Privacy Policy
Privacy Policy and Compliance Framework for Nyro.trade under Panamanian Law
Part I: Governing Legal Framework: Analysis of Panama's Law 81 of 2019
This section provides a foundational analysis of the Republic of Panama's Law 81 of March 26, 2019, on Personal Data Protection, and its supplementary Executive Decree No. 285 of May 28, 2021. This legal framework establishes the primary obligations for any entity, such as Nyro.trade, that processes personal data within its jurisdiction. A thorough understanding of its scope, principles, and mandates is essential for ensuring compliance.
1.1 Introduction and Territorial Scope
The applicability of Panama's data protection law is defined by a clear territorial scope, which has been deliberately expanded to address the realities of digital commerce. Law 81 applies to any databases that are physically located within the territory of the Republic of Panama, regardless of whether they store personal data of Panamanian nationals or foreigners. Furthermore, the law extends to any data controller, such as Nyro.trade, that is domiciled in Panama.
Critically, Executive Decree No. 285 of 2021 broadened this scope to encompass data processing conducted via the internet or other digital means when it is connected to commercial activities specifically aimed at the Panamanian market. This provision is of paramount importance for online platforms. It signifies that even if a company were to use cloud infrastructure hosted outside of Panama, its commercial focus on a global audience, which may include Panamanian residents, would likely subject it to the jurisdiction of Panama's National Authority of Transparency and Access to Information (ANTAI). For Nyro.trade, being legally established in Panama, its obligations under Law 81 are unequivocal and comprehensive, covering all its data processing activities irrespective of the geographic location of its users or its third-party service providers.
1.2 Core Principles of Data Protection
Law 81 is not merely a set of prescriptive rules but is founded upon a series of guiding principles that inform the interpretation and enforcement of all data protection obligations. These principles must be embedded in the design and operation of any data processing system. The regulator, ANTAI, will assess compliance through the lens of these core tenets.
The key principles are as follows:
Legality and Loyalty: The processing of personal data is only lawful if it is based on the prior, informed, and unequivocal consent of the data subject, or if it rests on another valid legal basis stipulated in the law. The principle of loyalty requires that data is collected with the full knowledge of the individual, not through deceptive or surreptitious means.
Purpose: Personal data must be collected for specific, explicit, and legitimate purposes. It cannot be subsequently processed in a manner that is incompatible with those original purposes without obtaining new consent from the data subject. This principle prevents "function creep," where data collected for one reason is later repurposed for another without the user's knowledge.
Proportionality and Minimization: Data controllers must only collect personal data that is adequate, relevant, and limited to what is strictly necessary in relation to the purposes for which it is processed. This obligates organizations to avoid collecting superfluous data. The architectural decision of Nyro.trade to operate as a non-custodial platform by integrating Privy.io for wallet management is a powerful demonstration of this principle in practice. A traditional custodial platform would be required to collect and securely store highly sensitive information, including private keys and extensive Know Your Customer (KYC) documentation. By delegating wallet management to a specialized, non-custodial service, Nyro.trade inherently minimizes the volume and sensitivity of the personal data it directly controls, thereby aligning its technical design with its legal obligations under the proportionality principle. This "privacy by design" approach represents a significant compliance strength.
Transparency: Data subjects must be provided with clear, accessible, and easily understandable information about the processing of their personal data. This includes details about what data is collected, why it is collected, who it is shared with, and how individuals can exercise their rights. Communications should use simple language and avoid convoluted legal jargon.
Data Security: The data controller is responsible for implementing appropriate technical and organizational measures to guarantee the security of personal data and protect it against unauthorized access, alteration, disclosure, or destruction.
Confidentiality: All individuals involved in the processing of personal data are bound by an obligation of secrecy, which persists even after their professional relationship with the data controller has ended.
Portability: Data subjects have the right to receive a copy of their personal data in a structured, commonly used, and machine-readable format, and have the right to transmit that data to another controller.
1.3 Rights of the Data Subject (ARCO+P Rights)
Law 81 grants data subjects a robust set of inalienable rights, often referred to by the acronym ARCO, with the addition of Portability. The Privacy Policy for Nyro.trade must not only enumerate these rights but also provide a clear and straightforward process for users to exercise them. The law mandates that requests for access to data must be fulfilled within a period of ten business days.
The rights afforded to data subjects are:
Right of Access: The right to obtain confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and information about its processing.
Right to Rectification: The right to obtain the correction of inaccurate, false, outdated, or incomplete personal data.
Right to Cancellation (Erasure): The right to request the deletion of personal data on legitimate grounds, such as when the data is no longer necessary for the purpose for which it was collected.
Right to Opposition: The right to object to the processing of personal data or to revoke previously given consent.
Right to Portability: The right to obtain a copy of their personal data in a structured and commonly used format that allows for its transfer to another entity.
A significant challenge arises from the interaction between the Right to Cancellation and the fundamental nature of blockchain technology. While a user can validly request that Nyro.trade delete their account information from its internal, off-chain databases (such as usage logs or IP address records), neither Nyro.trade nor the user can erase transaction data that has been immutably recorded on the public Solana blockchain. This creates a potential conflict. However, Law 81 provides for specific exceptions to the right of erasure, including cases where processing is necessary to comply with a legal obligation or to protect the "right of freedom and expression". The Privacy Policy must proactively address this by clearly distinguishing between mutable, off-chain data that Nyro.trade controls and can erase, and immutable, on-chain data that is public and cannot be altered. This serves the dual purpose of managing user expectations and demonstrating a sophisticated understanding of the technology's privacy implications.
Part II: Analysis of Data Processing Operations at Nyro.trade
This section conducts a focused analysis of the specific data processing activities undertaken by Nyro.trade, mapping its operational functions to the legal framework established in Part I. This involves identifying the roles of each entity, classifying the data collected, and examining the function of third-party processors.
2.1 Data Controller and Processor Identification
Panamanian law distinguishes between the "Data Controller," the entity that determines the purposes and means of data processing, and the "Database Custodian" (equivalent to a Data Processor), which processes data on behalf of the controller.
Data Controller: Nyro.trade is the Data Controller. It operates the platform, defines the services offered (trading terminal, copy trading), and makes the ultimate decisions regarding what personal data is collected from users and why.
Data Processors (Database Custodians): Privy.io and Cloudflare, Inc. act as Data Processors. They provide specialized services to Nyro.trade and process user data solely on its instructions and for the purposes it defines.
This legal distinction is critical. The relationship between Nyro.trade and its processors must be governed by a formal contract, referred to as a "Database Custodian Agreement" in the regulations, which outlines the processors' obligations regarding data security and confidentiality. As the Data Controller, Nyro.trade remains ultimately responsible and accountable to its users and to ANTAI for the protection of their personal data, even when that data is handled by a third party. For example, in the event of a data breach at a processor, Nyro.trade holds the primary responsibility for notifying affected users and the regulatory authorities.
2.2 Data Collection Points and Classification
Personal data is defined broadly under Law 81 as any information that identifies or makes an individual identifiable. The law also establishes a special category of "Sensitive Data," which includes information on racial origin, religious beliefs, health, or political opinions. Given the nature of its services, it is highly unlikely that Nyro.trade collects any data that falls under this legal definition of "Sensitive Data," which is a favorable compliance position. However, all personal data it handles should be treated as confidential in line with the "Principle of Confidentiality".
The personal data processed by Nyro.trade can be categorized as follows:
Data Provided via Privy.io Integration: Users do not create an account directly with Nyro.trade in the traditional sense. Instead, they authenticate through Privy.io, which may collect an email address or social media account identifier to create and manage the user's non-custodial wallet. Nyro.trade then receives a public wallet address and a unique user identifier from Privy, but it never receives or stores passwords, private keys, or other sensitive credentials.
Data Collected Automatically: Through the standard operation of the website and its services, Nyro.trade automatically collects technical information. This includes the user's IP address, browser type, operating system, and device information. It also includes usage data, such as which features of the trading terminal are used, which traders are copied, and the timestamps of user activity. This information is essential for security, platform optimization, and analytics.
Data from Public Blockchains: The core functionality of the platform involves interacting with and displaying data from the Solana blockchain. This includes the user's public wallet address and all associated transaction histories, which are inherently public and accessible to anyone.
The service of "copy trading" introduces a unique data processing scenario. The trading history and performance metrics of a "Leader" trader constitute personal data linked to their account. While this does not qualify as "Sensitive Data" under Law 81's narrow definition, it is highly personal and commercially valuable information. The processing of this data—specifically, sharing it with "Copier" users—is fundamental to the service. The legal basis for this specific sharing activity rests on both contractual necessity (it is impossible to provide the service without it) and the explicit consent of the Leader trader who agrees to have their trades mirrored. This specific data flow must be explained with absolute clarity in the privacy policy to satisfy the "Principle of Transparency."
2.3 Analysis of Third-Party Processors
Nyro.trade relies on two key third-party service providers, whose roles and data processing functions must be clearly disclosed to users.
Privy.io:
Function: Privy.io provides the core infrastructure for non-custodial wallet creation and user authentication. It acts as the secure bridge between the user and the blockchain, allowing users to sign transactions without ever exposing their private keys to Nyro.trade.
Data Processed: The user provides authentication credentials (e.g., email) directly to Privy. Privy manages the cryptographic keys and processes authentication requests. Privy's privacy policy states that it does not share user data with other third parties beyond what is necessary to provide its own services.
Significance: The integration with Privy is the cornerstone of Nyro.trade's non-custodial and privacy-centric architecture. The privacy policy must emphasize that Nyro.trade never has access to, nor does it store, user funds, private keys, passwords, or recovery phrases.
Cloudflare, Inc.:
Function: Cloudflare serves as a Content Delivery Network (CDN) and a critical security layer for the Nyro.trade website. It provides services such as DDoS mitigation, a Web Application Firewall (WAF), and performance optimization.
Data Processed: To perform these functions, Cloudflare's global network processes website traffic metadata. This includes user IP addresses, system configuration details, request headers, and other data necessary to distinguish legitimate traffic from malicious attacks.
Significance: The use of Cloudflare is a standard and essential practice for maintaining a secure and reliable online service. The privacy policy must disclose that this processing occurs and provide a link to Cloudflare's own privacy policy for users who wish to learn more, thereby fulfilling the transparency obligation.
Part III: Privacy Policy for Nyro.trade
Privacy Policy for Nyro.trade
Effective Date: October 9, 2025
1. Introduction and Scope
This Privacy Policy describes how Nyro.trade (hereinafter "Nyro," "we," or "us"), a company registered in the Republic of Panama, collects, uses, and protects your personal data when you visit our website at https://nyro.trade or use our trading terminal and copy trading services (collectively, the "Services").
Your use of the Services is subject to this Privacy Policy and our Terms of Service. By accessing or using our Services, you signify that you have read, understood, and agree to our collection, storage, use, and disclosure of your personal data as described in this Privacy Policy.
2. Our Commitment to Data Protection under Panamanian Law
Nyro is domiciled in the Republic of Panama and is fully committed to protecting your privacy in compliance with Law 81 of March 26, 2019, on Personal Data Protection and its related regulations (hereinafter "Law 81"). Our data processing practices are guided by the core principles established in Law 81, including Legality, Loyalty, Purpose, Proportionality, Transparency, Data Security, and Confidentiality.
3. The Personal Data We Collect and Our Purposes for Collection
We collect personal data to provide and improve our Services, maintain security, and comply with our legal obligations. We are committed to the principle of data minimization and only collect data that is necessary for these purposes.
Data You Provide via our Partner, Privy.io: To use our Services, you will create a non-custodial digital wallet and authenticate your identity through our third-party partner, Privy.io. During this process, you may provide authentication information, such as your email address or social media account details, directly to Privy. We do not collect or store this information. Privy provides us with your public wallet address and a unique user identifier, which we use to associate you with your activity on our platform. At no point does Nyro receive, access, or store your private keys, passwords, or wallet recovery phrases.
Data We Collect Automatically: When you interact with our Services, we automatically collect certain technical information from your device. This includes your IP address, browser type, operating system, device identifiers, and information about your usage of the Services, such as pages visited, features used, and actions taken.
Data from Public Blockchains: Our Services interact with public blockchains, such as Solana. Your public wallet address and the transaction history associated with it are permanently recorded on the blockchain and are considered public information. Our Services may retrieve and display this public data.
Data Category | Source | Purpose | Legal Basis | Shared With
Public Wallet Address | User (via Privy.io) / Solana Blockchain | To provide trading & copy trading services; display transaction history. | Contractual Necessity; Consent | N/A (Public Data)
Authentication Data (e.g., email) | User (via Privy.io) | To create and secure user account; service communications. | Contractual Necessity; Consent | Privy.io
IP Address & Device Info | Automatic | Security; fraud prevention; service optimization; legal compliance. | Legitimate Interest; Consent | Cloudflare, Inc.
Platform Usage Data | Automatic | To analyze and improve service features and user experience. | Legitimate Interest; Consent | N/A (Internal, Anonymized)
"Leader" Trader Performance Data | User (Leader Trader) | To enable the copy trading service for "Copier" users. | Contractual Necessity; Consent | Other platform users ("Copiers")
4. Our Legal Basis for Processing Your Data
Under Law 81, we process your personal data based on the following legal grounds:
Consent: We rely on your explicit and informed consent to process your data when you create an account, agree to this Privacy Policy, and use our Services. This includes consent for the use of non-essential cookies.
Contractual Necessity: We process personal data that is necessary for the performance of our contract with you, which is established when you agree to our Terms of Service. This includes processing your public wallet address and usage data to provide the core trading terminal and copy trading functionalities.
Legitimate Interest: We process certain data, such as IP addresses and device information, for our legitimate interests in maintaining the security and integrity of our platform, preventing fraud, and analyzing usage to improve our Services. We only rely on this basis when our interests are not overridden by your fundamental rights and freedoms.
Legal Obligation: We may be required to process or disclose your personal data to comply with a legal obligation or a lawful request from a competent public authority in the Republic of Panama.
5. How and Why We Share Your Personal Data
We are committed to maintaining the confidentiality of your data. We do not sell your personal data to third parties. We only share your data in the following limited circumstances:
Service Providers (Data Processors): We engage third-party companies to perform specialized functions on our behalf. These processors are contractually bound to protect your data and may only use it for the purposes we specify.
Privy.io: Used for non-custodial wallet management and user authentication. You can review their privacy practices at their Privacy Policy.
Cloudflare, Inc.: Used for website security, performance, and content delivery. You can review their privacy practices at their Privacy Policy.
Copy Trading Participants: If you choose to act as a "Leader" in our copy trading service, your trading activity and performance metrics (linked to your chosen username) will be shared with users who choose to "copy" you. This sharing is an essential function of the service and is based on your consent to participate as a Leader.
Legal and Regulatory Bodies: We may disclose your personal data if required to do so by law or in response to valid requests by public authorities in Panama, such as a court or government agency.
Business Transfers: In the event of a merger, acquisition, bankruptcy, or other sale of all or a portion of our assets, your personal data may be transferred to the successor entity, subject to the promises made in this Privacy Policy.
6. Data Security and Retention Protocols
Security Measures: We implement and maintain reasonable administrative, technical, and physical security measures to protect your personal data from unauthorized access, use, alteration, and destruction. These measures include encryption of data in transit (SSL/TLS) and strict access controls within our organization, in accordance with the "Data Security" principle of Law 81.
Data Retention: We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected.
Account Data: We retain data associated with your account for as long as your account remains active. After account closure, we may retain certain information for up to seven years to comply with legal, accounting, or regulatory requirements, as permitted by Law 81.
Usage Logs: Technical data such as IP addresses may be retained for a shorter period (e.g., up to two years) for security analysis and fraud prevention.
Blockchain Data: Please be aware that any transaction data associated with your public wallet address is recorded on a public blockchain. This data is permanent, immutable, and not subject to our control or retention policies.
7. International Transfers of Personal Data
Our service providers, including Privy.io and Cloudflare, Inc., are based in the United States. Therefore, by using our Services, your personal data will be transferred to and processed in the United States. Law 81 permits such transfers with the data subject's explicit consent. Your agreement to this Privacy Policy and your use of our Services constitutes your informed and unequivocal consent to this international transfer of your personal data.
8. Your Rights Under Law 81 and How to Exercise Them
As a data subject under Panamanian law, you have the following inalienable rights regarding your personal data. These are known as the ARCO+P rights.
Right of Access: To request a copy of the personal data we hold about you.
Right to Rectification: To request the correction of any inaccurate or incomplete data.
Right to Cancellation (Erasure): To request the deletion of your personal data from our systems.
Right to Opposition: To object to the processing of your data or withdraw your consent at any time.
Right to Portability: To receive your personal data in a structured, commonly used, machine-readable format.
To exercise any of these rights, please submit a written request to us at contact@nyro.trade. We will respond to your request within the timeframes mandated by law, including within ten (10) business days for access requests.
Limitation on the Right to Cancellation: Please note that while we can delete your personal data from our internal (off-chain) databases, we cannot alter or erase data that has been recorded on a public blockchain. This on-chain data is outside of our control and is not subject to the right of cancellation.
9. Use of Cookies and Other Tracking Technologies
We use cookies and similar technologies to operate and improve our Services. Cookies are small text files stored on your device that help us remember your preferences, secure your session, and analyze platform performance. We use both essential cookies, which are necessary for the Services to function, and non-essential cookies for analytics and performance. You can control or disable cookies through your browser settings, but please be aware that doing so may impair the functionality of our Services.
10. Policy Regarding Minors
Our Services are not intended for or directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected personal data from a person under 18, we will take steps to delete that information as soon as possible.
11. Modifications to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. If we make material changes, we will notify you by posting the updated policy on our website and updating the "Effective Date" at the top of this policy. Your continued use of the Services after such changes constitutes your acceptance of the new policy.
12. Contact Information
If you have any questions, concerns, or complaints about this Privacy Policy or our data protection practices, please contact us.
Data Controller: BM Operations Corp.
Email for Privacy Inquiries: contact@nyro.trade
Part IV: Strategic Recommendations for Implementation and Compliance
The following recommendations provide an actionable roadmap for Nyro.trade to ensure that the commitments made in the Privacy Policy are operationally effective and demonstrably compliant with Panamanian law.
4.1. Operationalizing Data Subject Rights (DSRs)
A policy is only as effective as the procedures that support it. To comply with Law 81, Nyro.trade must establish a formal, internal workflow for managing Data Subject Rights (DSR) requests.
Recommendation: Create a standardized process for handling all requests received at contact@nyro.trade. This process should be documented and include the following stages:
Intake and Logging: All incoming requests must be logged in a central register to track their status, deadline, and resolution.
Identity Verification: Implement a secure procedure to verify the identity of the person making the request. This is crucial to prevent unauthorized disclosure of personal data.
Execution and Coordination: Establish clear lines of communication with technical teams responsible for accessing, rectifying, or deleting data from production and backup systems.
Formal Response: Draft and send a comprehensive response to the user within the legally mandated timeframe, confirming the action taken or explaining any legal grounds for refusal (e.g., limitations on erasing blockchain data).
Having a documented and consistently followed procedure is essential evidence of accountability and will be invaluable in the event of an audit or inquiry from ANTAI.
4.2. Consent Management
Law 81 places a strong emphasis on the quality of consent. It must be "prior, informed, and unequivocal".
Recommendation: The user onboarding process must be designed to capture valid consent. This means avoiding pre-ticked boxes or bundling consent for data processing within a general acceptance of the Terms of Service. The best practice is to present a separate, unticked checkbox specifically for the Privacy Policy. The law requires that consent requests be "clearly distinguished from other matters". Furthermore, the system must be capable of logging the timestamp, user ID, and the specific version of the policy to which the user agreed. This creates a traceable audit trail of consent, as required by law.
4.3. Data Breach Response Plan
Under Panamanian law, there are strict obligations in the event of a data breach. Proactive planning is essential to mitigate legal and reputational risk.
Recommendation: Develop a formal Incident Response Plan that outlines the steps to be taken in the event of a security breach that compromises personal data.
Legal Requirements: Law 81 and its decree require the data controller to notify ANTAI within 72 hours of discovering the breach. Affected data subjects must also be notified "as soon as possible".
Plan Framework: The plan should, at a minimum, include:
Detection and Assessment: Procedures for identifying and quickly assessing the scope and severity of a breach.
Containment: Immediate technical steps to contain the breach and prevent further data loss.
Notification: A clear protocol for preparing and dispatching notifications. This should include pre-drafted templates for both ANTAI and users. The notification must describe the nature of the incident, the data compromised, corrective actions taken, and recommendations for users to protect themselves.
Post-Incident Review: A process for analyzing the cause of the breach to implement preventative measures.
The 72-hour notification deadline is a stringent requirement. Failure to comply can lead to significant penalties, which range from $1,000 to $10,000 USD and can include more severe sanctions for grave infractions. Having a well-rehearsed plan is the only way to ensure this critical obligation can be met.