Privacy Policy
Last updated: 15th September 2025
Chapter 1 – Preliminary
1.1 Overview of RULES and the Platform
Rules Holdings BVI Ltd. (“RULES”) is a company established in the BVI and licensed and regulated by the Financial Services Commission (“FSC”) to provide:
1. “Virtual Asset Exchange”; and
2. “Virtual Asset Custody Service”;
in relation to “Accepted Virtual Assets” in or from the BVI (as provided under the Virtual Asset Service Provider Act, 2022) through its Platform.
1.2 Defined terms and interpretation
Unless the context requires otherwise, capitalised terms are defined terms and shall have the meanings set out in the Glossary in Schedule 1 of this Privacy Policy.
1.3 Purpose and scope of this Privacy Policy
This Privacy Policy is issued by RULES in compliance with the relevant data protection laws and regulations, including:
(a) the Virgin Islands Data Protection Act 2021 (“the BVI Law”);
(b) the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados – “LGPD”);
(c) the General Data Protection Regulation (“GDPR”); and
(d) Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“PDPL”).
This Privacy Policy governs RULES’s processing of the Personal Data of Users and any relevant natural person (such as potential clients) collected in connection with the use of any of the Services. The purpose of this Privacy Policy is to inform Data Subjects about how RULES, as the Controller of their Personal Data, may Process Personal Data in line with the relevant laws and regulations.
This Privacy Policy, as amended from time to time and published on the Website, applies to and is binding on (i) all Data Subjects who access or use the Website; and (ii) all Users of the Platform pursuant to the User Agreement; continued use of the Website, Platform or API by any of the foregoing or their Authorised Representative(s) constitutes acknowledgement and consent to this Privacy Policy as amended.
1.4 Competent Authorities and applicable data protection laws
In Processing Personal Data, RULES as a Controller established in the BVI will ensure compliance primarily with the BVI DP law as administered by the BVI Office of the Information Commissioner. Given the Platform’s global reach, RULES may also be required to comply with other applicable DP laws (such as the PDPL and the GDPR) where Data Subjects are located outside of the BVI.
Chapter 2 – When, What and Why RULES Processes Personal Data?
2.1 When RULES Processes Personal Data
RULES processes Personal Data provided directly by a Data Subject or generated/obtained through third parties during operation of the Platform, including when a Data Subject:
(a) applies to open an account with RULES;
(b) uses any of the Services (e.g., transacting on the Platform); and
(c) visits or uses the Website or the API.
2.2 Which categories of information does RULES Process?
RULES processes the following categories of information which may contain Personal Data (illustrative examples only):
| Categories of User Information | Examples |
|---|---|
| Identifying Data | (a) Name(s)/alias(es) including maiden name (b) Gender (c) Nationality (d) Date of birth (e) Official documents: passport, national ID, driver’s license, visa (f) Proof of address (g) Facial image (h) Signature/seal/stamp |
| Personal Information | (a) Physical/Billing address(es) (b) Telephone number(s) (c) Email address(es) (d) Tax IDs (CPF, CNPJ, TIN) (e) Mother’s/Father’s name (where applicable) |
| Compliance Data | (a) Information for risk assessment, background/sanctions checks, or Financial Crime investigations (b) Employment Status (c) Proof of source of funds/wealth (d) Employment details (e) Tax forms/declarations |
| Financial Data | (a) Bank/brokerage account details (b) Payment card details (c) Balances (d) Employment details (e) Estimated monthly income |
| Marketing Data | (a) Communication preferences (b) Marketing material preferences (c) Contact consent(s) (d) Survey inputs |
| Transactional Data | (a) Payment details (b) Transaction details on Services/Platform/Website/API |
| Technical Data | (a) IP, ISP/carrier, browser/device/OS info (b) Time zone, location, language (c) Logs (d) Any content you grant access to (e) Cookies/other tokens |
| Usage Data | (a) Platform access credentials/client number (b) Product/service requests, interests, preferences, feedback, surveys |
RULES does not process Sensitive Personal Data about Users unless it is necessary for performing or exercising obligations or rights. RULES may use information relating to criminal convictions where permitted by law and where necessary to carry out statutory obligations.
2.3 Why does RULES Process Personal Data?
RULES Processes Personal Data only for legitimate and lawful purposes, including where RULES:
(a) Processes with the Data Subject’s consent;
(b) performs the User Agreement or takes steps at a Data Subject’s request prior to entering into the User Agreement;
(c) must comply with legal and regulatory obligations (e.g., AML/CFT requirements);
(d) protects vital interests of the Data Subject or another person; or
(e) defends legal/regulatory proceedings or complies with lawful requests by Competent Authorities.
If a Data Subject fails to provide required information, RULES may be unable to perform a contract or comply with legal obligations. Some information requested may therefore be obligatory.
Chapter 3 – How RULES Collects Personal Data
3.1 How does RULES collect Personal Data directly from a User?
RULES may collect Personal Data directly, including when a Data Subject:
(a) applies for the Services;
(b) completes application forms;
(c) provides information while using the API or Website;
(d) transacts on the Platform; or
(e) responds to requests for information or makes notifications to RULES.
3.2 How does RULES collect Personal Data from third parties?
RULES may collect Personal Data about a Data Subject from:
(a) law enforcement and government/judicial bodies;
(b) public records (e.g., company registers);
(c) paid-for information aggregators or due diligence/compliance providers;
(d) other Data Subjects (e.g., referrals); or
(e) publicly accessible sources, including the internet.
Such collection is mainly for legal/regulatory compliance (e.g., AML CDD), investigations, marketing, or service improvement.
3.3 How does RULES automatically collect Personal Data?
RULES may collect Personal Data automatically when a Data Subject uses the API or Website, for example through cookies, server logs or similar technologies. Information collected automatically typically relates to Technical and Usage Data and is anonymised in aggregate; however, some instances may contain Personal Data.
Chapter 4 – How RULES Transfers Personal Data
4.1 Who does RULES transfer Personal Data to?
RULES may transfer Personal Data to third parties to fulfil contractual obligations with the User, including:
(a) other members of the RULES group;
(b) agents (contractors, professional advisors, auditors, personal data processors);
(c) law enforcement and authorities (including for legal proceedings); and
(d) other third parties in an aggregated or anonymised form where identification is not reasonably possible.
Regarding Users, such transfers are mainly done on the basis of consent (which may be withdrawn in accordance with this Privacy Policy) or other lawful grounds under applicable law.
4.2 Where does RULES transfer Personal Data to?
RULES may transfer Personal Data outside of the BVI. RULES will only do so where adequate safeguards exist or where there is valid consent or another lawful basis. Where applicable, RULES will follow any lists of “adequate” jurisdictions published by Competent Authorities.
4.3 How does RULES ensure Personal Data is protected when transferred to a jurisdiction that is not deemed to be adequate?
Where RULES transfers Personal Data to jurisdictions without an adequacy determination, RULES will implement appropriate safeguards which may include:
(a) obtaining permission from the relevant Competent Authority for the transfer;
(b) contractual clauses requiring appropriate protection and oversight; and/or
(c) use of Standard Contractual Clauses or equivalent instruments.
4.4 Does RULES guarantee the secure transmission of Personal Data?
RULES cannot guarantee that transmission of Personal Data over the internet is totally secure; transfers are at the User’s own risk. RULES nonetheless implements reasonable measures to mitigate risks and keep electronic communications safe.
Chapter 5 – How RULES Stores Personal Data
5.1 How does RULES ensure Personal Data is safely stored?
RULES employs industry-standard measures validated by the Chief Information Security Officer, including (but not limited to): password-protected directories, transport security (e.g., HTTPS/TLS), and secure cloud controls. Users are responsible for safeguarding their account credentials and must notify RULES immediately in case of suspected compromise. Multi-factor authentication is used to mitigate password compromise risks.
5.2 For how long?
RULES retains Personal Data for as long as necessary for the legitimate purpose for which it was collected and to comply with legal/regulatory requirements. Where Personal Data is no longer needed, RULES will securely destroy or irreversibly anonymise it. In certain cases, RULES may anonymise data such that it is no longer Personal Data and may continue to use it without further notice.
Chapter 6 – What Are the Rights of a User under the DP Laws and Regulations
6.1 Right of access
A Data Subject may request access to and a copy of their Personal Data processed by RULES.
6.2 Right to rectification
A Data Subject may request correction or update of inaccurate/incomplete Personal Data.
6.3 Right to erasure
A Data Subject may request deletion of Personal Data where it is no longer necessary for the purpose collected and where RULES has no continuing legal obligation. If a User closes its account, RULES marks the account “closed” and may retain certain information (including the request) for up to seven years for fraud prevention and legal compliance. No Personal Data will be used/shared except to prevent fraud or meet legal requirements.
6.4 Right to restrict Processing
A Data Subject may request restriction/suspension of Processing where:
(a) the Processing is for direct marketing purposes;
(b) RULES’s use is unlawful;
(c) the Data Subject requires retention to establish, exercise or defend legal claims; or
(d) the Data Subject has objected to the Processing.
6.5 Right to data portability
A Data Subject may request to receive or transmit Personal Data in a commonly used machine-readable format, including to a third party where technically feasible.
6.6 Right to object to Processing and Automated Processing
A Data Subject may request not to be subject to decisions based solely on automated processing (including profiling) that produce legal effects or similarly significant effects.
6.7 Right to obtain information on Processing
A Data Subject may obtain information about Processing, including purposes, categories of data, recipients, and storage periods. RULES meets this obligation through this Privacy Policy.
Chapter 7 – How a User May Exercise Their Rights
7.1 How to opt out or withdraw consent?
A Data Subject may withdraw consent via (a) an online link on the API/Website; or (b) by emailing [email protected]. Even after withdrawal, RULES may continue Processing if another lawful basis applies.
7.2 How to exercise other rights?
A Data Subject may exercise rights under Chapter 6 at any time. RULES will act as soon as possible and within thirty (30) days of receipt. The CEO may extend the time limit (with notice) where meeting the original deadline would unreasonably interfere with operations, consultations are required, or additional time is needed for format conversion.
7.3 How to complain to RULES?
Complaints about Processing may be sent to [email protected]. A Data Subject may also file a formal complaint with the Office of Data Protection.
Chapter 8 – Communication with Data Subjects
8.1 Reporting of breaches
In the event of a data breach (subject to legal obligations), RULES will endeavour to inform Data Subjects and the relevant Competent Authority. Notifications may include: (a) nature/time of the breach; (b) data compromised; (c) actions taken by RULES; and (d) suggested protective actions for Data Subjects.
8.2 Means of notification
Communications from RULES under this Privacy Policy may be provided via:
(i) a Notice through/posted on the API or Website;
(ii) email to the Data Subject’s address on record; or
(iii) any other electronic means notified by RULES.
Communications are deemed received when sent by RULES.
Communications to RULES shall use the means made available on the Platform, Website, API, or email, as directed by RULES. Communications on the Platform between Users are monitored.
8.3 Communication with Regulator
Where a personal-data breach is likely to have a material impact on clients or on the Firm’s regulatory compliance, the Firm will notify the Financial Services Commission without delay. Notifications to the Commission and to affected clients will be factually consistent, with regulatory reports formatted for the Commission and client notices written in clear, accessible language.
8.4 English language requirement
All communications between a Data Subject and RULES shall be in English. Any document or information required to be provided by a Data Subject to RULES, or by RULES to a Data Subject, must be in English.
Chapter 9 – Amendment of this Privacy Policy
RULES may amend this Privacy Policy by publishing the amended policy on www.bumba.global. RULES will send a Notice of the update along with a link to the updated Privacy Policy.
Schedule 1 – Glossary and Interpretation
Interpretation
Glossary
| Term | Meaning |
|---|---|
| BVI | British Virgin Islands |
| Standard Contractual Clauses | Model contracts for transfer of personal data from the EU to third countries adopted by the European Commission. |
| RULES | Rules Holdings BVI Ltd., company number 1970684, including affiliates. |
| BVI DP law | Virgin Islands Data Protection Act 2021 (and regulations), as amended. |
| AML | Anti-money-laundering (including counter-terrorist financing). |
| API | Application Programming Interface to operate an Account without using the Website. |
| Authorised Representative | A representative authorised to operate a User’s Account or, as context requires, a Data Subject’s authorised representative. |
| Business Day | A day other than Saturday/Sunday on which banks in the BVI and Brazil are generally open. |
| Competent Authority | Any regulatory, judicial, law-enforcement or public authority (inside/outside BVI) with jurisdiction over RULES’s processing of Personal Data. |
| Data Controller | Has the meaning in the BVI DP law. |
| Data Subject | A natural person (living or deceased) whose Personal Data is processed by RULES, including Users and potential clients. |
| DP Laws and Regulations | Relevant data protection laws applicable to RULES’s Processing, including the BVI Law, LGPD, GDPR and PDPL. |
| Financial Crime | Money laundering, terrorist financing, sanctions evasion, tax evasion, bribery/corruption, and behaviour that may amount to Market Abuse as defined by FATF and applicable laws. |
| GDPR | Regulation (EU) 2016/679, as amended. |
| Information Commissioner | The authority in the BVI tasked with administering the BVI DP law. |
| Notice | A communication from RULES made using appropriate means. |
| Personal Data | Any information in respect of commercial transactions that is processed or intended to be processed by automated means or forms part of (or is intended to form part of) a relevant filing system and relates to an identified or identifiable Data Subject, including Sensitive Personal Data and expressions of opinion. |
| Platform | The multilateral trading facility operated by RULES. |
| Privacy Policy | This RULES policy for processing Users’ personal data when providing the Services. |
| Processing | Any operation on Personal Data, including collection, recording, storage, use, disclosure, alignment, combination, correction, erasure or destruction. |
| Services | The services provided by RULES to its Users under the User Agreement. |
| Sensitive Personal Data | Personal Data about health, sexual orientation, political opinions, religious or similar beliefs, criminal convictions/charges, or other categories prescribed by law. |
| User | A person admitted to trading on the Platform. |
| User Agreement | The agreement between RULES and a User for the provision of Services. |
| Website | The RULES website providing an interface to access the Platform and Notices and other functionality. |