Toto Privacy Policy

Last updated: February 2026

This Privacy Policy explains how Toto Finance Inc. collects, uses, stores, and protects personal data in connection with its platform and services.

Toto Finance Inc. is a U.S.-based infrastructure company providing technology for the tokenization, settlement, and lifecycle management of real-world assets, including commodities, metals, energy-related assets, and in-ground reserves.

This policy applies to:

• Websites and digital platforms
• Investor, partner, and user onboarding
• Use of services and infrastructure
• Communications with Toto Finance

Data controller

Toto Finance Inc.
447 Broadway, 2nd Floor, 3342, New York, NY 10013, United States

Local representatives or regulated partners may be appointed where required by law.

Data Protection Officer: dpo@totofinance.co

Information we collect

Personal information: Name; email address; phone number; company name; role and professional information; identification documents where required for compliance.

Account and transaction information: Wallet addresses; transaction identifiers; account credentials; access logs; asset ownership or participation records.

Technical and usage information: IP address; browser type; device identifiers; log files; platform interaction data; security and access monitoring data.

Communications: Emails; messages; meeting correspondence; investor or partner communications; support inquiries and responses.

How we use information

Service provision: Operate, maintain, and improve the platform and services.

Compliance and risk management: Meet legal, regulatory, KYC/AML, and sanctions obligations.

Security and integrity: Prevent fraud, unauthorized access, and misuse of the platform.

Business operations: Manage relationships with investors, partners, and asset owners.

Communications: Provide updates, respond to inquiries, and manage contractual relationships.

Personal data is not sold.

Automated decision-making: Automated systems may be used for compliance screening such as sanctions checks and KYC verification. Users may request human review of automated decisions that significantly affect them.

Legal basis for processing

Contract performance: Account creation, transaction processing, and service delivery.

Legal obligations: KYC/AML verification, sanctions screening, and regulatory reporting.

Legitimate interests: Platform security, fraud prevention, and service improvement.

Consent: Marketing communications and optional analytics.

Legitimate interests are balanced against user rights and interests.

Sharing and disclosure

We may share data with service providers and partners, including:

• Identity verification and KYC/AML providers
• Blockchain analytics providers
• Cloud infrastructure and hosting services
• Custody and settlement partners
• Legal and compliance advisors
• Audit and accounting firms

Data may be disclosed to comply with applicable laws or lawful requests.

Data may be shared during mergers, acquisitions, financing, or restructuring with appropriate safeguards.

Non-identifiable data may be used for analytics, research, or reporting.

International data transfers

Personal data may be transferred internationally, including to the United States and Europe.

Transfer safeguards include:

• Standard Contractual Clauses approved by the European Commission
• Binding Corporate Rules where applicable
• Explicit user consent for specific transfers

For details, contact privacy@totofinance.co.

Data security

We implement measures including:

• Access controls and role-based permissions
• Encryption in transit and at rest
• Secure data storage and transmission
• Security monitoring and logging
• Regular security assessments and audits

Absolute security cannot be guaranteed, but data protection practices are continuously reviewed.

Data retention

• Account and identity information: Duration of account plus 7 years
• Off-chain transaction records: 7 years from transaction date
• On-chain transaction records: Permanent due to blockchain immutability
• KYC/AML documentation: 7 years after relationship ends
• Communications and support: 3 years from last contact
• Technical logs: 12 months
• Marketing preferences: Until consent is withdrawn

Retention may be extended for legal, regulatory, or litigation reasons.

Your rights

You may have the right to:

• Access: Request a copy of personal data
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request erasure of personal data
• Restriction: Request limitation of processing
• Portability: Receive data in a structured, machine-readable format
• Objection: Object to processing based on legitimate interests
• Withdraw consent: Where applicable
• Automated decisions: Request human review of automated decisions

How to exercise: Contact privacy@totofinance.co. We aim to respond within 30 days or as required by law. Identity verification may be required before processing requests.

You have the right to complain to a supervisory authority, including:

• Liechtenstein Data Protection Office
• EU/EEA national Data Protection Authority
• UK Information Commissioner's Office
• Swiss Federal Data Protection and Information Commissioner

Cookies and tracking

• Strictly necessary: Platform functionality, security, and authentication (Session)
• Analytics: Understand platform usage and performance (Up to 12 months)
• Preferences: Remember user settings and choices (Up to 12 months)

No third-party advertising cookies are used.

Cookie preferences can be managed through browser settings.

Children's data

Services are not intended for individuals under 18 years of age.

Any personal data collected from minors will be deleted promptly.

Changes to this policy

This policy may be updated to reflect service, operational, or legal changes. Changes are effective upon posting.

Material changes may be communicated via platform or email.

Regional provisions

California (CCPA / CPRA)

You may have the right to: know what personal information is collected, used, and shared; delete personal information; opt out of sale or sharing; and non-discrimination.

Personal information is not sold or shared for cross-context behavioral advertising.

EEA / UK (GDPR, UK GDPR)

See the user rights and legal bases sections above. Contact privacy@totofinance.co.

Switzerland

Processing may be subject to the Federal Act on Data Protection. You may contact the Federal Data Protection and Information Commissioner.

Contact information

• General inquiries: hello@totofinance.co
• Privacy and data protection: privacy@totofinance.co
• Data Protection Officer: dpo@totofinance.co