Privacy policy
Last updated: May 27, 2026
This Privacy Policy (the “Policy”) explains how personal data is collected, used, disclosed, retained, and protected when you interact with the website located at mxtktoken.com (the “Site”), together with any related forms, intake pages, lead-magnet downloads, transactional email communications, and analytics endpoints operated under the same domain (collectively, the “Services”). You should read this Policy carefully and in conjunction with our Terms of Service and Disclosures.
1. Identity of the controller
The data controller for the Site and the Services is Mertin Industries Inc., a company organized under the laws of the Republic of Panama, with registered office at SL-55 Building, 31st Floor, Samuel Lewis Ave. & 55 East St., Obarrio, Panama City, Republic of Panama (the “Operator,” “we,” “us,” or “our”). The Operator is the sole legal counterparty for the Site, the Services, and any Offering described on the Site; no other entity is a controller, joint controller, or party to this Policy.
You may contact our data-protection team at privacy@mxtktoken.com or by writing to the registered office above. For EU/UK matters we will appoint an Article 27 representative prior to active solicitation of EU/UK data subjects; the representative's contact details will be published on this page once designated.
2. Scope of this Policy
This Policy covers personal data we collect through the Site and the Services. It does not cover (a) processing carried out by third-party websites or applications linked from the Site, (b) processing carried out by issuers, originators, or counterparties in connection with any specific securities offering, OTC trade, or tax-credit transaction (which is governed by the disclosure and subscription documents for that transaction), or (c) processing carried out by independent operators of public blockchain networks. On-chain data is, by design, public and is not personal data in our hands unless we have linked it to an identified natural person.
3. Categories of personal data we collect
We collect the following categories of personal data (the “Personal Data”):
- Identity and contact data. Information you provide when you submit the OTC intake form, the accreditation-verification form, a lead-magnet download request, a contact form, or any subscription request on the Site: full legal name, work email address, employer or sponsoring entity, job title, telephone number (optional), country of residence, and investor persona.
- Investor-qualification data. Self-certifications and supporting documentation you provide to evidence professional-investor, qualified-investor, or accredited-investor status under Regulation S, applicable non-U.S. equivalents (including EU Prospectus Regulation (EU) 2017/1129, the FCA's rules in the United Kingdom, and the equivalent classifications under Panamanian and other applicable securities law), or, if and when an onshore U.S. channel is opened, Regulation D 506(c).
- Transactional and correspondence data. The content of emails you send to us, meeting notes, calendar invitations, and any records of telephone or video conferences (we do not record calls without your prior consent).
- Wallet and on-chain data, when voluntarily provided. Public blockchain addresses you submit for whitelisting, allowlisting, or distribution purposes. Public addresses are not Personal Data on their own, but become Personal Data when we link them to an identified individual through our records.
- Server and device data. When you visit the Site we automatically collect technical data through server logs: source IP address, user-agent string, requested URLs, referring URLs, response codes, byte counts, and timestamps.
- Cookie data. See Section 12 for a full description of the cookies and similar technologies we use.
- Data from third-party sources. We may obtain additional information about you from publicly available sources (corporate registers, professional networks, sanctions and politically-exposed-person screening services, public press) for the purposes of investor qualification, sanctions screening, fraud prevention, and due diligence.
We do not knowingly collect any special-category data (racial or ethnic origin, political opinions, religion, trade-union membership, genetic or biometric data, health, sex life, or sexual orientation) and we ask that you not submit such information through the Site. If you nonetheless submit such information, you grant us a non-exclusive, royalty-free, perpetual licence to process it solely for the purposes of responding to your inquiry and complying with our legal obligations, and we will hold and use it under the same protections as ordinary Personal Data.
4. Purposes of processing
We process Personal Data for the following purposes (the “Purposes”):
- To respond to your inquiries and route you to the appropriate team member;
- To verify your investor qualifications under Regulation S today, and under any other applicable exemption that we elect to rely on in the future;
- To send transactional emails confirming submissions, replies, document access, and similar service communications;
- To send marketing communications, only with your prior opt-in consent where consent is required, and to measure list engagement;
- To operate, secure, monitor, and improve the Site, including error-monitoring, capacity planning, and traffic analytics;
- To perform internal lead-scoring and prioritization (see Section 14);
- To prevent, detect, investigate, and respond to fraud, abuse, scraping, circumvention of geographic or eligibility restrictions, sanctions evasion, money laundering, terrorism financing, cyber-attacks, and other unlawful activity;
- To conduct due diligence on counterparties and to satisfy our know-your-customer, anti-money-laundering, and sanctions-screening obligations;
- To comply with applicable legal, regulatory, tax, accounting, and audit obligations, including the Books-and-Records requirements of Panamanian commercial law and any equivalent foreign requirement applicable to us, and to cooperate with lawful requests from competent authorities;
- To establish, exercise, or defend legal claims, including in arbitration or court proceedings;
- To enforce our Terms of Service and to protect our legal rights and those of third parties.
5. Lawful bases for processing (UK GDPR / EU GDPR)
For data subjects in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following lawful bases under Article 6 of the UK GDPR and the EU GDPR:
- Article 6(1)(a) — Consent. For non-essential analytics cookies, marketing newsletters, and any voluntary processing not necessary to deliver the Services. You may withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
- Article 6(1)(b) — Contract or pre-contract steps. For processing OTC intake submissions, accreditation-verification documentation, and any communications taken at your request prior to entering into a contract for a specific offering or service.
- Article 6(1)(c) — Legal obligation. For processing required to comply with applicable AML/KYC obligations, sanctions screening, tax reporting, books-and-records retention, court orders, and lawful regulatory requests.
- Article 6(1)(f) — Legitimate interests. For server logs, fraud prevention, due-diligence enrichment from public sources, lead-scoring and routing, security monitoring, the secure administration of the Site, the establishment, exercise, and defence of legal claims, and the protection of our and third parties' rights, property, and safety. Our legitimate interest in operating a functioning, secure, and compliant marketing and intake surface is substantial; we have conducted a balancing assessment and consider that our interests are not overridden by your rights and freedoms. You may object to this processing as described in Section 11.
6. CCPA / CPRA and other regional equivalencies
California residents. Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the “CCPA”), the categories of Personal Data described in Section 3 correspond to: identifiers, customer records, commercial information, internet or other electronic network activity, geolocation data (approximate, derived from IP), and inferences drawn from any of the above (lead-scoring outputs). We do not sell or share Personal Data within the meaning of the CCPA and we do not use or disclose sensitive Personal Data for any purpose that would require an opt-out right under Cal. Civ. Code § 1798.121. California residents have the rights to know, delete, correct, limit use of sensitive data, opt out of sale or sharing, and non-discrimination; you may exercise these rights as described in Section 11.
United Kingdom. The Operator's UK representative under Article 27 of the UK GDPR will be designated prior to active solicitation of UK data subjects; until then UK residents may contact us at privacy@mxtktoken.com and may lodge complaints with the Information Commissioner's Office (ico.org.uk).
Brazil, Canada, and other jurisdictions. Where Brazil's LGPD, Canada's PIPEDA, or comparable regimes apply, we extend equivalent rights of access, correction, deletion, and objection, subject to the legal bases recognized in those regimes and to the limitations set out in this Policy.
7. International data transfers
The Operator is located in the Republic of Panama. Certain of our service providers maintain infrastructure in the United States and other jurisdictions. Accordingly, Personal Data is routinely transferred from your jurisdiction to Panama and to the United States and may be processed in other jurisdictions where our service providers maintain infrastructure.
For transfers from the EEA, UK, or Switzerland to recipients in jurisdictions not benefiting from an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module 2 — controller-to-processor — and Module 3 — processor-to-processor, where applicable), together with the UK International Data Transfer Addendum issued by the ICO. We conduct a transfer-impact assessment for each processor where the law of the recipient jurisdiction is materially different from EU data-protection law and we apply supplementary technical and organizational measures (encryption in transit and at rest, access controls, audit logging) as appropriate.
8. Sub-processors and service providers
We currently engage the following sub-processors. Each has executed a written data-processing agreement that incorporates the EU SCCs (where applicable) and binds the sub-processor to confidentiality, security, breach-notification, and sub-sub-processor controls:
- Supabase, Inc. (United States) — hosted database, authentication, and edge-function infrastructure for the customer-relationship-management persistence layer (lead records, intake-form submissions, accreditation-verification artefacts).
- OpenRouter, Inc. (United States) — when you interact with any embedded chat or AI-assistant feature, your prompts and responses are routed through OpenRouter to the selected model provider. Do not submit confidential or sensitive information to chat interfaces; chat inputs may be transmitted to upstream third-party model providers (including OpenAI, Anthropic, Meta, and others) under those providers' terms.
- Independent auditors, accountants, outside counsel, and arbitrators or judicial authorities — when their engagement or jurisdiction requires access to Personal Data for diligence, compliance, audit, dispute, or law-enforcement matters, subject to confidentiality obligations or to the applicable legal process.
We may engage additional sub-processors (including, without limitation, transactional-email providers, product-analytics providers, and additional hosting providers) as our infrastructure evolves. We will update this list upon any material change. If you have subscribed to product updates, we will use reasonable efforts to notify you by email of any material change; you may object to any new sub-processor by terminating your use of the Services.
9. Data retention
We retain Personal Data for as long as we determine, in our reasonable judgement, is necessary for the Purposes for which it was collected and to comply with applicable legal, regulatory, tax, accounting, audit, books-and-records, and dispute-defence obligations. Without limiting the foregoing, the following default minimum periods apply:
- Intake-form submissions and CRM records — for the duration of our prospective or actual relationship with you, plus seven (7) years after the last substantive contact.
- Accreditation-verification documentation — for the duration of any related offering plus seven (7) years thereafter.
- Server logs — ninety (90) days in identifiable form, after which IP addresses are truncated or hashed.
- Aggregated, non-identifiable analytics — may be retained indefinitely.
- Records required to defend legal claims — for the applicable limitations period plus two (2) years.
10. Security measures
We maintain administrative, technical, and physical safeguards designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. These include transport-layer encryption for all data in transit, encryption at rest for our CRM database, single-sign-on with multi-factor authentication for administrative consoles, role-based access control on the principle of least privilege, immutable audit logs for access to production data stores, segregated production and non-production environments, periodic vulnerability scanning, and an incident-response runbook with documented escalation paths. No system can be guaranteed secure; we do not warrant absolute security and your transmission of Personal Data to us is at your own risk. For security disclosures, please email security@mxtktoken.com.
11. Your rights and how to exercise them
Subject to applicable law and to verifying your identity to a standard that we, acting reasonably, deem appropriate to the sensitivity of the request, you have the following rights:
- Access — to obtain confirmation of whether we process your Personal Data and a copy of that data.
- Rectification — to have inaccurate or incomplete data corrected.
- Erasure (the “right to be forgotten”) — to have your Personal Data deleted, subject to our retention obligations described in Section 9 and to our right to retain data needed to establish, exercise, or defend legal claims.
- Restriction — to require us to limit our processing in defined circumstances.
- Portability — to receive Personal Data you provided to us in a structured, commonly used, machine-readable format.
- Objection — to object to processing carried out on the basis of our legitimate interests, including profiling.
- Withdrawal of consent — at any time, without affecting the lawfulness of processing carried out before withdrawal.
- Complaint to a supervisory authority — to lodge a complaint with the data-protection authority of your country of residence, place of work, or place of the alleged infringement.
To exercise any of these rights, email privacy@mxtktoken.com with the request, the rights you wish to exercise, and sufficient information to allow us to identify your records. We will respond within thirty (30) days; we may extend this period by up to sixty (60) additional days when reasonably necessary, in which case we will notify you of the extension. We reserve the right to charge a reasonable fee, or to refuse to act on, any request that is manifestly unfounded, vexatious, repetitive, or excessive.
12. Cookies and similar technologies
We use the following categories of cookies and similar technologies:
- Strictly necessary cookies. Required to deliver the Site (session integrity, security tokens, cookie-banner state, language preference). These cookies do not require consent and cannot be disabled through the cookie banner.
- Analytics cookies. If and when we deploy product-analytics tooling, we will set analytics cookies only after you accept analytics via the cookie banner; you may revoke consent at any time via the “Cookie preferences” link in the Site footer.
- Marketing cookies. We do not set marketing, advertising, retargeting, or cross-site tracking cookies on the Site.
13. Children
The Site is directed at qualified professional and accredited counterparties only. It is not directed to children under the age of sixteen (16), and we do not knowingly collect Personal Data from children. If you believe a child has provided Personal Data to us, please contact privacy@mxtktoken.com and we will delete the information promptly.
14. Automated decision-making and profiling
We use automated lead-scoring to prioritize inbound inquiries: an algorithm assigns each new submission a numeric score based on persona, indicative ticket size, jurisdiction, and engagement history, in order to route the submission to the appropriate team member. Lead-scoring affects the order and speed of our response; it does not by itself determine whether you may access any offering, and no offering is made or denied solely on the basis of an automated decision.
To the extent any automated decision produces a legal or similarly significant effect on you within the meaning of Article 22 of the UK GDPR or EU GDPR, you have the right to obtain human review, to express your point of view, and to contest the decision by emailing privacy@mxtktoken.com.
15. Disclosures to government and regulators
We may disclose Personal Data to courts, regulators, law-enforcement authorities, tax authorities, sanctions authorities, or other governmental bodies when we determine, in our reasonable judgement, that disclosure is required or advisable to comply with applicable law, a binding legal process (including a subpoena, court order, or lawful regulatory request), or our internal compliance program. To the extent permitted by law, we will use reasonable efforts to notify you of such a disclosure; we have no obligation to do so where notice is prohibited or would prejudice an investigation.
16. Changes to this Policy
We may update this Policy from time to time to reflect changes in applicable law, our processing operations, or our sub-processor roster. The “Last updated” date above reflects the most recent revision. Material changes will be notified by a prominent banner on the Site for at least thirty (30) days following the change and, where we hold a subscription email address for you, by direct email.
17. Contact
Privacy enquiries: privacy@mxtktoken.com
Legal: legal@mxtktoken.com
Security disclosures: security@mxtktoken.com
Postal: Mertin Industries Inc., SL-55 Building, 31st Floor, Samuel Lewis Ave. & 55 East St., Obarrio, Panama City, Republic of Panama.