Privacy Policy
NETTYWORTH PRIVACY POLICY
Nettyart Corporation d/b/a NettyWorth
Effective Date: July 03, 2026 | Last Updated: July 03, 2026
1. Overview
This Privacy Policy describes how Nettyart Corporation d/b/a NettyWorth ("NettyWorth," "we," "us," or
"our") collects, uses, shares, and protects personal data when you use the NettyWorth platform, website,
mobile applications, and related services (collectively, the "Service") at www.nettyworth.io.
This Policy applies globally and has been designed to comply with major privacy frameworks including the
EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act and
California Privacy Rights Act (CCPA/CPRA), Brazil's Lei Geral de Protecao de Dados (LGPD), Canada's
Personal Information Protection and Electronic Documents Act (PIPEDA), and other applicable laws.
Jurisdiction-specific provisions are set out in Section 14 onward.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do
not agree, please do not use the Service.
2. Who We Are
Legal Entity: Nettyart Corporation d/b/a NettyWorth
Address: 55 NW 29th Ave, #1206, Miami, FL 33125, United States
Privacy Contact: [email protected]
Data Controller (GDPR/UK GDPR): NettyWorth is the data controller for personal data processed
through the Service.
NettyWorth does not currently have a designated EU or UK representative. EU/UK users with privacy
concerns may contact us directly at [email protected]. We will respond within the timeframes
required by applicable law.
3. Definitions
The following key terms are used throughout this Policy:
• Account: A registered user account on the Service.
• Asset: A physical collectible (currently PSA-graded trading cards) stored in a vault facility and corresponding to a Digital Token.
• Blockchain Data: Transaction data recorded on a public blockchain network, including wallet addresses and token transfer history. Blockchain data is public and immutable -- see Section 12.
• CCPA/CPRA: The California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 and implementing regulations.
• Digital Token: A blockchain-based non-fungible token (NFT) representing ownership of a
corresponding physical Asset in vault custody.
• GDPR: The EU General Data Protection Regulation (Regulation 2016/679).
• KYC Data: Identity verification data collected for know-your-customer and anti-money laundering
compliance.
• LGPD: Brazil's Lei Geral de Protecao de Dados Pessoais (Law No. 13,709/2018).
• Personal Data: Any information that identifies or can reasonably be used to identify a natural
person, directly or indirectly.
• PIPEDA: Canada's Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5).
• Sensitive Personal Information (SPI): Personal data requiring heightened protection, including government ID numbers, financial account information, biometric data, health data, and data about race, religion, or sexual orientation.
• UK GDPR: The UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018.
• Wallet Address: A public cryptographic identifier used to send and receive digital assets on a blockchain.
4. Data We Collect
4.1 Registration and Account Data
• Full legal name, email address, phone number
• Mailing address (for asset redemption and shipping)
• Username and password (stored in hashed form)
• Date of birth (for age verification -- Service is 18+ only)
4.2 Identity Verification (KYC) Data
To comply with anti-money laundering (AML) and know-your-customer (KYC) obligations, we collect:
• Government-issued photo identification (passport, driver's license, national ID)
• Proof of address documentation
• Facial image / selfie for identity matching
• KYC verification status and compliance records
KYC data is processed by our third-party KYC provider under a data processing agreement. Retention is
subject to AML regulations (typically 5 years from end of relationship).
4.3 Blockchain and Wallet Data
• Wallet address(es) you connect to or create through the Service
• Digital Token ownership and transfer history (publicly recorded on-chain)
• Transaction history on the NettyWorth Marketplace and Lending features
IMPORTANT: Wallet addresses and transaction data recorded on a public blockchain are publicly visible
and cannot be deleted. See Section 12.
4.4 Financial and Transaction Data
• Payment card details (processed by our PCI-DSS-compliant payment processor -- we do not
store card numbers)
• Transaction amounts, dates, and counterparty information
• Buyback transaction records; loan and repayment history
• Account balance and transaction history
4.5 Physical Asset and Vault Data
• PSA certification numbers for cards held in vault
• Card-level ledger mapping linking cert numbers to Digital Tokens and token holder accounts
• Redemption requests and shipping information
4.6 Usage and Technical Data
• IP address and approximate geolocation (country/region)
• Browser type, device type, operating system
• Pages visited, session duration, referring URL
• Unique device identifiers and log data
4.7 Communications and Marketing Data
• Support messages and correspondence
• Email marketing preferences and engagement data
4.8 Data We Do Not Collect
We do not intentionally collect: biometric identifiers (in the legal sense), health or medical data, racial or
ethnic origin data, religious beliefs, trade union membership, sexual orientation data, or criminal
conviction data beyond what is required for AML compliance screening.
5. How We Use Your Data
• Service delivery: Account management; Pack purchases; Marketplace and Lending transactions;
Buyback processing; vault custody and asset redemption; card-level ledger maintenance.
• Identity verification and compliance: KYC/AML verification; sanctions screening; compliance with financial regulations.
• Payments and fraud prevention: Payment processing; fraud detection and chargeback management.
• Security: Detecting and preventing unauthorized access, fraud, and abuse.
• Communications: Transactional notifications; support responses.
• Marketing: Newsletters and promotional content (where consented or where we have a legitimate
interest and you have not opted out). You may opt out at any time.
• Analytics and improvement: Usage analysis; testing new features; technical diagnostics.
• Legal compliance: Responding to lawful requests; enforcing Terms of Service; complying with regulations.
• Business transfers: Evaluating or executing mergers, acquisitions, or asset sales.
6. Legal Basis for Processing (GDPR and UK GDPR)
For users in the EEA or UK, we process personal data on the following legal bases:
Performance of a contract (Art. 6(1)(b)): Processing necessary to provide the Service, process
transactions, and fulfill our obligations -- including account management, transactions, vault custody, and
asset redemption.
Legal obligation (Art. 6(1)(c)): KYC/AML compliance, tax reporting, financial recordkeeping, and lawful
regulatory/law enforcement requests.
Legitimate interests (Art. 6(1)(f)): Fraud prevention, security, analytics, product improvement, and direct
marketing to existing users. We have conducted balancing tests and concluded our interests are not overridden.
Consent (Art. 6(1)(a)): Marketing to new users, non-essential cookies, and other consent-based activities. Consent may be withdrawn at any time.
7. Data Retention
Account data: Duration of account plus 7 years after closure.
KYC/AML data: 5 years from end of customer relationship (or longer per applicable law).
Transaction records: 7 years from the date of transaction.
Vault and card ledger data: Duration of vault custody plus 7 years after final redemption.
Support records: 3 years (or longer if needed for pending disputes).
Marketing data: Until opt-out or consent withdrawal, plus 1 year for suppression records.
Usage/technical data: 13 months; aggregated analytics retained indefinitely.
Blockchain data: Permanently public; cannot be deleted. See Section 12.
8. How We Share Your Data
We do not sell personal data for monetary consideration. We may share personal data as follows:
Service Providers: KYC providers, payment processors, cloud infrastructure, analytics, email platforms,
and vault partners (PSA, Brinks/Alt) -- all under written data processing agreements.
Vault Partners: PSA cert numbers and card-level ledger data shared with vault custody partners as
necessary for storage, insurance, and redemption.
Law Enforcement and Regulators: Lawful requests from courts, regulators, and law enforcement;
mandatory AML/KYC reporting.
Business Transfers: In connection with a merger, acquisition, or asset sale. We will notify you before
data becomes subject to a different privacy policy.
Safety: Where necessary to prevent serious harm.
With Your Consent: Any other sharing with your explicit consent.
9. International Data Transfers
NettyWorth is headquartered in the United States. If you are outside the US, your data will be transferred
to and processed in the US, where data protection laws may differ from your jurisdiction.
For transfers from the EEA or UK, we rely on:
• EU Standard Contractual Clauses (Commission Decision 2021/914) and UK International Data
Transfer Agreements (IDTAs) as the primary transfer mechanism.
• Adequacy decisions where available.
• Technical supplementary measures (encryption, pseudonymization) where required.
To request information about transfer safeguards applicable to your data, contact [email protected].
10. Security
We implement industry-standard security measures including: TLS encryption in transit and encryption at
rest; role-based access controls and multi-factor authentication; regular security assessments; and
incident response procedures.
No method of transmission or storage is 100% secure. In the event of a data breach posing risk to your
rights and freedoms, we will notify you and applicable regulators within the timeframes required by law
(72 hours under GDPR/UK GDPR).
11. Cookies and Tracking Technologies
We use cookies and similar technologies. EEA and UK users will be presented with a cookie consent
banner on first access. You may accept, reject, or customize non-essential cookies at any time via the
cookie settings link in our website footer.
Strictly Necessary: Required for authentication and security. No consent required.
Functional: Personalization and saved preferences. Require consent.
Analytics: Usage analysis to improve the Service. Require consent.
Marketing: Interest-based advertising measurement. Require consent. We do not currently serve
third-party advertising.
Global Privacy Control (GPC): We honor GPC signals as a valid opt-out of the sale and sharing of
personal data for cross-context behavioral advertising, as required under CPRA.
12. Blockchain, On-Chain Data, and Deletion Rights
Public visibility: Wallet addresses and transaction details are recorded on a public blockchain and are
visible to anyone. This is inherent to blockchain technology.
Immutability: Blockchain records cannot be altered or deleted once confirmed. On-chain data -- including
wallet addresses, token transfers, and marketplace activity -- is permanently public and cannot be erased.
Effect on deletion rights: Where you exercise an erasure right, we will delete all off-chain personal data
subject to erasure. We cannot delete on-chain data and will inform you of this limitation when processing
your request.
Wallet pseudonymity: Wallet addresses are treated as personal data and protected accordingly.
Card-level ledger: Maintained off-chain on our servers and fully subject to data protection rights.
13. KYC/AML Data and Financial Regulation
Access to Pack purchases, Marketplace, and Lending features requires identity verification. We collect
KYC data solely for AML/KYC/CTF compliance. KYC data is not used for marketing. Retention is
governed by AML regulations (typically 5 years from end of relationship) regardless of any deletion
request.
We may share KYC data with regulators, law enforcement, and financial intelligence units as required by
law, including under the Bank Secrecy Act (US), EU Anti-Money Laundering Directives, and equivalent
laws.
14. Your Privacy Rights
Depending on your location, you have the rights described below. To exercise any right, contact
[email protected]. We will verify your identity before processing your request.
14.1 EU/EEA Users (GDPR)
• Access (Art. 15): Obtain a copy of your personal data and processing information.
• Rectification (Art. 16): Correct inaccurate or incomplete data.
• Erasure (Art. 17): Request deletion, subject to legal obligations and blockchain immutability
(Section 12).
• Restriction (Art. 18): Restrict processing in certain circumstances.
• Portability (Art. 20): Receive your data in machine-readable format.
• Object (Art. 21): Object to legitimate-interest or direct marketing processing.
• Automated decisions (Art. 22): Not to be subject to solely automated decisions with significant
effects; request human review.
• Withdraw consent: At any time, without affecting prior processing.
• Complaint: Lodge a complaint with your national EEA data protection authority.
Response time: 30 days, extendable by 2 months for complex requests.
14.2 UK Users (UK GDPR)
UK users have equivalent rights under the UK GDPR and Data Protection Act 2018. To lodge a complaint,
contact the Information Commissioner's Office (ICO) at www.ico.org.uk.
14.3 California Residents (CCPA/CPRA)
• Right to know: Categories and specific pieces of personal information collected in the past 12
months.
• Right to delete: Deletion of personal information, subject to exceptions.
• Right to correct: Correction of inaccurate personal information.
• Right to opt out of sale/sharing: See Section 16.
• Right to limit use of sensitive personal information.
• Right to non-discrimination.
• Authorized agents: You may designate an agent with written authorization.
Response time: 45 days, extendable by 45 days with notice.
14.4 Brazilian Users (LGPD)
• Confirmation of processing and data access
• Correction of incomplete, inaccurate, or outdated data
• Anonymization, blocking, or deletion of unnecessary data
• Data portability
• Deletion of consent-based data
• Information about third-party sharing
• Revocation of consent
• Complaint to Brazil's ANPD
14.5 Canadian Users (PIPEDA)
Canadian users may access personal information we hold, challenge its accuracy, and complain to the
Office of the Privacy Commissioner of Canada at www.priv.gc.ca.
14.6 Other Jurisdictions
Users in other jurisdictions with applicable privacy rights (including Australia under the Privacy Act 1988,
Japan under the APPI, South Korea under PIPA, Singapore under the PDPA, and others) may contact
[email protected] to exercise applicable rights. We will respond in accordance with applicable law.
15. Children's Privacy
The Service is exclusively for users 18 years of age or older. We do not knowingly collect personal data
from anyone under 18. If you believe a minor has provided us with personal data, contact
[email protected]. We will promptly delete any data collected from users under 18.
16. Do Not Sell or Share My Personal Information
NettyWorth does not sell personal information to third parties for monetary consideration, and does not
share personal information for cross-context behavioral advertising as defined under CPRA.
We may share personal information with service providers for business purposes under contracts that
prohibit use for any other purpose. This does not constitute a 'sale' or 'sharing' under CCPA/CPRA.
We honor Global Privacy Control (GPC) signals as opt-out requests. If our practices change, we will
update this Policy, add a 'Do Not Sell or Share' link to our homepage, and provide 30 days' advance
notice.
To exercise your opt-out right: [email protected].
17. Automated Decision-Making
We use automated processes for:
• KYC verification: Automated document and facial matching. Negative results affecting Service
access may be appealed by contacting [email protected] for human review.
• Fraud detection: Automated transaction screening. Flagged accounts or transactions may be
reviewed on request.
• Loan-to-value calculations: Mechanical Protocol-based calculations; not a creditworthiness
assessment.
We do not use automated decision-making for credit scoring or other purposes producing significant legal
effects beyond those described above.
18. Third-Party Links and Services
The Service may contain links to third-party websites or integrate third-party services (including
embedded wallet providers, blockchain networks, and analytics tools). These parties have their own
privacy policies. We are not responsible for their data practices and encourage you to review their
policies.
19. Changes to This Policy
We may update this Policy periodically. Material changes -- including changes to data sharing, legal
bases, or user rights -- will be communicated by: (a) email to your registered address; (b) a prominent
notice on the Service for at least 30 days before the change takes effect; and (c) an updated 'Last
Updated' date.
For material changes affecting GDPR/UK GDPR users, we will re-seek consent where required. For
CCPA/CPRA material changes, we will provide at least 15 days' notice.
20. Contact Us
Email: [email protected]
Web: https://nettyworth.io/contact
Postal: Nettyart Corporation d/b/a NettyWorth, Attn: Privacy, 1023 3rd St, #530, San Francisco, CA
94158, USA
We aim to respond within 30 days. For requests requiring more time, we will notify you of the extension
and expected response date.
2026 Nettyart Corporation d/b/a NettyWorth. All rights reserved.