Privacy Statement for IBVM Token

Effective Date: 20 November, 2025

Last Updated: 20 November, 2025

This Privacy Statement ("Statement") explains how IBVM Global Foundation Inc., a Montana Nonprofit Mutual Benefit Corporation, with its principal office at 1001 S. Main St., STE 500, Kalispell, MT, United States of America (the "Foundation"), a non-profit entity responsible for the issuance of IBVM Token, and IBVM Inc., a Delaware corporation (the "Company"), a for-profit entity responsible for operating the IBVM Network blockchain (the "Network"), collect, use, store, and protect personal information ("Personal Data") across all jurisdictions in which IBVM Token is used.

We are committed to respecting your privacy and complying with all applicable data protection and privacy laws globally, including but not limited to:

  • The EU General Data Protection Regulation (GDPR)
  • The UK Data Protection Act 2018 (UK GDPR)
  • The Nebraska Data Privacy Act (NDPA)
  • The Texas Data Privacy and Security Act (TDPSA)
  • The Australian Privacy Act 1988 (APPs) and Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act)
  • The Personal Data Protection Act (PDPA) of Singapore
  • The Personal Data Protection Act (PDPA) of Malaysia
  • The Personal Data Protection Act of Thailand (B.E. 2562)
  • The Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO) of Hong Kong
  • The Prevention of Money Laundering Act, 2002 (PMLA) and Digital Personal Data Protection Act 2023 of India
  • Indonesia's Law No. 8 of 2010 on Prevention and Eradication of Money Laundering
  • The UAE Federal Decree-Law No. 45 of 2021 (Personal Data Protection Law) and Federal Decree-Law No. 20 of 2018 (AML/CFT)
  • The Saudi Arabian Personal Data Protection Law (PDPL) and Saudi Central Bank (SAMA) AML regulations
  • Any other equivalent data protection regulations in jurisdictions where IBVM Token is available.

By using IBVM Token or engaging with the Network, you acknowledge that you have read and understood this Privacy Statement.

1. Data We Collect

We may collect the following categories of Personal Data:

(a) Information You Provide Directly

  • Contact details (e.g., name, email address, or communication handle)
  • Know Your Customer (KYC) information collected to comply with anti-money laundering (AML) and counter-terrorism financing (CTF) obligations in applicable jurisdictions
  • Information shared via support inquiries, community interactions, or governance participation
  • Information voluntarily provided in forms or registrations managed by the Foundation or Company

(b) Automatically Collected Data - Blockchain Data

Technical Information: IP address, browser type, operating system, device ID, and access times

Blockchain Data: The Network utilizes zero-knowledge (ZK) rollup technology to protect user privacy while maintaining transaction integrity. On-chain blockchain records contain:

  • Transaction data verified through zero-knowledge cryptographic proofs
  • Smart contract interactions that prove validity without revealing participant identities
  • Pseudonymous transaction identifiers

These on-chain records do NOT contain personally identifiable information. The zero-knowledge proof system ensures that:

  • Transaction validity can be verified without revealing the identity of participants
  • On-chain data cannot be linked to specific individuals without access to separately-stored off-chain identity data
  • Personal data is effectively rendered anonymous on the blockchain through cryptographic commitments and encryption

While transaction records are permanently stored on the blockchain and publicly visible, they are cryptographically anonymized in compliance with GDPR's requirement that controllers must ensure personal data stored on blockchain can be effectively rendered anonymous.

Cookies and Similar Technologies: Used for analytics, security, and improving user experience (see Section 9)

(c) Third-Party Sources

We may receive the following categories of data from lawful third-party sources:

  • KYC/AML verification data from identity verification service providers (such as name, date of birth, address, identification documents, verification status)
  • Transaction monitoring data from compliance and security service providers (such as risk scores, sanctions screening results, transaction patterns)
  • Analytics data from blockchain analytics platforms (such as wallet addresses, transaction volume, on-chain behavior patterns)
  • Exchange integration data when you use IBVM Token on third-party exchanges (such as deposit/withdrawal records, trading activity)

These third-party sources help us maintain network security, prevent fraud, and comply with regulatory obligations.

2. How We Use Your Data

We process Personal Data for the following purposes:

To Operate the Network and Provide Services:
To enable IBVM Token transactions, support governance processes, and maintain technical performance.

To Ensure Security and Prevent Fraud:
To monitor for suspicious activity, prevent unauthorized access, and maintain system integrity.

To Comply with Legal Obligations:
Including Anti-Money Laundering (AML), Know Your Customer (KYC), Counter-Terrorism Financing (CTF), taxation, and regulatory requirements across all jurisdictions where we operate.

To Communicate with You:
To respond to inquiries, send updates, or notify you about governance or policy changes (you may opt out of non-essential messages).

To Improve the Ecosystem:
To understand usage patterns and develop better user experiences.

We process data based on one or more of the following lawful bases: consent, contractual necessity, legitimate interests, legal obligation, or public interest.

3. Overview of purposes, data categories and legal bases

Annex 1 to this Privacy Statement gives an overview of the purposes, data categories and legal bases applicable under the GDPR, together with the recipients, the retention periods, whether providing the respective personal data is a statutory or contractual requirement or is voluntary, and the consequences of not providing the personal data.

4. Global Data Protection Principles

We adhere to the following privacy principles recognized across major legal frameworks:

  • Lawfulness, Fairness, and Transparency – We process data in accordance with applicable law and clearly communicate how and why we use it.
  • Purpose Limitation – We only collect and use data for specific, lawful purposes.
  • Data Minimization – We collect the minimum data necessary to achieve those purposes.
  • Accuracy – We take reasonable steps to keep data accurate and up to date.
  • Storage Limitation – We retain data only for as long as necessary or legally required.
  • Integrity and Confidentiality – We implement appropriate technical and organizational measures to secure your data.

5. How and When We Share Data

We may share Personal Data only as necessary and in compliance with applicable laws:

With Service Providers: We share data with third-party service providers who help us operate the Network, including:

  • Cloud infrastructure providers (such as AWS, Google Cloud, or Azure) for data storage and computing
  • KYC/AML verification service providers for identity verification and compliance screening
  • Blockchain analytics and security monitoring providers for fraud prevention and risk assessment
  • Payment processors for transaction facilitation
  • Customer support platforms for managing user inquiries

These service providers are contractually obligated to protect your data and use it only for the specified purposes.

With Regulators or Law Enforcement: When required by applicable law or lawful request, we may share data with regulatory authorities, law enforcement agencies, tax authorities, or other governmental bodies.

With Your Consent: When you explicitly agree to data sharing (e.g., for governance participation, event registrations, or third-party integrations).

Blockchain Transparency:

Because the Network operates on blockchain technology, certain transaction data is recorded on-chain and is publicly visible. However, we have implemented zero-knowledge (ZK) rollup technology to comply with GDPR requirements regarding blockchain data:

  • On-chain data is cryptographically anonymized through zero-knowledge proofs, making it impossible to identify individuals from blockchain records alone
  • Personal identifiers are NOT stored on the blockchain
  • The connection between on-chain transactions and individual identities is maintained exclusively in encrypted off-chain databases
  • In the event of an erasure request, we delete the off-chain linkage data, effectively rendering the on-chain transaction data anonymous and unattributable to any individual
  • This approach ensures compliance with GDPR Article 17 (right to erasure) by making personal data "effectively anonymous" as permitted under GDPR Guidelines 02/2025 on blockchain technologies

While on-chain transaction data itself is immutable and permanent, the cryptographic anonymization and deletion of identity linkages ensures that such data can no longer be considered "personal data" under GDPR once the off-chain connections are removed.

6. Cross-Border Data Transfers

We operate globally and may transfer Personal Data across borders to jurisdictions that may not provide the same level of data protection as your home country. Personal data may be transferred to and processed in the following countries:

  • United States of America
  • Singapore
  • Hong Kong
  • Malaysia
  • Indonesia
  • India
  • Thailand
  • United Arab Emirates
  • Saudi Arabia
  • Australia
  • European Union member states

When we transfer data internationally, we use recognized legal mechanisms such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission under the GDPR
  • UK International Data Transfer Agreements (IDTAs)
  • Binding Corporate Rules (BCRs)
  • Adequacy decisions by the European Commission or UK (where applicable)
  • Other lawful transfer mechanisms under applicable privacy laws

If you would like to receive a copy of the implemented safeguards, please contact us via the methods described in Section 14 "Contact Information."

In exceptional cases we may rely on a statutory exception permitting an international transfer in the absence of safeguards, where:

  • You have explicitly consented to the proposed transfer after having been informed of the possible risks of such transfers due to the absence of an adequacy decision and appropriate safeguards pursuant to Art. 49 (1) lit. a) GDPR;
  • The transfer is necessary for the performance of your contract with us or the implementation of pre-contractual measures taken at your request pursuant to Art. 49 (1) lit. b) GDPR;
  • The transfer is necessary for the conclusion or performance of a contract concluded in your interest between us and a third party pursuant to Art. 49 (1) lit. c) GDPR;
  • The transfer is necessary for the establishment, exercise or defence of legal claims pursuant to Art. 49 (1) lit. e) GDPR.

7. Data Retention

We retain Personal Data only as long as necessary for the purposes stated in this Statement, unless a longer period is required or permitted by law. Our retention practices distinguish between on-chain and off-chain data:

Off-Chain Personal Data:

KYC and Customer Verification Records: We retain these records to comply with anti-money laundering (AML) and counter-terrorism financing (CTF) regulations in the jurisdictions where we operate. Retention periods vary by jurisdiction and begin when your account is closed or our business relationship ends:

  • Australia: 7 years (AML/CTF Act 2006)
  • Saudi Arabia: 10 years (SAMA AML Regulations)
  • Hong Kong: 6 years (AMLO)
  • Malaysia: 6 years (AMLATFA)
  • United States: 5 years (Bank Secrecy Act / USA PATRIOT Act / FinCEN regulations)
  • Singapore: 5 years (MAS AML/CFT Notice)
  • Indonesia: 5 years (Law No. 8 of 2010)
  • India: 5 years (Prevention of Money Laundering Act 2002)
  • Thailand: 5 years (Anti-Money Laundering Act B.E. 2542)
  • UAE: 5 years (Federal Decree-Law No. 20 of 2018)

Where multiple jurisdictions apply to your account, we apply the longest applicable retention period to ensure full regulatory compliance. After the required retention period expires, KYC data will be securely deleted or anonymized unless we are legally required to retain it for longer (e.g., for ongoing legal proceedings or regulatory investigations).

Accounting and Tax Records: Retained for the period required by applicable tax and corporate laws in each jurisdiction where we operate, typically 5-10 years depending on local requirements.

Customer Support and Communication Records: Retained for 3 years after the closure of your inquiry or last interaction, unless a longer period is required for legal compliance or dispute resolution.

Marketing and Analytics Data (where consent-based): Retained until you withdraw consent or for 2 years of inactivity, whichever comes first.

On-Chain Blockchain Data:

Transaction records on the blockchain are permanent and immutable. However, as explained in Section 1(b), this on-chain data is anonymized through zero-knowledge cryptographic proofs and does not contain personally identifiable information.

The connection between on-chain transactions and your identity exists only in our off-chain databases. When we delete or anonymize your off-chain identity data (either at your request or after the legal retention period expires), the on-chain transaction data can no longer be attributed to you and therefore no longer constitutes "personal data" under applicable privacy laws.

This approach complies with GDPR requirements as outlined in the European Data Protection Board's Guidelines 02/2025 on blockchain technologies, which permit storing data on blockchain where it is "done in a way that allows for the effective prevention of identification of the data subjects."

Criteria for Determining Retention Periods:

We determine appropriate retention periods based on:

  • The purpose for which the data was collected
  • Legal and regulatory requirements in applicable jurisdictions
  • The nature and sensitivity of the data
  • Whether we have an ongoing relationship with you
  • Whether retention is necessary for the establishment, exercise, or defense of legal claims
  • Industry best practices for similar data types

8. Your Rights

Depending on your jurisdiction and subject to the limitations under applicable data protection law, you may have the following rights:

Right to Access: The right to obtain confirmation as to whether Personal Data relating to you are being processed by us and, where that is the case, the right to access the Personal Data relating to you and receive a copy thereof.

Right to Rectification: Correct inaccurate or incomplete data.

Right to Erasure: Request deletion of personal data we control. Please note:

  • We can delete or anonymize off-chain personal data (such as KYC records) after applicable legal retention periods expire
  • On-chain blockchain data is immutable, but it is cryptographically anonymized and cannot be linked to your identity once we delete the off-chain linkage data
  • We cannot erase data where we have a legal obligation to retain it (such as KYC records during the required retention period)

Right to Restrict: Restrict our processing of your Personal Data under certain circumstances.

Right to Object: You have the right to object, on grounds relating to your particular situation, at any time to the processing of Personal Data concerning you based on legitimate interest or for the performance of a task carried out in the public interest. You have the right to object to the processing of your Personal Data for direct marketing purposes at any time without stating grounds relating to your particular situation.

Right to Data Portability: If Processing is based on your consent or on a contract, and the processing is carried out by automated means, you have a right to receive the Personal Data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from us.

Right to Withdraw Consent: Where consent is the legal basis for processing, you may withdraw your consent at any time with effect for the future. The withdrawal of consent will not affect the lawfulness of processing based on your consent before its withdrawal.

Automated Decision-Making:

We do not currently engage in automated decision-making under Art. 22 GDPR that produces legal or similarly significant effects concerning you. If this changes in the future, we will update this Privacy Statement and provide you with information about the logic involved, as well as the significance and envisaged consequences of such processing.

To exercise any of these rights, please contact us via the methods described in Section 14. You also have the right to lodge a complaint with your local data protection authority, such as:

  • EU: Contact the supervisory authority in your EU Member State
  • UK: Information Commissioner's Office (ICO)
  • Australia: Office of the Australian Information Commissioner (OAIC)
  • Singapore: Personal Data Protection Commission (PDPC)
  • Malaysia: Personal Data Protection Department
  • Thailand: Personal Data Protection Committee (PDPC)
  • Hong Kong: Office of the Privacy Commissioner for Personal Data (PCPD)
  • India: Data Protection Board (under Digital Personal Data Protection Act 2023)
  • Indonesia: Ministry of Communication and Information Technology
  • UAE: UAE Data Office
  • Saudi Arabia: Saudi Data and Artificial Intelligence Authority (SDAIA)

9. Cookies and Similar Technologies

A cookie is a small text file that is stored by your browser when you visit a website. We use three types of cookies: strictly necessary cookies, performance cookies and targeting cookies.

You can manage or disable cookies at any time by adjusting your browser settings and at our Cookie Consent Tool. However, if you do not accept cookies, you may not be able to use some portions of our website.

The table below lists the cookies we use on our website:

Type/Category | Name | Host | Purpose | Duration
--- | --- | --- | --- | ---
Third-Party/Analytics | Google Analytics (_ga, _gid) | Google.com | Track and analyze traffic patterns | 1-2 years
Strictly Necessary | IBVM_Session | ibvm.network | Essential for website functionality | Session
Functional | UserPreferences | ibvm.network | Stores user preferences | 1 year
Strictly Necessary | CookieConsent | ibvm.network | Records cookie consent preferences | 1 year
Performance | Hotjar (_hjid) | Hotjar.com | Heat mapping and analytics | 1 year
Strictly Necessary | CSRF-Token | ibvm.network | Prevents cross-site request forgery | Session

Note: Complete this table with all cookies currently in use. Implement a Cookie Consent Tool for user management.

10. Security

We employ administrative, technical, and organizational safeguards to protect Personal Data against loss, theft, misuse, unauthorized access, disclosure, or alteration. However, due to the decentralized nature of blockchain technology, no system can guarantee complete security.

11. Children's Privacy

IBVM Token and the Network are not directed to individuals under 18. We do not knowingly collect or process data from minors. If we learn that we have inadvertently collected such data, we will delete it promptly.

Blockchain and Minors' Data: In the event we discover that a minor's information has been inadvertently collected, we immediately delete all off-chain personal data linking the minor's identity to any on-chain transactions. Since on-chain transaction data is cryptographically anonymized and contains no personally identifiable information, once the off-chain identity linkage is deleted, the remaining on-chain data cannot be attributed to the minor. This effectively removes the minor's personal data from our systems in compliance with applicable law.

12. Additional Information for Residents of Australia

For eligible residents of Australia, you may also have rights with respect to the personal information that we collect about you.

Compliance: We comply with the Privacy Act 1988 (Cth) including the Australian Privacy Principles, and applicable state/territory laws.

International Data Transfers: Your Personal Information may be held and processed overseas in: United States, Singapore, Hong Kong, Malaysia, Indonesia, India, Thailand, United Arab Emirates, Saudi Arabia, and EU member states.

13. Additional Information for Residents of Nebraska and Texas

Your rights include: Right to Know/Access, Right to Delete, Right to Correct, Right to Opt Out, Right to Appeal, and Right to Non-Discrimination.

Targeted Advertising: We may share information with third parties for targeted advertising as described in Section 9. You can opt out via our Cookie Consent Tool.

Profiling: We do not engage in profiling that produces legal or similarly significant effects.

14. Contact Information

Foundation Privacy Contact:

[Name: Albert Dadon]

[Email: albertd@ibvmfoundation.org]

[Address: Office 2069, Regus Business Center, 3800 North Lamar Blvd, Austin, Texas, 78756, USA]

Company Privacy Contact:

[Name: Albert Dadon]

[Email: info@ibvmfoundation.org]

[Address: Office 2069, Regus Business Center, 3800 North Lamar Blvd, Austin, Texas, 78756, USA]

15. Updates to This Privacy Statement

We may update this Statement periodically. Updates will be effective as of the Last Updated date.

Annex 1

GDPR Overview of purposes, data categories and legal bases

Purpose | Personal data | Legal basis | Recipients | Retention | Necessity
--- | --- | --- | --- | --- | ---
KYC/AML Compliance | Name, DOB, address, ID documents | Art. 6(1)(c) GDPR (Legal Obligation) | KYC providers / SCCs | 5-10 years by jurisdiction | Mandatory - Required by law
Customer support | Name, email, inquiry details | Art. 6(1)(f) GDPR (Legitimate Interest) | Support platforms / SCCs | 3 years after closure | Voluntary
Network operations | Wallet associations, IP, transaction metadata | Art. 6(1)(b) GDPR (Contract) | Cloud providers / SCCs | 3 years after last transaction | Necessary for service
Security and fraud prevention | IP, device ID, transaction patterns | Art. 6(1)(f) GDPR (Legitimate Interest) | Security providers / SCCs | 2 years | Essential for security
Marketing communications | Email, name, preferences | Art. 6(1)(a) GDPR (Consent) | Email providers / SCCs | Until consent withdrawn | Voluntary
Website analytics | IP, browser data, usage data | Art. 6(1)(a) GDPR (Consent) | Analytics providers / SCCs | 14 months | Voluntary - cookie settings
Legal compliance | All categories as needed | Art. 6(1)(c) or (f) GDPR | Legal advisors, regulators | Duration of matter + limitations | Required for legal compliance

Note: This table must be completed with ALL processing activities. Expand for full compliance.