PRIVACY POLICY

Preamble -Who is SoleCrypt and what is its GDPR role?

Effective date: 06 April 2026
This Privacy Policy ('Policy') is issued by SOLECRYPT LTD ('SoleCrypt', 'we', 'us', 'our'), a company incorporated under the laws of England and Wales under number 13985222, with its registered office at 71- 75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom, operating through its subsidiaries
SOLECRYPT TUNISIA SARL and SOLECRYPT DC SARL (PAEB Bizerte, RNE W1955448).


SoleCrypt's GDPR positioning

SoleCrypt operates as a pure physical infrastructure provider (colocation, dedicated bare metal servers, GPU capacity, connectivity) based on a strict No-Access Model:

› SoleCrypt is a data controller (Art. 4(7) GDPR) for personal data it collects and processes for its own
operational purposes (visitor data, CCTV, physical access, employee data, billing, etc.).

› SoleCrypt is not, within its pure infrastructure model, a data processor (Art. 4(8) GDPR) for data
hosted by customers in their own environments. Customers retain exclusive control over their
environments, data and access rights.

› In exceptional situations where SoleCrypt intervenes, on the customer's express written instruction,
within the customer's environment, a processor qualification under Article 28 GDPR may apply. Such
situations are governed by SoleCrypt's General Terms of Service and, where applicable, a dedicated
Data Processing Agreement (DPA).

Data Controller

SOLECRYPT LTD

Registered address

71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

Data protection contact

contact@solecrypt.com

ICO registration

Reference ZC098123 -Data Controller -25 February 2026

Publication Director

Amir Ben Gacem, Co-founder and CEO

Share capital

GBP 14,285.72

UK supervisory authority

Information Commission (formerly ICO) -https://ico.org.uk

EU supervisory authority

CNIL -https://www.cnil.fr (for users in France / the EU)

Tunisian supervisory authority

INPDP -https://www.inpdp.nat.tn (for users in Tunisia)

Internal privacy lead

Rebecca Venis, COO and Co-founder

1. Personal data we collect

1.1 Data centre visitors and persons accessing the Bizerte site

Any individual accessing SoleCrypt's premises (Bizerte data centre and future sites) is subject to aregistration and access control procedure. Data collected includes:

  • First name, surname, company and job title
  • Official identity document (type, number, expiry date) -verified at reception
  • Professional email address and telephone number
  • Date, time of entry and exit -physical access logs
  • Badge access data (unique identifier, authorised zones, access history)
  • Biometric data (fingerprints, palm scan or equivalent) -only if deployed and following prior legalvalidation
  • CCTV footage -continuous recording 24/7
  • Data relating to the purpose of the visit and equipment accessed
1.2 Customer representatives

SoleCrypt processes data of representatives designated by its customers for: access authorisation,intervention management, ticketing, billing and incident management. Data collected includes:

  • First name, surname, job title and company
  • Professional contact details (email, telephone)
  • Access rights and levels granted (zones, equipment)
  • Intervention history and support tickets
  • Badge data and physical access logs
  • Professional correspondence relating to incidents and interventions

1.3 Data collected via the Website (www.solecrypt.com)

As detailed in version 1.1, SoleCrypt collects via the contact form: name, email address and message. Noanalytics tools or conversion pixels are installed. Only strictly necessary cookies are present.

1.4 Operational and commercial data

Category

Data concerned

Population

Billing and accounting data

Billing contact details, bank details (IBAN/SWIFT), amounts, payment history, commercial correspondence

Customers, suppliers, partners

Supplier and partner data

Name, contact details, contracts, performance
assessments, payment data

Service providers,
subcontractors, partners

Support and ticketing data

Identity of requester, incident description,
exchanges, attachments, timestamps

Customer representatives,
suppliers

Physical and cyber security data

Access logs, security alerts, incident reports,
monitored equipment data

Staff, visitors, customer
representatives

1.5 Employee data

Details of processing of employee personal data are set out in the Employee Privacy Notice (Document 07of this pack). Categories covered include: identification data, contact details, payroll data, health data (sickleave), performance data, access logs and on-site CCTV footage

2. Purposes and legal bases for processing

Purpose

Legal basis

Data subjects

Retention period

Physical access control
and data centre security

Legitimate interests (Art. 6(1)(f)) -
security of persons and property;
Legal obligation (Art. 6(1)(c))

Visitors, customer
reps, staff

Access logs: 90 days -Visitor ID
data: 12 months

CCTV surveillance

Legitimate interests (Art. 6(1)(f)) -
protection of property,
infrastructure integrity and
personal safety

All persons on site

Footage: 30 days (standard) to 90
days (high-security zones)

Biometric data
management (if
deployed)

Substantial public interest (Art.
9(2)(g)) or explicit consent (Art.
9(2)(a)) -after DPIA and legal
validation

Staff and authorised
visitors

Duration of access + 30 days

Responding to website
contact form enquiries

Legitimate interests (Art. 6(1)(f))

Website visitors

3 years from last exchange

Commercial and
contractual relationship
management

Performance of contract (Art.
6(1)(b)); Legal obligation (Art.
6(1)(c))

Customers,
suppliers, partners

Contract duration + 10 years

Billing and accounting

Legal obligation (Art. 6(1)(c)) -
UK/TN accounting law

Customers,
suppliers

10 years

Technical support and
ticket management

Performance of contract (Art.
6(1)(b)); Legitimate interests (Art.
6(1)(f))

Customer
representatives

3 years from ticket closure

Employee data
management

Performance of employment
contract (Art. 6(1)(b)); Legal HR
obligations (Art. 6(1)(c))

Employees

See Employee Privacy Notice
(Doc. 07)

IT systems security
(technical logs)

Legitimate interests (Art. 6(1)(f)) -
cybersecurity

Staff, customer
representatives

Maximum 12 months

Compliance with legal
and regulatory obligations

Legal obligation (Art. 6(1)(c))

As required

Applicable statutory periods

3. Recipients and sub-processors

SoleCrypt does not sell, rent or transfer personal data to third parties for their own commercial purposes.Data may be shared with the following categories of recipients:

Recipient / Sub-processor

Role and purpose

Safeguards

Webflow, Inc. (United States)

Website hosting, delivery and security -
accesses technical navigation data and contact
form data

Webflow DPA + SCCs (EU
Decision 2021/914)

Physical security providers

Guarding, access management, CCTV -
operating on the Bizerte site

Sub-processing contracts
with GDPR clauses and
confidentiality obligations

IT and maintenance providers

Technical intervention on SoleCrypt's own
infrastructure (not on customer environments)

Confidentiality clauses and
DPA where applicable

Banks and payment providers

Payment processing, billing management

Applicable banking
regulations

Legal advisers, auditors and
accountants

Legal advice, audit, litigation -subject to
professional privilege

Legal and professional
confidentiality obligations

SoleCrypt group subsidiaries
(SOLECRYPT TUNISIA SARL,
SOLECRYPT DC SARL)

Internal operational coordination

Intra-group SCCs between
SOLECRYPT LTD and its
Tunisian subsidiaries

Competent authorities, courts and
regulatory bodies

Upon legal or judicial request

Legal obligation

4. International data transfers

4.1 Transfers of SoleCrypt's own operational data
  • To the United States (Webflow): governed by SCCs (Decision 2021/914/EU) for EU → US transfers,and by the IDTA or UK Addendum to SCCs for UK → US transfers.
  • To Tunisia (operations, subsidiaries): in the absence of an EU adequacy decision for Tunisia, thesetransfers are governed by Standard Contractual Clauses (SCCs) between SOLECRYPT LTD andits Tunisian subsidiaries, pursuant to Decision 2021/914/EU.
4.2 Customer-hosted data

SoleCrypt draws the attention of its customers operating in the EEA or the United Kingdom to the fact thatstoring personal data of European or British residents on infrastructure located in Tunisia constitutes aninternational transfer under Articles 44 to 49 EU GDPR and UK GDPR. Each customer-controller isresponsible for governing this transfer using appropriate mechanisms (SCCs, IDTA, adequacy decision ifapplicable). SoleCrypt can provide the technical information necessary for a Transfer Impact Assessment(TIA) on written request to: contact@solecrypt.com

5. Your rights

Under the EU GDPR, UK GDPR (as amended by DUAA 2025), French Data Protection Act and TunisianLaw No. 2004-63, data subjects have the following rights:

Right

Description

Legal reference

Right of access

Obtain confirmation that data concerning you is
being processed and receive a copy together with information on the processing.

Art. 15 EU/UK GDPR

Right to rectification

Request correction of inaccurate data and
completion of incomplete data, without undue
delay.

Art. 16 EU/UK GDPR

Right to erasure

Request deletion of your data in the cases
provided for by the Regulation (no longer
necessary, withdrawal of consent, unlawful
processing, etc.).

Art. 17 EU/UK GDPR

Right to restriction

Obtain temporary restriction of processing where accuracy is contested, processing is unlawful, or an objection is raised.

Art. 18 EU/UK GDPR

Right to data portability

Receive your data in a structured, commonly
used, machine-readable format and transmit it to another controller

Art. 20 EU/UK GDPR

Right to object

Object at any time to processing based on
legitimate interests, in particular for direct
marketing purposes.

Art. 21 EU/UK GDPR

Right to withdraw consent

Withdraw consent at any time without affecting
the lawfulness of prior processing.

Art. 7(3) EU/UK GDPR

Right to lodge a direct
complaint (new -DUAA
2025)

Lodge a complaint directly with SoleCrypt if you
believe a data protection breach has occurred.
SoleCrypt undertakes to respond within one
month.

Art. 77A UK GDPR (DUAA
2025)

Right to complain to a
supervisory authority

Lodge a complaint with the Information
Commission (UK), CNIL (France) or INPDP
(Tunisia) if you believe your rights have not been
respected.

Art. 77 EU/UK GDPR

To exercise any of these rights: contact@solecrypt.com -Response deadline: one month (extendable bytwo months for complex requests -Art. 12(3) GDPR). Specific notices for visitors and employees are set outin Documents 06 and 07 of this pack.

6. Security

SoleCrypt implements appropriate physical, technical and organisational security measures, including:multi-level access control, CCTV 24/7, TLS/HTTPS encryption of data in transit, segregation of customerenvironments, access restricted to authorised personnel, data breach management procedures (72-hournotification to supervisory authority -Art. 33 GDPR), and logging and auditing of administrator access.SoleCrypt intends to obtain ISO 27001 and SOC 2 Type II certifications, the sector reference standards(ref.: Equinix, Digital Realty).

7. Policy updates

This Policy may be updated at any time. The applicable version is that published on the Website at the dateof your visit. Material changes will be signalled by a prominent notice on the Website.

Talk to sales team

Whether you're scaling AI operations, optimizing high-performance computing, or aligning with sustainability goals, Solecrypt is here to help. Connect with our experts to explore tailored solutions for your business.

let's chat
Empowering AI with Sustainable Energy
Book a call
HOME
Vision
Renewable Energy
Digital Infrastructure
Strategic Location
Press Release
Media
Partners
Investors
Contact
© Solecrypt 2026. All Rights Reserved
|
legal notice
|
privacy policy
|
terms of use
|
cookie policy
|
corporate information