Privacy Policy
Data Controller and Contact Information
Digital Heritage & Asset Protection Ltd (DHAP) is the data controller for personal data collected through this website. Our registered address is 21 Blockchain Lane, Gibraltar GX11 1AA. For all data protection queries, contact the Data Protection Officer at [email protected]. This policy complies with the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and the California Consumer Privacy Act (CCPA) as amended by the CPRA.
Categories of Personal Data We Collect
A. Information You Provide: When you contact us, schedule a consultation, or subscribe to our threat intelligence newsletter, we collect your name, email address, professional affiliation, and wallet address (if provided). For incident response services, we may collect additional verification documents including government-issued ID and screen captures of ownership proofs.
B. Automatically Collected Information: Our servers log IP addresses, browser types, operating systems, and referring URLs via secure logging mechanisms. We use Matomo, a self-hosted analytics platform, to capture page interactions; no data is shared with third parties or used for behavioral advertising.
C. Cookies: We deploy essential session cookies for form functionality and a persistent cookie to remember your cookie consent preferences. No tracking or third-party cookies are used.
Legal Bases for Processing
We process your data under the following lawful bases: (i) Contractual necessity – to provide asset protection services you have engaged; (ii) Legitimate interest – to secure our digital infrastructure and respond to inquiries; (iii) Consent – for newsletter subscriptions and non-essential cookies; (iv) Legal obligation – to comply with anti-money laundering (AML) and know-your-customer (KYC) regulations where applicable.
Data Sharing and International Transfers
We do not sell or rent personal data. We may share necessary information with: (a) blockchain forensic partners (e.g., Chainalysis) under strict NDA for incident response; (b) law enforcement pursuant to a valid legal request; (c) professional indemnity insurers. Data may be transferred to jurisdictions with adequacy decisions (UK, Switzerland). We use Standard Contractual Clauses for any transfers to non-adequate countries.
Data Retention
We retain personal data for the duration of the contractual relationship plus six years to meet legal and audit requirements. Newsletter subscriber data is retained until you unsubscribe. Incident response records are retained for ten years per professional indemnity insurance requirements.
Your Rights
Under GDPR and CCPA, you have the right to access, rectify, and erase your personal data, to restrict processing, to data portability, and to object to processing. CCPA grants rights to know, delete, and opt out of sale (we do not sell data). To exercise your rights, contact [email protected] with the subject ‘Privacy Request’. We respond within 30 days. You may also lodge a complaint with your local supervisory authority (e.g., ICO for UK, CNIL for France, CPPA for California).
Security Measures
We enforce encryption at rest (AES-256) and in transit (TLS 1.3), access controls based on least privilege, and regular penetration testing by a CREST-accredited firm. Our infrastructure is hosted on AWS in eu-west-2, with SOC 2 Type II certification. Nonetheless, no method of transmission or storage is 100% secure.
Policy Updates
This policy was last updated on March 15, 2025. Material changes will be communicated via email to active clients and via a site banner for all visitors.
