Privacy and Information Storage Policy

1. Introduction

JTSA Global LLC (“JTSA,” “we,” “us,” or “our”) is a global family office specializing in institutional lending against digital assets, serving only companies and excluding retail clients or individuals. This Privacy and Information Storage Policy (“Policy”) outlines how we collect, use, store, disclose, and protect your personal and confidential information (“Information”) in connection with our lending services (“Services”). We are committed to safeguarding your Information in compliance with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR) (EU/UK), California Consumer Privacy Act (CCPA), and other relevant regulations in the U.S., Switzerland, UK, France, and other jurisdictions where we operate.

To ensure the security of confidential Information, JTSA Global LLC stores all sensitive data on a secure server system protected by triple authentication, designed to prevent unauthorized access, hacking, and theft. This Policy is effective as of April 16, 2025, and applies to all institutional Clients engaging with our Services.

2. Scope

This Policy applies to:

  • Clients: Companies (e.g., corporations, partnerships, or other legal entities) using our Services, including their authorized representatives.
  • Information: Personal data, business data, and confidential information collected or processed in connection with our Services, such as KYC/AML/CFT documentation, loan agreements, and digital asset collateral details.
  • Jurisdictions: U.S. (FinCEN, FINRA, SEC), Switzerland (FINMA), UK (FCA), France (TRACFIN), and other relevant jurisdictions.
  • Exclusions: This Policy does not apply to retail clients or individuals, as JTSA Global LLC does not serve such parties.

3. Information We Collect

We collect the following types of Information to provide our Services and comply with regulatory obligations:

  • Business Identification Information:
    • Company name, registration number, and legal structure.
    • Registered address and principal place of business.
    • Beneficial ownership details (e.g., names, addresses, and identification of ultimate beneficial owners).
  • Authorized Representative Information:
    • Names, job titles, and contact details (e.g., email, phone number).
    • Identification documents (e.g., passports, driver’s licenses) for KYC/AML/CFT purposes.
  • Financial and Transactional Information:
    • Details of digital assets pledged as collateral (e.g., type, quantity, wallet addresses).
    • Loan agreement details, including amounts, interest rates, and repayment schedules.
    • Source of funds and financial statements for due diligence.
  • Technical Information:
    • IP addresses, device identifiers, and log data from interactions with our website or secure client portal.
    • Metadata related to digital asset transactions (e.g., blockchain transaction IDs).
  • Compliance-Related Information:
    • AML/CFT screening results and suspicious transaction reports.
    • Correspondence with regulatory authorities (e.g., FinCEN, TRACFIN).

We collect Information directly from Clients during onboarding, through secure client portals, or via third-party service providers (e.g., KYC/AML vendors) acting under strict confidentiality agreements.

4. How We Use Information

We use Information for the following purposes:

  • Service Delivery:
    • Process loan applications and administer loan agreements.
    • Evaluate and manage digital assets pledged as collateral.
    • Communicate with Clients regarding loan terms, payments, or collateral adjustments.
  • Regulatory Compliance:
    • Conduct KYC/AML/CFT due diligence to comply with regulations from FinCEN, FINRA, FINMA, FCA, SEC, and TRACFIN.
    • File Suspicious Activity Reports (SARs) or equivalent reports (e.g., to TRACFIN) for suspicious transactions.
    • Verify that digital assets are not securities or financial instruments under applicable laws (e.g., SEC’s Howey Test, FINMA ICO Guidelines).
  • Security and Risk Management:
    • Monitor transactions and Client activities to detect and prevent fraud, money laundering, or cyber threats.
    • Protect the integrity of our secure server system and Client data.
  • Business Operations:
    • Maintain records for auditing, tax, and legal purposes.
    • Improve our Services through aggregated, anonymized data analysis (e.g., loan performance trends).

We do not use Information for marketing purposes or share it with third parties for commercial purposes unrelated to our Services.

5. Information Storage and Security

JTSA Global LLC is committed to protecting the confidentiality, integrity, and availability of your Information. We store all sensitive and confidential Information on a secure server system designed to prevent hacking, theft, and unauthorized access. Our security measures include:

  • Triple Authentication:
    • Our server system requires triple authentication for access, combining:
      1. Something You Know: A strong password or passphrase, meeting industry standards (e.g., minimum 12 characters, mixed case, numbers, and symbols).
      2. Something You Have: A hardware-based security token or mobile authenticator app (e.g., YubiKey, Google Authenticator).
      3. Something You Are: Biometric verification (e.g., fingerprint or facial recognition) for authorized personnel.
    • This multi-factor authentication (MFA) ensures that only authorized users can access sensitive data, significantly reducing the risk of unauthorized access.
  • Encryption:
    • Data at rest is encrypted using AES-256 or equivalent industry-standard algorithms.
    • Data in transit is protected with TLS 1.3 or higher, ensuring secure communication between Clients and our systems.
  • Access Controls:
    • Role-based access controls (RBAC) limit data access to authorized personnel based on their job functions.
    • Access logs are monitored and audited regularly to detect suspicious activity.
  • Network Security:
    • Firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) protect our servers from cyber threats.
    • Regular vulnerability assessments and penetration testing are conducted to identify and address potential weaknesses.
  • Physical Security:
    • Servers are hosted in ISO 27001-certified data centers with restricted physical access, 24/7 surveillance, and environmental controls.
  • Incident Response:
    • A comprehensive incident response plan is in place to address data breaches or security incidents promptly.
    • Clients will be notified of any breach affecting their Information as required by law (e.g., GDPR Article 33, CCPA).

Our triple authentication system and layered security measures provide a safe harbor for confidential Information, ensuring robust protection against hacking and theft.

6. Information Sharing and Disclosure

We may share Information in the following circumstances:

  • Service Providers:
    • Third-party vendors (e.g., KYC/AML screening providers, cloud hosting services) may process Information under strict confidentiality agreements and in compliance with data protection laws.
    • Vendors are contractually obligated to implement security measures equivalent to ours, including encryption and access controls.
  • Regulatory and Legal Obligations:
    • We may disclose Information to comply with laws or regulations, such as:
      • Filing SARs with FinCEN or reports with TRACFIN for suspicious transactions.
      • Responding to requests from FINRA, FINMA, FCA, or SEC during audits or investigations.
      • Complying with court orders or lawful requests from government authorities.
  • Business Transfers:
    • In the event of a merger, acquisition, or sale of assets, Information may be transferred to a successor entity, subject to equivalent privacy protections.
  • With Client Consent:
    • We may share Information with other parties if you provide explicit consent (e.g., sharing loan details with a Client’s auditor).

We do not sell, rent, or share Information with third parties for marketing or other purposes unrelated to our Services.

7. Data Retention

We retain Information only for as long as necessary to fulfill the purposes outlined in this Policy, comply with legal obligations, or resolve disputes. Retention periods include:

  • KYC/AML/CFT Records: Retained for at least 5 years after the termination of the Client relationship, as required by FinCEN, TRACFIN, and other authorities.
  • Loan Agreements: Retained for 7 years after loan repayment or termination, in accordance with tax and auditing requirements.
  • Technical Logs: Retained for 1 year for security and auditing purposes, then securely deleted.

Upon expiration of retention periods, Information is securely deleted or anonymized using industry-standard methods (e.g., NIST 800-88 guidelines).

8. Client Rights

Clients, as companies, may have representatives whose personal data is processed (e.g., beneficial owners, authorized contacts). Depending on the jurisdiction, these individuals may have rights under data protection laws, including:

  • Access: Request access to the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of data, subject to legal retention obligations (e.g., AML/CFT records).
  • Restriction: Request restriction of data processing in certain circumstances.
  • Portability: Request a copy of your data in a structured format.