PRIVACY POLICY
MEXICO
Version 2.0
Effective as of April 9, 2026
In compliance with the Federal Law on the Protection of Personal Data Held by Private Parties and its Regulations (the “LPD”), we make available to you the following privacy notice.
This notice applies to the extent that you are a visitor to our Website or a Client of our Platform or our Services, together with our Terms and Conditions, our ALD Policy, and any other document or contract we have entered into with you. Terms not expressly defined in the LPD or in this document shall have the meaning ascribed to them in our Terms and Conditions and our ALD Policy. We reserve the right to issue separate notices or policies to the extent they relate to specific data subjects, such as, for example, our employees, suppliers, and/or business partners.
As controllers of the processing of your personal data, we reserve the right to modify the content of this notice at any time. Changes to this notice will be notified to you by email, a pop-up notification on the Website, or publication on said Website with a numeric code identifying the version in force (“V.1.0”, “V.1.1”, “V.1.2”, “V.2.0”, and so on). The corresponding modifications shall take effect as of the day following that on which you became aware of them.
INFORMATION ABOUT THE CONTROLLER
Name: Swapido S.A.S. de C.V. (hereinafter, Aureo, we, us, our, etc.)
Address: Sandbox Business Center, WTC San Salvador Tower II, El Mirador, Escalón, San Salvador.
Email: legal@aureobitcoin.com
WHEN WE COLLECT PERSONAL DATA
We collect personal data when:
- You visit our Website, use our Platform, or any interfaces we embed, insert, or connect on third-party sites or platforms through APIs, iframes, or similar mechanisms;
- You create a Client account with us or in any way enter into a contract with us; or
- You contact us through our contact channels, social media, or other direct electronic means of communication;
- You carry out transactions on our Platform or use our Services.
PERSONAL DATA SUBJECT TO PROCESSING
I. Visitors to the Website or the Platform
- Technical / IT data: the type of domain you use to connect to the internet, the IP address assigned to your device, geolocation, access information; date and time of access to the Website and the Platform; pages visited before or after; unique device identifiers, type of browser used, operating system; search engine used and the keywords used to find our Website or the Platform.
- The use and processing of cookies is detailed at the end of this document, in a section incorporated specifically for that purpose.
II. Clients of the Platform
1. Legal entity of Mexican or foreign nationality
Documents:
- Articles of incorporation. In the case of a foreign legal entity, that it be duly legalized or, where the country in which said document was issued is a party to the “Convention Abolishing the Requirement of Legalization for Foreign Public Documents”, adopted at The Hague, Netherlands, on October 5, 1961, it shall suffice for said document to bear the apostille referred to in said Convention.
- Tax Status Certificate (Constancia de Situación Fiscal / CSF) or equivalent.
- Proof of current address (not older than 3 months).
- Document evidencing the powers of its legal representative(s).
- Express written statement as to whether it is aware of the existence of the Beneficial Owner.
Data:
- Data of the principal place of business in national territory where it carries out the majority of its services or conducts its activities (Street, Exterior number, Interior number (if applicable), Neighborhood, Postal code, Borough or Alcaldía, Locality, and Federative Entity)
- The information collected from visitors to the Website or the Platform, referred to in subsection I above;
- Contact: corporate name or business name, telephone numbers, email addresses, and addresses.
- Credentials: information that may be derived from the articles of incorporation, Federal Taxpayer Registry (RFC) key or tax identification number of its country of nationality in the case of a foreign entity. In the case of Legal Representative(s) of a Legal Entity, official photo identification (INE, driver’s license, resident card, or passport) and Unique Population Registry Code (Clave única de Registro de Población) or citizen identification number.
- Identification data of the sole administrator and/or partners and/or shareholders.
- Patrimonial or financial information: transactional profile, source of income, level of income and/or of your employer, salary, account number, CLABE and the balance, statement, or transactional history associated with your addresses or Wallets, as well as the number and type of Virtual Assets associated with them.
- Geolocation.
- Cryptographic wallet (Wallet) address, biometric details; electronic signature; and any public key you share with us; communications; two-factor authentication (2FA) reset codes.
- Information about how you use our website.
- Regulatory: information we request from you under our ALD Policy or legislation on the prevention of transactions involving proceeds of unlawful origin.
2. Natural person (who declares Mexican nationality or foreign nationality with the status of temporary or permanent resident, within the meaning of the Migration Law)
Documents:
- Current official photo identification (INE, driver’s license, or passport).
- Certificate of the Unique Population Registry Code (Clave única de Registro de Población), issued by the Ministry of the Interior, or Tax Identification Card issued by the SAT, when available.
- Proof of address, current (not older than 3 months), when the address stated by the Client does not match that on the identification or the identification does not contain it.
- Document evidencing powers or incorporation of authority, as applicable.
- Express written statement as to whether you are aware of the existence of the Beneficial Owner.
- Proof of employment.
Data:
- Home address (Street, Exterior number, Interior number (if applicable), Neighborhood, Postal code, Borough or Alcaldía, Locality, and Federative Entity).
- The information collected from visitors to the Website or the Platform, referred to in subsection I above;
- Contact: full given name(s) and surname(s), telephone numbers, email addresses, and addresses.
- Professional: details regarding your employment, occupation, business activity, or source of income.
- Identity: official identification, nationality, place and date of birth, gender, and biometric data (for proof of life and authentication).
- Credentials: information that may be derived from your official identification, Federal Taxpayer Registry (RFC) key or tax identifier and Unique Population Registry Code (Clave única de Registro de Población) or citizen identification number.
- Patrimonial or financial information: transactional profile, source of income, level of income and/or of your employer, salary, account number, CLABE and the balance, statement, or transactional history associated with your addresses or Wallets, as well as the number and type of Virtual Assets associated with them.
- Geolocation.
- Cryptographic wallet (Wallet) address, biometric details; electronic signature; and any public key you share with us; communications; two-factor authentication (2FA) reset codes.
- Names of family beneficiaries.
- Information about how you use our website.
- Regulatory: information we may request from you under our ALD Policy or legislation on the prevention of transactions involving proceeds of unlawful origin.
III. Foreign natural persons with visitor status or a status other than that set forth in section I of article 12 of the General Rules under the Law, within the meaning of the Migration Law
Documents:
- Passport or current official document with photograph, signature and, where applicable, address, issued by the competent authority of the country of origin, evidencing the nationality of the Client or User.
- Document issued by the National Migration Institute evidencing lawful entry or stay in the country, if available.
- Proof of address in national territory for receipt of correspondence, if the stated address does not match that on the identification or the identification does not contain it. A copy of a utility bill, bank statement (not older than three months), current registered lease agreement, RFC registration certificate, or other document approved by the UIF shall be included.
- Document evidencing powers or incorporation of authority, as applicable.
- Express written statement as to whether you are aware of the existence of the Beneficial Owner.
- Proof of employment.
Data:
- Data of the document used for identification, consisting of: name of the credential; issuing authority; and number thereof.
- Home address (Street, Exterior number, Interior number (if applicable), Neighborhood, Postal code, Borough or Alcaldía, Locality, and Federative Entity).
- Home address in your place of residence, consisting of the following elements: name of the street, avenue, or road in question, duly specified; exterior number and, where applicable, interior number; neighborhood or urbanization; territorial demarcation, municipality, or similar political demarcation, as applicable; city or locality, federative entity, state, province, department, or similar political demarcation, as applicable; postal code and country.
- The information collected from visitors to the Website or the Platform, referred to in subsection I above;
- Contact: full given name(s) and surname(s), telephone numbers, email addresses, and addresses.
- Professional: details regarding your employment, occupation, business activity, or source of income.
- Identity: official identification, nationality, place and date of birth, gender, and biometric data (for proof of life and authentication).
- Credentials: information that may be derived from your official identification, Federal Taxpayer Registry (RFC) key or tax identifier and Unique Population Registry Code (Clave única de Registro de Población) or citizen identification number.
- Patrimonial or financial information: transactional profile, source of income, level of income and/or of your employer, salary, account number, CLABE and the balance, statement, or transactional history associated with your addresses or Wallets, as well as the number and type of Virtual Assets associated with them.
- Geolocation.
- Cryptographic wallet (Wallet) address, biometric details; electronic signature; and any public key you share with us; communications; two-factor authentication (2FA) reset codes.
- Names of family beneficiaries.
- Information about how you use our website.
- Regulatory: information we may request from you under our ALD Policy or legislation on the prevention of transactions involving proceeds of unlawful origin.
PURPOSES OF PROCESSING
1. Primary purposes
- To offer you and enable you to create a Client account through which you may access the Services we provide.
- To identify you, authenticate you, generate your Client file, keep said file up to date, and comply with applicable regulations on the prevention of money laundering, terrorist financing, proliferation of weapons of mass destruction, and tax evasion.
- To identify and keep up to date your profile, your interests, and your transactional history regarding Virtual Assets.
- To collect any outstanding charges you may owe us.
- To perform any contractual obligation we have with you.
- To comply with the provisions of the Federal Law for the Prevention and Identification of Transactions with Proceeds of Unlawful Origin (LFPIORPI) and its regulatory provisions, particularly with respect to the identification of Clients and Users, as well as the generation and filing of Notices before the Financial Intelligence Unit (UIF) through the Tax Administration Service (SAT), in accordance with articles 24, 25, and 27 of the General Rules.
2. Secondary purposes
- To offer you updates, notices, news, promotions, or advertising that may be of interest to you, relating to our own or third parties’ goods or services;
- To assess the quality of our goods or services, your experience as a Client interacting with them, and to enable continuous improvement of the Platform, to analyze the Client’s use of the Platform and profile as a Client, seeking to identify, for example, personal preferences, interests, reliability, behavior, location, among others. Such analysis will then be used to personalize the Client’s experience on the Platform, suggest content, services, and products of interest, among other uses;
- To generate aggregated and anonymous statistical analyses and reports on the operation of the Platform and the services provided through it for our benefit, to conduct satisfaction surveys regarding the Platform and the services provided through it, to research and analyze how to improve the services offered to Clients, as well as to develop and improve the features of the Platform and the services offered to Clients, to generate new products, businesses, or market intelligence for us. We also use information anonymously for statistical purposes to analyze Clients’ behavior and trends, understand how Clients use the Platform, manage and improve the services offered, including the possibility of adding new features and functionality to the Platform. Such information may be shared provided it is pseudonymized; and,
- To use your data for marketing, advertising, or commercial prospecting purposes.
- Implementation of best practices in the preparation of Notices, taking into account guidelines and recommendations issued by the UIF, international organizations, and intergovernmental bodies on the prevention of money laundering and terrorist financing, as provided in article 26 of the General Rules.
You may at any time express your refusal to have your data processed for the secondary purposes by sending us an email to that effect with the subject line “REFUSAL - Personal Data”. The email must attach your official identification, legible, complete, and current. The response and follow-up will be sent to the email address from which you sent the message.
TRANSFERS
We may transfer personal data to (i) our parent, controlling, subsidiary, affiliate, and related companies and, in general, any person or entity belonging to our same group, to the extent such persons operate under the same processes and internal policies regarding personal data processing; (ii) financial institutions to receive or deliver Fiat Currency; (iii) financial institutions that offer products such as life insurance; (iv) providers of fund management and administration services; (v) providers of monitoring, supervision, reporting, and transactional alert generation services; (vi) providers of custody, storage, transfer, liquidity, or promotion services for Virtual Assets; (vii) financial institutions that request information to identify or verify the origin or source of our resources; (viii) supervisory or oversight authorities; and (ix) acquirers of all or part of our business or its assets, as part of a reorganization, merger, spin-off, or purchase.
In that sense, you grant your authorization for Aureo to carry out such transfers in order to provide our Services, access the Platform, and complete transactions the Client wishes to carry out, in particular:
- To detect and investigate fraud, as well as other unlawful activities and possible violations of our Privacy Policy, our General Terms of Use, and applicable law.
- To comply with our legal and/or regulatory obligations. Such obligations may include, for example, tax obligations, obligations regarding the maintenance of technical records, documentation of contracted services, accountability, among others;
- Subcontracted service providers (in the event of subcontracting of the service or resolution of incidents with the services) will have access to Clients’ Personal Data necessary to perform their functions;
- For the provision of services, depending on the geographic area from which Clients request services, certain Clients’ Personal Data may be transferred to our affiliates or related entities for performance of the contracts. Clients are informed that, by accessing, using, or registering on the Platform from any country in which we operate, their Personal Data will be stored in our databases or in third-party databases. In such cases, international transfers of Personal Data will be carried out in accordance with applicable law;
- Clients expressly authorize our affiliates or related entities to access their Personal Data from any territory for the purpose of providing the service requested by the Client;
- Likewise, to commercial and non-commercial third-party partners for use for (a) statistical purposes, provided the data are pseudonymous, and (b) to send commercial communications to Clients, provided such partners comply with applicable law and our Privacy Policy;
- We may engage third parties to assist in the provision of our services, such as cloud storage servers and payment processing platforms, infrastructure providers (servers, hosting, and cloud services) for the proper operation of the Platform, IT service providers and partners related to payment processing, providers who may nevertheless be replaced at any time, provided adequate standards of data security and confidentiality are maintained, as well as an adequate level of personal data protection;
- For the offer, negotiation, request, contracting, acquisition, and/or supply of products and services by third parties necessary for the provision of our services;
- Transfers of Personal Data may occur in the context of an acquisition, sale, merger, corporate reorganization, or other change of control. In such case, it shall be ensured that the natural or legal person that will access or take control of the Personal Data processed under our Privacy Policy is likewise bound by it and by any other applicable rules, ensuring continuity of protection of Personal Data, and Clients shall be notified in advance if such transfer entails any change to our Privacy Policy;
- We may share Personal Data with agencies, authorities, and other governmental entities, as well as with private natural or legal persons in compliance with legal or regulatory obligations; or in the event of a judicial, arbitral, or administrative requirement or summons;
- We may share Personal Data with third parties such as law firms, consultants, collection agencies, accounting firms, and similar entities in order to exercise our own rights or to ensure compliance with and enforcement of our Privacy Policy and Terms of Use.
If you do not agree to the transfer of your data on the terms set forth above, send us an email to that effect with the subject line “REFUSAL - Personal Data”.
CONSENT
As the holder of your personal data, you acknowledge that:
- You have read and understood this privacy notice;
- You grant your free, prior, express, unambiguous, informed, and, where applicable, written consent in accordance with the LPD regarding the processing of your personal data on the terms set forth herein, including the transfers referred to in the preceding section;
- Use of the website, social media, and applications or programs we have developed constitutes tacit confirmation of your consent to the provisions of this privacy notice. If you do not consent to the processing of your personal data on the terms described in this document, refrain from using said websites, social networks, and applications and remove them from your device immediately.
- By the very nature of distributed ledger technologies (“DLTs”) and blockchain, all transactions you carry out with your Wallet are permanently and immutably recorded and Aureo is not able to modify, reverse, or delete such transactions. Your consent to this privacy notice implies your acceptance of this fact and its implications, as well as acceptance of the fact that your rights of rectification, cancellation, and objection (referred to below) will be limited to data that have not been recorded on a DLT or blockchain.
You may revoke your consent at any time. To do so, you must send us an email that must attach your current, legible, complete official identification and any other requirements that correspond in accordance with the LPD. The response and follow-up to your request will be sent to the email address from which you sent the message.
If you wish to limit the use or disclosure of any of your data, you must send us an email in which you include the personal data whose processing you wish to limit, the reasons you wish to limit them, as well as your official identification. If your request is appropriate, we will register you on our exclusion list.
ARCO RIGHTS
Under applicable law and this privacy notice, you have the right to: (i) know what personal data we process and the purposes of such processing, among others (right of access); (ii) request correction of your personal data if they are outdated, inaccurate, or incomplete when omission, error, or falsehood has been noted, among others (right of rectification); (iii) request that your personal data be erased from our records or databases when you consider they are not being used appropriately, among others (right of cancellation or erasure); and (iv) object to the use of your personal data for specific purposes (right of objection), and any other right that corresponds under the LPD (collectively, the “ARCO” rights).
ARCO rights may be exercised at any time by sending an email to which you must attach your complete, current, legible official identification.
The email must bear the subject line “Exercise of ARCO Right” and must include the following information and documentation:
- Your full name and the email address at which you wish us to communicate the response;
- Your current official identification and, where applicable, documents evidencing legal representation of the data subject;
- Express mention of the right you wish to exercise and, where applicable, a clear and precise description of the personal data involved;
- A description of the grounds that support or justify the exercise of the relevant ARCO right; and
- Any other element or document that facilitates follow-up to your request.
Where appropriate, we will respond to your request by email to the address you designate for that purpose, within the timeframes set forth in applicable law for such rights.
In the case of the right of access, we will attach to the response email the electronic documents containing the information you requested, in any format that allows us to export from our databases the information you requested.
COOKIES
Cookies are a function of web browser software that allows web servers to recognize the device used to access a particular website. A cookie is a small text file downloaded to your device when you visit a site that allows that site to remember your actions and preferences (login, language, font size, and other display preferences) over time, so that you do not have to adjust them again when you return.
By using our Website or Platform you manifest your consent to the processing of cookies, web beacons, and other automatic technologies. If you do not agree with the foregoing, you may update your browser, explorer, or device settings to block or delete cookies, but note that doing so may affect the way our Website or Platform is displayed on your device, and note that some cookies are strictly necessary for their proper operation.