Privacy Policy
1. Introduction
mintus operates a blockchain-based smart-voucher and loyalty platform consisting of the mintus Wallet (consumer app), the mintus Cashier (merchant app), the Enterprise Console (web), this website, and supporting APIs (together, the "Services"). This Privacy Policy explains what personal data we process when you use the Services, why we process it, on what legal basis, who we share it with, and the rights you have under applicable data-protection law.
This policy is designed to satisfy our obligations under the EU and UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Personal Information Protection Law of the People's Republic of China (PIPL), Singapore's Personal Data Protection Act (PDPA), and comparable laws in other jurisdictions.
2. Who is responsible (data controller)
The controller of personal data processed via the Services is mintus (the "Company", "we", "us"). You can contact us — including our Data Protection Officer (DPO) — at privacy@mintus.world. Country-specific representatives appointed under Article 27 GDPR, Article 53 PIPL, or other applicable regimes are identified in this policy where applicable and updated on this page.
Where a merchant uses the Enterprise Console or Cashier app to issue, distribute or redeem vouchers, that merchant acts as an independent controller of the personal data of its customers. The merchant's own privacy policy governs that processing. mintus acts as a processor on behalf of the merchant for those operations and as a controller only in respect of operational data needed to run the platform (account credentials, billing, security logs, etc.).
3. Scope of this policy
This policy applies to personal data collected via:
- this website, mintus.world, and its subdomains;
- the mintus Wallet, the mintus Cashier app and the Enterprise Console;
- our customer support, sales and partner channels (email, in-app help, etc.).
It does not apply to third-party websites or services that you may access through the Services. Those have their own privacy policies; please review them separately.
4. Personal data we collect
We collect personal data only when it is necessary for the Services to function or for a clearly stated, lawful purpose. The categories are:
| Category | Examples | Source |
|---|---|---|
| Account data | Username, hashed password, recovery email, security questions, language preference | From you, at signup |
| Identity data (merchants only, where required) | Business name, registration number, legal representative, banking details for billing, KYC documents above issuance thresholds set by applicable law | From you |
| Device & technical data | Device model, operating system, app version, IP address, locale, time zone, crash reports, performance metrics | Automatic, from the device on which you run the Services |
| Usage data | Pages or screens viewed, features used, in-app interactions, voucher actions (mint, transfer, redeem) initiated by you | Automatic, while you use the Services |
| On-chain identifiers | Your DID, public keys, transaction hashes | Generated when your account is created; written to a public blockchain |
| Communications data | Messages you send to our support, sales or legal teams; survey responses | From you |
| Push notification identifiers | The Firebase Cloud Messaging (FCM) / Apple Push Notification (APNs) device token assigned to your installation, platform (iOS / Android), app bundle id, and language preference | Generated by your device and the operating-system push service after you grant the notification permission; transmitted to us when the app registers for push |
| Marketing data (opt-in only) | Newsletter subscription, marketing consent state | From you |
We do not ask for sensitive personal data (racial or ethnic origin, political opinions, religion, health, sexual orientation, biometric or genetic data). Please do not send us such data unsolicited.
5. Why we process your data and legal bases
| Purpose | Data categories | Legal basis (GDPR Art. 6) |
|---|---|---|
| Create and operate your account; provide the Services | Account data, on-chain identifiers, device data | Contract (Art. 6(1)(b)) |
| Process voucher actions (mint, transfer, redeem) at your request | Account data, usage data, on-chain identifiers | Contract (Art. 6(1)(b)) |
| Comply with legal obligations (tax, AML/CFT, sanctions screening, response to lawful requests) | Identity data, communications data, usage data | Legal obligation (Art. 6(1)(c)) |
| Detect, prevent and respond to fraud, abuse and security incidents | Device data, usage data, communications data | Legitimate interests (Art. 6(1)(f)) — protecting our Services and our users |
| Maintain and improve the Services (debugging, performance, analytics) | Device data, aggregated usage data, crash reports | Legitimate interests (Art. 6(1)(f)) |
| Send service notices (security alerts, terms changes) | Account data | Legitimate interests (Art. 6(1)(f)) or legal obligation (Art. 6(1)(c)), depending on the notice |
| Deliver push notifications you have allowed (wallet activity, inbound messages, account-security events) | Push notification identifiers, account data, communications data | Contract (Art. 6(1)(b)) — delivering the Services you signed up for. The push permission itself is granted at the operating-system level and can be revoked there at any time. |
| Send marketing communications | Account data, marketing data | Consent (Art. 6(1)(a)) — withdrawable at any time |
Under the PIPL we rely on the equivalent bases: contractual necessity (Article 13(1)(2)), legal obligation (Article 13(1)(3)), responding to public-health or other emergencies (Article 13(1)(4) — extremely rare), and your separate consent for any processing that requires it (Article 14). Under the CCPA/CPRA we process data for the "business purposes" listed above; the right to opt out applies where relevant. Under the PDPA we rely on consent, deemed consent in the context of contracted services, and the legitimate-interests exception where appropriate.
6. Information stored on a public blockchain
The Services use a public blockchain to record voucher state. Information written to that blockchain — including your DID, public keys, voucher contract addresses and transaction hashes — is by design public, immutable and not under our control. We do not write your name, email or other directly identifying data on-chain.
Because on-chain records cannot be deleted, exercising a deletion right (e.g. under GDPR Article 17) erases the off-chain link between your identity and your on-chain identifiers; it does not erase the on-chain transactions themselves, which remain pseudonymous. We consider this a reasonable balance: where we are required by law to retain a record, the exception in Article 17(3)(b) GDPR (compliance with a legal obligation) applies, and the residual on-chain records are pseudonymous identifiers that we can no longer link to you once the off-chain link has been erased. The same reasoning applies under the PIPL, CCPA/CPRA and PDPA.
7. Who we share data with
We share personal data only as follows:
- Service providers (processors) who provide infrastructure, customer support, communications, analytics and security services on our behalf. These vendors are bound by written contracts requiring confidentiality, security, and processing only for our documented purposes.
- Push notification gateways: Google (Firebase Cloud Messaging) and Apple (Apple Push Notification service) act as processors when we route notifications to your device. They receive only the device push token and the notification payload required for delivery; we do not use these channels to share account data with Google or Apple for any other purpose.
- Merchants you transact with, but only the information that is strictly necessary for them to fulfil your voucher request (e.g. that voucher X was redeemed in store Y).
- Auditors, advisors and professional services bound by professional confidentiality obligations.
- Government authorities and law enforcement where we are legally compelled to do so, and only to the extent required.
- Acquirers, in the event of a merger, acquisition or sale of all or part of our business, subject to the protections of this policy.
We do not sell or rent your personal data, and we do not "share" your personal data for cross-context behavioural advertising as defined under the CPRA.
8. International data transfers
mintus operates internationally; personal data may be transferred to and processed in jurisdictions other than the one in which it was collected. Where we transfer personal data from the European Economic Area, the United Kingdom or Switzerland to a country that is not the subject of an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) (Implementing Decision (EU) 2021/914) and, where relevant, the UK International Data Transfer Addendum or the Swiss equivalent, supplemented by transfer impact assessments and supplementary technical measures (encryption in transit and at rest, access controls, audit logging).
Transfers of personal information collected in China are made under the routes provided in PIPL Articles 38–43 (CAC security assessment, the CAC standard contract, or certification by a recognised body), with the route determined by the volume and category of the personal information transferred, as required by the applicable measures.
9. How long we keep data
We keep personal data only for as long as needed for the purposes set out in this policy or as required by law. Indicative retention periods:
| Category | Retention |
|---|---|
| Active account data | For the life of your account, plus up to 30 days after you delete it (to allow recovery from accidental deletion) |
| Billing and tax records (merchants) | As required by applicable tax law (typically 7–10 years) |
| AML/KYC documents | 5 years after the end of the customer relationship, or longer where required by law |
| Security and fraud logs | Up to 24 months |
| Push notification tokens | Until you log out, uninstall the app, the operating-system push service rotates the token, or our backend receives a not-registered error from the gateway (FCM `UNREGISTERED`, APNs `Unregistered`) — whichever comes first. Inactive tokens are marked as such automatically; rows that have been in the inactive state for more than 30 days may be purged. |
| Support and communications records | Up to 36 months after closure of the matter |
| On-chain records | Permanent (public blockchain) — see §6 |
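The push-token row in the table above describes a small state machine: a token is active from registration until logout, rotation or a not-registered response from the gateway, then sits in an inactive state for a 30-day grace period before it is purged. The following Python is an added illustration of that lifecycle, not mintus's own code: the gateway error codes, the `installation_id` key and the scenario data are assumptions for the example, and the in-memory registry stands in for a database table.

```python
"""Push-token lifecycle: register; retire on logout, rotation or not-registered;
purge after the 30-day inactive grace period (added example, not platform code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional

# Retention window for rows in the inactive state (from the retention table).
INACTIVE_PURGE_AFTER = timedelta(days=30)

# Gateway error codes treated as "not registered". Assumed for this example,
# modelled on the FCM HTTP v1 UNREGISTERED code and the APNs Unregistered reason.
NOT_REGISTERED_ERRORS = frozenset({"UNREGISTERED", "Unregistered"})


class TokenState(Enum):
    ACTIVE = "active"
    INACTIVE = "inactive"


@dataclass
class PushToken:
    token: str
    platform: str                 # "ios" or "android"
    user_id: str
    installation_id: str          # one row per app installation (assumed key)
    state: TokenState = TokenState.ACTIVE
    inactive_since: Optional[datetime] = None
    reason: Optional[str] = None  # why the row left the active state

    def deactivate(self, now: datetime, reason: str) -> None:
        if self.state is TokenState.ACTIVE:
            self.state, self.inactive_since, self.reason = TokenState.INACTIVE, now, reason


class PushTokenRegistry:
    """In-memory stand-in for the token table; a real backend would use a database."""

    def __init__(self) -> None:
        self._rows: Dict[str, PushToken] = {}  # keyed by token string

    def register(self, user_id: str, installation_id: str, platform: str,
                 token: str, now: datetime) -> PushToken:
        # Rotation: the OS push service handed this installation a new token,
        # so any earlier active token for the same installation is retired.
        for row in self._rows.values():
            if row.installation_id == installation_id and row.token != token:
                row.deactivate(now, "rotated")
        row = self._rows.get(token)
        if row is None:
            row = PushToken(token, platform, user_id, installation_id)
            self._rows[token] = row
        return row

    def on_logout(self, user_id: str, installation_id: str, now: datetime) -> int:
        """Retire the active token(s) of the installation that logged out."""
        retired = 0
        for row in self._rows.values():
            if (row.user_id == user_id and row.installation_id == installation_id
                    and row.state is TokenState.ACTIVE):
                row.deactivate(now, "logout")
                retired += 1
        return retired

    def on_gateway_result(self, token: str, error_code: Optional[str], now: datetime) -> bool:
        """Record one delivery result; True if the token was retired. Any other
        error (throttling, oversized payload) leaves the token active."""
        row = self._rows.get(token)
        if row is None or error_code not in NOT_REGISTERED_ERRORS:
            return False
        row.deactivate(now, "not_registered")
        return True

    def active_tokens(self, user_id: str) -> List[str]:
        return sorted(r.token for r in self._rows.values()
                      if r.user_id == user_id and r.state is TokenState.ACTIVE)

    def purge(self, now: datetime) -> List[str]:
        """Delete rows that have been inactive for at least INACTIVE_PURGE_AFTER."""
        expired = sorted(t for t, r in self._rows.items()
                         if r.state is TokenState.INACTIVE and r.inactive_since is not None
                         and now - r.inactive_since >= INACTIVE_PURGE_AFTER)
        for t in expired:
            del self._rows[t]
        return expired


def run_scenario() -> Dict[str, List[str]]:
    """Constructed walk-through of one user with two installations."""
    reg = PushTokenRegistry()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    reg.register("alice", "install-1", "android", "tokA1", t0)
    reg.register("alice", "install-2", "ios", "tokB1", t0)
    out: Dict[str, List[str]] = {}
    # Day 1: the iOS app was uninstalled; APNs reports the token as Unregistered.
    reg.on_gateway_result("tokA1", None, t0 + timedelta(days=1))
    reg.on_gateway_result("tokB1", "Unregistered", t0 + timedelta(days=1))
    out["after_unregistered"] = reg.active_tokens("alice")
    # Day 2: FCM rotates the Android token; the app re-registers with the new one.
    reg.register("alice", "install-1", "android", "tokA2", t0 + timedelta(days=2))
    out["after_rotation"] = reg.active_tokens("alice")
    # Scheduled purges: nothing on day 20, both retired rows on day 32.
    out["purged_day20"] = reg.purge(t0 + timedelta(days=20))
    out["purged_day32"] = reg.purge(t0 + timedelta(days=32))
    # Day 33: the user logs out on the Android device.
    reg.on_logout("alice", "install-1", t0 + timedelta(days=33))
    out["after_logout"] = reg.active_tokens("alice")
    return out


if __name__ == "__main__":
    for step, tokens in run_scenario().items():
        print(f"{step}: {tokens}")
```

Two design points worth noting: only a not-registered response retires a token, because transient gateway errors (rate limiting, oversized payload) do not mean the installation is gone; and purging is driven by `inactive_since` rather than by the last successful delivery, so a token that silently stops delivering without an error is not deleted by this routine alone.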
10. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, loss and destruction. Measures include: TLS encryption in transit, encryption at rest for personal data stores, key isolation, least-privilege access controls with mandatory multi-factor authentication for staff, secrets management, vulnerability scanning, periodic third-party penetration testing, an audit log of administrative access, and an incident-response process aligned with regulator-notification deadlines (72 hours under GDPR Article 33). See also our Security page.
11. Your rights (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom or Switzerland, you have the right to:
- request access to the personal data we hold about you (Art. 15);
- request rectification of inaccurate or incomplete data (Art. 16);
- request erasure ("the right to be forgotten") (Art. 17);
- request restriction of processing (Art. 18);
- data portability (Art. 20);
- object to processing based on legitimate interests or for direct marketing (Art. 21);
- withdraw any consent you have given, at any time, without affecting prior processing (Art. 7(3));
- lodge a complaint with a supervisory authority (Art. 77). A list of EEA supervisory authorities is published by the European Data Protection Board.
To exercise any of these rights, email privacy@mintus.world. We respond within one month (extendable by two further months for complex requests, with notice). We do not charge a fee unless the request is manifestly unfounded or excessive.
12. Your rights under the CCPA / CPRA (California)
California residents have the right to:
- know what personal information we have collected, the sources, the purposes and the categories of recipients;
- access a portable copy of their personal information;
- request deletion of their personal information, subject to certain exceptions;
- correct inaccurate personal information;
- opt out of the "sale" or "sharing" of their personal information (we do neither, but you may make the request);
- limit the use of "sensitive personal information" (we do not collect such information beyond what is necessary to provide the Services);
- non-discrimination for exercising any of the above rights.
Authorised agents may submit requests on your behalf. To submit a verifiable consumer request, email privacy@mintus.world. We will verify your identity using the information already associated with your account, and we will not require you to create an account in order to make a request.
13. Your rights under the PIPL (China)
If you are in mainland China, you have the right to:
- be informed about and to decide on the processing of your personal information (Art. 44);
- access and copy your personal information (Art. 45);
- request rectification or supplementation of inaccurate information (Art. 46);
- request deletion of your personal information in the circumstances listed at Article 47;
- withdraw consent for processing based on consent (Art. 15);
- request an explanation of our personal-information processing rules (Art. 48);
- have your designated person exercise these rights on behalf of a deceased data subject (Art. 49).
Send requests to privacy@mintus.world. We respond within statutory deadlines. You may also lodge a complaint with the Cyberspace Administration of China or other competent authority.
14. Your rights under the PDPA (Singapore)
If you are in Singapore, you have the right to request access to and correction of your personal data (Sections 21 and 22 of the PDPA), and to withdraw any consent you have given (Section 16). Send requests to privacy@mintus.world. You may also lodge a complaint with the Personal Data Protection Commission.
15. Other applicable jurisdictions
If you are resident in another jurisdiction that grants you privacy rights — including, without limitation, Brazil (LGPD), Canada (PIPEDA and provincial laws), Japan (APPI), South Korea (PIPA), India (DPDP Act 2023), Australia (Privacy Act), the United Arab Emirates (PDPL) and any U.S. state with a comprehensive privacy law (Colorado, Connecticut, Virginia, Utah, Texas and others) — you may exercise the equivalent rights through the same contact address. We will treat your request consistently with applicable law.
16. Children
The Services are not directed to and are not intended for use by individuals under the age of 13, or under the local minimum age of consent if higher (for example, 16 in some EU member states under GDPR Art. 8). We do not knowingly collect personal data from such individuals. If you believe we have inadvertently collected such data, please contact privacy@mintus.world and we will delete it.
17. Cookies and similar technologies
We use a minimal set of cookies and similar technologies, described in our Cookie Policy. Where consent is required by law (EU/UK ePrivacy and similar regimes), we ask for it through a consent banner before any non-essential cookie is set.
18. Automated decision-making
We use automated systems to detect fraud, abuse and security incidents. Where such a decision produces legal or similarly significant effects on you, you have the right to obtain human review, to express your point of view, and to contest the decision (GDPR Art. 22 and equivalents).
19. Changes to this policy
We may update this policy from time to time. When we make material changes, we will revise the "Last updated" date and, where required by law, give prominent notice (in-app banner, email or both) before the change takes effect. We encourage you to review this page periodically.
20. Contact us
Questions, requests, or complaints? Contact:
- Email: privacy@mintus.world
- Postal: published in the merchant onboarding pack and available on request
- Country-specific representatives, where appointed, are listed in this section as the appointment takes effect.
You also have the right to lodge a complaint with your local data-protection authority. We encourage you to contact us first so that we can address your concern directly.