logologo

Business

Platform

Resources

Company

Privacy Policy

3-102-965053 Sociedad de Responsabilidad Limitada, trading as Newrails International Limited

Effective from: July 1, 2026

Official PDFDownload Privacy Policy PDF

1. Introduction and scope

This Privacy Policy ("Policy") describes how 3-102-965053 Sociedad de Responsabilidad Limitada, corporate identification number 3-102-965053, with its registered office at Avenida Siete, Calle Veintinueve, Edificio 2910, Centro Corporativo AG, Barrio Escalante, Carmen, San José, Costa Rica, trading as Newrails International Limited ("Company", "we", "us") processes personal data in connection with the provision of virtual asset custody, exchange, and transfer services through the Newrails platform (www.newrails.xyz).

The Company is a responsible party within the meaning of the Law on the Protection of Individuals with regard to the Processing of their Personal Data (Law No. 8968) and its regulations ("Law No. 8968").

This Policy applies to personal data of the Company's clients and their representatives in connection with the services described in the Company's Terms and Conditions. It does not apply to services provided by Newrails UAB, the affiliated electronic money institution operating the Newrails platform (the "Affiliated EMI") — those are governed by the Newrails UAB Privacy Policy.

Contact for personal data matters: info@newrailsintl.com

2. How we receive your personal data

We collect personal data in the following ways:

  • Data received from the Affiliated EMI — under the Master Intercompany Services Agreement, we receive KYB/KYC identification data, risk profile data, and account information collected by the Affiliated EMI during client onboarding and in the course of the business relationship.
  • Data generated through use of services — transaction records, wallet addresses, on-chain activity.
  • Data from third-party sources — blockchain analytics providers (for transaction screening and wallet risk assessment), public sanctions and PEP databases.

3. Purposes, legal bases, and retention periods

We process personal data for the following purposes:

3.1. Provision of virtual asset services

PurposeProviding virtual asset custody, exchange, and transfer services
Data subjectsClients and their representatives
Personal dataName, contact details, wallet addresses, transaction data, virtual asset balance data, questionnaire responses, proof of wallet ownership records
Legal basisPerformance of a contract (Law No. 8968)
Retention10 years after termination of the business relationship

3.2. AML/CFT and sanctions compliance

PurposeTransaction monitoring, blockchain analytics screening, sanctions screening, and suspicious transaction reporting to competent authorities to the extent required by applicable Costa Rican law
Data subjectsClients and their representatives
Personal dataName, wallet addresses, transaction data, blockchain analytics screening results, PEP, sanctions and adverse media screening data, internal alert records and compliance decisions, suspicious transaction reports submitted to competent authorities where required by applicable law
Legal basisLegal obligation (Law No. 8968)
Retention10 years after termination of the business relationship

3.3. Reporting to competent authorities

PurposeReporting to competent authorities as required by applicable law
Data subjectsClients and their representatives
Personal dataAll data necessary to fulfil reporting obligations, including identity data, transaction data, and AML/CFT records
Legal basisLegal obligation (Law No. 8968)
Retention10 years after termination of the business relationship

3.4. Travel Rule compliance

PurposeCollecting, verifying, and transmitting originator and beneficiary information for virtual asset transfers in accordance with FATF Recommendation 16 and applicable Costa Rican AML law
Data subjectsClients
Personal dataName, wallet address, proof of ownership records
Legal basisLegal obligation (Law No. 8968)
Retention10 years after termination of the business relationship

3.5. Direct communication and complaints handling

PurposeResponding to client enquiries, requests, and complaints
Data subjectsClients and their representatives
Personal dataName, contact details, communication content, transaction information
Legal basisLegitimate interest of the Company in examining requests and providing accurate information (Law No. 8968)
Retention3 years

3.6. Legal claims

PurposeEstablishing, exercising, or defending legal claims
Data subjectsClients and their representatives
Personal dataAll data relevant to the claim
Legal basisLegitimate interest (Law No. 8968)
RetentionUntil end of relevant legal proceedings and for a further 10 years

4. Data sharing and recipients

We may share your personal data with the following recipients:

  • Affiliated EMI — under the Master Intercompany Services Agreement, for KYC/AML compliance and shared compliance services. The Affiliated EMI acts as a separate data controller for its own processing.
  • Competent authorities — where required by applicable law, including for suspicious transaction reporting.
  • Blockchain analytics provider — for transaction screening and wallet risk assessment, acting as data processor under a data processing agreement.
  • Courts, law enforcement, and other competent authorities — where required by law or court order.
  • Legal, audit, and professional service providers— where necessary for the Company's legitimate business operations.

Where personal data is transferred internationally, including to the Affiliated EMI in the European Union, the Company applies appropriate safeguards consistent with Law No. 8968 and its regulations, including contractual protections under the Master Intercompany Services Agreement.

5. Security of personal data

The Company implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, alteration, disclosure, and other unlawful processing. These include:

  • Encryption of personal data at rest and in transit
  • Role-based access controls and multi-factor authentication
  • Regular security assessments
  • Data minimisation — we process only data that is necessary for the specified purposes

In the event of a personal data breach, we will notify the relevant competent authority and affected data subjects in accordance with Law No. 8968 requirements.

6. Your rights

As a data subject, you have the following rights under Law No. 8968:

  • Right of access — you may request confirmation of whether we process your personal data and, if so, access to that data.
  • Right to rectification — you may request correction of inaccurate or incomplete data.
  • Right to erasure — you may request deletion of your data where there is no legal basis for continued processing. Note: this right is limited where we are required by law to retain data (e.g. AML retention obligations).
  • Right to restriction of processing — you may request that we restrict processing of your data in certain circumstances.
  • Right to object — you may object to processing based on legitimate interests.

To exercise your rights, please contact us at: privacy@newrails.xyz. Your request must include your name, company name, and contact details. We will respond within 30 calendar days. In complex cases, this may be extended with prior notice.

You have the right to lodge a complaint with the Costa Rican supervisory authority: Agencia de Protección de Datos de los Habitantes (PRODHAB), www.prodhab.go.cr. We recommend contacting us first to resolve any concerns.

7. Changes to this Policy

We may update this Policy from time to time to reflect changes in our services, applicable law, or data processing practices. We will notify you of material changes through the Platform or by email. The updated Policy will be effective from the date of publication.


3-102-965053 Sociedad de Responsabilidad Limitada, trading as Newrails International Limited
Registered office: Avenida Siete, Calle Veintinueve, Edificio 2910, Centro Corporativo AG, Barrio Escalante, Carmen, San José, Costa Rica
Privacy contact: info@newrailsintl.com | Web: newrails.xyz

Newrails Logo
X (Twitter)LinkedIn
English

Navigation

  • Business
  • Platform
  • Resources
  • Company

Legal

  • General terms and conditions
  • Privacy policy
  • Disclaimer
  • Whistleblowing
  • FAQ
  • EURW whitepaper
  • EMT redemption policy
  • Download centre
  • Complaints
  • On-chain FX Terms and Conditions
  • On-chain FX Privacy Policy

Contact us

  • info@newrails.xyz

Subscribe to our newsletter

Copyright @ Newrails. Newrails UAB (company code: 305270426), registered at Švitrigailos st. 11C, LT-03228 Vilnius, Lithuania, is authorised as an Electronic Money Institution by the Bank of Lithuania (licence No. 69). Verify our authorisation on the Bank of Lithuania register: here. For passporting, we are allowed to operate in 30 countries, all are specified in the above provided link – Lithuania, Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.