Data Protection & Record
Keeping Policy

Effective Date: 31-07-2025

1. Introduction

1.1. Overview

This Data Protection & Record Keeping Policy (“Policy”) outlines the commitment of Canis Life s.r.o. (“Canis”, “we” or “us”) to protect the privacy and personal data of its clients, employees, and partners and to keep records of all necessary information as required by all relevant regulations.

1.2. Purpose

The purpose of this Policy is to ensure that all personal data processing activities and all record keeping activities conducted by Canis comply with Regulation (EU) 2016/679 (the General Data Protection Regulation or “GDPR”), Regulation (EU) 2023/1114 on Markets in Crypto-Assets (“MiCA”), European Commission Delegated Regulation (EU) 2025/1140, and relevant Czech data protection legislation, including Act No. 110/2019 Coll. on Personal Data Processing, and Act No. 253/2008 Coll., on Selected Measures against Legitimisation of Proceeds of Crime and Financing of Terrorism (the “AML Act”).

1.3. Scope

Section 1 (Data Protection Policy) applies to all Clients’ personal data processed by Canis, regardless of the medium of storage, relating to:

Corporate Clients: including representatives, employees, directors, and Ultimate Beneficial Owners (UBOs) of legal entities engaging Canis’ services.

Platform Users: Authorised individuals who access the Canis business dashboard or API.

Employees and Contractors: All individuals employed or contracted by Canis.

Third-Party Vendors and Partners: Representatives of our service providers, liquidity partners, and other business partners.

Section 2 (Record Keeping Policy) applies to all records related to the crypto-asset services offered by Canis, including but not limited to the services of:

Exchange of crypto-assets against fiat currency and vice versa.

Exchange of crypto-assets for other crypto-assets.

All transactions, client communications, and internal processes undertaken by Canis.

1.4. Approval

The Management Board of Canis has reviewed and formally approved this Policy. Any amendments must receive formal approval from the Management Board and be documented accordingly to ensure transparency and regulatory compliance. This Policy will be reviewed at least annually, or at any time in case of material changes.

2. Definitions

Personal Data: Any information relating to an identified or identifiable natural person (the ‘Data Subject’).

Processing: Any operation or set of operations performed on Personal Data, such as collection, recording, storage, use, disclosure, or erasure.

Data Controller: The entity that determines the purposes and means of the processing of personal data. For the purpose of this policy, Canis Life s.r.o. is the Data Controller.

Data Processor: A natural or legal person which processes personal data on behalf of the controller.

Data Subject: An individual whose personal data is processed.

CASP: Crypto-Asset Service Provider, as defined in the Markets in Crypto-Assets Regulation (MiCA).

Transaction: The acquisition or disposal of crypto-assets.

Executing a transaction: Providing services such as the reception and transmission of orders, the execution of orders, or the exchange of crypto-assets for funds or other crypto-assets that result in a Transaction.

3. Data Protection Policy

3.1. Data Controller Principles

Canis is committed to the following data protection principles as outlined in Article 5 of the GDPR:

Lawfulness, Fairness, and Transparency: We process personal data lawfully, fairly, and in a transparent manner.

Purpose Limitation: We collect personal data for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes.

Data Minimisation: We ensure that personal data collected is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

Accuracy: We take every reasonable step to ensure that personal data is accurate and, where necessary, kept up to date.

Storage Limitation: We keep personal data in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the data is processed.

Integrity and Confidentiality: We process personal data in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

Accountability: We are responsible for, and able to demonstrate compliance with, these principles.

3.2. Data Controller Information

Entity: Canis Life s.r.o.

Address: Václavské nám. 2132/47, 110 00 Nové Město, Praha

IČO: 223 81 597

Contact: ask@canis.xyz

3.3. Purpose and Legal Basis for Processing

Canis processes personal data based on the following lawful grounds under Article 6 of the GDPR:

Pursuant to Article 6(1)(b) GDPR we process personal data to fulfil our contractual obligation to our clients, such as:

Client Onboarding: to perform mandatory KYB/KYC due diligence and verify the identity of our clients and their beneficial owners.

Service Provision: to execute on-ramp, off-ramp and crypto-to-crypto exchange services and manage client accounts.

Customer Support: to respond to client inquiries, provide technical assistance, and handle complaints.

Pursuant to Article 6(1)(c) GDPR we process personal data where it is necessary for our compliance with a legal obligation, such as:

Regulatory Compliance: to comply with AML/CTF obligations, conduct transaction monitoring (KYT), adhere to the Travel Rule, and report to regulatory bodies like the Czech National Bank (ČNB) and Financial Analytical Unit (FAÚ). This includes performing Know Your Customer (KYC) and Know Your Business (KYB) checks as required by the Czech AML Act and the 5th AML Directive, monitoring transactions to prevent money laundering and terrorist financing, and fulfilling record-keeping obligations mandated by MiCA and the AML Act.

Human Resources: To manage our employees and contractors in line with employment law.

Pursuant to Article 6(1)(f) GDPR we process personal data for legitimate business interests, provided these interests are not overridden by the rights of the data subject, such as:

Security: To protect our platform and client accounts from fraud, cyber threats, and other unauthorised activities.

Service Improvement: To analyse platform performance and enhance our product offerings.

Managing our relationships with vendors and business partners.

Pursuant to Article 6(1)(a) GDPR we process personal data for other purposes, such as marketing communications upon explicit and informed consent. This consent can be withdrawn at any time.

Canis does not process special categories of personal data as defined in Article 9(1) GDPR unless it is otherwise necessary for any of the purposes set out in Article 9(2) GDPR.

The Client must provide the above information for Canis to provide services. Without this information, Canis cannot fulfil its contractual obligations.

3.4. Categories of Collected Data

Canis collects and processes the following categories of personal data, strictly limited to what is necessary for our services:

Identification Data: Full name, date of birth, nationality, residential address, and copies of government-issued identification documents (e.g., passport, national ID card) of client representatives and UBOs.

Contact Details: Business email address and phone number.

AML/KYC Data: Information on the source of funds/wealth, political exposure (PEP) status, results of sanctions and watchlist screenings, and biometric data for identity verification (e.g., facial images from liveness checks).

Financial & Transactional Data: Corporate bank account details (IBAN), blockchain wallet addresses, transaction histories, and crypto-fiat conversion logs.

Technical Data: IP addresses, and login metadata collected for security and fraud prevention purposes.

Communication Data: Records of correspondence, including support tickets, emails, and chat transcripts.

3.5. Data Sharing and Third-Party Processors

Canis does not sell personal data. We only share data with trusted third-party service providers (Data Processors) when necessary to provide our services and meet our legal obligations.

Our key sub-processors include:

Third-Party Processor | Function | Purpose
--- | --- | ---
Sumsub | KYC/KYB | Digital onboarding, PEP/sanctions screening, liveness checks
 | Bank account verification | Verification of user bank account ownership
Sumsub | Blockchain analytics via Chainalysis | Address monitoring, transaction risk scoring, KYT
Sumsub | Travel Rule | Compliance with Travel Rule requirements, VASP-to-VASP data exchange
EU-licensed credit institutions | Fiat safeguarding | Segregated client accounts, SEPA payouts
AWS EU-regions | Cloud hosting | GDPR-compliant infrastructure, ISO 27001
Utila | Wallet hosting service | Wallet orchestration & KYT workflow automation
Scrut | Pen-testing | Quarterly security assessments
ClickUp | Project management | Internal system for project management
Hubspot | CRM | Customer relationship management
Sentry | Performance monitoring | Analyzes application runtime, exceptions, and real-time errors
Google Analytics | Performance monitoring | User behavior analytics for service quality and UX improvements
HotJar | Performance monitoring | Heatmaps and user journey analysis for UI/UX optimization
Czech audit firm (registered with Chamber of Auditors) | Independent internal audit | Internal audit
Microsoft Office 365 | Internal workspace | Productivity and communication tools (e.g., email, documents, teams)

We may also be required to share your personal data with government bodies, law enforcement, and regulatory authorities (e.g., ČNB, FAÚ) upon a lawful request.

3.6. International Data Transfers

Where data is transferred outside the European Economic Area (EEA), such as to our sub-processors in the United States (e.g. Google), we ensure that an adequate level of data protection is maintained. We rely on legally approved transfer mechanisms, primarily:

Standard Contractual Clauses (SCCs): As adopted by the European Commission, which contractually oblige the recipient to protect data to GDPR standards.

Adequacy Decisions: The European Commission has issued an adequacy decision for the EU–US Data Privacy Framework, under which certain certified US organizations are deemed to provide adequate protection.

All data is encrypted both in transit (using TLS 1.3) and at rest (using AES-256) to further protect it during international transfers.

3.7. Rights of the Data Subject

Data subjects have the following rights concerning their personal data under the GDPR:

Right of Access (Article 15): To request a copy of the personal data we hold about you.

Right to Rectification (Article 16): To request the correction of inaccurate or incomplete data.

Right to Erasure ('Right to be Forgotten') (Article 17): To request the deletion of your data, subject to our legal obligations (e.g., AML retention requirements).

Right to Restriction of Processing (Article 18): To request a temporary halt on the processing of your data in certain circumstances.

Right to Data Portability (Article 20): To receive your data in a structured, machine-readable format and transfer it to another controller.

Right to Object (Article 21): To object to the processing of your data, particularly for direct marketing.

Right to Lodge a Complaint: To lodge a complaint with the Czech Data Protection Authority (Úřad pro ochranu osobních údajů - ÚOOÚ) or another competent supervisory authority.

All requests should be answered within 1 month from the date of receipt, with a possible extension of up to 2 additional months in complex cases.

3.8. Security Measures

Canis implements organizational and technical security, including:

Encryption: Data is encrypted in transit using TLS 1.3 and at rest using the AES-256 standard.

Access Control: We enforce strict Role-Based Access Control (RBAC) and the principle of least privilege. Multi-Factor Authentication (MFA) is mandatory for all administrative and privileged access.

Monitoring and Logging: All system access and activities are continuously logged and monitored through a Security Information and Event Management (SIEM) system to detect and respond to threats.

Resilience: Our infrastructure is hosted on AWS in EU data centers (Frankfurt and Stockholm) with built-in redundancy and a tested Business Continuity and Disaster Recovery Plan (BCP/DRP).

Vulnerability Management: We conduct regular vulnerability scanning, and independent penetration tests are performed quarterly.

3.9. Data Breach Management

In the event of a personal data breach, Canis will follow its established Data Breach Response Plan. If the breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the Czech Data Protection Authority (ÚOOÚ) without undue delay, and where feasible, within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to individuals, we will also inform the affected data subjects directly and without undue delay.

Canis shall document all personal data breaches in its internal breach documentation, regardless of whether they require notification.

3.10. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. Our retention periods are:

AML/KYC Records: 10 years after the termination of the business relationship, as required by the Czech AML Act.

Transaction Records: 10 years from the date of the transaction, in line with financial and AML regulations.

Client Communication & Support Records: 5 years after the issue is resolved or the account is closed.

Employee & HR Records: for periods required by the Czech social security laws, as defined in Act No. 582/1991 Coll. on Social Security Administration.

Technical Logs: up to 12 months for security and auditing purposes.

Marketing consents: until withdrawn.

4. Record Keeping Policy

4.1. General Principles of Record Keeping

All records are retained in a durable medium that meets the following conditions:

Accessibility: If necessary, competent authorities will be able to readily access the records and reconstitute each key stage of every transaction and activity.

Accuracy and Immutability: All records are accurate, and it is easy to ascertain any corrections or amendments while preserving the original content. It is not possible to manipulate or alter the records illicitly.

Data Usability: Records are stored in a way that allows for efficient analysis by ICT systems, especially for large volumes of data.

Technology Neutrality: The record-keeping arrangements comply with the regulation irrespective of the technology used.

Hosting: Production data is stored in the AWS region eu-central-1 (Frankfurt), with immutable logs retained for ten years.

4.2. Record Keeping Periods

General Rule: Documents setting out the rights and obligations between Canis and its clients shall be kept for 5 years after the termination of the service agreement.

Transaction Data: In line with Czech AML Act requirements, transaction logs will be retained for a period of 10 years.

4.3. Records of Specific Services and Activities

Canis shall keep detailed records of all its services and activities as listed in Annex I of this Policy. Key areas include:

Client Communications and Agreements: Records of all marketing communications, client agreements, information provided to clients about services and costs, and any other communications relating to transactions shall be maintained.

Exchange Services: As a core service, Canis will record the price of crypto-assets or the methodology for determining the price for every transaction, along with any applicable limits.

Outsourcing Arrangements: Given Canis’s reliance on third-party providers (e.g., Sumsub, Chainalysis, Notabene, EU-licensed credit institutions), written agreements and details of all outsourced functions shall be recorded and maintained. This includes the name, location, and regulatory status of each provider.

Safekeeping of Client Assets: Although Canis operates on a non-custodial basis, it must keep records that prove this status. This includes records that distinguish client crypto-assets and funds from Canis's own assets at all times. Records shall include details of the safeguarded client accounts held with the partners and agreements that establish client ownership over assets.

Complaints Handling: A register of all client complaints and the measures taken to resolve them will be maintained in accordance with the Complaints Handling procedure.

Canis also keeps records of all its policies and procedures as required by MiCA.

4.4. Records of Transactions

Canis shall immediately record the details for every transaction undertaken. These records will contain all required data fields as specified in the Annexes of European Commission Delegated (ECD) Regulation 2025/1140, including:

Section 3, Table 3: Details of transactions.

Section 3, Table 4: Details of on-chain data (e.g. transaction hash, wallet addresses, timestamp).

4.5. Identification standards

Canis Identification: Canis will be identified in all records by its validated Legal Entity Identifier (LEI) which complies with the ISO 17442 standard and is included in the Global LEI database maintained by the Central Operating Unit appointed by the Legal Entity Identifier Regulatory Oversight Committee.

Client Identification (Legal Entities): All corporate clients will be identified using their LEI and their LEI will be recorded.

Natural Person Identification: Any natural person who is a decision-maker for a client shall be identified using the designation resulting from the concatenation of their country code and national identifier (e.g., DE+NationalIDNumber), as further specified in Article 9 of the ECD Regulation (EU) 2025/1140.

Crypto-Asset Identification: All crypto-assets will be identified using a Digital Token Identifier (DTI) or an equivalent unique identifier compliant with the ECD Regulation (EU) 2025/1140 (e.g., ISIN for tokens, internal reference, etc.).

5. Final Provisions

5.1. Roles and Responsibilities

The Management Board of Canis holds ultimate responsibility for ensuring the compliance with this Policy and all applicable data protection and record-keeping regulations. The Board approves this Policy and periodically reviews reports on its effectiveness.

The Chief Technology Officer (CTO) is currently designated as the Data Protection Officer (DPO). Canis ensures that the DPO operates independently and without conflicts of interest, reporting directly to the highest level of management.

Canis also appoints a Compliance Officer who ensures that data processing and record-keeping activities align with all regulatory requirements.

All Canis employees and contractors are required to complete annual data protection training and are responsible for handling personal data in accordance with this Policy in their daily work.

Approved by: The Management Board of Canis Life s.r.o.

Approval Date: 31/07/2025

Next Review: by 31/07/2026 or sooner if needed

Annex I - Records of specific services and activities

Type of Record | Summary of Content / Specific Records for Canis
--- | ---
Communication with clients | All marketing communications issued by Canis (or on its behalf), including information on services, crypto-assets, costs, charges, and electronic communications related to transactions or client orders.
Rights and obligations | Any document agreed between Canis and its clients that sets out the rights and obligations of the parties (e.g., Service Agreements). Records of any communication or document evidencing that the client has consented to the provision of services and the terms of service.
Complaints handling | Records of all complaints received and the procedures undertaken for their resolution, in line with Canis's Complaints Handling Policy.
Conflicts of interest | Records of any identified or potential conflicts of interest and the measures implemented to manage them.
Outsourcing | Records of written agreements with all critical third-party providers, in accordance with Article 73(3) of Regulation (EU) 2023/1114. Records of each outsourced service, including the name, location, and regulatory status of the provider (e.g., Sumsub, Chainalysis, Notabene, AWS, EU-licensed credit institution).
Exchange of crypto-assets for funds or other crypto-assets | Records of the price of the crypto-assets or the method for determining the price for every exchange transaction, which is Canis's core service. Records of any limits set by Canis on exchange amounts.

© 2025 Canis. Stablecoin-powered cross-border payments infrastructure.

©Canis - All Rights Reserved 2026