Privacy Policy

Webot EEA Privacy Policy

This Privacy Policy explains how Pionew Ireland Limited collects, uses, shares and protects your personal data when you use the Webot Platform.

Regulatory Status. Pionew Ireland Limited (trading as “Webot”) is authorised by the Central Bank of Ireland as a Crypto-Asset Service Provider under Regulation (EU) 2023/1114 (“MiCA”). We process personal data in accordance with Regulation (EU) 2016/679 (“GDPR”), the Irish Data Protection Act 2018, MiCA, the EU Anti-Money Laundering and Counter-Terrorist Financing framework, the Transfer of Funds Regulation (EU) 2023/1113, Regulation (EU) 2022/2554 (“DORA”) and Council Directive (EU) 2023/2226 (“DAC8”).

Quick Contacts: 

  • Data Protection: dpo@webot.eu   
  • Customer Service: service@webot.eu   

1. Introduction

This Privacy Policy applies to the personal data processed by Pionew Ireland Limited (“Pionew”, “Webot”, “we”, “our” or “us”) when you visit www.webot.com/eu (the “Site”), use our mobile application or otherwise access the Crypto-Asset Services we provide as a Crypto-Asset Service Provider authorised under MiCA (collectively, the “Services” provided through the “Platform”).

This Privacy Policy is incorporated by reference into our Terms of Service and forms part of our contract with you. Capitalised terms used but not defined here have the meaning given in the Terms of Service. By using the Services, you acknowledge that you have read this Privacy Policy. If you do not agree with any aspect of this Privacy Policy, you should not use the Services.

This Privacy Policy is provided in clear and plain language, on a durable medium and free of charge, in line with Articles 12 to 14 of the GDPR. Where this Privacy Policy refers to specific laws or regulatory frameworks, you can request further information at any time by contacting our Data Protection Officer at dpo@webot.eu.

2. Who we are (Data Controller)

The controller responsible for the collection and processing of your personal data, within the meaning of Article 4(7) of the GDPR, is:

Pionew Ireland Limited

Office 01, Ground Floor, Penrose Two, Penrose Dock

Cork, Ireland  T23 YY09

Authorised by the Central Bank of Ireland as a Crypto-Asset Service Provider on 18th December 2025 under MiCA.

3. Definitions

In this Privacy Policy:

  • “Crypto-Asset” has the meaning given in Article 3(1)(5) of MiCA.
  • “GDPR” means Regulation (EU) 2016/679 (the General Data Protection Regulation), supplemented in Ireland by the Data Protection Act 2018.
  • “Personal data” means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
  • “Processing” has the meaning given in Article 4(2) of the GDPR.
  • “Services” means the Crypto-Asset Services we provide through the Platform, as described in our Terms of Service (custody and administration of Crypto-Assets, operation of a trading platform, exchange of Crypto-Assets for Fiat Currency and for other Crypto-Assets, execution of Orders on behalf of clients, reception and transmission of Orders, and provision of transfer services for Crypto-Assets on behalf of clients).

4. Personal data we collect

We collect and process the following categories of personal data, depending on how you interact with the Platform:

4.1 Identity and contact data

Full name, date and place of birth, gender, nationality, country of residence, residential address, email address, telephone number and any other contact details you provide.

4.2 Verification and KYC data

Information collected as part of our customer due diligence obligations under EU AML/CFT law, including but not limited to your government-issued identity document, your address proof, a “selfie” image or video for liveness checks, signature, biometric vectors derived from identity-document and liveness data (where strictly necessary for identification), nationality, tax residency status and tax identification numbers, source of funds and source of wealth information, employment status, employment sector and information on whether you (or someone close to you) are a politically exposed person (“PEP”) or sanctioned individual.

4.3 Account and authentication data

Login credentials, Account ID, Client ID, Device ID, two-factor authentication (2FA) settings, security questions, IP address, session tokens and recovery information.

4.4 Transaction and trading data

Information about your Orders, trades, custody balances, deposits, withdrawals, transfers (including incoming and outgoing Crypto-Asset transfers), counterparty information required under the Transfer of Funds Regulation (EU) 2023/1113, blockchain wallet addresses, transaction hashes, network metadata, IBANs and bank account details for fiat on/off-ramp, amounts, currencies, dates and execution venues.

4.5 Communications and support data

The content of communications you have with us (including support chat, email, telephone calls — which may be recorded for quality, training, dispute resolution and regulatory record-keeping purposes — and other channels), service request details, complaint records, language preferences and any other information you choose to share with us.

4.6 Device and technical data

IP address, device identifier, device type, operating system version and producer, browser type and version, time zone, browser language, referring URL, pages visited, links clicked, scrolling and click-through behaviour, app version, crash logs and other diagnostic information.

4.7 Marketing and preference data

Your marketing preferences, consent records, response to surveys, and feedback.

4.8 Information from third parties

We also receive personal data from third parties, including:

  • Identity verification, KYC and biometric service providers;
  • Blockchain analytics and on-chain risk providers (for example, for sanctions, fraud and AML risk scoring on wallet addresses);
  • Payment service providers, banks and fiat on/off-ramp partners;
  • Sanctions, watchlist, PEP and adverse media data providers;
  • Credit and fraud reference agencies;
  • Public sources (including company registers, public blockchains and publicly available media); and
  • Regulators, law enforcement and courts.

Where we collect personal data directly from you, you are required to provide the categories of data marked as mandatory at the relevant collection point (for example, during Account opening). If you do not provide that information, we may not be able to enter into or perform our contract with you, or comply with our legal obligations under MiCA, AML/CFT law or tax-reporting law (including DAC8), and we may be required to refuse to onboard you or to suspend or close your Account.

5. Why we process your personal data and our legal basis

We only process your personal data where we have a valid legal basis under Article 6 of the GDPR (and, for special categories of data, Article 9). The principal purposes and legal bases are set out in the table below.

| Purpose | Legal basis | Categories of data |
| --- | --- | --- |
| Account opening, authentication, onboarding, ongoing account access, and providing the Services (custody, trading platform operation, exchange, execution and reception/transmission of Orders, transfer services). | Article 6(1)(b) GDPR — performance of a contract. | Identity and contact data; account and authentication data; transaction and trading data; communications and support data. |
| Customer due diligence (KYC), ongoing monitoring, transaction monitoring, sanctions and PEP screening, suspicious-activity reporting and other AML/CFT obligations under EU and Irish law (including the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, as amended). | Article 6(1)(c) GDPR — legal obligation. Article 9(2)(g) for any biometric data, on grounds of substantial public interest. | Identity and contact data; verification and KYC data (including biometric vectors where applicable); transaction and trading data; information from third parties. |
| Compliance with MiCA obligations as a Crypto-Asset Service Provider, including record-keeping, custody statements (Article 75 MiCA), market-abuse surveillance (Title VI MiCA), order-execution records (Article 78 MiCA), conflicts-of-interest management (Article 72 MiCA) and complaints handling (Article 71 MiCA and Commission Delegated Regulation (EU) 2025/294). | Article 6(1)(c) GDPR — legal obligation. | Identity and contact data; account and authentication data; transaction and trading data; communications and support data. |
| Compliance with the Transfer of Funds Regulation (EU) 2023/1113 (the “Travel Rule”), including the transmission and receipt of originator and beneficiary information for Crypto-Asset transfers. | Article 6(1)(c) GDPR — legal obligation. | Identity and contact data; transaction and trading data. |
| Tax and reporting obligations, including obligations under DAC8 (Directive (EU) 2023/2226) and other Irish and EU tax-reporting frameworks. | Article 6(1)(c) GDPR — legal obligation. | Identity and contact data; verification and KYC data (tax residency, TIN); transaction and trading data. |
| ICT risk management, operational resilience, fraud prevention, market-abuse detection, security incident detection and response, in accordance with DORA (Regulation (EU) 2022/2554) and our internal security framework. | Article 6(1)(c) GDPR — legal obligation; and Article 6(1)(f) GDPR — legitimate interests in protecting the security and integrity of the Platform, our clients and our business. | Account and authentication data; transaction and trading data; device and technical data; information from third parties (including blockchain analytics). |
| Customer service, complaint handling, dispute resolution and the establishment, exercise or defence of legal claims. | Article 6(1)(b) GDPR — performance of a contract; Article 6(1)(c) GDPR — legal obligation; and Article 6(1)(f) GDPR — legitimate interests in defending and asserting our legal rights. | All categories of data, as relevant to the case. |
| Improving the Platform, conducting analytics on usage, troubleshooting, testing new features, and aggregated and de-identified product analytics. | Article 6(1)(f) GDPR — legitimate interests in operating, securing, improving and developing the Platform, balanced against your rights and freedoms. | Account and authentication data; transaction and trading data; device and technical data; communications and support data (in pseudonymised or aggregated form, where feasible). |
| Direct marketing of our own products and services to existing clients (where permitted), and marketing to prospective clients on the basis of consent. | Article 6(1)(a) GDPR — consent; or Article 6(1)(f) GDPR — legitimate interests, where you are an existing client and have not objected. You may object or withdraw consent at any time (see Section 17). | Identity and contact data; marketing and preference data; device and technical data. |
| Use of cookies and similar technologies that are not strictly necessary, including analytics and marketing cookies. | Article 6(1)(a) GDPR — consent (in accordance with the ePrivacy Directive 2002/58/EC and S.I. No. 336/2011). | Device and technical data; marketing and preference data. |
| Compliance with court orders, lawful requests from public authorities and other legal obligations to which we are subject. | Article 6(1)(c) GDPR — legal obligation. | All categories of data, as required by the relevant order or request. |
| Corporate transactions (including a prospective merger, acquisition, sale or reorganisation of all or part of our business or assets). | Article 6(1)(f) GDPR — legitimate interests in conducting and protecting our business. | All categories of data, on a need-to-know basis and subject to confidentiality. |

Where we rely on Article 6(1)(f) (legitimate interests), we have carried out a balancing assessment to ensure that our interests are not overridden by your interests, rights or freedoms. You can request further information about that assessment by contacting our DPO at dpo@webot.eu.

6. Special categories of data

We do not seek to collect any “special categories” of personal data within the meaning of Article 9 GDPR (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, data concerning health, or data concerning a person’s sex life or sexual orientation).

However, in the course of providing the Services we may collect and process limited biometric data for the purposes of identity verification and the prevention of fraud, identity theft and money laundering. Where we do so, we rely on Article 9(2)(g) GDPR (substantial public interest), as the processing is necessary for compliance with our obligations under EU AML/CFT and MiCA frameworks. Biometric vectors are processed only to the extent strictly necessary, are kept separate from other identifiers, and are deleted in line with our retention schedule.

We do not extract from your transaction data any inferences about your political opinions, religious or philosophical beliefs, trade-union membership, health, sex life or sexual orientation. Our employees are prohibited by internal policy from extracting or analysing such inferences from transaction data.

7. Children

The Site, the Platform and the Services are not directed to and may not be used by persons under the age of 18. We do not knowingly collect personal data from minors. If we obtain actual knowledge that we have collected personal data from a person under the age of 18, we will promptly delete it (unless we are legally required to retain such data) and take steps to disable the relevant Account. If you are a parent or guardian and believe that we hold personal data of a minor, please contact our DPO at dpo@webot.eu.

8. Recipients of your personal data

We share personal data with the categories of recipients set out below, on a need-to-know basis and only for the purposes described in this Privacy Policy. All recipients are subject to confidentiality obligations and, where they act as processors on our behalf, to a written data processing agreement that complies with Article 28 of the GDPR.

8.1 Affiliates within our corporate group

Other companies within the corporate group to which Pionew Ireland Limited belongs, where this is necessary for centralised functions such as compliance, security, risk management or technology support. Each such transfer is subject to internal data sharing arrangements and, where the transfer is outside the EEA, to the safeguards described in Section 9.

8.2 Service providers and processors

Carefully selected third-party service providers acting on our instructions, including:

  • Cloud computing, hosting and storage providers (for example, Amazon Web Services);
  • Identity verification, KYC and biometric service providers;
  • Blockchain analytics and on-chain risk providers (for example, for sanctions, fraud and AML risk scoring of wallet addresses);
  • Sanctions, PEP, watchlist and adverse media data providers;
  • Customer support, ticketing and communications platforms;
  • Analytics, business intelligence and product analytics providers (for example, Snowflake, Mode Analytics, Appsflyer, Amplitude, Google Analytics);
  • Email, SMS and push-notification service providers;
  • Fraud prevention and cybersecurity providers;
  • Banking and fiat on/off-ramp partners; and
  • Professional advisers (legal, accounting, audit and consulting).

8.3 Counterparties under the Transfer of Funds Regulation

Where you send or receive Crypto-Asset transfers, we share with the originator’s or beneficiary’s Crypto-Asset Service Provider the information required by the Transfer of Funds Regulation (EU) 2023/1113. Such other Crypto-Asset Service Providers act as independent controllers in respect of the data they receive.

8.4 Public authorities

We may disclose personal data to the Central Bank of Ireland, the Irish Data Protection Commission, the Revenue Commissioners (including for DAC8 purposes), An Garda Síochána, the Financial Intelligence Unit Ireland, courts, tax authorities, and any other competent regulatory, supervisory, judicial or law-enforcement authority, where we are required to do so by law or where we have legitimate grounds for doing so (for example to comply with a court order, lawful request, or to protect our rights, property or safety).

8.5 Corporate transactions

In the event of a prospective merger, acquisition, sale, reorganisation, or insolvency proceeding, we may disclose personal data to potential or actual buyers, investors, lenders or their advisers, subject to appropriate confidentiality safeguards.

8.6 With your direction

To other recipients where you specifically direct us to do so or have given your consent.

A more detailed list of our material processors and recipient categories is available on request from dpo@webot.eu. We do not sell your personal data, and we do not share it for the purposes of cross-context behavioural advertising by third parties.

9. International transfers of personal data

Pionew Ireland Limited is established in Ireland and primarily processes your personal data within the European Economic Area (EEA). However, certain of our service providers, business partners or affiliated entities are located outside the EEA, and we may therefore transfer your personal data to “third countries” within the meaning of Chapter V of the GDPR.

Where we transfer personal data outside the EEA, we ensure that one of the following lawful transfer mechanisms applies:

  • Adequacy decisions issued by the European Commission, where the destination country has been recognised as providing an adequate level of data protection (the current list of adequacy decisions is available at commission.europa.eu);
  • Standard Contractual Clauses (SCCs) approved by the European Commission under Decision (EU) 2021/914, supplemented where necessary by additional technical, organisational and contractual safeguards based on a transfer impact assessment;
  • Binding Corporate Rules, where these have been approved by a competent supervisory authority for our group; or
  • One of the specific derogations set out in Article 49 of the GDPR (for example, your explicit informed consent, or where the transfer is necessary for the performance of a contract concluded in your interest).

You may obtain a copy of the relevant transfer mechanism, or further information about the safeguards in place for a specific transfer, by contacting our DPO at dpo@webot.eu.

10. Privacy when using Crypto-Assets and blockchains

Crypto-Asset transactions are recorded on public blockchains, which are distributed ledgers operated by decentralised networks of participants. Public blockchains are designed to be tamper-resistant and immutable: once a transaction is recorded, we cannot erase, modify or alter it. Blockchain data may be the subject of forensic and analytical techniques (including those of blockchain analytics providers) that, in combination with other data, may allow re-identification of transacting parties.

You should be aware that:

  • Wallet addresses, transaction amounts, timestamps and counterparties on a public blockchain are publicly accessible by design;
  • Pionew has no ability to procure the deletion or rectification of personal data recorded on a public blockchain that is not under our control; and
  • Where you choose to disclose your wallet address to others (for example by publishing it or by sharing it with counterparties), this may allow others to associate on-chain activity with you.

Where you exercise rights under the GDPR in relation to data we hold off-chain, we will give effect to those rights to the extent that the data is within our control, in accordance with Section 15.

11. Automated decision-making and profiling

We use automated processing, including profiling, in particular for:

  • Identity verification (including liveness checks and document authenticity checks);
  • AML/CFT transaction monitoring, sanctions screening, PEP screening and detection of suspicious activity;
  • Fraud detection and prevention; and
  • Detection of market abuse on the trading platform we operate.

Where a decision based solely on automated processing produces legal effects concerning you or similarly significantly affects you (for example a decision to decline onboarding, to freeze, restrict or close your Account, or to refuse a transaction), we rely on either Article 22(2)(a) GDPR (necessary for entering into or the performance of a contract between you and us) or Article 22(2)(b) GDPR (authorised by EU or Irish law, in particular AML/CFT and counter-terrorist financing law). In all such cases, you have the right to obtain human intervention, to express your point of view and to contest the decision. Please contact our DPO at dpo@webot.eu to exercise these rights.

12. Data retention

We retain your personal data only for as long as necessary for the purposes for which it was collected, having regard to our contractual relationship with you, our legal and regulatory obligations, and the limitation periods applicable to potential legal claims.

| Category of data | Retention period |
| --- | --- |
| KYC, customer due diligence and AML/CFT records (including identity verification documents, sanctions and PEP screening results). | At least 5 years following the end of our business relationship, in accordance with the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended) and EU AML/CFT law. May be extended where required by competent authorities. |
| Transaction and trading records, custody statements, Order execution records and records of communications relating to provision of the Services. | At least 5 years following the date of the transaction or communication, in accordance with MiCA record-keeping obligations and applicable Irish law. |
| Tax-reporting records (including DAC8 records). | For the period required by Irish tax law (typically up to 7 years). |
| Account data of inactive or closed Accounts (where not subject to a longer obligation). | Up to 6 years following Account closure to manage potential disputes and legal claims. |
| Complaints records. | At least 5 years following resolution, in accordance with MiCA Article 71 and the Central Bank of Ireland’s Consumer Protection Code. |
| ICT and security logs (including DORA-related incident records). | For the period required to ensure operational resilience and incident reporting under DORA, and in any event for the periods specified in our internal information-security policies. |
| Marketing and preference data. | Until you withdraw consent or object to processing, plus a residual period to maintain a suppression list. |
| Cookies and similar technologies. | As described in our Cookie Policy, available on the Platform. |

When personal data is no longer required, we will securely delete or anonymise it, except where retention for a longer period is required by law, requested by a competent authority, or necessary to establish, exercise or defend legal claims.

13. How we protect your personal data

We have implemented appropriate technical and organisational measures, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks to your rights and freedoms, in line with Article 32 of the GDPR. As a financial entity within the scope of DORA, we maintain a comprehensive ICT risk management framework, including information-security policies, identity and access management, encryption of data in transit and at rest, network segmentation, vulnerability management, business continuity and disaster recovery arrangements, third-party risk management, and regular resilience testing. We restrict access to personal data to those staff and processors who need it to perform their duties, and we train our staff on data protection and security obligations.

Where we engage processors that handle personal data on our behalf, we conduct due diligence and put in place written data processing agreements that include the safeguards required by Article 28 GDPR and DORA Article 30 (where applicable).

14. Personal data breaches

We maintain an incident management process for personal data breaches and ICT-related incidents. In line with Article 33 of the GDPR, where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Irish Data Protection Commission without undue delay and, where feasible, not later than 72 hours after having become aware of the breach. Where a personal data breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay, in line with Article 34 of the GDPR.

Where a major ICT-related incident falls within DORA, we will report it to the Central Bank of Ireland within the timeframes set out in DORA and the relevant Regulatory Technical Standards. We document all personal data breaches and major ICT-related incidents in accordance with our regulatory obligations.

15. Your rights

Subject to the conditions and limitations set out in the GDPR and the Irish Data Protection Act 2018, you have the following rights in relation to your personal data:

  • Right of access (Article 15 GDPR) — to obtain confirmation of whether we are processing your personal data and, if so, to receive a copy of that data and information about the processing.
  • Right to rectification (Article 16 GDPR) — to have inaccurate personal data corrected, and to have incomplete data completed.
  • Right to erasure (Article 17 GDPR), also known as the “right to be forgotten” — to have your personal data deleted in certain circumstances. This right is not absolute and may be limited by overriding legal obligations (in particular AML/CFT, MiCA record-keeping and tax obligations).
  • Right to restriction of processing (Article 18 GDPR) — to require us to suspend the processing of your personal data in certain circumstances.
  • Right to data portability (Article 20 GDPR) — to receive personal data you have provided to us, in a structured, commonly used and machine-readable format, where the processing is based on your consent or on a contract and is carried out by automated means.
  • Right to object (Article 21 GDPR) — to object to processing based on legitimate interests, including profiling for such purposes, and to object at any time to processing for direct marketing.
  • Right not to be subject to automated decision-making (Article 22 GDPR), as further described in Section 11.
  • Right to withdraw consent (Article 7 GDPR) — at any time, where processing is based on consent. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
  • Right to lodge a complaint with a supervisory authority, as set out in Section 18.

To exercise any of these rights, please contact our DPO at dpo@webot.eu. You may also rectify certain personal data directly through your Account settings on the Platform. We will respond to your request without undue delay and in any event within one (1) month of receipt, in accordance with Article 12(3) of the GDPR. That period may be extended by up to two (2) further months where necessary, taking into account the complexity and number of requests; we will inform you of any such extension within one (1) month of receipt of the request, together with the reasons for the delay. We may need to verify your identity before responding to a request, in order to protect your personal data. Exercising these rights is generally free of charge, although we may charge a reasonable fee, or refuse to act, where requests are manifestly unfounded or excessive, in particular because of their repetitive character.

16. Cookies and similar technologies

We use cookies, pixels and similar technologies on the Site and the Platform, both for purposes that are strictly necessary to provide the Services (for example, for security and authentication) and, with your consent, for analytics and marketing. You can manage your preferences in our cookie banner and in our Cookie Policy, which describes the cookies we use, the purposes for which they are used and the retention periods that apply.

17. Marketing communications

We may send you marketing communications about our Services, including by email, push notification or in-app message, where you have consented or where this is otherwise permitted by law. You can opt out of marketing at any time by clicking the “unsubscribe” link in any marketing email, by adjusting your notification preferences in the Platform, or by contacting us at dpo@webot.eu. Opting out of marketing does not affect service-related communications that are necessary for the operation of your Account.

18. Complaints to a supervisory authority

If you have concerns about how we process your personal data, we would appreciate the opportunity to address them directly — please contact our DPO at dpo@webot.eu in the first instance.

You also have the right at any time to lodge a complaint with a competent data protection supervisory authority, in particular in the EU Member State of your habitual residence, place of work or place of the alleged infringement. The lead supervisory authority for Pionew Ireland Limited is:

Data Protection Commission

21 Fitzwilliam Square South

Dublin 2, D02 RD28, Ireland

Website: www.dataprotection.ie

Telephone: +353 (0)761 104 800

You also retain any other administrative or judicial remedies available under EU or national law.

19. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to our Services, technology, applicable law or regulatory requirements. Where amendments materially affect your rights, we will provide you with at least thirty (30) days’ advance notice through the Platform or to your registered email address before the changes take effect. Less material updates (for example, minor clarifications) may be made by posting an updated version on the Site, with a revised “Last Updated” date. We encourage you to review this Privacy Policy periodically. Your continued use of the Services after the effective date of an amendment constitutes your acknowledgement of the updated Privacy Policy.

20. Contact us

For any questions, comments or requests regarding this Privacy Policy or the processing of your personal data, please contact:

Pionew Ireland Limited 

Email: dpo@webot.eu

Postal address: Office 01, Ground Floor, Penrose Two, Penrose Dock, Cork, Ireland T23 YY09.