Privacy Policy
3-102-965053 Sociedad de Responsabilidad Limitada, trading as Newrails International Limited
Effective from: July 1, 2026
1. Introduction and scope
This Privacy Policy ("Policy") describes how 3-102-965053 Sociedad de Responsabilidad Limitada, corporate identification number 3-102-965053, with its registered office at Avenida Siete, Calle Veintinueve, Edificio 2910, Centro Corporativo AG, Barrio Escalante, Carmen, San José, Costa Rica, trading as Newrails International Limited ("Company", "we", "us") processes personal data in connection with the provision of virtual asset custody, exchange, and transfer services through the Newrails platform (www.newrails.xyz).
The Company is a responsible party within the meaning of the Law on the Protection of Individuals with regard to the Processing of their Personal Data (Law No. 8968) and its regulations ("Law No. 8968").
This Policy applies to personal data of the Company's clients and their representatives in connection with the services described in the Company's Terms and Conditions. It does not apply to services provided by Newrails UAB, the affiliated electronic money institution operating the Newrails platform (the "Affiliated EMI") — those are governed by the Newrails UAB Privacy Policy.
Contact for personal data matters: info@newrailsintl.com
2. How we receive your personal data
We collect personal data in the following ways:
- Data received from the Affiliated EMI — under the Master Intercompany Services Agreement, we receive KYB/KYC identification data, risk profile data, and account information collected by the Affiliated EMI during client onboarding and in the course of the business relationship.
- Data generated through use of services — transaction records, wallet addresses, on-chain activity.
- Data from third-party sources — blockchain analytics providers (for transaction screening and wallet risk assessment), public sanctions and PEP databases.
3. Purposes, legal bases, and retention periods
We process personal data for the following purposes:
3.1. Provision of virtual asset services
| Purpose | Providing virtual asset custody, exchange, and transfer services |
| Data subjects | Clients and their representatives |
| Personal data | Name, contact details, wallet addresses, transaction data, virtual asset balance data, questionnaire responses, proof of wallet ownership records |
| Legal basis | Performance of a contract (Law No. 8968) |
| Retention | 10 years after termination of the business relationship |
3.2. AML/CFT and sanctions compliance
| Purpose | Transaction monitoring, blockchain analytics screening, sanctions screening, and suspicious transaction reporting to competent authorities to the extent required by applicable Costa Rican law |
| Data subjects | Clients and their representatives |
| Personal data | Name, wallet addresses, transaction data, blockchain analytics screening results, PEP, sanctions and adverse media screening data, internal alert records and compliance decisions, suspicious transaction reports submitted to competent authorities where required by applicable law |
| Legal basis | Legal obligation (Law No. 8968) |
| Retention | 10 years after termination of the business relationship |
3.3. Reporting to competent authorities
| Purpose | Reporting to competent authorities as required by applicable law |
| Data subjects | Clients and their representatives |
| Personal data | All data necessary to fulfil reporting obligations, including identity data, transaction data, and AML/CFT records |
| Legal basis | Legal obligation (Law No. 8968) |
| Retention | 10 years after termination of the business relationship |
3.4. Travel Rule compliance
| Purpose | Collecting, verifying, and transmitting originator and beneficiary information for virtual asset transfers in accordance with FATF Recommendation 16 and applicable Costa Rican AML law |
| Data subjects | Clients |
| Personal data | Name, wallet address, proof of ownership records |
| Legal basis | Legal obligation (Law No. 8968) |
| Retention | 10 years after termination of the business relationship |
3.5. Direct communication and complaints handling
| Purpose | Responding to client enquiries, requests, and complaints |
| Data subjects | Clients and their representatives |
| Personal data | Name, contact details, communication content, transaction information |
| Legal basis | Legitimate interest of the Company in examining requests and providing accurate information (Law No. 8968) |
| Retention | 3 years |
3.6. Legal claims
| Purpose | Establishing, exercising, or defending legal claims |
| Data subjects | Clients and their representatives |
| Personal data | All data relevant to the claim |
| Legal basis | Legitimate interest (Law No. 8968) |
| Retention | Until end of relevant legal proceedings and for a further 10 years |
4. Data sharing and recipients
We may share your personal data with the following recipients:
- Affiliated EMI — under the Master Intercompany Services Agreement, for KYC/AML compliance and shared compliance services. The Affiliated EMI acts as a separate data controller for its own processing.
- Competent authorities — where required by applicable law, including for suspicious transaction reporting.
- Blockchain analytics provider — for transaction screening and wallet risk assessment, acting as data processor under a data processing agreement.
- Courts, law enforcement, and other competent authorities — where required by law or court order.
- Legal, audit, and professional service providers— where necessary for the Company's legitimate business operations.
Where personal data is transferred internationally, including to the Affiliated EMI in the European Union, the Company applies appropriate safeguards consistent with Law No. 8968 and its regulations, including contractual protections under the Master Intercompany Services Agreement.
5. Security of personal data
The Company implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, alteration, disclosure, and other unlawful processing. These include:
- Encryption of personal data at rest and in transit
- Role-based access controls and multi-factor authentication
- Regular security assessments
- Data minimisation — we process only data that is necessary for the specified purposes
In the event of a personal data breach, we will notify the relevant competent authority and affected data subjects in accordance with Law No. 8968 requirements.
6. Your rights
As a data subject, you have the following rights under Law No. 8968:
- Right of access — you may request confirmation of whether we process your personal data and, if so, access to that data.
- Right to rectification — you may request correction of inaccurate or incomplete data.
- Right to erasure — you may request deletion of your data where there is no legal basis for continued processing. Note: this right is limited where we are required by law to retain data (e.g. AML retention obligations).
- Right to restriction of processing — you may request that we restrict processing of your data in certain circumstances.
- Right to object — you may object to processing based on legitimate interests.
To exercise your rights, please contact us at: privacy@newrails.xyz. Your request must include your name, company name, and contact details. We will respond within 30 calendar days. In complex cases, this may be extended with prior notice.
You have the right to lodge a complaint with the Costa Rican supervisory authority: Agencia de Protección de Datos de los Habitantes (PRODHAB), www.prodhab.go.cr. We recommend contacting us first to resolve any concerns.
7. Changes to this Policy
We may update this Policy from time to time to reflect changes in our services, applicable law, or data processing practices. We will notify you of material changes through the Platform or by email. The updated Policy will be effective from the date of publication.
3-102-965053 Sociedad de Responsabilidad Limitada, trading as Newrails International Limited
Registered office: Avenida Siete, Calle Veintinueve, Edificio 2910, Centro Corporativo AG, Barrio Escalante, Carmen, San José, Costa Rica
Privacy contact: info@newrailsintl.com | Web: newrails.xyz