Privacy Policy v1.1 | ARCANA CRYPTO LTD

This Privacy Policy explains how Arcana Crypto LTD collects, uses, shares and protects personal data. It is issued in compliance with the United Kingdom General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the Privacy and Electronic Communications Regulations 2003 (PECR).

Who We Are and Data Controller
Scope
What Personal Data We Collect
Special Category Data and Criminal Offence Data
Personal Data of Third Parties
How and Why We Use Your Data
Automated Decision-Making and Profiling
Who We Share Your Data With
International Transfers
Cookies and Similar Technologies
Marketing Communications
How Long We Keep Your Data
Your Rights Under UK GDPR
Security
Children
Terms of Engagement
Changes to This Policy
Contact Us

1. Who We Are and Data Controller

Arcana Crypto LTD ("Arcana", "we", "us", "our") is a private limited company incorporated in England and Wales, Company Number 16371124, with registered office at 12 Pullman Gardens, London, SW15 3DF, United Kingdom.

We act as Data Controller for the personal data described in this Policy and are registered with the Information Commissioner's Office (ICO) under registration reference C1918773.

We provide cryptocurrency wallet recovery, blockchain forensic investigation, security consulting and related digital-asset services.

1.1 Data Protection Contact

We have not appointed a statutory Data Protection Officer because our processing activities do not meet the mandatory criteria under Article 37 UK GDPR. The point of contact for all data protection enquiries is:

Email: support.arcanacrypto@protonmail.com

Postal: Data Protection Enquiries, Arcana Crypto LTD, 12 Pullman Gardens, London, SW15 3DF, United Kingdom

2. Scope

This Policy covers personal data of:

Clients and prospective Clients of our Services;
Authorised representatives, beneficial owners, directors and trustees of corporate Clients;
Visitors to the Site;
Third parties whose personal data is processed in the course of investigations (see section 5).

3. What Personal Data We Collect

Category	Examples	Source
Identity data	Full name, date of birth, nationality, government-issued ID (KYC onboarding)	You; ID verification providers
Contact data	Email, telephone, postal address	You (enquiry form, contract)
Financial data	Wallet addresses, transaction hashes, asset values	You; on-chain public sources
KYC / AML data	Proof of address, source of funds, sanctions screening results	You; third-party providers
Communications data	Emails, messages, meeting notes	Our correspondence with you
Case data	Investigation findings, evidence files, deliverables	You + our investigation
Technical data	IP address, browser type, cookies	Automatically via the Site

4. Special Category Data and Criminal Offence Data

4.1 Special Category Data (Article 9 UK GDPR)

We do not actively seek special category data. Where such data is incidentally processed (e.g. biometric data in passport chips, or health-related information voluntarily provided), we rely on:

Article 9(2)(f) — processing necessary for the establishment, exercise or defence of legal claims;
Article 9(2)(g) read with DPA 2018, Schedule 1, Part 2, paragraph 10 — preventing or detecting unlawful acts; and
Article 9(2)(a) — explicit consent, where freely given.

4.2 Criminal Offence Data (Article 10 UK GDPR)

Our investigative work routinely involves processing data relating to criminal offences (theft, fraud, money laundering, sanctions evasion). We rely on:

DPA 2018, Schedule 1, Part 2, paragraph 10 — preventing or detecting unlawful acts;
DPA 2018, Schedule 1, Part 3, paragraph 33 — establishment, exercise or defence of legal claims; and
DPA 2018, Schedule 1, Part 2, paragraph 12 — preventing fraud.

An Appropriate Policy Document (APD) is maintained in respect of this processing, as required by DPA 2018, Schedule 1, Part 4.

5. Personal Data of Third Parties (Article 14 UK GDPR)

In the course of investigations, we may process personal data of individuals who are not our Clients (e.g. counterparties to suspect transactions, beneficial owners identified through blockchain analytics). Where direct notification under Article 14 would be impossible, disproportionate, or would prejudice the investigation, we rely on the Article 14(5)(b), (c) or (d) exemptions. We document our reliance on such exemptions.

6. How and Why We Use Your Data

Purpose	Lawful Basis (UK GDPR Art. 6)
Providing and managing our Services	Performance of a contract — Art. 6(1)(b)
Identity verification and KYC/AML compliance	Legal obligation — Art. 6(1)(c) (MLR 2017)
Sanctions screening	Legal obligation — Art. 6(1)(c) (SAMLA 2018)
Detection and prevention of fraud	Legitimate interests — Art. 6(1)(f)
Submission of SARs to the NCA	Legal obligation — Art. 6(1)(c) (POCA 2002)
Responding to your enquiries	Legitimate interests — Art. 6(1)(f)
Sending service-related communications	Performance of a contract — Art. 6(1)(b)
Establishing, exercising or defending legal claims	Legitimate interests — Art. 6(1)(f); Art. 9(2)(f)
Direct marketing to existing clients	Consent — Art. 6(1)(a); or B2B soft opt-in (PECR Reg. 22(3))

We do not engage in data selling, data brokering or behavioural advertising.

7. Automated Decision-Making and Profiling (Article 22 UK GDPR)

We use automated tools for sanctions screening, PEP screening, KYC verification and blockchain risk-scoring. No decision producing legal or similarly significant effects is taken solely by automated means. All outputs are reviewed by a human before any onboarding, refusal or termination decision is taken.

You have the right to obtain human intervention, express your point of view and contest any decision.

8. Who We Share Your Data With

Recipient Category	Examples	Role
Identity verification providers	Onfido, Veriff, Sumsub	Processor
Blockchain analytics providers	Chainalysis, Elliptic, TRM Labs	Joint/Independent controller
Cloud and IT service providers	Hosting, email, secure storage	Processor
Professional advisers	Solicitors, accountants, insurers	Independent controller
Regulators and law enforcement	HMRC, ICO, NCA, OFSI	Independent controller
Courts and tribunals	Civil and criminal courts	Independent controller

An up-to-date list of our material sub-processors is available on written request to support.arcanacrypto@protonmail.com.

9. International Transfers

Where personal data is transferred outside the United Kingdom, we rely on one or more of:

UK adequacy regulations (which currently include all EEA member states);
The International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses;
Other valid Article 46 transfer mechanisms; or
Article 49 derogations where applicable.

Providers currently operating outside the UK include Chainalysis (US) and certain cloud infrastructure providers. We select providers offering appropriate UK/EU data protection safeguards.

10. Cookies and Similar Technologies (PECR)

Cookie / Type	Category	Purpose	Duration
Session cookies	Strictly necessary	Maintain session state and Site functionality	Session
CSRF token	Strictly necessary	Security — prevent cross-site request forgery	Session
Cookie consent preferences	Strictly necessary	Remember your consent choice	12 months
Analytics cookies (if enabled)	Analytics	Understand Site usage (pages visited, time, links clicked)	12 months

Strictly necessary cookies are placed without consent (PECR Reg. 6(1)). Analytics cookies require prior consent. A cookie consent banner is presented on first visit.

11. Marketing Communications

B2C clients: We will only send marketing emails with your explicit prior consent (PECR Reg. 22). You may withdraw consent at any time.

B2B clients: We may send relevant marketing under the soft opt-in rule (PECR Reg. 22(3)) where you are an existing client and the communication relates to similar services.

To opt out of all marketing, email support.arcanacrypto@protonmail.com with the subject line "Unsubscribe".

12. How Long We Keep Your Data

Data Type	Retention Period
KYC / AML records	5 years from end of engagement (MLR 2017 reg. 40)
Contract and financial records	6 years from end of engagement (Limitation Act 1980)
Communications	3 years from last contact
Marketing data	24 months from last engagement
Technical / website logs	12 months

13. Your Rights Under UK GDPR

Access (DSAR) — request a copy of the personal data we hold about you.
Rectification — ask us to correct inaccurate or incomplete data.
Erasure — request deletion of your data. Note: where we have a legal obligation to retain data (e.g. AML records under MLR 2017 reg. 40), we cannot erase such data until the retention period expires.
Restriction — ask us to restrict processing in certain circumstances.
Portability — receive your data in a structured, machine-readable format.
Object to direct marketing — you have an absolute right to object at any time.
Object to other processing — where we rely on legitimate interests (Art. 6(1)(f)), you may object; we will cease unless we can demonstrate compelling legitimate grounds.
Withdraw consent — you may withdraw consent at any time without affecting prior processing.
Automated decision-making — the right to human review of any solely automated decision.

13.1 How to Exercise Your Rights

Email support.arcanacrypto@protonmail.com with the subject line "Data Subject Request". We may ask you to verify your identity before responding (UK GDPR Art. 12(6)). We will respond within one calendar month. For complex requests, we may extend by up to two further months (Art. 12(3)).

13.2 Right to Complain

ICO: ico.org.uk/make-a-complaint | 0303 123 1113 | Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Non-UK residents may also complain to their local supervisory authority (e.g. Garante in Italy, CNIL in France, BfDI in Germany).

14. Security

We implement appropriate technical and organisational measures, including:

Encryption of data at rest (AES-256) and in transit (TLS 1.3 minimum);
Role-based access controls on a need-to-know basis;
Segregation of client data and secure key management;
Secure deletion and destruction procedures;
Written confidentiality undertakings from staff and contractors;
Logging, monitoring and periodic security review.

In the event of a personal data breach, we will notify the ICO within 72 hours (UK GDPR Art. 33) and affected data subjects without undue delay where required by Art. 34.

15. Children

Our Services are contractual in nature and provided only to persons aged 18 or over. Although the UK age of digital consent under DPA 2018 s.9 is 13, we do not knowingly collect personal data from any individual under 18.

16. Terms of Engagement

This Privacy Policy should be read alongside our Terms of Engagement & Service Agreement, which govern the provision of our services and contain additional provisions relating to data handling, confidentiality and client obligations. A copy is provided at the start of each engagement and is available on request.

17. Changes to This Policy

We may update this Policy from time to time. The Version and Last updated fields at the top reflect any changes. Material changes will be communicated to active Clients by email.

18. Contact Us

Arcana Crypto LTD

12 Pullman Gardens, London, SW15 3DF, United Kingdom

Company Number: 16371124 | ICO Registration: C1918773

Email: support.arcanacrypto@protonmail.com

Website: arcana-crypto.com

Arcana Crypto LTD · Privacy Policy v1.1 · Last updated 25 April 2026

Governed by the laws of England and Wales

Terms & Legal Information | Contact

Privacy Policy

Contents