Cayman Islands Privacy Policy For Paradex Foundation

Version dated: 05 March 2026
  1. Introduction AND PURPOSE
    1. In the course of business, Paradex Foundation (the "Company") and its service providers obtain personal information about individuals, including natural persons who are developers, contractors customers, directors, advisors and others. This information may come from sources such as  written, electronic or verbal correspondence, transactional documents, documents provided further to the "know your customer", anti-money laundering and other regulatory requirements, and/or from information captured on websites. 
    2. As the Company is registered and established in the Cayman Islands, the DPA applies to the processing by the Company of this information to the extent it constitutes Personal Data.  
    3. The purpose of this policy is to set out how we, and persons processing Personal Data on our behalf, shall handle Personal Data, including that of our clients, service providers, and other relevant third parties. This policy covers Personal Data held by us, and by third parties processing Personal Data on our behalf, regardless of the media on which that data are stored. 
    4. The Company is committed to the lawful processing of Personal Data, and to upholding the confidentiality, integrity, and security of Personal Data. Compliance with this policy is therefore mandatory.
    5. This Policy applies to the Company and shall be reviewed and updated as and when required but at least annually. It should be read in conjunction with the Company's Privacy Notice (attached at Appendix 2).
  2. Definitions
    1. "Service Provider" means any service provider engaged by the Company;
    2. "data controller" has the meaning given in the DPA;
    3. "data subject" has the meaning given in the DPA; 
    4. "DPA" means the Data Protection Act of the Cayman Islands (as revised and amended);
    5. "Personal Data" has the meaning given in the DPA. Examples of Personal Data include an individual's name, address, email address, date of birth, passport details or other national identifier, driving licence number, national insurance or social security number, income, employment information, tax identifier and tax residence, account numbers, and economic information. It also includes data which, when aggregated with other data, enables an individual to be identified, such as an IP address and geolocation data; 
    6. "Processing" has the meaning given in the DPA. It is widely construed and includes obtaining, recording and holding data, as well as carrying out any operation on Personal Data, such as sharing, destroying and mining the Personal Data; and 
    7. "we", "us" and "our" in this policy refer to the Company.  
  3. The DPA, the role of the Company and Service Providers  
    1. The Company is the decision maker as to the purposes, conditions and manner in which Personal Data are processed, and as such, is a data controller. This is so even though the Company may appoint third parties to carry out certain processing operations in relation to Personal Data. 
    2. Any service providers appointed on behalf of the Company have confirmed in writing that they shall only act in accordance with the instructions of the Company and that appropriate arrangements related to the security of any processing undertaken by that service provider. Appropriate arrangements have also been put in place for any cross border processing of personal data. 
    3. The Company may be a data controller jointly with another person where that person is also a decision maker. As a data controller, whether joint or sole, the Company recognises we are responsible and accountable for compliance with the DPA.    
    4. The Foundation Operations Team are the relevant point of contact for any correspondence, issues or queries related to the DPA. All escalations related to data breaches and or subject access requests (as discussed below) shall be made to info@paradex.foundation.    
  4. Ombudsman
    1. The Ombudsman is the supervisory authority of the Cayman Islands for oversight of the DPA. The primary roles of the Ombudsman are to investigate, mediate and make determinations on complaints made by data subjects.  The Ombudsman also provides guidance to data controllers and data subjects through publishing information resources and template documentation. 
    2. The Ombudsman also has the power to impose monetary penalties under the DPA for serious contraventions. Information orders and enforcement orders can also be imposed. 
    3. In the case of a data breach as further described below, a report must be made by the Company to the Ombudsman. The Ombudsman's recommended form for breach notification is included at Appendix 1. 
    4. The Foundation Operations team are responsible for considering any notifications received from staff or persons providing services to the Company and determining if a data breach notification is required to be made to the Ombudsman. 
  5. Data Protection Principles
    1. The Company is committed to processing Personal Data in accordance with the data protection principles set out in the DPA.
    2. The Company requires all persons processing Personal Data on our behalf to adhere to these principles which are:
      1. First Principle: personal data shall be processed fairly, and only if at least one of the conditions set out in paragraphs 1 to 6 of Schedule 2 of the DPA is met. When the data is sensitive personal data (as defined), additional conditions must be met. 
      2. Second Principle: personal data shall only be obtained for one or more specified lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
      3. Third Principle: personal data shall be adequate, relevant and not excessive in relation to the purposes.
      4. Fourth Principle: personal data shall be accurate and, where necessary, kept up to date.
      5. Fifth Principle: personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
      6. Sixth Principle: personal data shall be processed in accordance with the rights of data subjects under the DPA.
      7. Seventh Principle: appropriate technical and organizational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
      8. Eighth Principle: personal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
  6. The rights of data subjects  
    1. The Company recognises that individual data subjects have specific rights conferred on them by the DPA, including:
      1. the right to be informed about the purposes for which the individual's Personal Data are processed;
      2. the right to access the individual's Personal Data (known as a “subject access request”) - where a request is received on or behalf of a data subject pursuant to this right, it should be reported;  
      3. the right to restrict the processing of the individual's Personal Data;
      4. the right to have incomplete or inaccurate Personal Data corrected;
      5. the right to ask the Company to stop processing the individual's Personal Data; 
      6. the right to be informed of a Personal Data breach (unless the breach is unlikely to be prejudicial);
      7. the right to complain to the Data Protection Ombudsman; and
      8. the right to require the deletion of the individual's Personal Data in some limited circumstances. 
    2. In relation to the above rights, the Company:
      1. has disclosed the purposes for processing individuals' Personal Data in the Company's data protection notice; 
      2. will act on a legitimate request from a data subject promptly; and
      3. will disclose breaches in accordance with the DPA.        
  7. Subject access requests
    1. As mentioned above at 6.1 (b), individual data subjects have the right to access their own personal data and receive information about its use. All subject access requests received should be directed to The Foundation Operations team info@paradex.foundation.
    2. The Foundation Operations team will consider whether (i) the relevant request manifestly unfounded or excessive; and (ii) any of the relevant exemptions apply. The relevant exemptions include:
      1. the personal data is processed for crime prevention, detection or investigation;
      2. the personal data is processed for monitoring, inspection or a regulatory function (to the extent that applying it would be likely to prejudice the discharge of the function); 
      3. the data is processed for purposes of corporate finance and the application of the provision could affect the price of a financial instrument, or for the purpose of safeguarding an important economic or financial interest of the Cayman Islands; 
      4. the personal data consists of intentions in regard to any negotiations with the individual which would be prejudiced by the processing; and
      5. the personal data is being processed for legal or trust purposes.
    3. The Foundation Operations team will consider and balance the rights of any third party individual whose Personal Data may be affected by a subject access request before proceeding to comply with the subject access request.
    4. Such a request must be made in writing. However, a request does not have to include the phrase "subject access request" or refer to the DPA, as long as it is clear that the individual is asking for their own personal data. This may present a challenge as any staff could receive a valid request. 
    5. If the subject access request is legitimate, a copy of the personal data must be provided within a 30 day deadline. An individual is only entitled to their own personal data and certain information about the data, but not to information relating to other people (unless the information is also about them or they are acting on behalf of someone else). Therefore, it is important to vet and potentially redact the information provided. No fee can be imposed for providing a copy of the personal data, except in exceptional circumstances. Details of subject access requests received should be recorded. Cayman counsel can advise further if required.
  8. Lawfulness, fairness and transparency
    1. The Company recognises that Personal Data must be processed lawfully, fairly and in a manner that is transparent to the individual whose Personal Data is being processed. We also recognise that Personal Data may only be processed for specified and legitimate purposes and not further processed in a manner that is incompatible with those purposes. 
    2. The basis for the Company's processing of Personal Data, including the purposes for which Personal Data are processed and the persons with whom Personal Data are shared, are disclosed in a data protection notice issued to clients. In summary, the Company processes Personal Data: where it is necessary to perform contracts to which the data subjects are party or in the interests of the data subjects; where the processing is necessary for compliance with an applicable legal or regulatory obligation to which the Company is subject; and for the Company's legitimate interests, or those of a third party. 
    3. The Company only relies on these legitimate interests where it is considered that, on balance, the Company's legitimate interests are not overridden by data subjects' interests, fundamental rights or freedoms. 
    4. The Company prohibits any processing for purposes not already disclosed in the notice unless the purpose is obvious. The Company also prohibits disclosure to third parties not already specified in the notice unless such disclosure would be lawful. The Company does not buy or sell Personal Data or otherwise seek to monetise it, and require those acting on our behalf to act accordingly.
  9. Purpose limitation, data minimisation and accuracy
    1. The Company requires that Personal Data be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. Irrelevant or unnecessary data must not be collected and, if collected, it must be deleted without delay.
    2. The Company also requires that Personal Data be accurate and, where necessary, kept up to date. Any inaccurate Personal Data must be erased or rectified without delay.
    3. Personal Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal Data is processed. If there is no longer any legal, regulatory or legitimate business purpose to keep Personal Data, the Company requires that the data be erased or anonymised. 
  10. Storage limitation
    1. The Company keeps Personal Data for as long as the Company requires it for legitimate business purposes, to perform contractual obligations, or such longer period as is required by law or regulation. The Company will generally retain Personal Data relating to clients and their customers throughout their engagement with us. Some Personal Data will be retained after our relationship with you ends. 
    2. As a general principle, the Company does not retain Personal Data for longer than necessary. The Company will usually delete the relevant Personal Data (at the latest) after our relationship with you ceases and there is no longer any legal or regulatory requirement or business purpose for retaining that Personal Data.
  11. Security, integrity and confidentiality
    1. The Company takes seriously the obligation that Personal Data be processed in a manner that ensures the security of the Personal Data. This is particularly the case given the data may include financial information, and evidence of identity. The Company recognises that protection against unauthorised or unlawful processing and against accidental loss, destruction or damage is critical. 
    2. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the rights and freedoms of individuals, the Company implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, and requires those processing Personal Data on its behalf to do so.
  12. Breach/INTERNAL COMMUNICATION AND CORRESPONDENCE WITH THE OMBUDSMAN
    1. The Company, and those processing Personal Data on the Company's behalf, must have effective measures in place to enable the detection, investigation, and (where appropriate) timely reporting by the Company to the Ombudsman (and impacted individuals) of Personal Data breaches. 
    2. If there is a Personal Data breach, the Company will, without undue delay and, in any event, not later than five (5) days after having become aware, notify the personal data breach to the Ombudsman and the impacted individuals. As also set out above the Ombudsman's recommended form for breach notification is included at Appendix 1. 
    3. The Foundation Operations on behalf of the Company will also specify in such notice the measures taken in light of the breach, and those which individuals are recommended to take. The Company will only refrain from reporting where the Personal Data breach is unlikely to result in a risk to the rights and freedoms of natural persons. 
    4. The Company, and those processing Personal Data on the Company's behalf, shall document any Personal Data breaches, setting out the facts relating to the Personal Data breach, its effects and the remedial action taken. Given that trust is of paramount importance to the Company's business, it is critical that the breach be appropriately investigated and reported without delay.
    5. Staff and those associated with the Company should make breach notifications as soon as possible after becoming aware of them to the Foundation Operations team.
    6. The Foundation Operations team is responsible for considering any notifications and making any breach notifications to the Ombudsman.
    7. Failing to notify a breach when required to do so is an offence under the DPA and can result in a conviction and a fine of up to one hundred thousand dollars. Failing to notify may also be subject to a monetary penalty imposed by the Ombudsman.
    8. As with any security incident, the Company should investigate whether the breach was a result of human error or a systemic issue and see how a recurrence can be prevented – whether this is through better processes, further training or other corrective steps. Cayman counsel can advise further on data breaches if required.
  13. Cross-border transfer 
    1. The DPA requires specific measures to be taken where there is any transfer of Personal Data to jurisdictions which do not have a level of data protection comparable to that of the Cayman Islands. The Company commits to transferring Personal Data to such jurisdictions only where they are satisfied that specific measures have been taken to ensure an adequate level of protection for data subjects and their Personal Data.
    2. In particular, the Company will require any such data transfers be performed pursuant to appropriate contractual terms. These provisions may be addressed in agreements with service providers. The Company will reserve the right to audit the measures put in place by the transferee so as to ensure an adequate degree of protection for data subjects and any Personal Data transferred.  

APPENDIX 1
Please complete this form to the extent possible when notifying a personal data breach to the Office of the Ombudsman.
Please submit the completed form to: info@ombudsman.ky
Download Form

APPENDIX 2

PARADEX FOUNDATION – PRIVACY NOTICE

The purpose of this document is to provide you with information on the use of your personal data in accordance with the Cayman Islands Data Protection Act (as amended) and, in respect of any EU data subjects, the EU General Data Protection Regulation (together, the “Data Protection Legislation”).

Your personal data

By virtue of providing us with personal information on individuals connected with you (for example directors, trustees, employees, representatives, shareholders, investors, clients, beneficial owners or agents), you will provide us with certain personal information which constitutes personal data within the meaning of the Data Protection Legislation. We may also obtain personal data on you from other publicly accessible directories and sources.

This includes information relating to you and/or any individuals connected with you such as: name, residential address, email address, contact details, corporate contact information, signature, nationality, place of birth, date of birth, tax identification, credit history, correspondence records, passport number, bank account details.

How we may use your personal data

We, to the extent we are a data controller under the Data Protection Legislation, may collect, store and use your personal data for purposes including the following:

The processing is necessary for the performance of a contract, including:

The processing is necessary for compliance with applicable legal or regulatory obligations, including:

The pursuit of our legitimate interests, or those of a third party to whom your personal data may be disclosed, including:

We will only process your personal data in pursuing our legitimate interests where we have considered that the processing is necessary and, on balance, our legitimate interests are not overridden by your legitimate interests, rights or freedoms.

Sharing your personal data 

We may share your personal data with our Affiliates and delegates. In certain circumstances we may be legally obliged to share your personal data and other financial information with relevant regulatory authorities such as the Cayman Islands Monetary Authority or the Tax Information Authority. They, in turn, may exchange this information with foreign authorities, including tax authorities and other applicable regulatory authorities. In exceptional circumstances, we will share your personal data with regulatory, prosecuting and other governmental agencies or departments, and parties to litigation (whether pending or threatened) in any country or territory.

Our Affiliates and delegates may process your personal data on our behalf, including with our banks, accountants, auditors and lawyers which may be data controllers in their own right.  Our service providers are generally processors acting on our instructions. Additionally, a service provider may use your personal data where this is necessary for compliance with a legal obligation to which it is directly subject. The service provider, in respect of this specific use of personal data, may be deemed to be acting as a data controller. 

Sending your personal data internationally 

Due to the international nature of our business, your personal data may be transferred to jurisdictions that do not offer equivalent protection of personal data as under the Data Protection Legislation. In such cases, we will process personal data or procure that it be processed in accordance with the requirements of the Data Protection Legislation. 

Retention and deletion of your personal data

We will keep your personal data for as long as it is required by us. For example, we may require it for our legitimate business purposes, to perform our contractual obligations, or where law or regulation obliges us to. Some personal data will be retained after your relationship with us ends.  We expect to delete your personal data (at the latest) once there is no longer any legal or regulatory requirement or legitimate business purpose for retaining your personal data.

Automated decision-making

We will not take decisions producing legal effects concerning you, or otherwise significantly affecting you, based solely on automated processing of your personal data, unless we have considered the proposed processing in a particular case and concluded in writing that it meets the applicable requirements under the Data Protection Legislation. 

Your rights 

You have certain data protection rights, including the right to:

Contact us 

We are committed to processing your personal data lawfully and to respecting your data protection rights. Please contact us at info@paradex.foundation if you have any questions about this notice or the personal data we hold about you marking your communication “[YOUR NAME] – Data Protection Enquiry”.

Heading 1

Heading 3

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.

Ordered list

  1. Item 1
  2. Item 2
  3. Item 3

Unordered list

Text link

Bold text

Emphasis

Superscript

Subscript

EcosystemDocsBlog
© 2026 Paradex Foundation. All rights reserved.
Terms Of ServicePrivacy Policy