Privacy Policy

10 October 2025

1. What does this Privacy Policy mean and to whom does it apply?

This privacy policy (hereinafter referred to as the "Privacy Policy") defines the basic terms and conditions for the processing of personal data and the rules that apply to the personal data of the visitors, customers and partners/ service providers of UAB "Ambr Payments" (trading name Newrails), further referred as the "Company" or the "Controller", "Newrails") of the website https://www.newrails.xyz (hereinafter referred to as the "Website").

The owner and manager of the website is Newrails, legal entity code 305270426, registered office address Svitrigailos str. 11C, Vilnius, Republic of Lithuania, contacts for personal data issues: e-mail: complaints@newrails.xyz.

The data processing is carried out in due accordance with the General Data Protection regulation (EU Regulation 2016/679) (hereinafter referred to as the GDPR), the Law on personal data protection of the Republic of Lithuania, and all other applicable legal requirements for processing personal data.

The Privacy Policy becomes applicable for your data as soon as we receive it (provided by you or a Company intending to become our customer).

This Privacy Policy does not apply to links provided by the Website to third-party websites, and we recommend that you check the personal data processing rules of such websites separately.

2. How the Company receives your personal data

We access and/or use your personal data if any of the following applies:

Data received from you when:

You fill in the forms;
You contact us;
You sign up for using Company services;
You register for our newsletters and updates;
You allow us access to your device (contact information, log in information).

Data received from your device when:

You log in, sign up, do a transaction, send us a message;
You browse the information you can find on our Website;
You are on our platform My Newrails and allow access to your device's camera, GPS function of your device.

Data received from third parties:

We collect information from public databases such as PRADO in EU, for checking the validity of provided personal identification document;
We also check publicly available legal entities' databases, where, along with legal entities data, is provided information on the Chief Executive Officer, legal representative, management board members and other persons related to the legal entity;
We constantly check various lists of politically exposed persons and international financial sanctions; we search for our customer, its representatives, UBOs in those lists by various methods;
We collect information from third parties, such as credit reference agencies, fraud prevention agencies and partners who help us to provide our services.
We also get your data from various databases, as well as from other financial institutions and business partners.

It is the responsibility of the data subject to ensure that the personal data provided by him/her are accurate, correct and complete. If the personal data provided by the data subject changes, the data subject must immediately inform the Company thereof. The Company will not be liable for any damage caused to the person and/or third parties due to the fact that the data subject has provided incorrect, inaccurate and/or incomplete personal data or has not requested the data to be supplemented and/or amended in the event of a change in the data.

3. Personal data collected, purposes and grounds for processing

The Company processes your personal data for the following purposes and in accordance with the legal grounds relating to them:

3.1. Establishing and executing contracts with partners/suppliers, managing partners/suppliers

Purpose	Concluding and executing contracts with third parties for the provision of services
Data subjects	Company partners/suppliers; Representatives of the Company's partners/suppliers.
Personal data	For individuals: first name, last name, personal identification number/date of birth, business address, telephone number, email address, and other information specified in the document submitted by the supplier. For legal entities: first name, last name, position, place of work, telephone number, email address of representatives.
Legal basis	The conclusion or performance of a contract with you if the Company's partner/supplier is a natural person (Article 6(1)(b) GDPR). In the event that you do not provide the relevant personal data, we may not be able to enter into and/or perform a contract with you or with a partner or supplier that you represent.
Storage	Your personal data will be stored for 10 years after the end of the contract.

3.2. Verification of service providers

Purpose	Verification of service providers
Data subjects	Service providers
Personal data	First name, last name, date of birth, personal identification number, nationality, address, and information obtained from public media sources and databases.
Legal basis	Your consent (GDPR Article 6(1)(a)); legal obligation (GDPR Article 6(1)(c)).
Storage	During the term of the agreement.

3.3. Internal investigations and analysis

Purpose	For internal investigations and analysis of operational risk events
Data subjects	The Company's customers
Personal data	First name, last name, identification document information, mobile phone number, residential address, account information, transaction information, customer Newrails ID number.
Legal basis	Compliance with legal obligations (GDPR Article 6(1)(c)); the controller's legitimate interest in pursuing, exercising, or defending legal claims (GDPR Article 6(1)(f).
Storage	10 years.

3.4. Direct communication

Purpose	Direct communication with customers (complaints, inquiries, etc.)
Data subjects	Company's customers/ potential customers.
Personal data	First name, last name, email address, phone number, communication with the Company and its content.
Legal basis	The controller's legitimate interest in examining the request and providing accurate and comprehensive information about the company's activities (GDPR Article 6(1)(f).
Storage	3 years.

3.5. Reporting to supervisory authorities

Purpose	Ensuring accountability, reporting to supervisory authorities
Data subjects	The Company's customers, potential customers, related persons
Personal data	Natural persons- first name, last name, residential address, country, payment account information, the amount of funds in the account, copy of personal document (passport or ID card), copy of document confirming registration/residence address, documents confirming the origin of funds (e.g., employment contract, loan agreement, gift documents, bank account statements, etc.). Legal entities- identity documents of natural persons related to the legal entity, residential addresses of natural persons and documents confirming them, photos collected during remote verification (identity document, the person themselves). Contact details of related persons (e-mail, telephone number), information about payment account. Contact details of individual customers, documents confirming the origin of their funds, personal documents and all data contained therein, residential address.
Legal basis	Legal obligation (GDPR Article 6(1)(c)).
Storage	10 years.

3.6 AML/CTF and sanction prevention

Purpose	AML/CTF and sanction prevention
Data subjects	The Company's customers.
Personal data	Natural persons- first name, last name, mobile phone number, residential address, country, postal code, copy of personal document (passport or ID card), selfie, copy of document confirming registration/residence address, documents confirming the origin of funds (e.g., employment contract, loan agreement, gift documents, bank account statements, etc.). Legal entities- identity documents of natural persons related to the legal entity, residential addresses of natural persons and documents confirming them, photos collected during remote verification (identity document, the person themselves). Contact details of related persons (e-mail, telephone number), Login timestamps, IP address, device information, Political beliefs (due to politically exposed persons). Contact details of individual customers, documents confirming the origin of their funds, personal documents and all data contained therein, residential address.
Legal basis	Legal obligation (GDPR Article 6(1)(c)), GDPR Article 9(2))g).
Storage	Know-your-customer information – 8 years after the termination of the business relationship. Additional information received from the customer – 5 years after the termination of the business relationship. Data of not finished KYC onboarding process shall be stored for 3 (three) months. Refused customers due to AML/CTF concerns, the collected prospect customer's data will be stored for 5 (five) years.

3.7. International and domestic payments

Purpose	Making international and domestic payments
Data subjects	The Company's customers.
Personal data	First name, last name, payment account information, payment purpose information, identification number, beneficiary information (name, surname, account information).
Legal basis	Contractual relationship (GDPR Article 6(1)(b))).
Storage	10 (ten) years after closing the last account

3.8. Issuing Electronic money tokens

Purpose	Issuing Electronic money tokens
Data subjects	The Company's customers
Personal data	Private keys, wallets addresses, first name, last name, payment information, beneficiary information
Legal basis	Contractual relationship (GDPR Article 6(1)(b)))
Storage	10 (ten) years after closing the last account.

3.9. Mandatory sending of regulated information, newsletters, promotions, offers to customers

Purpose	Mandatory sending of regulated information, newsletters, promotions, offers to customers
Data subjects	The Company's customers.
Personal data	First name, last name, email address, phone number.
Legal basis	Your consent (Article 6(1)(a) GDPR), contractual relationship (GDPR Article 6(1)(b))).
Storage	During the validity period of the consent or contract.

3.10. Administration of business sale transactions

Purpose	Administration of business sale transactions.
Data subjects	The company's customers; service providers.
Personal data	Employee, board members data (first name, last name, contact details, job title; customer data, name, surname, profitability, transaction information, AML risk scoring.
Legal basis	Legal obligations (GDPR Article 6(1)(c)). The controller's legitimate interest in pursuing, exercising, or defending legal claims (GDPR Article 6(1)(f).
Storage	Until a decision is made not to invest, and if an investment is made, within the data retention periods established for individual purposes.

3.11. Processing of Company's App usage data

Purpose	Processing of Company's App usage data
Data subjects	The Company's customers
Personal data	Name, surname, identification data, IP information, transaction information
Legal basis	Contractual relationship (GDPR Article 6(1)(b))
Storage	8 years after the termination of the business relationship.

3.12. Administration of the whistleblower line

Purpose	Administration of the whistleblower line
Data subjects	The person who submitted the notification.
Personal data	First name, last name, contact details, other details specified in the notification.
Legal basis	Legal obligation (GDPR Article 6(1)(c)).
Storage	1 year from the date of completion of the investigation.

3.13. Potential cooperation

Purpose	To offer innovative, borderless payment solutions, including dedicated EUR IBAN
Data subjects	Potential customers recommended by the Company's partners
Personal data	First name, last name, contact details
Legal basis	Your consent (Article 6(1)(a)
Storage	1 year.

3.14. Website features and cookies

When you visit the Company's Website, we process your IP address, network and location data when you provide it. This data is collected through the use of cookies and other similar technologies. For more information about the cookies used on the Website, please see our Cookie Policy.

3.15. Legal requirements and dispute resolution

All of the above personal data may be processed by the Company for the purpose of asserting, exercising or defending legal claims. For this purpose, we will process the personal data on the basis of our legitimate interest to assert, exercise or defend legal claims (Article 6(1)(f) GDPR). We will process it for this purpose until the end of the relevant legal proceedings (e.g. settlement of a claim, entry into force of a court or arbitration award) and for a further 10 years.

4. Who is your data disclosed to?

The data is processed on our servers, stored in the territory of the European Union. We may provide your data to:

Other payment institutions and banks, participating in the chain of processing your payment order or other transaction;
E-commerce platforms and other partners, if you express your interest and consent to collaborate with them;
Newrails group companies, when this is necessary for execution of audit, risk assessment, financial reporting or in cases where we use unified information platforms or other technical solutions necessary for the provision of our services;
Bank of Lithuania, State Social Insurance Fund, State Tax Inspectorate, Department of Statistics, and other state institutions when executing mandatory reporting or other legal obligations;
Financial Crimes Investigation Authority, courts, notaries and other judicial institutions upon their request or in cases we have a reason to suspect a criminal activity;
Our partners for marketing, communication, legal advice, audit and other professional services;
We also provide data to data processors we engage to meet all the legal requirements or to efficiently execute our services (payment service provider, audit company, IT service provider, and others);
Partners who referred the customer to us, with the customer's prior consent.

5. Security of your personal data

Your personal data is processed in accordance with the GDPR, the Law on Legal Protection of Personal Data of the Republic of Lithuania and other legal requirements. When processing your personal data, we implement organisational and technical measures to ensure the protection of personal data against accidental or unlawful destruction, alteration, disclosure, as well as against any other unlawful processing.

Although the Company strives to protect the personal data it processes, please understand that the Company cannot guarantee or warrant the complete security of any information you transmit to us, as modern technology cannot provide a secure method of transmission or storage in all cases. The Company reserves the right to adapt new security technologies where necessary and to temporarily restrict the provision of services in the event of suspected security breaches.

6. Locations to Store Your Data

Mainly we store and process your personal data within EU/EEA territory. However, in some cases, for example, execution of contractual obligations or upon your consent, we transfer your data outside the European Union (EU)/ European Economic Area (EEA).

The Company may transfer your personal data outside the EU/EEA if your explicit consent is obtained or if it is necessary and appropriate safeguards will be in place in accordance with GDPR.

7. Your rights

We guarantee the exercise of these rights upon your request:

Right of access to your personal data - you have the right to ask the Company to confirm whether or not personal data relating to you is being processed and, if such personal data is being processed, you have the right to access and obtain information about the personal data.
Right to rectification - you have the right to request that the Company rectify inaccurate or incomplete personal data concerning you.
The right to erasure ("right to be forgotten") - this right is not absolute and can only be exercised in cases where: the personal data are no longer necessary for the purposes for which they were collected or otherwise processed. The right is exercisable where you withdraw your consent and there is no other legal basis for processing your personal data and there are no overriding legitimate reasons for processing your personal data.
Right to request restriction of processing - you may request restriction of the processing of your personal data only on the following grounds: you contest the accuracy of the data for a period of time during which we can verify the accuracy of your personal data. The processing of your personal data is unlawful and you do not consent to the erasure of your data and instead request that we restrict its use. We do not need your data for the purposes of processing it, but we do need it for you to assert, exercise or defend legal claims. Where the processing of your personal data is restricted, we may only process such personal data, other than for storage, with your consent or for the establishment, exercise or defence of legal claims and/or to protect your rights or the rights of another person or for reasons of public interest.
The right to data portability - this right can only be exercised where the processing is carried out by automated means and where it is technically feasible to do so.
Right to object to processing - you have the right to object at any time to the processing of your personal data on the grounds of legitimate interest of the Company. In this case, the Company will not process your personal data unless it can demonstrate legitimate grounds for processing your personal data which override your interests, rights and freedoms or are necessary for the establishment, exercise or defence of legal claims.
Right to withdraw consent - if your personal data is processed on the basis of your consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent carried out before the withdrawal of consent.

You can exercise your rights in one of the following ways:

by sending us a free-form application to hello@ambrpayments.com. The application must be signed with an electronic signature.
by sending the application by registered post. The application must be signed. A copy of your identity document certified by a notary public must be attached to the application.

The request must be legible, signed and contain the name, surname, place of residence or e-mail address of the data subject to whom the reply is requested. It shall also indicate which of the data subject's rights the data subject wishes to exercise and to what extent.

We will respond to your request no later than 30 (thirty) calendar days from the date of receipt of your request. In exceptional cases requiring additional time, we shall be entitled, upon notice to you, to extend the time limit for the provision of the requested data or for the processing of any other requirements set out in your request by up to 60 (sixty) calendar days from the date of your request.

Upon receipt of your request, we will respond to you no later than 30 calendar days after we receive your request and all the documents necessary to respond.

You can complain about our actions and decisions to the competent supervisory authority, the State Data Protection Inspectorate (www.vdai.lt). However, we recommend that you contact us before making a formal complaint so that we can find a suitable solution to the problem.

If you have any requests or questions about the processing of your data, please contact us at complaints@newrails.xyz.

8. Information about the website and its owners

The Website, the material, code, design, domain name of the Website, all copyrights, trademarks, service marks, databases, names and other intellectual property or other intellectual property rights relating to the Website, social networking accounts, distributed through digital marketing channels and/or materials contained therein are wholly owned by the Company, with the exception of intellectual property (trademarks, logos, etc.) relating to the Company's partners or suppliers, and are protected by national and international intellectual property protection laws and regulations.

You may not, without the express permission of the Company, copy, fix, reproduce, perform, display, publish, transmit, sell, process, process, display, license, modify, republish, edit, broadcast, retransmit or otherwise publish, publicly display or perform, adapt, distribute or exploit in any form or by any means whatsoever, any material contained on the Website or the source code, or any part thereof, or any derivative works based on any of it, without the Company's express permission.

9. Changes to the Privacy Policy

This document comes into force upon the launch of our services. It may be amended when it is necessary due to product changes, legislation, or other reasons. Therefore, we kindly ask you to check for the updated version of the Privacy Policy on our website https://www.newrails.xyz.

We may amend this Privacy Policy at any time by posting a revised version on our website. The revised version will be effective as of the published effective date.

This Privacy Policy was last updated on 10 October 2025.