This Privacy Notice for CloudNFT Token Sale (“Privacy Notice”) outlines CloudNFT (“We”, “Our”, “Us” or “the Company”) practices with respect to information collected from Users (also referred as “You”) who access our website at https://cloudnft.io/ register or participate in our token sale. This Privacy Notice is a part of the Terms of Use, Privacy Policy, and other relevant agreements.

‍INTRODUCTION

‍The CloudNFT takes steps to protect your privacy. We, in our capacity as Data Controller, have created this Privacy Notice to inform you about why we collect and how we process your Personal Data. By continuing to use our website, you acknowledge that you have read, understood, and accepted the information described in this Privacy Notice.By using this Privacy Notice, we wish to comply and act in accordance with our obligation to inform the Users from whom we use data, as is required under the General Data Protection Regulation (“GDPR”).We will only use your Personal Data as set out in this Privacy Notice. By using our website and filling out and approving the registration form on the said website for the purpose of participating in the Company's (pre)sale of CloudNFT tokens (“the Token Sale”), you agree to us using your Personal Data in accordance with this Privacy Notice.If you have any questions about CloudNFT processing of your Personal Data or you wish to exercise your rights, you are always welcome to contact us.

If you are dissatisfied, you have the right to lodge a complaint with the supervisory authority for data protection issues - Estonian Data Protection Inspectorate (“AKI”), Tatari Tallinn, Estonia, (e-mail: info@aki.ee/phone) or a claim to court. We would, however, appreciate the chance to deal with your concerns before you approach the AKI so please contact us in the first instance.
‍
PERSONAL DATA WE COLLECT: TYPES, LEGAL BASIS, AND PURPOSES OF COLLECTING. Personal Data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article of the GDPR). An outline of the Personal Data that we require, accept, collect and process, when we collect it, how we use it and why we use it, is listed underneath:.

1.3. The Company will process your above mentioned Personal data exclusively on the legal basis listed below, as such in accordance with Article 6 of the GDPR:1.3.1. given consent to the processing (Article 6 (1)(a) of the GDPR);1.3.2. for the performance of a contract (Article 6 (1)(b) of the GDPR);1.3.3. for compliance with a legal obligation to which the Company may be or is subject(ed) (Article 6 (1)(c) of the GDPR); and1.3.4. for the purposes of the legitimate interests pursued by the Company except where such interests are overridden by the interests or fundamental rights and freedoms of the User which require protection of Personal Data (Article 6 (1)(f) of the GDPR).

1.4. Please, pay attention that your Personal data shall be collected and processed by a third party – Sum And Substance Ltd (UK), with its registered office at Suite 1, 5 Percy Street, Fitzrovia, London, England, W1T 1DG (“SumSub”), who is a trusted partner of the Company for collecting and processing Users data on behalf of the Company. SumSub is an experienced identity verification company that will process Personal data for the purposes of the necessary KYC/AML procedures. SumSub will obtain and process individually identifiable Personal data and run KYC/AML procedures and ensure compliance with the relevant AML legislation.1.5. Nevertheless, for Users' data, which is outlined in clause 1.2 of this Privacy Notice, the Company will be the Controller in accordance with GDPR.

‍2. DATA SUBJECT RIGHTS

‍2.1. You may request to:2.1.1. receive confirmation as to whether or not Personal Data concerning you is being processed, and access your stored Personal data, together with supplementary information;2.1.2. receive a copy of Personal Data you directly volunteer to us in a structured, commonly used, and machine-readable format;2.1.3. request rectification of your Personal Data that is in our control;2.1.4. request erasure of your Personal Data;2.1.5. object to the processing of Personal Data by us;2.1.6. request to restrict processing of your Personal Data by us;2.1.7. lodge a complaint with a supervisory authority.

2.2. However, please note that these rights are not absolute, and may be subject to our own legitimate interests and regulatory requirements. If you wish to exercise any of the aforementioned rights or receive more information, please contact us at support@cloudnft.io.

‍3. SHARING YOUR PERSONAL DATA WITH THIRD PARTIES

‍3.1. The Company only shares your Personal Data with third parties insofar as necessary for the provision of services with due observance of the aforementioned legal basis. Nevertheless, the Company may provide your Personal Data to a third party, such as service providers, a supervisor, or any other public authority, to the extent that there is a legal obligation to do so.

3.2. If a third party is contracted by the Company to process your Personal Data on behalf of the Company, a processing agreement is concluded under which the designated third party is also obliged to comply with the GDPR. Third parties contracted by the Company who offer services as a Controller, are also responsible for compliance with the GDPR for the processing of your Personal data.

‍4. THIRD-PARTY WEBSITES AND SOCIAL MEDIA

‍4.1. On the Website “buttons” and/or hyperlinks are included to promote or share web pages on social (media) networks or third-party websites such as Twitter, Instagram, Telegram, or YouTube. The Company does not supervise these networks and websites and is therefore not responsible for the processing of your Personal Data by and through the parties behind those networks and websites. The use of these media is therefore at your own risk. Before you make use of these third-party services, the Company recommends you to read the privacy statements of those third parties.

‍5. STORAGE AND RETENTION OF PERSONAL DATA

‍5.1. We will take all the necessary steps to ensure that your data is treated securely and in accordance with this Privacy Notice. All the (personal) data you provide to us is stored on secured servers. Where we have given you a password that enables you to access certain parts of our website and/or your personal account, you are responsible for keeping your own password confidential.. The Personal Data that we collect from you will be transferred to and stored at a secure server administered by the Company or a service provider designated by the Company. Your Personal Data will be processed by staff who work for us and/or by staff who work for one of our suppliers.

5.3. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your Personal Data, we cannot guarantee the security of your data transmitted to and through our website and or your personal account (if applicable). Therefore, any transmission is done by you at your own risk. Once we have received your Personal Data, we will use strict procedures and security features to prevent any unauthorized access.

5.4. We will keep your Personal Data no longer than is necessary in accordance with the legal basis and purposes stated above and/or to meet legal and regulatory requirements.

‍6. CHANGES TO PRIVACY POLICY

‍6.1. We reserve the right to modify or amend this Privacy Notice at our discretion. Any changes can be viewed in the “Last Updated” field above, so please check the section regularly.

6.2. If we make any material changes, we will post the new Privacy Notice on the Website, with a new effective date.

6.3. If the User does not accept a new edition of the Privacy Notice, he/she must stop using our Website.

‍THANK YOU!

INTRODUCTION

‍This Anti-Money Laundering Policy (“Policy”) prepared by CloudNFT OÜ, a company incorporated under the laws of Estonia under registered number 16356748, having legal and business address at: Harju maakond, Tallinn, Lasnamäe linnaosa, Võru tn 11, 13612 (the “Company”), website https://cloudnft.io/.This Policy is prepared in accordance with the Estonian Money Laundering and Terrorist Financing Prevention Act with all relevant amendments adopted and came into force on the 10.01.2021, 5th AML EU Directive (Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU), International Sanction Act with all relevant amendments adopted and came into force on the 01.01.2021.The Company created this Policy to decrease the risk of money laundering and terrorist financing associated with its business and the sale of its products. This Policy emphasizes our individual obligation for adhering to anti-money laundering (also referred as “AML”) and counter-terrorist financing (also referred as “CFT”) legislation (and also with laws around the world, such as European Union Directives etc).This Policy shall be disseminated to all Company personnel who manage, monitor, or oversee in any manner the Customers‘ transactions and are responsible for the implementation of the practices, measures, procedures, and controls established herein. Any employee who breaches the provisions in this Policy, or who allows others to break this Policy, may face appropriate disciplinary action, up to and including dismissal, as well as civil or criminal fines.By no means this document shall not be read as an entire set of all policies, procedures and controls in place implemented by the Company for prevention of money laundering, financing of terrorism and other forms of illicit activity.The Company shall regularly check whether the Policy is up-to-date and make necessary changes upon amendments to the regulations in force.

‍1. CUSTOMER DUE DILIGENCE AND CUSTOMER ACCEPTANCE PROCESS

‍1.1. Customer due diligence (“CDD”) is one of the main tools for ensuring the implementation of legislation aimed at preventing money laundering and terrorist financing and at applying sound business practices. CDD comprises a set of activities and practices arising from the organizational and functional structure of the Company and described in internal procedures, which have been approved by the directing bodies of the Company and the implementation of which is subject to control systems established and applied by internal control rules.

1.2. The purpose of CDD is to prevent the use of assets and property obtained in a criminal manner in the economic activities of credit institutions and financial institutions and in the services provided by them whose goal is to prevent the exploitation of the financial system and economic space of the Republic of Estonia for money laundering and terrorist financing. CDD is aimed, first and foremost, at applying the Know Your Client (“KYC”) principle, under which a Customer shall be identified and the appropriateness of transactions shall be assessed based on the Customer’s principal business and prior pattern of payments. In addition, CDD serves to identify unusual circumstances in the operations of a Customer or circumstances whereby an employee of the Company has reason to suspect money laundering or terrorist financing.

1.3. CDD ensures the application of adequate risk management measures in order to ensure constant monitoring of Customers and their transactions and the gathering and analysis of relevant information. Upon applying the CDD measures, the Company will follow the principles compatible with its business strategy and, based on prior risk analysis and depending on the nature of the Customer’s business relationships, apply CDD to a different extent.

1.4. CDD is applied based on a risk sensitive basis, i.e. the nature of the business relationship or transaction and the risks arising therefrom shall be taken into account upon selection and application of the measures. Risk-based CDD calls for the prior weighing of the specific business relationships or transaction risks and, as a result thereof, qualification of the business relationship in order to decide on the nature of the measure to be taken.

1.5. CDD measures are appropriate and with suitable scope if they make it possible to identify transactions aimed at money laundering and terrorist financing and identify suspicious and unusual transactions as well as transactions that do not have a reasonable financial purpose or if they at least contribute to the attainment of these goals.

1.6. The first requirement for the measures of prevention of money laundering and terrorist financing is that the Company does not enter into transactions or establish relationships with anonymous or unidentified persons. Legislation requires that the Company waives a transaction or the establishment of a business relationship if a person fails to provide sufficient information to identify the person or about the purpose of the transactions or if the operations of the person involve a higher risk of money laundering or terrorist financing. Also, legislation requires the Company to terminate a continuing contract without the advance notification term if the person fails to submit sufficient information for application of CDD measures.

1.7. The Company ensures that information concerning a Customer (incl. gathered documents and details) is up to date. In the event of Customers or business relationships falling in the high risk category, the existing information will be verified more frequently than in the event of other Customers/business relationships. The respective data shall be preserved in writing or in a form that can be reproduced in writing and made available to all relevant employees who need it to perform their employment duties (management board members, account managers, risk managers and internal auditors).

1.8. The Company carries out CDD measures at the outset of any business relationship and, if necessary, where any suspicions arise subsequently on our suppliers, distributors, counterparties, agents and any person with whom the Company has an established business relationship that will involve the transfer to or receipt of funds, so the Company can ensure that there are no legal barriers to working with them before contracts are signed or transactions occur.

1.9. Various factors will determine the appropriate forms and levels of screening. The Company shall perform KYC procedure for every Customer (natural or legal entity), Representative of the Customer (an individual who is authorized to act on behalf of the Customer), Beneficial Owner of the Customer and Politically Exposed Person (“PEP”) or a person connected with the PEP.

1.10. During the KYC (and registration) procedure, every Customer must provide to the Company with personal information and documents, which the Company needs to establish a portfolio of the Customer and access the risk (for more detailed risk description see Section 4 of the Policy), connected to it (see Table #1).

1.11. KYC is carried out by a third party – Sum And Substance Ltd (UK), with its registered office at Suite 1, 5 Percy Street, Fitzrovia, London, England, W1T 1DG (hereinafter - “SumSub”), who is a trusted partner of the Company for collecting and processing Users data on behalf of the Company. SumSub is an experienced identity verification company that will process personal data and run KYC/AML procedures and ensure compliance with the relevant AML legislation.

1.12. For the purposes of maintaining Customers’ accounts and reviewing Customers for the purposes of KYC/AML compliance, the Company will collect and process the same that SumSub will collect in the process of Customer verification (KYC) procedure, according to Privacy Notice for Cloud NFT Token Sale.

1.13. The Company obtains all information necessary to establish to its full satisfaction the identity of each new Customer and the purpose and intended nature of the business relationship. The extent and nature of the information depends on the type of applicant (personal, corporate, etc.) and the expected size of the account. Therefore, the Company has categorized the Customers (and personal information).

2. ESTABLISHING THE SOURCE OF FUNDS

‍2.1. The Company should follow a risk-based approach when establishing Source of Funds. The risk-based approach is that the Company is on alert to any possibility that the funds may not be from a legitimate source or are not destined for a legitimate purpose. For example, when funds are sourced from a high-risk third country with inadequate AML legislation and regime, it is appropriate to obtain more information before proceeding with any transaction. A detail/extent depends on the Customer’s money laundering and terrorist finance risks.

2.2. For the purpose of ensuring that the source of the funds is legitimate, the Company undertakes the following measures:

2.2.1. considers the reliability of the Customer based on the information provided;

2.2.2. questions information and/or proof documents of the source of funds that the Customer intends to invest;

2.2.3. considers the jurisdiction and the bank rating that those money are being transferred;

2.2.4. considers whether the funds are being transferred from an account which is held in the name of the Customer or a third party.

2.3. Where the funds come from a third party, the risk is greater and further enquiries shall be made by the Company: about the relationship between the Customer and the ultimate underlying principal of the funds (i.e., the actual provider of the funds) assessing whether the purpose of the transaction is in line with the documented profile of the Customer.

2.4. The Company undertakes to ensure that the source of funds is logical and backed by supporting documentation (e.g,. a deed of sale, etc.).

‍3. CORPORATE GOVERNANCE AND COMPLIANCE FUNCTION

‍3.1. In accordance with the Money Laundering and Terrorist Financing Prevention Act the Company is an obliged entity responsible for the implementation of Money Laundering and Terrorist Financing Prevention Act and guidelines adopted on the basis thereof.

3.2. In accordance with §20 of the International Sanction Act the Company is the person having specific obligations and shall appoint a person who shall be responsible for the compliance with the obligations provided for in §21, §22 and §23 of the International Sanctions Act and for the performance of legislation and instructions established on the basis of the International Sanctions Act. The position of a Compliance officer within the organizational structure of the Company allows the Compliance officer to be appointed as a person who shall be responsible for the compliance with the obligations provided by §21, §22 and §23 of the International Sanctions Act.

3.3. The management board of the Company appoints a Compliance officer. The functions of a Compliance officer are performed by an employee and a structural unit subordinate to the Compliance officer with the relevant duties.

3.4. The Company ensures that only a person who has the education, professional suitability, the abilities, personal qualities, experience and impeccable reputation required for performance of the duties of a Compliance officer may be appointed as a Compliance officer.

3.5. Only a person who works permanently in Estonia and has the education, professional suitability, abilities, personal qualities, experience and impeccable reputation required for performance of the duties of a compliance officer may be appointed as a compliance officer. The appointment of a Compliance officer is coordinated with the Financial Intelligence Unit (“FIU”).

3.6. The position of a Compliance officer within the organizational structure of the Company shall allow for the performance of the requirements provided by law for the prevention of money laundering and terrorist financing. Upon establishment of the compliance officer position, the compliance officer shall be made directly accountable to the management board of the Company and made as independent of business processes as possible.

3.7. The Compliance officer’s independence from business processes does not mean that the officer is prohibited to advise or train colleagues for the purpose of ensuring the compliance of the actions of the executives and employees with the requirements of the Money Laundering and Terrorist Financing Prevention Act.

3.8. The functions of the Compliance officer are as follows:3.8.1. organization of collection and analysis of information referring to unusual transactions or transactions suspected of money laundering or terrorist financing in the activities of the Company (collection of information means collection of any and all suspicious or unusual notices received from the employees, contractual partners and agents of the Company, and systemizing and analysis of the information contained in them);3.8.2. reporting to the FIU in the event of suspicion of money laundering or terrorist financing (notice being given in the manner agreed with the FIU);3.8.3. periodic submission of written statements on implementation of the rules of procedure to the management board of the Company; and3.8.4. performance of other obligations related to the fulfilment of the requirements of the Money Laundering and Terrorist Financing Prevention Act by the Company and training employees and applying respective control mechanisms).

3.9. The Compliance officer shall have access to the information forming the basis or prerequisite for establishing a business relationship, including any information, data or documents reflecting the identity and business activity of the Customer. The management board also grants the compliance officer the right to participate in the meetings of the management board if the compliance officer deems this necessary to perform their functions.3.10. The contact details of the Compliance officer shall be communicated to the Financial Supervision Authority. The Compliance officer shall inform the Financial Supervision Authority within a reasonable term about the appointment of a new compliance officer or a change in contact details.

‍4. RISK LEVELS AND CATEGORIES

‍4.1. The Company shall classify Customers into various risk categories and based on the risk perception decide on the acceptance criteria for each category of Customer. Where the Customer is a prospective Customer, an account must be approved only after the relevant pre-account opening CDD and identification measures and procedures have been conducted, according to the principles and procedures set in Policy. No account shall be opened in anonymous or fictitious names.

4.2. The criteria for accepting new Customers and categorization of Customers based on their risk is described below. The Compliance Officer shall be responsible for categorizing Customers in one of the following three (3) categories based on the criteria of each category set below in the Tables #2, #3, #4 and Table #1 set above.