Privacy Policy

Last updated: April 19, 2026 · Version 2.0

AELIRA LTD ("AsterPay", "we", "our", "us") operates the AsterPay trust, discovery and EUR-settlement layer for AI agent commerce. This Privacy Policy describes the personal data we process and your rights under the EU General Data Protection Regulation (GDPR) and other applicable EU data-protection law.

1. Data controller

AELIRA LTD, Reg. No. HE 490977, 9 Karpenisiou, Strovolos, 2021 Nicosia, Cyprus — is the data controller for personal data processed in connection with AsterPay services. Contact: [email protected].

2. Personal data we collect

Account & merchant data: name, business email, role, company name, VAT ID, registered address, dashboard credentials.
KYB / AML data: certificate of incorporation, UBO information (name, date of birth, nationality, ID document where required), director and PEP declarations, source-of-funds declarations.
KYA (Know Your Agent) data: agent identifiers (e.g. ERC-8004 ID), wallet addresses, behavioural signals, operator attestations, Trust Score components.
Sanctions screening data: screening verdicts and identifiers exchanged with our enterprise sanctions / AML screening provider against EU, UN, OFAC and HM Treasury lists.
Transaction & settlement data: transaction hashes, amounts, timestamps, source and destination wallet addresses, IBAN/BIC of beneficiary accounts, conversion rates, fee breakdowns, refund and chargeback records.
Travel Rule data (Reg. (EU) 2023/1113): for crypto-asset transfers at or above €1,000, originator and beneficiary information (name, address, account/wallet identifier, and where required date of birth or other unique identifier).
Verification of Payee (VoP, PSD2): beneficiary name and account identifiers used for IBAN/BIC matching.
Technical data: IP address, user agent, request headers, API key identifiers (hashed), error and rate-limit logs.
Communications: support tickets, partnership emails, scheduling data via cal.eu/asterpay.

3. Purposes & legal bases

Provision of services (Art. 6(1)(b) GDPR — contract): operating accounts, processing payments, computing Trust Score, executing EUR settlement.
Compliance with legal obligations (Art. 6(1)(c) GDPR): KYB, AML, sanctions screening, Travel Rule, VAT, MiCA-related record keeping, EU AI Act transparency.
Legitimate interests (Art. 6(1)(f) GDPR): fraud prevention, security monitoring, abuse detection, product analytics, partner due diligence.
Consent (Art. 6(1)(a) GDPR): marketing communications, non-essential cookies and any features explicitly described as opt-in.

4. Recipients & processors

We share personal data only as needed:

Licensed European payment partners for SEPA Instant settlement, IBAN issuance and partner-bank custody;
Stablecoin issuers and on-chain infrastructure (e.g. Circle for USDC/EURC operations, Base / Ethereum and partner RPC providers);
Sanctions and AML screening provider for per-transaction screening verdicts;
KYB / identity verification provider for company verification and UBO checks;
Cloud and hosting providers (Cloudflare, Railway, Supabase) for application infrastructure, with EU data-residency options where available;
Authorities when required by law, court order or a competent regulator.

All processors are bound by Art. 28 GDPR data-processing agreements. Public blockchain networks (Base, Ethereum, etc.) are not processors: information written on-chain is publicly visible and immutable.

5. International transfers

Where personal data is transferred outside the European Economic Area, we rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms under Chapter V GDPR. Any such transfer is subject to a transfer-impact assessment.

6. Retention

KYB and AML records: retained for the periods required by EU AML legislation (currently 5 years after end of business relationship, extendable to 10 years where mandated).
Transaction and settlement records: minimum 5 years.
Travel Rule data: as required by Reg. (EU) 2023/1113 and national implementing law.
KYA / Trust Score signals: rolling window aligned with operator data-retention requests, except where required for AML / fraud-prevention purposes.
Technical logs: rolling 90 days unless retained longer for security investigation.

7. Your rights

Under the GDPR you have the right to: access, rectification, erasure (subject to retention obligations), restriction, data portability, objection to processing based on legitimate interests, and to withdraw consent. You may also lodge a complaint with the Cyprus data-protection supervisory authority (Office of the Commissioner for Personal Data Protection) or your local EU supervisory authority.

To exercise your rights, contact [email protected].

8. Security

We apply technical and organisational measures appropriate to the risk, including: encryption in transit (TLS 1.2+) and at rest, hashed API keys, role-based access controls, Supabase row-level security, REVOKE-by-default policies on backend-only tables, audit logging, and security headers (CSP, HSTS) on all public surfaces. Security disclosures: see /security/ and our /.well-known/security.txt.

9. Cookies

We use only essential cookies to operate the website and dashboard, plus opt-in analytics where applicable. Cookie preferences can be controlled via your browser. We do not use third-party advertising trackers.

10. Children

AsterPay is not intended for individuals under 18 years of age and does not knowingly process personal data of minors.

11. Automated decision-making

Trust Score and tier assignment may, in part, rely on automated processing. Where an automated decision produces legal or similarly significant effects (for example, refusing a settlement), you have the right to obtain human review and to contest the decision by contacting [email protected].

12. Changes

We may update this Privacy Policy. Material changes will be announced at least 30 days in advance by email or dashboard notice and reflected by an updated "Last updated" date.

13. Contact

Privacy questions and rights requests: [email protected]
Partnerships & onboarding: [email protected]