Bastion Privacy Policy

Effective Date: November 18, 2025

View and Download as PDF

Welcome to the website of Bastion Platforms, Inc., Bastion Platforms US, LLC, and Dibbs Trust Company, LLC (https://bastion.com/) (the "Site"). We are called "we", "us", "our", or "Bastion" in this Privacy Policy (the "Policy"). Because we care about your privacy, we are committed to processing your information consistent with applicable data protection laws. This Policy applies when you visit and browse our Site, contact us, sign up for newsletters or communications from us, or work for one of our customers. We refer collectively to all of our interactions with you as the "Services."

We provide web 3.0 infrastructure services, including wallets-as-a-service (through BPUS) and, subject to approval of the New York Department of Financial Services, stablecoin issuance (through the Trust) to organizations (our "Customers"). Our Customers then offer white labeled wallets and stablecoins to end users or holders.

This Policy explains how we collect, use, store, protect, and disclose information about you if you use or interact with our Services. This also informs you about choices you have about how your information is collected and used.

This Policy does not apply when we are acting as a data processor (or similar role under data protection laws) and process information on behalf of our Customers. For example, if you're accessing our platform as part of a Customer organization, our services agreement or similar master agreement between us and that Customer, along with any associated data processing agreement or addendum, governs our processing of information about you. To the extent of any conflict between that agreement and this Privacy Policy, that agreement controls.

This Policy contains the following sections:

• The Information We Collect
• How We Use Your Information
• Online Analytics and Advertising
• How We Disclose Your Information
• Your Rights and Choices
• How We Secure Your Information
• Data Retention
• Notice of Policy Changes
• Privacy Information for International Users
• Privacy Information for California Residents
• Contact Bastion
• Vermont Consumer Privacy Statement

The Information We Collect

This section discusses the types of information we collect from and about you as you use the Services.

Information You Provide to Us

When you use our Services, you may choose to provide certain information directly to us. For example, we collect information directly from you when you register for the Services, interact with us through online forms or customer service, participate in a sales call, engage with us at a conference or event, participate in surveys or research, or otherwise interact with us through the Services. This information includes:

• Contact information, including: first and last name, email address, mailing address, and telephone number
• Company information, including company name, address, sector, your title and role, and business contact information
• Compliance information, including government identifiers, passports or other identification documents, dates of birth, beneficial ownership data, and due diligence data.
• Authentication information, which includes username and password
• Photos, video, and audio (from recorded sales/customer service calls)
• Payment information, including your financial account information, which is collected by our third-party payment processors on our behalf
• Bastion wallet information (public wallet address, private key)
• Your interests, preferences, and feedback provided to or inferred by us
• Event information including registration, attendance, and any accessibility requirements and dietary preferences, if you participate in an event.

Information we Automatically Collect as you Use the Services

There is certain information that we collect automatically from your use of the Services and from your device(s) used to access the Services. This information includes:

• Technical information - Technical information may include: Internet Protocol (IP) address, login information, browser type and version, browser plug-in types and versions, device IDs, time zone setting, operating system and platform, hardware version, device settings (e.g. language and time zone), file & software names and types (associated with your device and/or the Services), battery & signal strength, information relating to your mobile operator or Internet Service Provider (ISP).
• Browsing information - Information about your Site visit may include: the full Uniform Resource Locators (URL), clickstream to, through and from our Site (including date and time), pages and services you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), demographic information (including age and gender), traceable campaign links (e.g. in emails, or via tracking URLs) or other information from analytics, advertising or search engine providers, methods used to browse away from the page.
• Location data (only if you opt-in) - Location data includes coordinates (latitude/longitude) of your location, country or region (based on your full or partial IP address), and/or Google Analytics information. This information allows us to deliver content or other services relevant to your location, like checking for fraudulent transfers and transactions. We may combine this with certain device identifiers, so we can recognize your mobile browser or device when you return to the Site.

We may collect this information using the types of technologies discussed in the "Online Analytics and Advertising" section below.

Information obtained from other sources

We (or third parties acting on our behalf) may collect additional information about you from public databases, joint marketing partners, social media platforms, conference hosts, event companies, and other third-parties to supplement the information we collect directly from you.

Combined Information

For the purposes discussed in this Privacy Policy, we may combine the information that we collect through the various methods discussed in this Privacy Policy, and use such combined information in accordance with this Policy.

De-identified Information

We may de-identify information we collect so the information cannot reasonably identify you or your device, or we may collect information that is already in de-identified form. For example, we may create and disclose de-identified information to better understand how people use the Services; develop insights and improvements to the Services; and create whitepapers and other information content. Our use and disclosure of such de-identified information is not subject to any restrictions under this Policy, and we may use and disclose it to others for any purpose.

How We Use Your Information

We use your information for the following purposes:

• To provide, administer, and manage the Services and respond to your requests (e.g., carry out instructions to hold and move digital asset actions connected to your Bastion wallet and to enable private key recovery).
• To analyze and improve the Services
• For customer service purposes (please note that customer service calls may be recorded and stored by us and our vendors for quality and training purposes)
• To communicate with you with transactional information related to the Services or about updates to our legal terms
• In accordance with applicable legal requirements, for advertising and marketing purposes, including to provide you with special offers and promotions both with respect to our products and services and the products and services of third parties that we believe will be of interest to you
• For our business operations, including maintaining your account, security, fraud prevention, legal compliance, and detecting security incidents and protecting against malicious, deceptive, fraudulent, or illegal activity
• For other purposes where we have your consent

The laws in some jurisdictions (e.g., EU/UK and Brazil) require companies to explain the legal grounds they rely on to process your information. Our legal bases for processing your information as described in this Policy are as follows:

• Where use of your information is necessary to perform our obligations under a contract or commitment to you. For example, to provide the Services you've requested from us, or to comply with our applicable agreements.
• Where use of your information furthers our legitimate interests or the legitimate interests of others. For example, to provide security for our Services, operate our business and our Services, make and receive payments, defend our legal rights, and prevent fraud.
• Where we use your information to comply with applicable legal obligations. For example, keeping track of purchases for tax and auditing purposes.
• Where you have consented to our processing of your information for a particular purpose.

Online Analytics and Advertising

Our Services use various technologies such as cookies, beacons, tags and scripts (collectively referred to herein as "cookies") for marketing automation, demand marketing, and web analytics partners. These technologies are used in analyzing trends, administering the Services, tracking users' movements around the Services and in gathering demographic information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual as well as aggregated basis.

Please note that you can change your settings to notify you when a cookie is being set or updated, or to block cookies altogether. Please consult the "Help" section of your browser for more information (e.g., Internet Explorer; Google Chrome; Mozilla Firefox; or Apple Safari). Please note that by blocking, disabling, or managing any or all cookies, you may not have access to certain features or offerings of the Services.

Online Analytics

We may use third-party web analytics services (such as those of Hubspot) on our Services to collect and analyze usage information through cookies and similar tools; engage in auditing, research, or reporting; assist with fraud prevention; and provide certain features to you. If you receive email from us, we may use certain analytics tools, such as tracking pixels, to capture data such as when you open our message or click on any links or banners our email contains. This data allows us to gauge the effectiveness of our communications and marketing campaigns.

Online Advertising

The Services may allow third-party advertising technologies (e.g., ad networks and ad servers) to place cookies or other tracking technologies on your computer, mobile phone, or other device to collect information about you to assist in the delivery of relevant advertising on the Services, as well as on other websites you visit and other services you use. These ads may be based on your current activity or your activity over time and across other websites and online services and may be tailored to your interests.

We neither have access to, nor does this Privacy Policy govern, the cookies or other tracking technologies that may be placed on the device you use to access the Services by such non-affiliated third parties. If you are interested in more information about tailored browser advertising and how you can generally control cookies from being put on your computer to deliver tailored advertising, you may visit the Digital Advertising Alliance's Consumer Opt-Out link, or Your Online Choices to opt out of receiving tailored advertising from companies that participate in those programs. Please note that these opt-outs apply per device, so you will have to opt-out for each device through which you access our Services.

How We Disclose Your Information

We may disclose your information to third parties in the following ways:

• Affiliates. We may disclose information to our affiliates for the purposes outlined in this Policy.
• Service Providers. We may disclose information to our third-party service providers, vendors, or others who provide services for Bastion's business operations and on our behalf. This may include such things as infrastructure, data analysis, order fulfillment, IT services, customer service, professional services or audit services, among others.
• Customers. If you are an end user of a customer, we may disclose information about you to the Customer in accordance with our agreement with such Customer to provide the relevant Services.
• Legal and Safety Disclosures. We may disclose Information as necessary or appropriate under applicable laws (including laws outside your country of residence) to: comply with legal process or requirements, including applicable notification obligations; respond in good faith as necessary to requests from public and government authorities (including public and government authorities outside your country of residence); enforce our terms and conditions; and protect our operations or those of any of our affiliates and our rights, privacy, safety, or property, and/or that of our affiliates, you or others.
• Business Transactions. We may disclose Information in the event of a proposed or actual reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of Bastion's business, assets or stock (including in connection with any bankruptcy or similar proceedings).

Your Rights and Choices

Your Rights

Your local laws (including applicable laws in the EU, UK, Switzerland, and United States (including California, Connecticut, Colorado, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Montana, Minnesota, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Virginia, Tennessee, and Texas, as well as similar U.S. state laws)) may permit you to request that we:

• provide access to and/or a copy of certain information we hold about you
• update information which is out of date or incorrect
• delete certain information that we are holding about you
• restrict the way that we process and disclose certain of your information
• prevent the processing of your information for direct-marketing purposes (including any direct marketing processing based on profiling)
• opt out of the processing of your personal information for automated processing that results in legal or similarly significant effects (if relevant)

Your local laws may also permit you to revoke your consent to the processing of your information for certain purposes.

​​In addition:

• California and Oregon residents can request information about the categories of personal information we collect, disclose or "sell" or "share" (as defined in California law) about you; California residents can request the sources of such information, the business or commercial purpose for collecting or "selling" or "sharing" your information; and the categories of third parties to whom we disclose information. Such information is also set forth in this Privacy Policy.
• Oregon and Minnesota residents can request a list of the specific third parties, other than natural persons, to which we have disclosed personal information.

How to exercise your rights

If you wish to exercise your data subject rights, please email [email protected] or call us at (888) 608-4151. We will consider all requests and provide our response within the time period stated by applicable law and as otherwise required by applicable law. Please note, however, that certain information may be exempt from such requests in some circumstances, which may include if we need to keep processing your information for our legitimate interests or to comply with a legal obligation. We may request you provide us with information necessary to confirm your identity before responding to your request. We cannot respond to your request or provide you with the information you seek if we cannot verify your identity or authority to make the request and confirm the request relates to you and your information. If permitted under applicable law, authorized agents may also initiate a request on behalf of another individual via email; authorized agents will be required to provide proof of their authorization and we may also require that the relevant Employee directly verify their identity and the authority of the authorized agent.

If you are a resident of Virginia, Minnesota, Montana, Oregon, Tennessee, Texas, Iowa, Indiana, Kentucky, Maryland, Nebraska, New Hampshire, New Jersey, Rhode Island, Delaware, Colorado, or Connecticut, and we deny your information request, you have the right to appeal our denial. You can exercise this right by contacting us at the contact information provided below. Your description must include your full name and the email address used for your account with us, along with a copy of the denial notice you received from us.

If you would like to submit your request through an authorized agent, we will ask the agent to provide written permission from you and we may need to separately verify your identity as discussed above.

Your Marketing Choices

You can opt-out of email marketing using the unsubscribe link in our email communications. You may also contact us at the contact information provided below and request that we no longer use your information for marketing purposes. We will process such requests in accordance with applicable law. Please note that even if you opt out of receiving marketing communications from us, you may still receive transactional communications about the Services or legal notifications.

Sale/Targeted Advertising Opt Out Rights

Under the laws in certain US jurisdictions (as indicated in the list above), you have the right to opt out of our processing or sharing of your information for online targeted advertising purposes. Note that certain state laws also allow you to opt out of the "sale" of your information to third parties in exchange for valuable consideration. We may use analytics and online advertising tools that result in the disclosure of your information to our third-party partners and that are subject to this opt out right. You can opt out of both of these activities by clicking the "Your Privacy Choices" link on our website footer. To opt out of our offline disclosure of your information for these purposes, please email us at [email protected].

Please note that we will also honor browser-based opt out signals (such as the global privacy control) in accordance with our legal obligations.

How We Secure Your Information

The security of your information is important to us. It is your responsibility to ensure that the Information you provide to us can be legally collected in the country of origin, transmitted to us and maintained or used by us. We employ a variety of technical, organizational, and physical measures to protect the information submitted to us, both during transmission and once we receive it. No method of transmission over the internet, or method of electronic storage, is 100% secure, however. Therefore, we cannot guarantee its absolute security. If you have any questions about the security of the Services, or reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you might have with us has been compromised), please notify us immediately in accordance with the "Contact Bastion" section below.

Data Retention

We will retain your information for the period necessary to fulfill the purposes outlined in this Policy, unless a longer retention period is required or not prohibited by applicable law.

Notification of Policy Changes

We may change this Policy from time to time. If we make changes, we will post an updated Policy on the Services, and it will become effective as of the date of posting ("Effective Date"). We will also comply with applicable legal requirements regarding Policy updates and any notice or consent requirements. We encourage you to periodically review this page for the latest information on our privacy practices. Your use of the Services following these changes means that you accept the revised Policy.

Privacy Information for International Users

Please note that information covered by this Policy will be hosted and stored by us and our service providers in the United States of America and other global jurisdictions where data protection laws may differ from the laws in your local jurisdiction. By using the Services, you acknowledge that your information will be stored and processed in the United States.

Privacy Information for California Residents

If you are a California resident, the California Consumer Privacy Act ("CCPA") requires us to provide you with the following additional information about:

• the purpose for which we use each category of "personal information" (as defined in the CCPA) we collect; and
• the categories of third parties to which we (a) disclose such personal information for a business purpose, (b) "share" personal information for "cross-context behavioral advertising," and/or (c) "sell" such personal information.

Under the CCPA, "sharing" is defined as the targeting of advertising to a consumer based on that consumer's personal information obtained from the consumer's activity across distinct online services, and "selling" is defined as the disclosure of personal information to third parties in exchange for monetary or other valuable consideration. We "share" information with our advertising partners to provide more relevant and tailored advertising to you regarding our Services. Moreover, our use of third-party analytics services and online advertising services may result in the sharing of online identifiers (e.g., cookie data, IP addresses, device identifiers, and usage information) in a way that may be considered a "sale" under the CCPA.

With respect to most commercial transactions, our business acts solely as a service provider/processor, merely processing personal information provided to us by our customers (i.e. the controllers) and returning the results to them. In those instances, we will not use or share any personal information provided by our customers with third parties except as authorized by law and this policy.

However, in some instance, such as where we collect personal information from business-to-business (B2B) contacts, we may use and share such personal information in accordance with this Privacy Policy. The chart below summarizes how we collect, use and share personal information by reference to the statutory categories specified in the CCPA, and describes our practices during the 12 months preceding the effective date of this Policy. Categories in the chart refer to the categories described above in the general section of this Policy.

Your California privacy rights. Please see the "Your Rights and Choices" section above for the rights you have under applicable law.

Your Choices Regarding "Sharing" and "Selling": You have the right to opt out of our sale/sharing of your personal information for purposes of online analytics and advertising by clicking the "Your Privacy Choices" link in our website footer. To opt out of the offline disclosure of your information to third parties for these purposes, please email us at [email protected]. Your opt out choice will apply only to the particular device and browser on which you are making the choice, so please repeat your opt out choice on other browsers and devices if you would like. Please note that we will also honor browser-based opt out signals (such as the global privacy control) in accordance with our legal obligations.

Other CCPA rights

• Financial incentives. If we offer any financial incentives in exchange for your personal information (e.g., discount coupons in exchange for your email address), we will provide you with appropriate information about such incentives so that you can make an informed decision as to whether to participate.
• Right to Limit. The CCPA allows you to limit the use or disclosure of your "sensitive personal information" (as defined in the CCPA) if your sensitive personal information is used for certain purposes. Please note that we do not use or disclose sensitive personal information other than for business purposes for which you cannot opt out under the CCPA.

Notice Concerning Do Not Track. Do Not Track ("DNT") is a privacy preference that users can set in certain web browsers. We are committed to providing you with meaningful choices about the information collected on our website for third-party purposes, which is why we describe a variety of opt-out mechanisms above. However, we do not currently recognize or respond to browser-initiated DNT signals. Please note that DNT is different from the browser-based privacy signal (the global privacy control) referred to above, which we do honor.

Shine the Light. The California "Shine the Light" law gives residents of California the right under certain circumstances to opt out of the disclosure of certain categories of personal information (as defined in the Shine the Light law) with third parties for their direct marketing purposes, or in the alternative, that we provide maintain a policy of providing a cost-free means for consumers to opt out of any such disclosure. To opt out of any current or future disclosures of personal information subject to the Shine the Light law, please email us at [email protected].

Contact Bastion

If you have any questions or comments about this Policy, the information practices of the Services, or if you would like to exercise any applicable data rights, you can contact us at any time via email at: [email protected] or call us at (888) 608-4151.

The Information Commissioner's Office (ICO) is the supervisory authority in the UK. You can visit their website here.

If you are in the EU, you can find your local data protection authority here.

VERMONT CONSUMER PRIVACY STATEMENT

This Vermont Consumer Privacy Statement applies solely to Vermont consumers. Since Bastion Platforms US LLC is a licensed money transmitter under Chapter 79 of Title 8 V.S.A it will comply with provisions set form within Regulation B-2018-01. For the purposes of complying with Vermont law, Bastion Platforms US LLC will limit the sharing of Vermont consumer information.

For Vermont Members/Customers

We will not disclose information about your creditworthiness to our affiliates and will not disclose your personal information, financial information, or credit report, to nonaffiliated third parties to market to you, other than as permitted by Vermont law, unless you authorize us to make those disclosures.

Additional questions concerning our privacy policies can be answered by contacting Bastion Platforms US LLC at [email protected]

When you visit or log in to our website, cookies and similar technologies may be used by our online data partners or vendors to associate these activities with other personal information they or others have about you, including by association with your email. We (or service providers on our behalf) may then send communications and marketing to emails. You can opt out of both of these activities by clicking the "Your Privacy Choices" link on our website footer. To opt out of our offline disclosure of your information for these purposes, please email us at [email protected].