springb2

Privacy Policy

Effective June 16, 2026

This Privacy Policy explains how springb2 Labs, Inc. (“springb2,” “we,” “our”) collects, uses, shares, and protects information when you use our platform (the “Service”). It applies to everyone who interacts with us, whether you have an account or not.

We are the “controller” of your personal data for the purposes of GDPR and the equivalent role under CCPA/CPRA. Our sub-processors act on our instructions; see Section 4.

1. Scope and definitions

“Personal data” means information that identifies you or could reasonably identify you. “Process” means any operation we perform on personal data — collecting, storing, accessing, using, disclosing, deleting, and so on.

This Policy covers springb2's websites, dashboards, public API, and email communications. It does not cover third-party sites we link to (their own policies apply) or the public blockchains we observe (their data is, by definition, public).

2. The data we collect

We collect different categories of data for different purposes:

2.1 Account data

  • Name, email address, password (stored as a bcrypt hash, never plaintext).
  • Allocator profile and accreditation self-attestation.
  • Sign-in history — device label parsed from the user-agent string, IP address at sign-in, time of each sign-in.

2.2 Compliance and AML

  • Source-of-funds attestations and any supporting documentation you submit.
  • Sanctions, PEP, and adverse-media screening results for you and for transaction counterparties or destination addresses.
  • Records of suspicious-activity escalations, including any reports filed with FinCEN, the FCA, or other competent authorities.

2.3 Transaction data

  • Deposit transaction hashes, deposit-address attribution metadata, allocation history, withdrawal addresses, yield credits, and statement records.
  • Public on-chain data we observe to verify your activity.

2.4 Telemetry

  • Server logs (IP, user-agent, request path and method, response status, latency) retained for security and operational troubleshooting.
  • Aggregate usage metrics that help us understand which features are used and where users get stuck. We do not run third-party advertising or marketing trackers.

3. How and why we use your data

We process personal data only when one of the lawful bases below applies. For users in the European Economic Area, United Kingdom, and Switzerland, we identify the lawful basis explicitly:

  • Performance of contract — to provide the Service: account creation, allocations, withdrawals, yield accounting, statements, support.
  • Legal obligation — to meet AML/CTF, sanctions, tax-reporting, and recordkeeping requirements.
  • Legitimate interests — to keep the platform secure (anomaly detection, sign-in alerts, fraud prevention), to improve the product (aggregated analytics), and to defend legal claims. We balance these interests against your rights and do not use legitimate-interest processing for sensitive activities.
  • Consent — for any optional processing where consent is the appropriate basis (e.g., marketing emails, if and when we add them). You can withdraw consent at any time.

4. Sub-processors

springb2 uses the sub-processors below to operate the Service. Each is bound by a written data-processing agreement that restricts how they may use your data. Counsel: confirm each DPA URL on launch.

Vendor | Purpose | Region
Vercel Inc. | Application hosting, edge networking, log retention. | United States (multi-region)
Supabase Inc. / Neon Inc. / AWS RDS | Managed Postgres database, point-in-time backups. | United States or European Union (configurable)
Resend Inc. | Transactional email delivery (sign-in alerts, statements, confirmations). | United States
CoinGecko | Indicative USD spot prices for AUM display and statements. | Singapore (no personal data shared)
Alchemy Insights, Inc. | Blockchain RPC for deposit confirmation and reorg detection. | United States (no personal data shared)
Sentry / Datadog | Error monitoring and performance telemetry. | United States or European Union (configurable)

We will update this list when sub-processors change. Material additions will be announced at least thirty (30) days in advance through our in-app notification system.

5. International transfers

springb2 operates infrastructure in multiple regions. When we transfer personal data out of the European Economic Area or the United Kingdom to a country without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (2021/914) or, for UK transfers, the UK International Data Transfer Addendum, in each case supplemented by the additional safeguards required by the Schrems II decision.

6. Retention

We keep personal data only as long as we need it. Specifically:

  • Account and transaction records — for the life of your account plus five (5) years after closure, in line with our recordkeeping obligations under the Bank Secrecy Act (31 C.F.R. § 1010.430) and equivalent regimes.
  • AML monitoring records — for at least five (5) years following the date of the relevant report or investigation.
  • Server logs — for ninety (90) days, after which they are aggregated or deleted.
  • Marketing consent records — until you withdraw consent or three (3) years after our last meaningful interaction with you, whichever is later.

After the relevant retention period elapses, we delete or anonymise the data. Anonymised data may be retained indefinitely for analytics and product improvement.

7. Your rights

Depending on where you live, you have some or all of the following rights. We honour each of them within thirty (30) days of receiving a verifiable request, or sooner where the law requires.

7.1 Rights for everyone

  • Access — request a copy of the personal data we hold about you. You can self-serve from Settings → Privacy to download a JSON export.
  • Correction — ask us to correct inaccurate or incomplete data. Most fields are editable from your dashboard.
  • Deletion — request that we delete your data, subject to the recordkeeping obligations described in Section 6.
  • Portability — receive your data in a structured, machine-readable format (JSON via the export above).

7.2 Additional GDPR rights

  • Restriction — ask us to limit how we process your data while you contest its accuracy or our lawful basis.
  • Objection — object to processing based on legitimate interests; we will stop unless we can show compelling overriding grounds.
  • Withdraw consent — at any time, where consent is the basis for processing.
  • Lodge a complaint — with your national data-protection authority. You can find yours at edpb.europa.eu.

7.3 Additional CCPA/CPRA rights (California residents)

  • Know what categories of personal data we collect and the purposes for which we use them. See Sections 2 and 3.
  • Delete personal data we collected from you, subject to statutory retention obligations.
  • Correct inaccurate personal data.
  • Opt out of the “sale” or “sharing” of personal data. springb2 does not sell or share personal data as those terms are defined in CCPA/CPRA.
  • Limit use of sensitive personal information. We use sensitive personal data only for the disclosed purposes — AML and fraud prevention — and not for inferring traits or for targeted advertising.
  • Non-discrimination — we will not deny service or charge a different price because you exercised a privacy right.

To exercise any right, email privacy@springb2.com or use the Settings → Privacy controls. We may need to verify your identity before we act on a request.

8. Children

The Service is not intended for, and we do not knowingly collect personal data from, anyone under 18. If you believe a minor has provided us with personal data, contact us and we will delete the relevant records.

9. Security

We protect personal data with administrative, technical, and physical safeguards:

  • TLS 1.2+ in transit; AES-256 at rest in the managed database.
  • Passwords stored as bcrypt hashes (cost factor 10).
  • A 24-hour cooling period for new withdrawal addresses before they can be used.
  • Strict role-based access control on the operations console; every administrative action is signed by an authenticated admin.
  • HTTP Strict-Transport-Security, Content-Security-Policy, and frame-ancestors header preset on every response.
  • Sub-processor selection criteria include independent audit coverage (SOC 2, ISO 27001, or equivalent).

No system is invulnerable. If we ever become aware of a breach affecting your personal data, we will notify you and the appropriate authorities within the timelines required by applicable law (72 hours for GDPR notifications to supervisory authorities, where applicable).

10. Cookies and similar technologies

We set a strictly necessary session cookie to keep you signed in. We do not run advertising or marketing cookies. See our Cookie Notice for the full list and how to manage them.

11. Automated decision-making

Sanctions screening relies in part on automated systems. We always provide a path to human review on request, and we will not refuse service based solely on an automated decision without giving you the opportunity to contest it.

12. Changes to this Policy

We may update this Policy from time to time. Material changes will be announced by email and via an in-app notification at least thirty (30) days before they take effect. The “effective date” at the top reflects the most recent version.

13. Contact us

For privacy questions or rights requests, contact privacy@springb2.com.