Privacy Policy

Last updated: June 2026

1. Who we are (data controller)

For the Baysart mobile application and related services, the controller of your personal data (data controller) is Baysart MMC (the "Provider", "we", "us", "our").

Taxpayer identification number (VÖEN): 1703115231. Registered (legal) address: Baku, Azerbaijan. Contact email: [email protected]. Support and documents: https://baysart.com.

For any privacy-related requests, you may contact our data protection officer (DPO): [email protected].

This Policy explains for what purposes and on what legal bases we collect your personal data, with whom we share it, how long we retain it, and what rights you have.

2. Bank-secrecy-grade confidentiality commitment

In the Republic of Azerbaijan, a bank-secrecy regime applies to user and transaction data. We commit to keeping information about your account, identity, balance and transactions confidential at a bank-secrecy grade.

User, account and transaction data may be disclosed to third parties only in the following cases, and is disclosed to no other third party.

  • Based on your express and specific consent.
  • Pursuant to an order (judicial act) of a competent court.
  • To the financial-monitoring authority or law-enforcement authorities under the legislation on combating the legalization of criminally obtained funds and the financing of terrorism (AML).

3. Data we collect

Depending on the nature of the Services, we collect and process data in the following categories.

  • Account and authentication: email address, optional phone number, password hash, OAuth identifiers for Apple/Google sign-in, and the full name or username you provide.
  • Identity verification (KYC): only for the fiat (manat) ramp (Tier 2) — ID document image, selfie/liveness check, the name, date of birth, document number, nationality and address extracted from the document, face-match and fraud signals. This processing is carried out via an Identity Verification Provider.
  • Device and technical data: device identifier, name and type, push-notification tokens, IP address, user-agent, app build, and language.
  • Analytics: an analytics provider receives in-app events (registration, login, purchases/revenue, KYC status changes) and device identifiers.
  • Financial and transaction data: fiat deposit records (card masks only — no full card numbers are stored), AZNS mint and burn records, saved-card masks, and on-chain addresses. On-chain transaction data is public and permanent.

4. Purposes and legal bases of processing

We process each category of data only for a specific purpose and on the appropriate legal basis.

  • Account and authentication data — processed to perform our contract with you (providing the service, enabling sign-in). Legal basis: performance of a contract.
  • KYC data — processed to comply with obligations under AML/KYC legislation. Legal basis: legal obligation.
  • Device and technical data — processed for fraud detection, security and service stability. Legal basis: legitimate interest.
  • Analytics and marketing data — processed only where you have given consent. Legal basis: consent (withdrawable at any time).
  • Financial and transaction records — processed to perform the contract and to meet the requirements of AML legislation. Legal basis: performance of a contract and legal obligation.

5. Self-custody and zero-knowledge

Your wallet operates on a self-custody (under your sole control) principle. The Provider never holds your private key or seed phrase — these are generated and encrypted on your device.

This means the Provider cannot move your funds without your consent and cannot sign transactions on your behalf.

Any security breach that may occur on our servers cannot drain the funds in your wallet, because the keys are not stored on our servers but only on your device.

6. On-chain transactions are public

Transactions carried out on the blockchain are public, permanent, and beyond the Provider's control. A transaction written to the blockchain cannot be deleted, altered or reversed.

Blockchain addresses are pseudonymous, but pseudonymity is not anonymity. The public transaction history can be analyzed to establish links between addresses.

At a fiat ramp, linking your blockchain address to your KYC data may lead to your identity being determined (deanonymization). With this in mind, you are advised to use your addresses with care.

7. Sharing of data and sub-processors

We share your data only where necessary and only by category of processor, with the parties listed below.

  • Identity Verification Provider — to carry out KYC verification.
  • Payment Partner — to process card payments.
  • Settlement/Liquidity Partner — to execute orders (in anonymized form).
  • Infrastructure Providers — for blockchain node/RPC, email, push-notification and analytics services.

Specific vendor names are not listed in this Policy; they are recorded in a separately maintained and versioned "Sub-Processor Register": https://baysart.com/legal.

Some processors may process data outside Azerbaijan. Such international transfers are carried out only on the basis of appropriate safeguards.

8. Retention period

AML/KYC data and transaction records are retained for 5 (five) years after the end of the relationship and are then deleted or anonymized. This is a requirement of AML legislation.

During that 5-year retention window, an erasure request results not in deletion of the data but in restriction of processing — that is, the data is kept but used only to meet the legal obligation.

Analytics data is retained until you withdraw your consent.

A request to delete your account is carried out with a 30 (thirty)-day grace period; during this period you may reverse your decision.

9. Your rights

You have the following rights regarding your personal data.

  • Right of access — to learn which of your data we process.
  • Right to rectification — to request correction of inaccurate or incomplete data.
  • Right to erasure — to request deletion of your data (subject to AML retention requirements).
  • Right to restriction of processing.
  • Right to portability — to receive and transfer your data in a structured format.
  • Right to object — to object to processing based on legitimate interest.

To exercise your rights, you may contact us at [email protected] or via https://baysart.com. We respond to your request within 1 (one) month.

Note: the right to erasure is limited by the 5-year retention obligation arising from AML legislation; during that period the data is not deleted but processing is restricted.

10. Security

We apply technical and organizational measures to protect your data: data is encrypted both in transit and at rest.

Your seed phrase and private key are encrypted on your device — client-side — and are not transmitted to our servers.

If a security breach (data breach) affecting your personal data occurs, we notify the relevant authority, and where necessary you, without undue delay, within 72 (seventy-two) hours where applicable.

11. Children

The Services are not intended for persons under 18 years of age. We do not knowingly collect data from persons under 18. If we discover that such data has been collected, we delete it.

12. Changes to this Policy

We may update this Policy from time to time. The updated version takes effect from the moment it is published in the application, and the "Last updated" date above changes accordingly.

We notify you of material changes in advance via in-app notice or email.

This document is provided as a pre-licensing draft pending the forthcoming law on crypto-asset markets. The English and Russian translations are provided for information purposes only; the Azerbaijani text is legally controlling.
