emerging sanctions typologies specific to crypto assets, decentralized protocols, and blockchain infrastructure.

6.4

The Company does not knowingly support, facilitate, or enable activity involving sanctioned persons, entities, wallets, protocols, or jurisdictions.

6.5

While the Company does not have custody or transaction execution capabilities, it may assess technical usage patterns, publicly available blockchain intelligence, and credible third-party information to identify potential sanctions exposure or attempts to circumvent controls. Where heightened sanctions risk is identified, the Company may apply appropriate mitigation measures, including enhanced review, technical restrictions, service suspension, or termination of access, as warranted by the circumstances.

6.6

Taking into consideration that the Company is not legally required to submit Suspicious Activity Reports (SARs) or Suspicious Transaction Reports (STRs) due to its non-custodial and non-financial intermediary role, the Company may, on a voluntary and risk-based basis, cooperate with relevant authorities and submit reports where appropriate. This may include: voluntary SAR submissions to the U.S. Financial Crimes Enforcement Network (FinCEN); STR submissions to the UK Financial Conduct Authority (FCA) or Office of Financial Sanctions Implementation (OFSI); STR submissions to the Monetary Authority of Singapore (MAS).

6.7

Any voluntary reporting decisions are made in consultation with legal or compliance advisors and documented internally.

7. TECHNICAL CONTROLS
7.1

The Company implements a layered set of technical and security controls designed to protect the integrity, confidentiality, and availability of its non-custodial crypto services. These controls are proportionate to the Company's business model, which does not involve custody of digital assets, and are intended to reduce the risk of unauthorized access, misuse, or exploitation of the Company's technology.

7.2

The Company employs industry-standard cryptographic controls to protect sensitive data and application components, where applicable. These controls may include: use of Advanced Encryption Standard (AES) with 256-bit keys (AES-256) for encryption of sensitive data at rest, where encryption is required; utilization of hardware-backed security mechanisms, such as Secure Enclave, Trusted Execution Environments (TEE), or equivalent platform-specific secure elements, to isolate sensitive operations and protect cryptographic material; reliance on strong, cryptographically secure randomness sources to support key generation, session management, and other security-critical processes. No private keys or user-controlled credentials are stored on Company-controlled servers.

7.3

All cryptographic key generation and management occurs entirely under the user's control. Key security measures include: compatibility with BIP-32, BIP-39, and BIP-44 (HD wallet structures); generation of mnemonic seed phrases locally and offline on the user's device without transmission to Company infrastructure; design safeguards ensuring that private keys and seed phrases never leave the user's device, are not accessible by the Company, and cannot be reconstructed by Company systems. The Company does not have the technical ability to access, recover, or reset user private keys.

7.4

The Company maintains a secure software development lifecycle (SDLC) including: adherence to OWASP Mobile Top 10 and other relevant security frameworks; use of static and dynamic code analysis tools; regular security testing, code reviews, and remediation processes; operation of a bug bounty or responsible disclosure program. Security controls are continuously evaluated and improved in response to emerging threats and technological developments.

8. TRAINING AND AWARENESS
8.1

Although the Company does not perform customer identification or Know Your Customer (KYC) procedures due to its non-custodial business model, all personnel receive training appropriate to their roles and their exposure to financial crime and compliance risk.

8.2

The Company shall organize, on a voluntary basis: AML and financial crime awareness training for all Company employees, covering applicable laws and regulations, common financial crime typologies relevant to crypto-asset services, internal escalation procedures, and individual responsibilities under this policy; secure development and coding practices training for engineering and technical teams, focused on protecting the integrity, availability, and security of the Company's systems and preventing misuse or exploitation of its technology; targeted sanctions compliance training for compliance and risk personnel, including OFAC and other relevant sanctions regimes, crypto-specific sanctions risks, and procedures for monitoring, escalation, and reporting.

8.3

Training can be conducted periodically and upon onboarding, and may be refreshed as necessary in response to regulatory developments, emerging risks, or material changes to the Company's products or services. Completion of training is documented and subject to management oversight.

9. DATA GOVERNANCE, RECORDKEEPING
9.1

The Company maintains a data governance and recordkeeping framework designed to support effective compliance oversight while respecting user privacy and reflecting the Company's non-custodial and non-transactional business model. The Company applies a data-minimization and privacy-by-design approach, collecting and retaining only the information necessary to operate its services, manage risk, and meet applicable legal and regulatory expectations.

9.2

Consistent with its non-custodial role, the Company does not collect, store, or process:

  • personally identifiable information (PII) or customer identification data;
  • private keys, seed phrases, wallet credentials, or any information that would enable control of digital assets;
  • user transaction histories, balances, or detailed on-chain activity;
  • behavioral analytics or usage data linked to a specific individual, wallet address, or identity.

9.3

The Company does not maintain custodial accounts, does not initiate blockchain transactions on behalf of users, and does not retain data that would allow independent reconstruction of user financial activity.

9.4

The Company may offer users the option to opt in to limited, anonymized telemetry solely for operational, security, and reliability purposes. Where enabled, such telemetry may include:

  • application or protocol version information;
  • general device or environment type;
  • performance metrics, system errors, and crash diagnostics.

9.5

Telemetry data is collected in an anonymized or aggregated form and is not linked to user identities, wallet addresses, transaction data, or blockchain activity. No financial, asset-related, or on-chain transactional data is collected through telemetry.

9.6

While the Company does not retain user financial or transactional records, it maintains internal compliance and governance documentation appropriate to its non-custodial crypto services. Such records may include:

  • AML, sanctions, and risk assessment documentation;
  • internal compliance decisions and policy reviews;
  • records related to investigations, escalations, or reports of potential misuse;
  • documentation of voluntary regulatory communications, where applicable.

9.7

Record retention is limited to what is necessary for compliance and governance purposes and, unless otherwise required by law, is generally as follows:

  • technical and system logs (non-identifying): retained for up to 12 months;
  • compliance-related documentation and reports: retained for a minimum of five (5) years;
  • customer PII, private keys, and transaction data: not stored or retained.

All retained records are secured using appropriate administrative and technical safeguards and are accessible only to authorized personnel.

9.8

Senior management of the Company is responsible for the oversight of AML, sanctions, and related compliance risks, including data governance and recordkeeping practices. Their responsibilities include:

  • periodic review and approval of this Policy;
  • ensuring compliance controls remain proportionate to the Company's non-custodial crypto model;
  • allocating appropriate resources for compliance oversight.

9.9

A designated compliance function is responsible for day-to-day compliance oversight, including maintaining internal records, coordinating investigations or escalations, monitoring regulatory developments relevant to crypto-asset services, and supporting ongoing policy reviews.

9.10

The Company periodically reviews its data governance and compliance framework to ensure continued alignment with:

  • applicable laws, regulatory guidance, and enforcement trends affecting crypto-asset services;
  • changes in the Company's products, services, or technical architecture;
  • evolving risks associated with decentralized technologies and blockchain infrastructure.

9.11

This Policy shall be reviewed on an annual basis as part of the Company's routine compliance and governance review cycle. Any material update to the Policy shall be approved by Senior Management. Updated versions of the Policy are communicated internally to ensure continued awareness and effective implementation.

Contact

For questions about this AML/CTF and Sanctions Compliance Policy or to report concerns: legal@taler.tirol.