PART I — PRIVACY NOTICE
1. Identity of the Data Controller
The data controller for the personal data processed in connection with the Reinventy Portal and the Reinventy Equity V2 platform is:
Reinventy Solutions Corp. 185-911 Yates Street, Suite 352 Victoria BC V8V 4Y9, Canada Incorporation number BC1513581 Registered office in British Columbia, Canada Email: privacy@reinventy-solutions.ca (contact for data protection inquiries) Website: https://reinventy-solutions.ca
For the purposes of GDPR Article 4(7), Reinventy is the data controller. Reinventy has not appointed a Data Protection Officer at the date of this Notice; appointment of a DPO is scheduled as part of the full DPIA completion pre-public-sale milestone (see Part II §8 below).
For BC PIPA purposes, Reinventy is the organisation responsible for the personal information collected.
For data subjects in Canada outside British Columbia, PIPEDA applies; Reinventy complies with PIPEDA principles in addition to BC PIPA.
2. Categories of Personal Data Processed
The Company processes the following categories of personal data of Shareholders (and, where applicable, of Beneficial Owners standing behind Vehicle Shareholders per the Beneficial Owner Look-through Policy of ADR-2026-05-02 v1.1):
2.1 Identification Data
(a) Full legal name (b) Date of birth (c) Country of residence (d) Country of citizenship (e) Government-issued identification document (type, number, issuing authority, expiry) (f) Tax identification number(s) (g) Residential address (h) Verified e-mail address (i) Telephone number (where collected)
2.2 KYC and AML Data
(a) Identity verification documentation (passport, national ID, driving licence) (b) Proof of address documentation (utility bill, bank statement, official correspondence) (c) PEP (Politically Exposed Person) screening results (d) Sanctions list screening results (e) Source of funds documentation (where applicable) (f) Occupation and employment information (for accredited investor verification)
2.3 Investor Eligibility Data
(a) NI 45-106 s.2.4 category qualification (director/officer/employee/founder/family/close personal friend/close business associate/accredited investor) (b) US-person status (for the on-chain USPersonExclusion compliance rule) (c) Jurisdiction of residence (for the on-chain JurisdictionRule) (d) Investor classification under MiFID II (for EU/Italian Shareholders: professional, eligible counterparty, qualified investor)
2.4 Wallet and Blockchain Data
(a) Polygon Network wallet address(es) associated with the Shareholder (b) Reinventy OnchainID contract address (c) On-chain claim associations (KYC topic 1, AML topic 2, INVESTOR_CATEGORY topic 3, JURISDICTION topic 4, USPersonExclusion topic 7) (d) Token balances (Class P Shares and Class N Shares) per wallet (e) Transaction history (transfers, mints, burns) recorded on the public Polygon Network (f) WireGuard VPN profile credentials and connection logs
2.5 Vehicle and Beneficial Owner Data (where applicable)
(a) Legal entity name, organisational form, jurisdiction of formation, date of formation of the Vehicle (b) Vehicle company/registration number (c) Vehicle registered office address (d) Authorised signatory identification data (full legal name, date of birth, country of residence) (e) Beneficial Owner identification data (per §2.1) for each natural person standing behind the Vehicle (f) Beneficial Owner percentage of ultimate beneficial ownership of the Vehicle (g) Vehicle organisational documentation (constitutional documents, shareholder register of the Vehicle, trust deed, partnership agreement) where required for look-through verification
2.6 Portal Activity Data
(a) Login timestamps and authentication event logs (b) Signature challenge events (c) Transfer request initiations and approvals (d) Communications submitted through the Portal corporate communications channel (e) Acknowledgment records (Portal Terms of Use, Risk Disclosure, this Privacy Notice, Shareholder Agreement Amendment ratification)
3. Purposes of Processing and Legal Bases
| Purpose | Legal basis under GDPR | Legal basis under BC PIPA / PIPEDA |
|---|---|---|
| (a) Onboarding and identification of Shareholders (KYC/AML compliance) | Art. 6(1)(c) — legal obligation; Art. 6(1)(f) — legitimate interest | s.6(2)(a) — purpose disclosed to individual at or before collection |
| (b) Investor eligibility verification (NI 45-106 s.2.4 categorisation) | Art. 6(1)(c) — legal obligation; Art. 6(1)(b) — performance of contract (Subscription) | s.6(2)(a) |
| (c) Maintenance of BCBCA Securities Register (BCBCA ss.111-114) | Art. 6(1)(c) — legal obligation | s.6(2)(a) + statutory authority |
| (d) On-chain claim issuance and identity verification (Reinventy as Trusted Issuer) | Art. 6(1)(b) — performance of contract; Art. 6(1)(f) — legitimate interest | s.6(2)(a) |
| (e) Transfer approval workflow and on-chain Compliance Engine enforcement | Art. 6(1)(b) — performance of contract; Art. 6(1)(c) — legal obligation | s.6(2)(a) |
| (f) AML/sanctions periodic re-screening | Art. 6(1)(c) — legal obligation; Art. 6(1)(f) — legitimate interest | s.6(2)(a) |
| (g) Beneficial Owner look-through for cap-counting compliance | Art. 6(1)(c) — legal obligation; Art. 6(1)(f) — legitimate interest | s.6(2)(a) |
| (h) Corporate communications with Shareholders | Art. 6(1)(b) — performance of contract; Art. 6(1)(f) — legitimate interest | s.6(2)(a) |
| (i) Portal access management (VPN profiles, signature challenge) | Art. 6(1)(b) — performance of contract; Art. 6(1)(f) — legitimate interest | s.6(2)(a) |
| (j) Recovery and Freeze procedures (per SHA Amendment §6 and §7) | Art. 6(1)(b); Art. 6(1)(c); Art. 6(1)(f) — legitimate interest in corporate governance | s.6(2)(a) |
| (k) Audit trail and corporate record-keeping | Art. 6(1)(c) — legal obligation; Art. 6(1)(f) | s.6(2)(a) + statutory authority |
Special category data (GDPR Article 9) is generally not processed; if any special category data is collected incidentally as part of identity documentation (e.g., biometric data on a passport), processing is limited to the verification purpose with no further use, consistent with Art. 9(2)(g) substantial public interest in AML compliance.
4. Wallet Addresses as Personal Data — Blockchain-Specific Disclosures
4.1 Pseudonymous Status of Wallet Addresses
Polygon Network wallet addresses are pseudonymous identifiers: in isolation they do not directly disclose the identity of the natural person holding the wallet. However, when associated with verified KYC data of a Shareholder in the Reinventy backend systems and in the BCBCA Register, the wallet address becomes personal data within the meaning of GDPR Article 4(1) and BC PIPA s.1 ("personal information").
Reinventy treats wallet addresses associated with Shareholders as personal data and applies the protections of this Notice accordingly.
4.2 Public Visibility of On-Chain Data
The Polygon Network is a public, permissionless blockchain. The following data, once recorded on-chain, is visible to any party with access to a Polygon Network explorer:
(a) Wallet address; (b) Token balances per share class held by the wallet; (c) Complete transaction history (transfers, mints, burns, claim associations); (d) OnchainID contract address and the on-chain claim associations.
This visibility is intrinsic to the blockchain architecture and is not within the Company's control. The Shareholder is encouraged to consider this visibility when assessing the privacy implications of holding Reinventy share class entries through a wallet that may be associated with the Shareholder's identity through external sources (for example, by the Shareholder publishing their wallet address, by correlation with other on-chain activity, or by data leakage).
4.3 Non-Erasability of On-Chain Data
Once data is recorded on the Polygon Network, it cannot be erased by Reinventy or by any other party. The blockchain is immutable by design. This has the following material implications for the Shareholder's data protection rights:
(a) the right of erasure under GDPR Article 17 (and the equivalent right under BC PIPA s.23) is materially constrained for blockchain-recorded data: Reinventy can erase off-chain personal data (KYC documentation, BCBCA Register entries) upon valid request and subject to applicable retention obligations, but cannot erase the on-chain wallet address, transaction history, or claim associations;
(b) the right of rectification under GDPR Article 16 is similarly constrained for on-chain data: incorrect on-chain data can only be corrected by a new on-chain operation (e.g., a Recovery Procedure issuing tokens to a substitute wallet), which adds new entries to the chain rather than modifying existing entries;
(c) the right to data portability under GDPR Article 20 is satisfied at the off-chain level (Reinventy can provide structured data export of the Shareholder's off-chain records) and is intrinsic for on-chain data (the Shareholder can independently access the public Polygon Network for their on-chain history);
(d) the EDPB Guidelines on processing of personal data through blockchains (adopted 2025) confirm that the non-erasability constraint is a feature of blockchain technology and that data controllers must inform data subjects of this constraint at the point of consent or processing notification.
4.4 Pseudonymisation Strategy
Where technically feasible, Reinventy applies pseudonymisation to minimise on-chain personal data exposure:
(a) on-chain claims (KYC topic 1, AML topic 2, etc.) carry only a hash or coded value, not the underlying identity documentation;
(b) the BCBCA Register entry (which contains the full identity data) is maintained off-chain;
(c) the OnchainID contract per Shareholder isolates the identity claim layer from the token balance layer;
(d) wallet-to-identity association exists only in the Reinventy off-chain backend systems (database, BCBCA Register annotations) and is not published on-chain.
This pseudonymisation does not eliminate the wallet address from the scope of personal data when associated with identity in the off-chain systems, but it limits the on-chain footprint of identifying information.
5. Data Sources and Recipients
5.1 Sources
The Company collects personal data from:
(a) the Shareholder directly (during onboarding via the Subscription and Transfer Approval Pack); (b) for Vehicle Shareholders: the Vehicle's authorised signatory and the disclosed Beneficial Owners directly; (c) third-party identity verification providers (Trusted Issuers authorised to sign claims on behalf of Reinventy, where applicable for KYC/AML); (d) sanctions and PEP screening service providers; (e) the Polygon Network (for on-chain transaction history that may be associated with the Shareholder's wallet); (f) public sources (corporate registries, professional registers) for verification of Vehicle organisational documentation.
5.2 Recipients
The Company shares personal data with the following categories of recipients, on a need-to-know basis and subject to appropriate contractual and technical safeguards:
(a) Trusted Issuers: third parties authorised to sign claims on the Reinventy Identity Layer (KYC providers); receive identity data necessary for claim issuance;
(b) Sanctions and PEP screening providers: receive name + date of birth + country data for screening;
(c) RPC providers and indexers: receive technical wallet activity data necessary for Polygon Network interaction; do not receive off-chain identity data;
(d) Hosting and infrastructure providers: process backend data for the Reinventy Portal and database hosting;
(e) Legal counsel and professional advisors: receive personal data as necessary for legal advice and corporate governance matters, subject to professional privilege and confidentiality;
(f) Auditors: receive personal data as necessary for financial and corporate audit, subject to professional confidentiality;
(g) Regulatory authorities: receive personal data as required by law (e.g., AML reporting to competent authorities, response to regulatory inquiries);
(h) Judicial authorities: receive personal data pursuant to binding court orders or analogous legal process;
(i) Banking and payment infrastructure (where applicable for the administrative transfer fee settlement in USDC): may incidentally receive wallet address data;
(j) The Company does not sell, rent, or trade personal data to third parties for marketing or commercial purposes.
6. Cross-Border Data Transfers
6.1 Transfer Geography
The Company is a BC-incorporated entity processing personal data in Canada. The following cross-border transfers are involved in Company operations:
(a) EU/EEA → Canada: personal data of EU/EEA Shareholders is transferred to Canada for processing by Reinventy. This transfer is covered by the European Commission Adequacy Decision 2002/2/EC for Canada (PIPEDA scope). Reinventy operates within PIPEDA scope as a federal-cross-border-business private organisation; the adequacy decision applies;
(b) Italy → Canada: same as (a) above; the adequacy decision covers Italian data subjects;
(c) Canada → third countries: where service providers (RPC providers, indexers, identity verification providers) are domiciled outside Canada, the Company applies appropriate safeguards including Standard Contractual Clauses (SCCs) where required;
(d) Polygon Network: on-chain data is replicated across the global Polygon validator network and is technically accessible from any jurisdiction. This is intrinsic to public blockchain operation and is not a controlled data transfer in the traditional sense; data subjects are informed of this characteristic per §4.2 above.
6.2 Adequacy and Safeguards
(a) for transfers covered by the EU adequacy decision for Canada, no additional safeguards are required;
(b) for transfers to third-country service providers, Reinventy enters into data processing agreements with appropriate safeguards including Standard Contractual Clauses (SCCs) per Commission Implementing Decision (EU) 2021/914 where applicable;
(c) for the public Polygon Network on-chain data, the data subject is informed of the cross-border replication characteristic and acknowledges this as a feature of blockchain technology (per §4 above);
(d) Reinventy does not currently transfer personal data to jurisdictions subject to specific high-risk assessment under GDPR Chapter V; if a future service provider engagement would introduce such transfer, the Company will conduct a Transfer Impact Assessment (TIA) and apply additional safeguards.
7. Retention Periods
7.1 Off-Chain Retention
The Company retains personal data off-chain for the following periods:
(a) Identification and KYC data: for the duration of the Shareholder relationship plus a minimum of seven (7) years following termination, consistent with AML record-keeping obligations;
(b) AML/sanctions screening records: for a minimum of seven (7) years following the screening event, consistent with applicable AML record-keeping;
(c) Investor eligibility data (NI 45-106 categorisation): for the duration of the Shareholder relationship plus a minimum of six (6) years following termination, consistent with Canadian securities recordkeeping practice;
(d) BCBCA Securities Register data: indefinitely, as the corporate register is a permanent corporate record per BCBCA s.42 and ss.111-114;
(e) Portal activity logs: typically twelve (12) months for routine logs; longer (up to seven years) for transaction-related logs supporting AML audit trail;
(f) Communications submitted through the Portal: for the duration of the Shareholder relationship plus a minimum of three (3) years;
(g) Vehicle and Beneficial Owner data (per §2.5): for the duration of the Vehicle's Shareholder relationship plus a minimum of seven (7) years following termination, consistent with KYC retention.
7.2 On-Chain Retention
On-chain data (wallet addresses, token balances, transaction history, claim associations) is retained on the Polygon Network indefinitely as a feature of blockchain technology. The Company has no technical capability to delete this data.
7.3 Retention Beyond Stated Periods
Where required by law or by binding regulatory or judicial process, retention periods may be extended. Where personal data is no longer required for the original purpose and no extended retention obligation applies, the Company performs secure deletion of off-chain records.
8. Data Subject Rights and How to Exercise Them
Data subjects may exercise the following rights with respect to their personal data, subject to applicable legal limitations and the technical constraints described in §4 (on-chain data):
| Right under GDPR | Equivalent under BC PIPA / PIPEDA | Scope and limitations |
|---|---|---|
| Art. 15 — Right of access | s.23 BC PIPA / Principle 9 PIPEDA | Off-chain records: full access. On-chain data: directly accessible by the data subject via public Polygon Network explorer |
| Art. 16 — Right of rectification | s.24 BC PIPA / Principle 9 PIPEDA | Off-chain records: corrected upon valid request. On-chain data: only by Recovery Procedure or new on-chain operation |
| Art. 17 — Right of erasure | s.35 BC PIPA / Principle 5 PIPEDA | Off-chain records: deleted subject to retention obligations. On-chain data: NOT erasable per §4.3 |
| Art. 18 — Right to restrict processing | not directly equivalent | Off-chain records: restricted upon valid grounds |
| Art. 20 — Right to data portability | not directly equivalent | Off-chain records: structured data export available |
| Art. 21 — Right to object | s.17 BC PIPA / Principle 4 PIPEDA | Available for processing based on legitimate interest |
| Art. 22 — Right not to be subject to automated decision-making | not directly equivalent | The on-chain Compliance Engine performs technical compliance checks; transfer approvals require human Board authorisation, so no purely automated decision-making with legal effect occurs |
How to exercise: data subjects may submit requests to privacy@reinventy-solutions.ca or through the Portal communications channel. The Company responds within thirty (30) days for GDPR requests (Article 12(3)) and within thirty (30) business days for BC PIPA requests (s.29), subject to extension for complex requests.
The Company verifies the identity of the requestor before processing requests, to prevent unauthorised disclosure or modification of personal data.
9. Right to Lodge Complaint with Supervisory Authority
Data subjects have the right to lodge a complaint with the relevant supervisory authority:
(a) For EU/EEA data subjects: the supervisory authority of the data subject's country of residence (a list is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en);
(b) For Italian data subjects specifically: Garante per la protezione dei dati personali (https://www.garanteprivacy.it);
(c) For BC data subjects: Office of the Information and Privacy Commissioner for British Columbia (https://www.oipc.bc.ca);
(d) For Canadian data subjects outside BC: Office of the Privacy Commissioner of Canada (https://www.priv.gc.ca);
(e) The Company encourages data subjects to first contact privacy@reinventy-solutions.ca to attempt resolution before lodging a formal complaint.
10. Updates to This Notice
The Company may update this Privacy Notice from time to time to reflect changes in processing activities, regulatory developments, or operational changes. Material updates will be communicated to Shareholders through the Portal at least thirty (30) days before becoming effective; non-material updates may be implemented with reasonable notice.
The version number and effective date in the frontmatter of this Notice reflect the current applicable version.