Privacy Notice – Club Token Platform

1. Identity of the controller

For the purposes of Data Protection Laws, the controller of your personal data is ATFC Tokens Ltd., a company incorporated in the British Virgin Islands.

If you have any questions about this Privacy Notice or our data protection practices, you may contact our Data Protection Officer at info@alphafc.xyz.

2. Scope of this notice

This Privacy Notice covers personal data processed in connection with your use of the Club Token platform (the “Platform”), including the token sale interface, governance voting features, and any associated web or mobile applications we may make available. The Platform enables supporters to acquire non-equity, non-debt engagement tokens (“Club Tokens”) and participate in governance voting on certain club-related matters.

This Privacy Notice does not apply to processing that occurs solely on the public blockchain (such as the Solana network) as a direct consequence of you broadcasting a transaction. Such on-chain data are immutable, openly accessible, and processed in a decentralised manner outside our control. However, where we store or otherwise process off-chain data in connection with blockchain activity, this Privacy Notice applies.

3. Categories of personal data we process

Depending on how you engage with the Platform, we may process the following categories of personal data:

• Identity Data: name, username or user-chosen handle, date of birth, and where applicable for verification purposes, copies of government-issued identification documents.
• Contact Data: email address, telephone number, postal address, and delivery address where you elect to receive physical correspondence or merchandise.
• Blockchain Identifiers: public wallet addresses, transaction hashes, and smart-contract interaction logs that you voluntarily associate with your Platform account.
• Verification Data: proof of address documentation, source of funds information, sanctions-screening results, fraud-prevention flags, and audit trails collected as part of know-your-customer (“KYC”) and anti-money laundering (“AML”) procedures.
• Profile and Usage Data: account preferences, governance voting history, interaction history with Platform features, session logs, login timestamps, and engagement metrics.
• Technical Data: internet protocol (IP) address, device type, unique device identifiers, operating system and version, browser type and version, time zone setting, approximate geolocation derived from IP address, and other technical telemetry.
• Financial Data: payment card details, bank account information, and records of token purchase transactions processed through the Platform.
• Marketing and Communications Data: your preferences in receiving marketing communications from us and your communication preferences.

We do not intentionally collect special category data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data). If you choose to share such data through the Platform, you do so at your own discretion.

We may be required by law to collect certain personal data about you, or as a consequence of any contractual relationship we have with you. Failure to provide Identity Data, Contact Data, and (where applicable) Verification Data may prevent us from registering you as a user, allowing you to participate in the token sale, or providing you with access to certain Platform features.

4. How your personal data is collected

We collect personal data from the following sources:

• Direct interactions: You provide personal data when you create an account, complete KYC/AML verification procedures, connect your wallet, participate in the token sale, cast governance votes, contact customer support, subscribe to communications, or otherwise interact with us.
• Automated technologies: We automatically collect Technical Data when you access the Platform through cookies, server logs, and similar technologies. Please see Section 14 (Cookies and Similar Technologies) for further details.
• Third parties: We may receive personal data from third-party verification providers who assist with KYC/AML checks, blockchain analytics providers, payment service providers, and from publicly available blockchain ledgers.

5. Purposes and lawful bases for processing

We process your personal data only where we have a lawful basis to do so under Data Protection Laws.

Contractual necessity: We process your personal data where necessary to perform our contract with you or to take steps at your request before entering into a contract. This includes: registering you as a user; authenticating your identity; facilitating your participation in the token sale; enabling governance voting; providing customer support; and enforcing our terms of service.

Legitimate interests: We process your personal data where necessary for our legitimate interests (or those of a third party), provided those interests are not overridden by your rights and freedoms. This includes: securing the Platform and detecting and preventing fraud or abuse; conducting internal analytics to improve Platform features; protecting the integrity of our community-owned football club ecosystem; administering and protecting our business; and communicating with you about Platform updates and governance matters.

Legal obligation: We process your personal data where necessary to comply with legal obligations to which we are subject. This includes: compliance with KYC/AML laws and regulations; financial services and sanctions regulations; court orders or law enforcement requests; tax obligations; and regulatory reporting requirements.

Consent: Where we rely on your consent to process personal data, we will obtain your consent before such processing. This includes: sending you marketing communications (where consent is required); placing certain non-essential cookies on your device; and any other processing where consent is the appropriate lawful basis. You may withdraw your consent at any time by contacting us or updating your preferences, without affecting the lawfulness of processing carried out prior to withdrawal.

We do not engage in solely automated decision-making that produces legal or similarly significant effects on you.

6. Recipients and disclosure of your personal data

We do not sell your personal data. We may share your personal data with the following categories of recipients where necessary for the purposes set out in this Privacy Notice:

• Group entities: any subsidiary or affiliated entity involved in the administration of the Club Token platform or the football club, including the token issuance vehicle.
• Service providers: Third-party service providers acting as processors who supply services such as: KYC/AML verification; payment processing; hosting and cloud infrastructure; blockchain infrastructure (including the Solana network); analytics; and customer support services.
• Blockchain networks: When you interact with the Platform through blockchain transactions, certain data (including your public wallet address and transaction details) will be recorded on the public Solana blockchain. Once recorded, such data cannot be modified or deleted.
• Regulatory authorities: Regulatory bodies, supervisory authorities, law enforcement agencies, or courts where we are legally compelled or permitted to disclose your personal data.
• Professional advisers: Lawyers, accountants, auditors, and insurers who provide consultancy, legal, insurance, and accounting services to us.
• Business transferees: Prospective purchasers, investors, or professional advisers in connection with any merger, acquisition, reorganisation, or financing.

Whenever we share personal data, we do so on a need-to-know basis, applying data minimisation principles and appropriate safeguards.

7. International transfers

Given the global operations and distributed infrastructure nature of the Platform, your personal data may be transferred to, stored at, and processed in destinations outside the United Kingdom, including the British Virgin Islands and other jurisdictions where our service providers or group entities are located.

Where we transfer your personal data outside the United Kingdom to countries that have not been deemed to provide an adequate level of data protection, we will ensure that appropriate safeguards are in place, including the UK International Data Transfer Agreement or the International Data Transfer Addendum to the European Commission's standard contractual clauses, and supplementary technical and organisational measures such as encryption and pseudonymisation.

Please note that data recorded on public blockchain networks (such as the Solana network) is inherently borderless and may be accessed from any jurisdiction. We cannot control the distribution or access of such on-chain data.

8. Data security

We have implemented appropriate technical and organisational security measures designed to protect your personal data from accidental loss, unauthorised access, use, alteration, or disclosure. These measures include encryption of data in transit and at rest, multi-factor authentication, periodic penetration testing, access controls, and staff training.

We have procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

You are responsible for protecting your private keys, wallet credentials, account passwords, and devices. Please notify us immediately if you suspect any unauthorised access to your account.

9. Data retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements.

In general, we will retain your personal data for the duration of your relationship with us and for a period of seven years thereafter, unless a longer retention period is required by law or necessary to defend legal claims. KYC/AML records and compliance data may be retained for longer periods where mandated by applicable regulations.

Please note that data recorded on the public blockchain cannot be deleted or modified. On-chain data, including your wallet address and transaction history, will remain on the blockchain indefinitely.

10. Your legal rights

Under Data Protection Laws, you have a number of rights in relation to your personal data. Subject to certain conditions and exceptions, you have the right to:

• Request access to your personal data (commonly known as a “subject access request”), enabling you to receive a copy of the personal data we hold about you.
• Request correction (rectification) of the personal data that we hold about you, enabling you to have any incomplete or inaccurate data corrected.
• Request erasure (deletion) of your personal data where there is no good reason for us continuing to process it. Note that this right does not extend to data recorded on public blockchain networks, which cannot be deleted.
• Object to processing of your personal data where we are relying on a legitimate interest, or for direct marketing purposes.
• Request restriction of processing of your personal data, enabling you to ask us to suspend the processing in certain circumstances.
• Request data portability, enabling you to receive a copy of your personal data in a structured, commonly used, machine-readable format.
• Withdraw consent at any time where we are relying on consent to process your personal data.
• Lodge a complaint with a supervisory authority. In the United Kingdom, this is the Information Commissioner's Office (www.ico.org.uk).

To exercise any of these rights, please contact us at info@alphafc.xyz. We aim to respond to all legitimate requests within one month.

11. Children

The Platform is intended for individuals aged eighteen (18) years or over. We do not knowingly collect personal data from anyone under the age of eighteen (18). If we discover that we have collected personal data from a person under eighteen (18), we will delete such data as soon as practicable.

12. Marketing communications

Where you have provided your consent or we otherwise have the right to do so, we may send you marketing communications about the Platform, the football club, governance opportunities, and related matters.

You have an absolute right to opt out of receiving marketing communications at any time by following the unsubscribe link in any marketing email, updating your preferences in your account settings, or contacting us. Please note that if you opt out of marketing communications, you will still receive service-related communications essential for the operation of your account.

13. Cookies and similar technologies

We use cookies and similar tracking technologies to collect and store information about how you interact with our Platform. For more information about the cookies we use, please see our Cookie Policy.

14. Geographic restrictions

Access to the Platform and participation in the token sale may be restricted based on your geographic location. We may use geofencing and other technology to verify your location and eligibility to access the Platform.

15. Contact details

If you have any questions about this Privacy Notice, wish to exercise your legal rights, or need further information about our data protection practices, please contact us:

Email: info@alphafc.xyz

16. Complaints

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). However, we would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us first.

17. Third-party links

The Platform may include links to third-party websites, plug-ins, applications, and blockchain explorers. We do not control these third-party websites and are not responsible for their privacy practices. We encourage you to read the privacy policy of every website you visit.

18. Changes to this Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. Any material changes will be notified to you via the Platform, by email, or by other appropriate means.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.