Matrex
Legal

Privacy Policy

Version
v1.0
Effective date
20 May 2026
Last reviewed
20 May 2026
View version history

1. Purpose of this Privacy Policy

1.1

This Privacy Policy explains how Matrex collects, uses, discloses, stores, protects, and retains personal information.

1.2

Matrex is a token management and investor administration software platform. The platform may be used for tokenised real-world asset projects, investor onboarding, identity verification, anti-fraud controls, transfer restrictions, document repositories, transaction workflows, and compliance records.

1.3

This Privacy Policy applies to visitors, users, issuer personnel, administrators, investors, prospective investors, token holders, service providers, and other people who interact with Matrex.

2. Personal information we collect

2.1

Matrex may collect the following categories of personal information:

  1. identity information, including name, date of birth, nationality, identity document details, photographs, signatures, and verification results;
  2. contact information, including email address, phone number, physical address, and communication preferences;
  3. account information, including username, password credentials, authentication settings, roles, permissions, and login history;
  4. investor eligibility information, including wholesale investor status, accredited investor status, qualified purchaser status, sophisticated investor status, professional investor status, certifications, acknowledgements, and supporting documents;
  5. AML/CFT and sanctions information, including beneficial ownership information, source of funds information, source of wealth information, politically exposed person checks, sanctions screening results, watchlist results, and risk scores;
  6. transaction information, including subscription records, transfer requests, approval records, token holdings, wallet addresses, blockchain transaction identifiers, timestamps, settlement information, payment references, and project participation records;
  7. technical and device information, including IP address, device identifiers, operating system, browser type, time zone, approximate location, log data, session data, security events, cookies, analytics data, and fraud indicators;
  8. communications information, including emails, support requests, notices, messages, call notes, document comments, and audit trails;
  9. uploaded documents and project records, including subscription documents, signed agreements, evidence of eligibility, tax forms, corporate documents, trust documents, registers, board approvals, powers of attorney, and due diligence materials;
  10. compliance and security information, including audit logs, access logs, permission changes, failed login attempts, device risk information, geolocation signals, and investigation records; and
  11. any other information you provide to us or that is required for platform operation, compliance, fraud prevention, cybersecurity, legal claims, or issuer administration.

3. How we collect personal information

3.1

We may collect personal information:

  1. directly from you;
  2. from issuers, project sponsors, administrators, advisers, fund managers, lawyers, accountants, trustees, supervisors, or other authorised parties;
  3. from identity verification, AML/CFT, sanctions, blockchain analytics, payment, fraud prevention, e-signature, secure file transfer, hosting, and compliance providers;
  4. from blockchain networks and public ledgers;
  5. from your device, browser, wallet, or network connection;
  6. from public registers, company registers, court records, sanctions lists, government databases, and other lawful sources; and
  7. from communications with us.

4. Why we collect and use personal information

4.1

Matrex may collect and use personal information for the following purposes:

  1. providing, operating, securing, and improving the Matrex platform;
  2. creating and managing accounts;
  3. verifying identity;
  4. assessing investor eligibility;
  5. supporting issuer onboarding and investor administration;
  6. administering token subscriptions, transfers, registers, restrictions, notices, approvals, redemptions, reporting, and records;
  7. detecting, preventing, investigating, and responding to fraud, cyber threats, unauthorised access, misuse, sanctions risk, money laundering, terrorist financing, market abuse, and unlawful conduct;
  8. collecting IP address, operating system, device, browser, location, and usage data for legitimate anti-fraud, cybersecurity, compliance, audit, and platform-integrity purposes;
  9. complying with securities, financial markets, AML/CFT, sanctions, tax, privacy, accounting, audit, court, regulator, and law enforcement obligations;
  10. supporting secure file transfer, document management, e-signature, and communication workflows;
  11. maintaining evidence, audit trails, and compliance records;
  12. enforcing platform terms and project rules;
  13. responding to support requests and disputes;
  14. sending administrative, legal, compliance, security, and service communications;
  15. improving user experience, analytics, performance, and reliability; and
  16. protecting the rights, property, safety, and legitimate interests of Matrex, users, issuers, investors, service providers, and third parties.
5.1

Depending on the jurisdiction, Matrex may process personal information because:

  1. processing is necessary to provide the platform or perform a contract;
  2. processing is necessary for compliance with legal obligations;
  3. processing is necessary for legitimate business, cybersecurity, anti-fraud, compliance, audit, and platform-integrity purposes;
  4. processing is necessary to establish, exercise, or defend legal claims;
  5. processing is necessary to protect users, issuers, investors, or third parties;
  6. processing is authorised by the relevant user, issuer, administrator, or project sponsor; or
  7. consent has been obtained where required.

6. Sensitive information

6.1

Matrex may collect sensitive information only where reasonably necessary for lawful purposes, including identity verification, AML/CFT, sanctions screening, fraud prevention, security, investor eligibility, legal compliance, or where you provide it as part of project documentation.

6.2

Sensitive information may include government identification, biometric verification outputs, nationality, tax information, source of funds information, politically exposed person status, criminal or sanctions screening indicators, precise location in limited security contexts, and financial information.

6.3

Matrex does not use sensitive information to infer characteristics unrelated to the relevant compliance, security, platform, or legal purpose.

7. Cookies and similar technologies

7.1

Matrex may use cookies, pixels, local storage, software development kits, analytics tools, and similar technologies.

7.2

These technologies may be used for login, authentication, fraud prevention, cybersecurity, session management, preferences, analytics, performance, and platform improvement.

7.3

You may be able to manage cookies through your browser settings, but disabling cookies may affect platform functionality.

8. Disclosure of personal information

8.1

Matrex may disclose personal information to:

  1. issuers, project sponsors, administrators, fund managers, advisers, trustees, supervisors, lawyers, accountants, auditors, or other authorised project participants;
  2. identity verification providers;
  3. AML/CFT, sanctions, politically exposed person, and watchlist screening providers;
  4. blockchain analytics and wallet verification providers;
  5. payment, banking, settlement, escrow, and transaction service providers;
  6. cloud hosting, cybersecurity, analytics, logging, monitoring, error reporting, session replay, and support providers (including, for example, Sentry — used by Matrex for error and performance monitoring and, where the visitor has granted analytics cookie consent, masked session replay; Matrex configures Sentry to default-mask all text and input values and to strip identifying user fields before transmission);
  7. secure file transfer and document management providers;
  8. e-signature and workflow providers;
  9. professional advisers;
  10. regulators, law enforcement agencies, courts, tribunals, tax authorities, government agencies, or dispute-resolution bodies;
  11. prospective purchasers, investors, financiers, insurers, or advisers in connection with a business sale, merger, restructuring, financing, or due diligence process; and
  12. other parties where authorised, required by law, or reasonably necessary for platform, compliance, security, fraud prevention, legal, or operational purposes.

9. International transfers

9.1

Matrex may store, process, or disclose personal information in New Zealand, Australia, the United States, the European Union, the United Kingdom, Singapore, or other jurisdictions where Matrex, its users, issuers, service providers, or infrastructure providers operate.

9.2

Where required, Matrex will use appropriate safeguards for international transfers, which may include contractual protections, vendor due diligence, access controls, encryption, and other security measures.

10. Retention of personal information

10.1

Matrex retains personal information for as long as reasonably required for the purposes described in this Privacy Policy.

10.2

Compliance, identity, AML/CFT, sanctions, investor eligibility, audit, transaction, anti-fraud, cybersecurity, legal, tax, accounting, and dispute records may be retained for extended periods where required or appropriate.

10.3

Because token administration, securities compliance, AML/CFT compliance, investor registers, transfer restrictions, legal claims, and blockchain-related records may require long-term evidence, some records may be retained after an account is closed.

10.4

Matrex may retain de-identified, aggregated, security, audit, or statistical information where it no longer identifies an individual.

11. Security

11.1

Matrex uses technical, organisational, and administrative safeguards designed to protect personal information.

11.2

Safeguards may include access controls, encryption, secure file transfer, authentication controls, audit logs, vendor controls, monitoring, backup procedures, and security review processes.

11.3

No system is completely secure. Users are responsible for protecting their own credentials, devices, wallets, private keys, and communications.

12. Your privacy rights

12.1

Depending on your location and applicable law, you may have rights to:

  1. request access to personal information held about you;
  2. request correction of personal information;
  3. request deletion of personal information;
  4. request restriction of processing;
  5. object to processing;
  6. request portability;
  7. withdraw consent where processing is based on consent;
  8. opt out of certain analytics, marketing, sale, sharing, or targeted advertising activities; and
  9. complain to a privacy regulator.
12.2

Matrex may need to verify your identity before responding to a request.

12.3

Matrex may refuse, limit, or defer a request where permitted by law, including where retention is required or appropriate for AML/CFT, sanctions, securities compliance, investor records, legal claims, fraud prevention, cybersecurity, tax, accounting, audit, or regulatory purposes.

13. California privacy notice

13.1

This section applies to California residents where the California Consumer Privacy Act, as amended by the California Privacy Rights Act, applies to Matrex.

13.2

Matrex may collect the following categories of personal information:

  1. identifiers;
  2. customer records information;
  3. protected classification information where required for compliance or identity purposes;
  4. commercial information;
  5. internet or electronic network activity information;
  6. geolocation information;
  7. professional or employment-related information;
  8. inferences for fraud, compliance, risk, and security purposes; and
  9. sensitive personal information.
13.3

Matrex collects these categories for the purposes described in this Privacy Policy, including platform operation, identity verification, investor administration, compliance, AML/CFT, sanctions screening, fraud prevention, cybersecurity, audit, legal obligations, and service improvement.

13.4

Matrex may disclose these categories to the service providers and other parties described in this Privacy Policy.

13.5

Matrex does not sell personal information for money.

13.6

Matrex does not knowingly sell or share personal information of consumers under 16 years of age.

13.7

Matrex may use analytics or advertising technologies that could be considered "sharing" under California law. Where required, Matrex will provide a "Do Not Sell or Share My Personal Information" mechanism or honour legally recognised opt-out signals.

13.8

California residents may have the right to know, access, correct, delete, opt out of sale or sharing, limit use of sensitive personal information, and not be discriminated against for exercising privacy rights.

13.9

To exercise California privacy rights, contact privacy@matrex.io or use our privacy request webform.

14. New Zealand privacy notice

14.1

Matrex handles personal information in accordance with the New Zealand Privacy Act 2020 where that Act applies.

14.2

Matrex collects personal information for lawful purposes connected with its platform functions, compliance obligations, anti-fraud controls, cybersecurity, investor administration, and business operations.

14.3

Where practical, Matrex collects personal information directly from the individual, but may also collect it from issuers, administrators, service providers, public sources, blockchain networks, regulators, or other authorised sources.

14.4

Individuals may request access to and correction of personal information held by Matrex.

14.5

Privacy requests may be sent to privacy@matrex.io.

14.6

Individuals may complain to the New Zealand Privacy Commissioner if they are not satisfied with Matrex's handling of their personal information.

15. Children

15.1

Matrex is not intended for children.

15.2

Users must not provide personal information about children unless authorised and necessary for a lawful project, legal, trust, inheritance, beneficial ownership, or compliance purpose.

16. Automated processing and risk controls

16.1

Matrex may use automated or semi-automated tools to assist with identity verification, fraud detection, sanctions screening, risk scoring, device risk, blockchain analytics, access control, and transaction monitoring.

16.2

These tools may produce alerts, scores, recommendations, or restrictions.

16.3

Matrex may review automated outputs manually where appropriate.

17. Blockchain data

17.1

Blockchain transactions may be public, permanent, and difficult or impossible to delete.

17.2

Wallet addresses, transaction hashes, token balances, and smart contract interactions may be visible on public blockchains.

17.3

Matrex cannot delete or modify information recorded on public blockchains.

18. Changes to this Privacy Policy

18.1

Matrex may update this Privacy Policy from time to time.

18.2

Updated versions will be published on matrex.io.

18.3

The updated policy will apply from the date published or from any later effective date stated in the policy.

19. Contact

Privacy questions and requests should be sent to the Matrex Privacy Officer:

Matrex Privacy Officer

Email: privacy@matrex.io

Webform: /privacy-request

This document is published by Matrex. It may be updated from time to time — the effective date at the top of this page reflects the current version.