Data Protection

Privacy Policy

(in compliance with Regulation (EU) 2016/679 — General Data Protection Regulation)

This Privacy Policy sets forth the principles and practices by which XENIOS BLOCKCHAIN GROUP S.A., a company duly incorporated and existing under the laws of Greece, with registered office at 17th Noemvriou 4B, Melissia, Attica, VAT number 802248144 and G.E.MI. 160986401000, hereinafter referred to as “XENIOS” or the “Company”, processes, protects and manages personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), Greek Law 4624/2019 and other applicable data protection frameworks, including the Swiss Federal Act on Data Protection (FADP) where relevant. The Company is fully committed to maintaining the confidentiality, integrity, availability and accountability of all personal data under its control, implementing a continuous compliance framework that safeguards the rights and freedoms of every individual whose data it processes.

1. Data Controller and Contact Details

The Data Controller is XENIOS BLOCKCHAIN GROUP S.A., registered at 17th Noemvriou 4B, Melissia, Attica, Greece. For any matter related to the protection of personal data, individuals may contact the Company at the email address [email protected]. The appointed Data Protection Officer (DPO) is Mr. Vasileios Apostolidis, reachable at [email protected].

2. Scope and Application

This Policy applies to all personal data processed by XENIOS, whether relating to employees, associates, contractors, clients, suppliers, partners or any other natural person whose information is collected or handled by the Company in the context of its operations, including users of XENIOS digital platforms, products and technological solutions.

3. Categories of Personal Data Processed

Depending on the context of the relationship, XENIOS may process data identifying individuals such as full name, position, professional contact details, tax or registration information, payment and financial data, electronic identifiers including IP addresses, access logs and user credentials, as well as data contained in communications, correspondence or legal and contractual documentation. The Company does not process special categories of data unless such processing is required by law or necessary for compliance purposes and always under strict safeguards.

All processing activities are carried out for legitimate, specific and lawful purposes, which include the performance and administration of contracts with clients, suppliers and partners; the management of employees and contractors; the provision, operation and maintenance of XENIOS technological platforms; the fulfilment of statutory obligations relating to taxation, accounting, anti-money laundering and data protection; communication and collaboration with business counterparts and authorities; the maintenance of information-security operations; and the establishment, exercise or defence of legal claims. Processing is based on one or more of the lawful grounds provided in Article 6 of the GDPR, namely the performance of a contract or pre-contractual steps, compliance with a legal obligation, the pursuit of legitimate interests of the Company which do not override the interests or rights of the data subject, and, where applicable, the explicit consent of the data subject for specific purposes.

5. Retention and Storage

Personal data are retained only for as long as necessary for the purposes for which they were collected or as required by law. Retention periods are defined in the Company’s internal Data Retention Policy, which ensures that data are periodically reviewed and erased or anonymised once no longer required. Data stored in electronic form are kept on secure servers located within the European Economic Area, under encryption and strict access controls, while hard-copy records are stored in locked facilities accessible only to authorised personnel.

6. Data Sharing and Disclosure

Personal data may be disclosed solely to authorised third parties acting on behalf of the Company and only where such disclosure is necessary for the fulfilment of contractual or legal obligations. These recipients may include accounting and payroll providers, legal and IT consultants, external auditors, banks, and public authorities. In every case, XENIOS ensures that each recipient is bound by written contractual terms guaranteeing confidentiality, integrity and compliance with the GDPR and the Company’s data-protection standards. No personal data are disclosed to any party that does not provide adequate assurances of lawful and secure processing.

7. International Data Transfers

XENIOS primarily stores and processes personal data within the European Economic Area (EEA). Transfers of personal data to countries outside the EEA shall take place only when necessary and always in compliance with Chapter V of the GDPR. Such transfers will be governed by appropriate safeguards, including Standard Contractual Clauses adopted by the European Commission or other mechanisms approved by competent authorities, and will be preceded by a Transfer Impact Assessment ensuring that an equivalent level of protection is maintained.

8. Security of Processing

The Company maintains a comprehensive information-security management system aligned with international standards, implementing technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include access control and authentication, encryption of data in transit and at rest, intrusion prevention, network segmentation, system monitoring, secure backup, periodic penetration testing and continuous employee awareness programmes. The effectiveness of these measures is periodically evaluated and updated.

9. Rights of Data Subjects

Every individual whose data are processed by XENIOS enjoys the rights granted by Articles 12 to 23 of the GDPR, namely the right of access, rectification, erasure, restriction of processing, data portability, objection to processing and withdrawal of consent where consent constitutes the legal basis of processing. Requests to exercise these rights shall be submitted in writing to [email protected] and will be handled without undue delay and, in any case, within one month from receipt, subject to possible extension under Article 12(3) GDPR. Data subjects also have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA) or any competent supervisory authority in their jurisdiction.

10. Confidentiality and Access Control

Access to personal data within XENIOS is granted solely to individuals whose duties require such access, following the principles of necessity and proportionality. All personnel, employees and contractors are bound by confidentiality obligations both during and after the termination of their relationship with the Company. The Company performs regular audits and maintains detailed records of processing activities to ensure continuous compliance and accountability.

11. Data Breach Response

In the event of a personal-data breach, XENIOS will promptly assess the incident, mitigate its impact and, where required, notify the competent supervisory authority within seventy-two (72) hours from discovery, pursuant to Article 33 of the GDPR. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, affected individuals shall be notified without undue delay, in clear and transparent language, describing the nature of the breach, its possible consequences and the remedial actions taken.

12. Accountability and Governance

XENIOS has established internal policies and procedures to ensure continuous adherence to data-protection principles, including lawful, fair and transparent processing, data minimisation, accuracy, storage limitation, integrity and confidentiality. The Company maintains up-to-date records of processing activities, performs regular Data Protection Impact Assessments where required, ensures that all third parties operate under binding Data Processing Agreements, and incorporates privacy-by-design and privacy-by-default principles into all technological developments.

13. Policy Updates and Communication

This Privacy Policy is reviewed periodically and updated whenever necessary to reflect changes in legislation, business operations or processing practices. The current version is always available to all stakeholders and may be provided upon request. Employees, partners and clients are notified of any significant amendments through appropriate communication channels. Continued interaction with the Company following publication of an updated version shall be deemed acceptance of the revised terms.

14. Contact and Effective Date

For any questions, concerns or requests regarding the processing of personal data by XENIOS BLOCKCHAIN GROUP S.A., please contact the Data Protection Officer at [email protected] or by post at 17th Noemvriou 4B, Melissia, Attica, 15127, Greece.

This Policy enters into effect on 27 March 2026 and has been formally approved by the Board of Directors of XENIOS BLOCKCHAIN GROUP S.A.

Approved by:
Anastasios Oureilidis
Chief Executive Officer
XENIOS BLOCKCHAIN GROUP S.A.
17th Noemvriou 4B, Melissia, Attica, Greece
VAT 802248144 – G.E.MI. 160986401000
