BitLease Technologies Ltd.
A subsidiary of 49G Holding
Incorporated in Abu Dhabi Global Market (ADGM)
ADGM Registration No.: 34619
Last Updated: 21 March 2026
Effective Date: 21 March 2026
Version: 1.0
This Data Processing Notice (“Notice”) provides a concise, accessible summary of how BitLease Technologies Ltd. (“BitLease,” “we,” “us”) processes your personal data when you access or use the Platform. It is designed to give you a clear understanding of what data we collect, why we collect it, how we use it, who we share it with, and what rights you have, without requiring you to read the full Privacy Policy.
We believe that understanding how your data is handled should not require a legal background. This Notice is written to be read, not filed away.
This Notice supplements but does not replace the Privacy Policy. For comprehensive information about our data processing practices, including detailed legal bases, retention periods, international transfer mechanisms, and security measures, please refer to the full Privacy Policy available on the Platform.
BitLease Technologies Ltd. is the data controller responsible for your personal data.
Incorporated in: Abu Dhabi Global Market (ADGM), United Arab Emirates
Parent company: 49G Holding
Data Protection Officer: dpo@bitlease.com
BitLease is a structured digital asset financing platform operating the Lease-to-Own (LTO) model. BitLease is not a cryptocurrency exchange, broker, lender, or investment service provider. All contracts are denominated in stablecoins. This context determines the scope and nature of data we process. Our data activities relate to structured financing, contract administration, and regulatory compliance, not to trading or exchange operations.
We collect only the data necessary for the purposes described in this Notice. The following table summarizes the categories of data, examples of specific data points, and the reason for collection.
| Category | Examples | Why We Collect It |
|---|---|---|
| Identity data | Full legal name, date of birth, nationality, citizenship(s) | Account creation, KYC verification, and sanctions screening |
| Contact data | Email address, phone number, residential address | Account management, communications, and proof of address verification |
| Verification documents | Passport, national ID, driver’s license, proof of address, selfie | KYC/KYB identity verification, AML/CTF compliance |
| Biometric data | Facial geometry (from selfie/liveness check) | Identity matching against ID document. Deleted immediately after verification, not retained by BitLease |
| Financial profile data | Source of funds declaration, employment status, and income information | Affordability assessment, AML source of funds requirements |
| LTO Contract data | Asset type, Down Payment, installment schedule, contract terms | Contract execution and administration |
| Transaction data | Payment history, Buyout records, Full Settlement records, LTO Wallet activity | Contract management, account statements, and regulatory record-keeping |
| Staking data | Staking opt-in/out, delegation status, yield records | LTO Staking Delegation administration |
| Wallet data | LTO Wallet balances, stablecoin transaction records, and receiving wallet addresses (for ownership transfer) | Payment processing, Buyout settlement, ownership transfer |
| Device and technical data | IP address, device type, browser, operating system, unique device identifiers | Security, fraud prevention, jurisdictional verification, MFA |
| Usage data | Pages viewed, features accessed, session timestamps, navigation patterns | Platform improvement, performance monitoring |
| Communications data | Support tickets, emails, complaint records | Customer support, complaint resolution, regulatory record-keeping |
| Compliance data | Sanctions screening results, risk scores, monitoring alerts, PEP status | AML/CFT compliance, sanctions enforcement, regulatory obligations |
We do not collect data from social media profiles or social media activity. We do not purchase data from data brokers or third-party marketing lists. We do not collect health data, genetic data, religious beliefs, political opinions, sexual orientation, or trade union membership. We do not collect biometric data beyond identity verification, and that data is deleted immediately after the verification is complete.
Being clear about what we do not collect is as important as being clear about what we do.
BitLease applies a risk-based approach to identity verification, consistent with FATF Recommendations and ADGM AML Rules. Access to Platform services is tiered based on verification status:
| Tier | Access Level | Verification Required |
|---|---|---|
| Tier 1, Basic | Browsing, educational content, simulations, calculators | Basic information: name, email, jurisdiction declaration. Sanctions screening. IP geolocation. |
| Tier 2, Standard | Full Platform access: LTO Contracts, LTO Wallet, Buyout, Full Settlement, staking | Full KYC: government-issued ID, proof of address, selfie/liveness, sanctions/PEP/adverse media screening, source of funds declaration |
| Tier 3, Enhanced | Same as Tier 2, with enhanced monitoring | Triggered by risk indicators: enhanced source of funds/wealth documentation, senior management approval, increased monitoring frequency |
| Tier 4, Institutional | Lessor access: Investment Contracts, Institutional Dashboard | Full KYB: corporate documents, beneficial ownership (10%+), authorized signatories, financial statements, AML attestation |
Data collection is progressive. We collect more data only as needed for the services you choose to access.
At Tier 1, the data we collect is minimal. You can explore the Platform without submitting identification documents. At Tier 2, full verification is required before any financial service (LTO Contract execution, LTO Wallet funding). Tier 3 is triggered by specific risk indicators such as high-value contracts, PEP status, high-risk jurisdiction, unusual transaction patterns, or regulatory requirements. At any time, BitLease may request additional data based on transaction activity, regulatory requirements, or risk triggers identified through ongoing monitoring.
This approach has practical consequences for your experience. You are not asked to submit a passport scan just to browse the Platform. Sensitive verification data is collected only when you choose to access financial services. Additional data is requested only when risk factors justify it. The level of data collection is always proportionate to the services accessed and the risk identified.
Every piece of data we process has a defined purpose and a legal basis. The following table maps each purpose to the data activity and the legal ground that permits it.
| Purpose | Description | Legal Basis (GDPR equivalent) |
|---|---|---|
| Account management | Creating, maintaining, and administering your account | Contract performance |
| LTO Contract execution | Processing applications, executing contracts, managing installments, facilitating Buyouts and Full Settlements | Contract performance |
| Payment processing | Processing Down Payments, installments, Buyout proceeds, staking rewards, and LTO Wallet operations | Contract performance |
| Ownership transfer | Transferring Formal On-Chain Ownership upon Full Settlement or final payment | Contract performance |
| Affordability assessment | Evaluating whether the proposed LTO Contract payments are sustainable | Legitimate interest (responsible financing) |
| KYC/KYB verification | Verifying identity, nationality, residence, and beneficial ownership | Legal obligation (AML/CTF law) |
| AML/CFT monitoring | Transaction monitoring, suspicious activity detection, behavioral analysis | Legal obligation (AML/CTF law) |
| Sanctions screening | Screening against OFAC, EU, UN, UK, UAE, and other applicable sanctions lists | Legal obligation (sanctions law) |
| PEP screening | Identifying Politically Exposed Persons and applying Enhanced Due Diligence | Legal obligation (AML/CTF law) |
| Tax reporting | CRS, FATCA, and jurisdiction-specific tax reporting | Legal obligation (tax law) |
| Fraud prevention | Detecting unauthorized access, compromised accounts, bot activity, and jurisdictional circumvention | Legitimate interest (security) |
| Platform security | Monitoring for cyberattacks, intrusion detection, and vulnerability management | Legitimate interest (security) |
| Customer support | Responding to inquiries, resolving issues, and handling complaints | Contract performance / legitimate interest |
| Platform improvement | Analyzing usage patterns, identifying performance issues, and improving UX | Legitimate interest (with consent for analytics cookies) |
| Legal compliance | Responding to regulatory requests, court orders, and legal proceedings | Legal obligation |
| Communications | Sending contract-related notifications (payment reminders, status updates, settlement confirmations) | Contract performance |
| Marketing | Sending promotional communications about new features or services | Consent only (opt-in required; opt-out available at any time) |
We do not sell your data under any circumstances. We do not share your data with advertisers or ad networks. We do not build marketing profiles from your financial data. We never share Client data with Lessors (this is an absolute firewall enforced at the database architecture level). We do not share data with exchanges or trading platforms, because we are not an exchange and do not participate in trading activity.
We share your data only with the parties listed below, only for the purposes specified, and only to the minimum extent necessary.
| Recipient | Purpose | Data Shared | Legal Basis |
|---|---|---|---|
| Fireblocks | MPC custody and escrow | Wallet addresses, asset data, transaction data | Contract performance |
| Identity verification provider | KYC/KYB processing | ID documents, selfie, biometric data (deleted after verification) | Legal obligation |
| AML/CTF screening provider | Sanctions, PEP, adverse media screening | Name, DOB, nationality | Legal obligation |
| Blockchain analytics provider | Transaction monitoring, wallet risk scoring | Wallet addresses, transaction data | Legal obligation |
| Payment processor | Stablecoin payment processing | Payment details, amounts | Contract performance |
| Cloud infrastructure | Secure data hosting and processing | All hosted data (encrypted at rest and in transit) | Contract performance |
| Customer support tools | Ticket management | Contact info, ticket content | Contract performance / legitimate interest |
| Regulatory authorities | Supervisory requests, examinations, STR/SAR filings, tax reporting | As required by law | Legal obligation |
| Law enforcement | Court orders, warrants, criminal investigations | As required by legal process | Legal obligation |
The separation of Client and Lessor data is a fundamental architectural principle, not merely a policy.
Client personal data is never shared with Lessors. Lessor personal data is never shared with Clients. This separation is enforced at the database architecture level, meaning it is built into the infrastructure, not layered on top of it as a rule. Lessors receive only aggregated, anonymized portfolio performance data that cannot be disaggregated to identify individual Clients. No BitLease employee has simultaneous access to both Client-identifying and Lessor-identifying data in connection with the same transaction.
BitLease does not sell, rent, lease, or trade personal data to any third party, under any circumstances, for any purpose.
BitLease is incorporated in ADGM (UAE) and may transfer your data to other countries for processing by our service providers. When we transfer data internationally, we ensure appropriate safeguards are in place:
| Your Location | Transfer Mechanism |
|---|---|
| EU/EEA | Standard Contractual Clauses (SCCs), adequacy decisions, and supplementary measures per Schrems II |
| UK | UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs |
| ADGM | ADGM Data Protection Regulations 2021 transfer provisions |
| Singapore | PDPA cross-border transfer provisions (comparable protection standard) |
| Other | Applicable local mechanisms; explicit consent where no other safeguard is available |
Before transferring data to a new jurisdiction, we conduct a Transfer Impact Assessment. This evaluates the destination country’s legal framework, government access practices, and data subject rights enforceability. Where risks are identified, we implement supplementary technical measures (encryption, pseudonymization) to mitigate them.
We retain your data only as long as necessary for the purposes it was collected, or as required by law. When retention is no longer justified, data is securely deleted or irreversibly anonymized. We do not keep data “just in case.” Every retention period has a defined reason.
| Data Category | Retention Period | Reason |
|---|---|---|
| Account and identity data | Account duration + 7 years after closure | Financial services record-keeping |
| KYC/AML documents | 7 years after the end of the business relationship | FATF, ADGM AML Rules, EU AMLD, UK MLR |
| Biometric data (facial geometry) | Deleted immediately after verification | Data minimized, not retained |
| LTO Contract and transaction records | 10 years after contract completion/termination | Financial record-keeping, tax, statute of limitations |
| Affordability assessment records | 7 years after assessment | Responsible financing documentation |
| Communications and support records | 5 years after the last interaction | Customer service, dispute resolution |
| Complaints and resolution records | 7 years after resolution | Regulatory complaint handling requirements |
| STR/SAR records | Indefinite (until authorized by FIU) | AML law; cannot be deleted without permission |
| Usage and analytics data | 24 months (then aggregated/anonymized) | Legitimate interest, balanced with privacy |
| Cookie consent records | 12 months from consent | Consent documentation |
You have the following rights regarding your personal data. We facilitate these rights promptly and free of charge.
| Right | Description | Limitations |
|---|---|---|
| Access | Request a copy of all personal data we hold about you, and information about how it is processed | None, available to all users |
| Rectification | Request correction of inaccurate or incomplete data | None, we correct verified inaccuracies without delay |
| Erasure (“Right to be Forgotten”) | Request deletion of your personal data | Cannot delete: KYC/AML records during 7-year retention, transaction records during 10-year retention, STR/SAR records without FIU permission, and data required for active contracts |
| Restriction | Request restriction of processing in specific circumstances | Available when: contesting accuracy, objecting to processing, processing is unlawful, or data is needed for legal claims |
| Portability | Receive your data in a structured, machine-readable format (JSON/CSV) | Applies to data you provided, processed by automated means, based on consent or contract |
| Object | Object to processing based on legitimate interests | We cease processing unless compelling grounds override the objection. Absolute right to object to direct marketing. |
| Automated decisions | Not be subject to purely automated decisions with legal/significant effects | Where automated decisions are used (affordability, risk scoring), human review is available on request |
| Withdraw consent | Withdraw consent for consent-based processing at any time | Does not affect the lawfulness of prior processing. Withdrawal of marketing consent does not affect platform access. |
| Complain | Lodge a complaint with a supervisory authority | EU: national DPA. UK: ICO. ADGM: Registration Authority. Singapore: PDPC. |
Contact: privacy@bitlease.com or through Platform settings, Privacy section.
Identity verification: We verify your identity before processing requests to protect against unauthorized access.
Response timeline: Acknowledgment within 5 business days. Substantive response within 30 calendar days (extendable by 60 days for complex requests, with explanation).
Cost: Free, unless requests are manifestly unfounded or excessive.
Your data is protected by multiple layers of security, each reinforcing the others:
| Layer | Protection |
|---|---|
| Encryption | AES-256 at rest, TLS 1.3 in transit. MPC custody for digital assets (Fireblocks). |
| Access control | MFA mandatory. Role-based access. Least privilege. Privileged access management. |
| Monitoring | 24/7 Security Operations Center. Intrusion detection. Anomaly alerting. |
| Testing | Annual penetration testing. Continuous vulnerability scanning. SOC 2 Type II program. |
| Organizational | Employee background checks. Mandatory security training. Confidentiality agreements. Segregation of duties. |
If a data breach occurs that poses a risk to your rights, we notify the relevant regulatory authority within 72 hours, notify affected individuals without undue delay where the risk is high, and document all breaches in an internal breach register regardless of risk level.
BitLease uses automated processing in several areas. The following table explains where automation is used, how much human oversight exists, and what the impact on you may be.
| Process | Automation Level | Impact | Human Review Available? |
|---|---|---|---|
| Sanctions screening | Fully automated initial screening; human review for potential matches | Account restriction if match confirmed | Yes, all potential matches reviewed by a compliance analyst |
| Transaction monitoring | Automated alert generation; human investigation | Transaction holds, enhanced monitoring | Yes, all alerts investigated by the compliance team |
| Affordability assessment | Partially automated scoring; human oversight | Contract approval/denial/modification | Yes, on request |
| Risk scoring | Automated risk rating based on multiple factors | Determines CDD level (Standard/Enhanced) | Yes, on request |
| IP geolocation | Automated jurisdiction detection | Access blocking from Restricted Jurisdictions | Yes, through compliance appeal |
| Fraud detection | Automated pattern detection; human investigation | Account restriction pending review | Yes, all flagged accounts reviewed |
You have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you. Where such decisions are made, you may request an explanation of the logic involved, request human review of the decision, express your point of view, and contest the decision.
11. Children
The Platform is restricted to individuals aged eighteen (18) or above, or the age of legal majority in their jurisdiction, whichever is greater. We do not knowingly process data from minors. If we discover that data has been collected from a minor, it is deleted promptly and the associated account is terminated.
Material changes to this Notice are communicated via email and a prominent Platform notice at least thirty (30) days before the effective date. Where changes affect the legal basis or scope of processing, renewed consent is obtained where required.
Previous versions are available upon request from privacy@bitlease.com.
| Contact | Email | Purpose |
|---|---|---|
| Data Protection Officer | dpo@bitlease.com | Data protection inquiries, rights requests, complaints |
| Privacy team | privacy@bitlease.com | General privacy questions |
| Compliance | compliance@bitlease.com | AML/CFT data processing inquiries |
| EU Representative | eu-privacy@bitlease.com | EU/EEA data subject inquiries |
| UK Representative | uk-privacy@bitlease.com | UK data subject inquiries |
| General | info@bitlease.com | All other inquiries |
BitLease Technologies Ltd.
A subsidiary of 49G Holding
Incorporated in Abu Dhabi Global Market (ADGM)
Registered Address: Unit PC-1, Level 7, Al Maryah Tower, Abu Dhabi Global Market Square, Abu Dhabi, Al Maryah Island, United Arab Emirates
ADGM Registration No.: 34619
Website: www.bitlease.com