Privacy Policy – Finality Labs Private Limited
Last Updated: 30th April 2026
1. Who we are
This Privacy Policy describes how Finality Labs Private Limited (“Finality”, “we”, “us”, or “our”) collects, uses, discloses, and protects personal data when you visit our websites, communicate with us, or use our services.
Finality Labs Private Limited is incorporated in India and operates in multiple jurisdictions, including India, the United Arab Emirates (Dubai), and Singapore.
Legal entity details
- Company name: Finality Labs Private Limited
- Registered office: W115, First Floor, 3rd Avenue, Anna Nagar, Chennai – 600040, Tamil Nadu, India
- Contact email (privacy and general): [email protected]
For the purposes of applicable data‑protection and privacy laws, including India’s Digital Personal Data Protection framework, relevant UAE and Dubai data‑protection regulations, and the Singapore Personal Data Protection Act (PDPA), Finality generally acts as an independent controller (or equivalent “data fiduciary”) in relation to the personal data it processes for its own business purposes.
2. Scope and crypto context
This Policy applies to:
- Visitors to our websites and landing pages.
- Individuals who contact us or submit forms to discuss our products and services.
- Representatives, owners, and employees of professional counterparties and institutional clients (such as P2P desks, OTC brokers, and crypto‑native businesses) who explore or use our infrastructure and workflows for crypto ↔ fiat and USDT ↔ INR flows.
Finality does not provide a retail crypto exchange or wallet service directly to consumers; our infrastructure is designed for professional operators and businesses subject to their own regulatory obligations.
Where we process personal data solely on behalf of an institutional client as their processor/service provider, that processing will be governed by the relevant service or data‑processing agreement, and this Policy applies only to our own controller‑level processing.
Nothing in this Policy is intended to override or limit applicable financial‑sector, anti‑money‑laundering, sanctions, or virtual asset regulatory obligations in India, Dubai/UAE, or Singapore; where such obligations require more extensive record‑keeping or disclosures, those legal requirements prevail.
3. Personal data we collect
Depending on your interaction with us, we may collect the following personal data:
- Identification and contact data – name, business email address, phone number, Telegram/WhatsApp handle, job title, organisation name.
- Business relationship data – information about your organisation, crypto and fiat flows, use cases, indicative volumes, jurisdictions, and other details you choose to share while exploring or using our services.
- Communications data – contents of emails, messages, meeting notes, and other communications between you and us.
- Technical and usage data – IP address, device identifiers, browser type and version, time zone, operating system, referral URLs, pages viewed, time and date of visits, and interaction data with our websites and interfaces.
- Cookies and similar technologies – information collected via cookies, pixels, tags, and similar technologies for analytics, security, and performance, as described in Section 8.
We do not intentionally collect sensitive personal data such as government‑issued identifiers, biometric data, or payment card numbers through our website or basic contact forms, and we ask you not to submit such information via these channels unless we specifically request it under an appropriate agreement.
4. How we collect personal data
We collect personal data:
- Directly from you – when you fill in website forms, request a call, send us an email, message us via communication platforms (such as Telegram or WhatsApp), or otherwise contact or interact with us.
- Automatically – through cookies, server logs, and analytics tools when you access or use our websites or digital assets.
- From third parties – for example, from your organisation (when it designates you as a contact), from service providers (such as form processors, CRM tools, analytics providers), from publicly available sources, or from professional networking platforms where you interact with our content.
5. Why we use personal data and legal bases
We use personal data only for lawful purposes and in accordance with applicable data‑protection and crypto/financial‑sector regulations in India, Dubai/UAE, and Singapore.
Our main purposes (and typical legal bases) include:
Providing and improving our services
- To respond to enquiries, schedule and conduct calls or demos, evaluate fit, and design how your flows may connect to our infrastructure.
- To operate, maintain, and improve our websites, tools, and workflows.
Legal bases: performance of pre‑contractual steps or a contract, legitimate interests, and, where required, consent.
Communications and relationship management
- To manage our relationship with you or your organisation, including sending service‑related communications, updates, and relevant B2B information about our products.
- To send you marketing communications where permitted by law and with an easy way to opt out.
Legal bases: legitimate interests, consent where required by local laws (including PDPA in Singapore and applicable rules in India and UAE).
Regulatory, compliance, AML, and risk management
- To comply with applicable laws and regulations relating to anti‑money‑laundering, counter‑terrorist financing, sanctions, tax, financial supervision, and virtual‑asset or payments regulation in India, Dubai/UAE, Singapore, and any other relevant jurisdiction.
- This may include verifying counterparties, conducting due diligence on institutional clients, maintaining audit trails, and cooperating with competent authorities where required.
Legal bases: compliance with legal obligations, substantial public interest where recognised, and legitimate interests in safeguarding our business and counterparties.
Security and abuse prevention
- To protect our systems, infrastructure, and users from fraud, abuse, unauthorised access, and security incidents.
- To monitor, detect, and respond to suspicious or potentially unlawful activity in accordance with applicable laws and our contractual obligations.
Legal bases: legitimate interests, compliance with legal obligations, and, where applicable, public interest in maintaining security and integrity.
Analytics, business development, and reporting
- To understand how our website and campaigns perform, which content is most relevant, and how to reach and support operators across different markets.
- To generate aggregated, de‑identified or anonymised insights for business planning and reporting that do not identify individuals.
Legal bases: legitimate interests and, where required, consent (e.g., for certain analytics cookies).
Where we rely on consent (for example, certain marketing or non‑essential cookies), you may withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
6. How we share personal data
We never sell your personal data. We may share personal data, on a need‑to‑know basis and under appropriate safeguards, with:
Service providers and vendors
Providers of hosting, cloud infrastructure, security tools, analytics, CRM systems, communication platforms, form processors, and professional advisors (legal, compliance, tax, audit).
These providers are contractually restricted from using personal data for their own purposes and must process it only in accordance with our instructions and applicable law.
Business partners and group entities
Where necessary to explore, structure, or deliver services to you or your organisation, or to support cross‑jurisdictional operations and compliance.
Regulators, authorities, and other parties where required
Competent courts, regulators, law‑enforcement agencies, financial‑intelligence units, or other authorities where we are legally required to disclose information or where disclosure is necessary to protect our rights, our users, or the public, including under crypto‑asset, AML, and financial‑regulatory frameworks in India, Dubai/UAE, and Singapore.
Any sharing will be done in accordance with applicable data‑protection laws, financial‑regulation requirements, and with appropriate contractual and security protections.
7. International data transfers
Because we operate across multiple jurisdictions and use global service providers, personal data may be transferred to, stored in, or accessed from countries other than the one where you are located, including India, the UAE, Singapore, and other countries with differing data‑protection standards.
Where required by law, we implement appropriate safeguards for cross‑border transfers, such as contractual clauses or other mechanisms recognised under the DPDP framework in India, UAE data‑protection regulations, and Singapore’s PDPA.
8. Cookies and similar technologies
We may use cookies, pixels, tags, and similar technologies to:
- Enable core website functionality and security.
- Measure site performance and usage.
- Support limited and targeted B2B marketing and optimisation activities.
Where required by law, we will provide a cookie notice and obtain consent for non‑essential cookies. You can adjust your browser settings to block or delete cookies; doing so may affect the functionality of certain parts of the website.
9. Data retention
We retain personal data only for as long as reasonably necessary to:
- Fulfil the purposes described in this Policy.
- Maintain records of our interactions and relationships with you or your organisation.
- Comply with legal, regulatory, tax, accounting, anti‑money‑laundering, and sanctions‑screening obligations in India, Dubai/UAE, Singapore, and other relevant jurisdictions.
- Resolve disputes and enforce our agreements.
Where personal data is no longer required, we will delete, anonymise, or otherwise securely de‑identify it in line with our internal policies and applicable laws.
10. Your rights
Depending on your location and the laws that apply to you (including India’s Digital Personal Data Protection framework, UAE and Dubai data‑protection regulations, and Singapore’s PDPA), you may have some or all of the following rights:
- Right to request access to the personal data we hold about you.
- Right to request correction or updating of inaccurate or incomplete data.
- Right to request deletion of personal data, subject to legal and contractual limitations (for example, AML record‑keeping obligations).
- Right to restrict or object to certain types of processing, including direct marketing.
- Right to withdraw consent where processing is based on consent.
- Right to data portability, where recognised under applicable law.
- Right to lodge a complaint with a competent data‑protection or supervisory authority.
To exercise your rights, please contact us at [email protected] with sufficient details to identify you and your relationship with us. We may need to verify your identity and, where applicable, confirm with your organisation that you are authorised to act on its behalf.
11. Security
We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure. These may include encryption in transit, access controls, network and application security, logging and monitoring, segregation of duties, and staff training.
However, no system or transmission is completely secure, and we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of any credentials or authentication factors associated with your use of our systems or services.
12. Third‑party sites and services
Our websites may contain links to third‑party websites, services, or content.
We are not responsible for the privacy practices, security, or content of such third parties, and their handling of personal data is governed by their own privacy policies and terms. We encourage you to review those policies before providing any personal data to them.
13. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our services, practices, technologies, or applicable legal requirements in India, Dubai/UAE, Singapore, or other relevant jurisdictions.
When we make material changes, we will update the “Last Updated” date at the top of this Policy and, where appropriate, provide additional notice (for example, a banner or email notification).
Your continued use of our websites or services after any update becomes effective will constitute your acknowledgement of the revised Policy, to the extent permitted by applicable law.