
Cryptotricity Privacy Policy (March 2026)

CRYPTOTRICITY LTD

Privacy Policy


Version 1.0  |  Effective Date: March 2026  |  Last Reviewed: March 2026

Applies to: www.cryptotricity.io and all associated platform services

This Privacy Policy explains how Cryptotricity Ltd collects, uses, shares, and protects your personal data when you use our website and platform services. Please read it carefully. If you do not agree with this policy, you should not use our services.



1. Who We Are

Cryptotricity Ltd ("Cryptotricity", "we", "us", or "our") is a private limited company registered in England and Wales. We operate an energy-fintech platform that connects household smart meter data with the XRP Ledger to deliver token-based energy bill rewards and demand-side response services.


| Detail | Information |
| --- | --- |
| Company name | Cryptotricity Ltd |
| Registered address | Ratheen Avenue, Cookstown, County Tyrone NI |
| Company number | NI738544 |
| ICO registration | |
| Data Protection Officer | Michael McDonald |
| Privacy contact email | web@cryptotricity.ie |
| Supervisory authority (UK) | Information Commissioner's Office (ICO) — ico.org.uk |
| Supervisory authority (Ireland) | Data Protection Commission (DPC) — dataprotection.ie |



2. Scope of This Policy

This Privacy Policy applies to:

  • All visitors to our website at www.cryptotricity.io

  • All registered users of the Cryptotricity platform and Energy Dashboard

  • Energy suppliers and business partners who access our B2B services

  • Individuals whose smart meter data is processed through the Hildebrand Glow API integration

  • Any person who communicates with us by email, telephone, or through our contact forms


This policy does not apply to third-party websites or services that may be linked from our platform. We are not responsible for the privacy practices of third parties.


3. Legal Framework

We process personal data in accordance with the following legislation:


| Legislation | Relevance to Our Processing |
| --- | --- |
| UK GDPR & Data Protection Act 2018 | Primary framework governing all personal data processing for UK residents |
| EU GDPR (Regulation 2016/679) | Applies to processing of personal data of Irish and EU residents |
| Data Use and Access Act (DUAA) 2025 | Governs the use of smart meter data accessed via Hildebrand and DCC infrastructure. Users retain the right to human review of any automated decisions. |
| Privacy and Electronic Communications Regulations (PECR) 2003 | Governs electronic marketing, cookies, and use of communication networks |
| Consumer Rights Act 2015 / DMCCA 2026 | Consumer protection obligations applicable to our platform terms and staking mechanisms |
| FCA Cryptoasset Gateway 2026 | Regulatory obligations applicable to cryptoasset-related data processing and consumer communications |
| Network and Information Systems (NIS) Regulations 2018 | Cybersecurity obligations for platform infrastructure and data security |



4. Data We Collect

We collect personal data through several distinct channels. The categories of data we process are set out below.


4.1 Account and Identity Data

When you register for a Cryptotricity account, we collect:

  • Full name

  • Email address

  • Password (stored as a cryptographic hash — we never store your plain-text password)

  • Date of birth (for age verification where required by FCA regulations)

  • Residential address (UK or Ireland)

  • Phone number (optional, for account recovery)


4.2 Smart Meter and Energy Data

With your explicit consent, we access your smart meter data via the Hildebrand Glow API and the national Data Communications Company (DCC) infrastructure. This data includes:

  • Half-hourly electricity consumption readings

  • Demand-Side Response (DSR) event participation data

  • Prepayment meter credit balance (for Lifeline emergency top-up eligibility)

  • Tariff and standing charge information provided by your energy supplier

  • Smart meter identifier (MPAN — Meter Point Administration Number)


Smart meter data is classified as sensitive personal data under the Data Use and Access Act (DUAA) 2025. We process this data only with your explicit consent. You have a legal right to request human review of any automated decisions made on the basis of your smart meter data, including DSR reward calculations and Lifeline credit releases.


4.3 Token and Blockchain Data

When you use the $Tricity token ecosystem, we process:

  • Your XRP Ledger wallet address (XRP public address — not your private key)

  • Token balance and transaction history (as recorded on the public XRP Ledger)

  • Staking tier and escrow lock records

  • DSR reward event logs and corresponding token issuance records

  • Token redemption records (bill credit conversions)


Important: XRP Ledger transactions are recorded on a public, immutable blockchain. Your wallet address and transaction history are publicly visible on the XRP Ledger once written. We cannot delete, alter, or remove on-chain records. This is an inherent characteristic of distributed ledger technology.


4.4 Technical and Usage Data

When you visit our website or use our platform, we automatically collect:

  • IP address

  • Browser type and version

  • Device type and operating system

  • Pages visited and time spent on each page

  • Referring URLs

  • Session identifiers and authentication tokens

  • Error logs and crash reports


4.5 Communications Data

When you contact us or participate in surveys or feedback programmes, we collect:

  • Email correspondence and attachments

  • Support ticket content and history

  • Survey responses and feedback submissions

  • Records of any complaints and our responses


4.6 Business Partner Data (B2B)

If you are an authorised representative of an energy supplier or business partner, we additionally collect:

  • Company name and registration number

  • Authorised representative name, title, and contact details

  • Contract and commercial agreement data

  • Aggregated (non-personal) customer retention and DSR performance metrics


4.7 Data We Do Not Collect

We explicitly do not collect or store the following:

  • Private keys or seed phrases for any cryptocurrency wallet

  • Bank account or payment card details (we do not process direct payments)

  • Special category personal data (health, race, religion, political opinions, etc.) unless voluntarily disclosed in a support communication

  • Data from children under the age of 18 — our services are for adults only



5. How and Why We Use Your Data

We process your personal data only where we have a lawful basis to do so under UK GDPR Article 6 and, where applicable, Article 9. The table below sets out our processing purposes, the data used, the legal basis, and our standard retention period.


| Purpose | Data used | Legal basis | Retention |
| --- | --- | --- | --- |
| Account creation and authentication | Identity data, email, password hash | Contract (Art. 6(1)(b)) | Duration of account + 6 years |
| Smart meter data access and DSR reward calculation | Smart meter data, MPAN, consumption readings | Explicit consent (Art. 6(1)(a) + Art. 9(2)(a)) | 3 years from collection |
| Token issuance, escrow, and staking management | Wallet address, token balance, escrow records | Contract (Art. 6(1)(b)) | Duration of account + 7 years |
| Lifeline emergency prepayment top-up | Prepayment meter balance, MPAN, token balance | Vital interests / Contract (Art. 6(1)(b)/(d)) | 3 years from event |
| Bill credit redemption and supplier reconciliation | Consumption data, token redemption records | Contract (Art. 6(1)(b)) | 7 years (financial records) |
| Fraud prevention and AML compliance | Identity, transaction history, wallet address | Legal obligation (Art. 6(1)(c)) | 5 years post-relationship |
| Customer support and complaint handling | Communications data, account data | Legitimate interests (Art. 6(1)(f)) | 3 years from resolution |
| Platform security and abuse prevention | Technical data, IP address, session logs | Legitimate interests (Art. 6(1)(f)) | 90 days rolling |
| FCA regulatory reporting and compliance | Identity, transaction, and token data | Legal obligation (Art. 6(1)(c)) | 7 years |
| Service improvement and analytics | Anonymised/aggregated usage data | Legitimate interests (Art. 6(1)(f)) | Indefinite (anonymised only) |
| Marketing communications (opted-in users only) | Name, email, communication preferences | Consent (Art. 6(1)(a)) | Until consent withdrawn |
| B2B supplier performance reporting | Aggregated, non-personal retention metrics | Contract (Art. 6(1)(b)) | Duration of contract + 7 years |


5.1 Legitimate Interests Assessment

Where we rely on legitimate interests as our legal basis, we have conducted a balancing test to ensure our interests do not override your rights. A summary is available on request by contacting privacy@cryptotricity.io. You have the right to object to processing based on legitimate interests at any time (see Section 10).


5.2 Automated Decision-Making

We use automated systems to:

  • Calculate DSR rewards based on smart meter event data

  • Determine Lifeline top-up eligibility based on prepayment meter balance thresholds

  • Apply loyalty bond discount tiers based on staked token quantities


These automated decisions have a meaningful effect on your energy costs. Under UK GDPR Article 22 and the DUAA 2025, you have the right to:

  • Request human review of any automated decision

  • Contest any decision you believe is incorrect

  • Obtain an explanation of the logic involved


To exercise these rights, contact: privacy@cryptotricity.io



6. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies in accordance with the Privacy and Electronic Communications Regulations (PECR) 2003. We will not place non-essential cookies on your device without your prior consent.


6.1 Types of Cookies We Use

| Cookie type | Name / Provider | Purpose | Duration |
| --- | --- | --- | --- |
| Strictly necessary | session_id, csrf_token | Maintains your logged-in session and prevents cross-site request forgery attacks. Cannot be disabled. | Session |
| Functional | user_prefs, lang | Remembers your language and display preferences between visits. | 1 year |
| Analytics | _ga, _gid (Google Analytics) | Collects anonymised usage data to help us understand how users interact with the platform. Requires consent. | 2 years |
| Performance | Sentry (error tracking) | Captures anonymised error and crash reports to help us fix technical issues. Requires consent. | 30 days |
| Marketing | None currently set | We do not currently use marketing or retargeting cookies. This will be updated if our cookie use changes. | N/A |


6.2 Managing Your Cookie Preferences

You can manage your cookie preferences at any time via our Cookie Preference Centre, accessible from the footer of every page. You may also manage cookies through your browser settings. Please note that disabling strictly necessary cookies will prevent you from logging into your account.



7. Sharing Your Personal Data

We do not sell, rent, or trade your personal data. We share it only in the circumstances described below.


7.1 Service Providers (Data Processors)

We share personal data with carefully selected third-party service providers who process data on our behalf under strict contractual obligations:


| Provider | Role | Data shared | Location |
| --- | --- | --- | --- |
| Hildebrand Technology Ltd | DCC-accredited data intermediary; smart meter data access via Glow API | MPAN, consumption data | UK |
| GateHub / Xaman (Xumm) | Non-custodial XRPL wallet SDK for consumer staking interface | Wallet address, session tokens | EU / EEA |
| XRP Ledger Foundation | Public blockchain infrastructure for token settlement and escrow | Wallet address, transaction data (public) | Decentralised |
| Cloud hosting provider (TBC) | Infrastructure hosting for platform, dashboard, and database | All platform data | UK / EEA |
| Email service provider (TBC) | Transactional emails, account notifications | Name, email address | UK / EEA |
| Analytics provider (Google Analytics) | Website usage analytics (anonymised) | Anonymised usage data | USA (SCCs) |


7.2 Energy Supplier Partners

We share data with participating energy suppliers only to the extent necessary to operate the platform and fulfil our contractual obligations:

  • Aggregated, anonymised demand-response participation statistics (never individually identifiable)

  • Confirmation of staking tier status for the purpose of applying your discount to your energy bill

  • Lifeline top-up credit instructions sent to your registered supplier via the DCC bridge


We do not share your smart meter consumption history, token balance, transaction history, or personal account details with energy suppliers without your explicit consent.


7.3 Regulatory and Legal Disclosure

We may share your personal data where required by law or to protect our legal rights:

  • With the Financial Conduct Authority (FCA), Information Commissioner's Office (ICO), or other competent authorities in response to lawful requests or investigations

  • With the Data Protection Commission (DPC) in Ireland where applicable

  • With law enforcement agencies in connection with the prevention or detection of crime

  • With professional advisers (lawyers, auditors, insurers) under strict confidentiality obligations

  • In connection with a merger, acquisition, or sale of all or part of our business, where data protection obligations are transferred to the acquirer


7.4 International Transfers

Where we transfer personal data outside the UK or European Economic Area (EEA), we ensure that appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission or UK ICO, as applicable

  • Adequacy decisions where the destination country provides equivalent data protection

  • Binding Corporate Rules where applicable


Note regarding the XRP Ledger: the XRPL is a decentralised network with validators operating globally. Once transaction data is written to the ledger, it is replicated across all validator nodes worldwide. This is a technical characteristic of blockchain infrastructure and not a discretionary transfer we can restrict.



8. Data Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law. Our standard retention schedule is:


| Data category | Retention period | Basis for retention |
| --- | --- | --- |
| Account and identity data | Duration of account + 6 years post-closure | Limitation Act 1980; FCA regulatory requirements |
| Smart meter consumption data | 3 years from date of collection | DUAA 2025; proportionality principle |
| Token and XRPL transaction records | 7 years (off-chain records) | FCA cryptoasset requirements; HMRC obligations |
| Lifeline emergency top-up logs | 3 years from event date | Consumer protection legislation; audit trail |
| Financial and billing records | 7 years from transaction date | HMRC; Companies Act 2006 |
| AML and fraud prevention records | 5 years post-relationship end | Money Laundering Regulations 2017 |
| Customer support communications | 3 years from resolution | Legitimate interests; statute of limitations |
| Marketing preferences and consent records | Until consent withdrawn + 1 year for audit | PECR; ICO guidance on consent records |
| Website access and security logs | 90 days rolling | Security monitoring; proportionality |
| On-chain XRPL records (public ledger) | Permanent — cannot be deleted | Inherent property of blockchain technology |


When data reaches the end of its retention period, it is securely deleted or irreversibly anonymised. Where anonymisation is not technically possible (for example, backup systems), we isolate and protect the data until it can be deleted.



9. Data Security

We take the security of your personal data seriously. We implement appropriate technical and organisational measures to protect against unauthorised access, loss, destruction, or alteration of your data, consistent with UK GDPR Article 32 and the NIS Regulations 2018.


9.1 Technical Measures

  • All data in transit is encrypted using TLS 1.2 or higher

  • All data at rest is encrypted using AES-256 or equivalent

  • Passwords are hashed using a strong one-way algorithm (bcrypt or Argon2) — we never store or have access to your plain-text password

  • Two-factor authentication (2FA) is available and strongly recommended for all accounts

  • Regular penetration testing and vulnerability assessments

  • API access is restricted by key rotation, rate limiting, and IP allowlisting where appropriate

  • Smart meter data is processed in isolated, access-controlled environments

  • XRPL private key management: we never hold, access, or store your private keys. The Xaman wallet is non-custodial — your keys remain on your device


9.2 Organisational Measures

  • Access to personal data is restricted on a strict need-to-know basis

  • All staff and contractors with data access undergo data protection training

  • Data processing agreements (DPAs) are in place with all third-party processors

  • A formal incident response plan is maintained and tested annually

  • Data Protection Impact Assessments (DPIAs) are conducted for high-risk processing activities, including smart meter data integration and automated decision-making


9.3 Security Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the ICO (and DPC where applicable) within 72 hours of becoming aware of the breach, in accordance with UK GDPR Article 33

  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms

  • Maintain a record of all breaches, their effects, and remedial actions taken


To report a suspected security vulnerability, please contact: security@cryptotricity.io



10. Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data. Irish and EU residents have equivalent rights under EU GDPR. You can exercise any of these rights free of charge by contacting privacy@cryptotricity.io. We will respond within one calendar month.


| Your right | What it means | How to exercise it |
| --- | --- | --- |
| Right of access (Subject Access Request) | The right to obtain a copy of your personal data and information about how we process it. | Email privacy@cryptotricity.io with subject line 'SAR Request' |
| Right to rectification | The right to have inaccurate personal data corrected, or incomplete data completed. | Update via your account settings or email us |
| Right to erasure ('right to be forgotten') | The right to request deletion of your personal data where there is no compelling reason for continued processing. Note: on-chain XRPL records cannot be erased. | Email privacy@cryptotricity.io with subject line 'Erasure Request' |
| Right to restrict processing | The right to request that we limit how we use your data, for example while a dispute is being resolved. | Email privacy@cryptotricity.io |
| Right to data portability | The right to receive your personal data in a structured, machine-readable format and to transmit it to another controller. | Email privacy@cryptotricity.io — we will provide data in JSON or CSV format |
| Right to object | The right to object to processing based on legitimate interests or direct marketing at any time. | Email privacy@cryptotricity.io or use the unsubscribe link in any marketing email |
| Rights related to automated decision-making | The right to human review, contestation, and explanation of automated decisions that significantly affect you (including DSR reward calculations and Lifeline decisions). | Email privacy@cryptotricity.io with subject line 'Automated Decision Review' |
| Right to withdraw consent | Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. | Withdraw via account settings or email us |
| Right to lodge a complaint | The right to complain to the ICO (ico.org.uk) or, for Irish residents, the DPC (dataprotection.ie) if you believe we have violated your data protection rights. | Contact the ICO: 0303 123 1113 or casework@ico.org.uk |


We will acknowledge your request within 5 business days and provide a full response within one calendar month. For complex requests, we may extend this by a further two months and will notify you accordingly. We will not charge a fee for reasonable requests, but may charge for manifestly unfounded or excessive requests.



11. Children's Privacy

Our services are intended for adults aged 18 and over. We do not knowingly collect, process, or store personal data relating to individuals under the age of 18.


If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact privacy@cryptotricity.io immediately. We will take steps to verify the claim and, if confirmed, delete the relevant data as promptly as possible.


12. Marketing Communications

We will only send you marketing communications where you have given us your explicit consent to do so, in compliance with PECR 2003. We will never send unsolicited commercial emails or share your contact details with third parties for marketing purposes.


12.1 What We May Send

If you opt in, we may send you:

  • Platform updates and new feature announcements

  • Educational content about energy saving and demand-side response

  • Information about the $Tricity token ecosystem (service information only — not investment promotion)

  • Regulatory updates relevant to the platform


We will never use marketing communications to promote $Tricity as an investment, to make representations about token price, or to suggest speculative returns. All communications are subject to FCA financial promotion rules where applicable.


12.2 Opting Out

You may withdraw your marketing consent and opt out of all marketing communications at any time by:

  • Clicking the 'Unsubscribe' link in any marketing email

  • Updating your preferences in the account settings panel

  • Emailing privacy@cryptotricity.io with subject line 'Marketing Opt-Out'


Opting out of marketing does not affect essential service communications such as account notifications, security alerts, or regulatory disclosures.



13. Third-Party Links and Services

Our platform may contain links to third-party websites, including energy supplier portals, XRP Ledger explorer tools (such as XRPL.org or Bithomp), and regulatory body websites. We are not responsible for the privacy practices or content of these third-party sites.


We recommend reviewing the privacy policy of any third-party site you visit. The presence of a link does not constitute an endorsement of that site or its privacy practices.


14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing activities, legal obligations, or regulatory requirements. The version number and effective date at the top of this document will be updated accordingly.


For material changes — those that significantly affect how we process your data or your rights — we will:

  • Notify registered users by email at least 30 days before the changes take effect

  • Display a prominent notice on our website and within the platform dashboard

  • Where required, obtain fresh consent before processing under the new terms


Continued use of our platform after the effective date of any changes constitutes acceptance of the updated policy. If you do not agree with changes, you should close your account before the effective date.


15. How to Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy or our data processing activities, please contact us:


| Contact method | Details |
| --- | --- |
| Email (privacy) | privacy@cryptotricity.io |
| Email (security) | security@cryptotricity.io |
| Subject Access Requests | privacy@cryptotricity.io — subject line: 'SAR Request' |
| Post | Data Protection, Cryptotricity Ltd, [Registered Office Address] |
| ICO (supervisory authority — UK) | ico.org.uk, 0303 123 1113, casework@ico.org.uk |
| DPC (supervisory authority — Ireland) | dataprotection.ie, +353 57 868 4800, info@dataprotection.ie |




This document is provided for informational purposes. It does not constitute legal advice. Cryptotricity Ltd recommends obtaining independent legal counsel before publishing this policy.
