Privacy Policy
Last updated: 16 April 2026
QuestHive Ltd ("QuestHive", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, including our website, trading application, and trading terminal (collectively, the "Services"). This policy is written in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Information We Collect
1.1 Account Information
When you register an account, we collect:
- Full legal name
- Email address
- Phone number
- Date of birth
- Country of residence
1.2 Identity Verification Data (KYC)
To comply with anti-money laundering (AML) regulations, we collect identity verification data through our partner Veriff. This may include:
- Government-issued photo identification (passport, driving licence, national ID)
- Selfie photographs for facial matching
- Proof of address documents (utility bills, bank statements)
- Tax identification numbers where required
1.3 Financial Data
To facilitate fiat deposits and withdrawals via TrueLayer, we may collect:
- Bank account details (sort code, account number, or IBAN)
- Bank account holder name
1.4 Transaction Data
We record data related to all transactions on the platform:
- Orders placed, amended, and cancelled
- Trades executed (price, quantity, timestamp, counterparty)
- Deposits and withdrawals
- Voucher minting and redemption activity
- Governance votes cast
1.5 Work Verification Data
For freelancers participating in the voucher minting process:
- Work proofs submitted for verification
- ZK proof verification results
- Skill assessment data
- Voucher minting history and parameters
1.6 Usage Data
We automatically collect certain information when you access our Services:
- IP address
- Browser type and version
- Operating system
- Pages visited and time spent on each page
- Referring URL
- Device identifiers
1.7 Communication Data
When you contact us or configure notification preferences:
- Support ticket contents and correspondence
- Notification preferences (email, in-app)
- Marketing communication preferences
2. How We Use Your Information
We use your personal data for the following purposes:
- Service provision: To create and maintain your account, provide access to our trading platform, and facilitate transactions.
- Identity verification and fraud prevention: To verify your identity, screen against sanctions lists, detect and prevent fraudulent activity, and comply with KYC/AML obligations.
- Transaction processing: To process orders, execute trades, handle deposits and withdrawals, and maintain accurate account records.
- Communications: To send service-related notifications, account alerts, and (with your consent) marketing communications.
- Legal compliance: To comply with applicable laws and regulations, including those imposed by the FCA, MiFID II, UK GDPR, and AML legislation.
- Service improvement: To analyse usage patterns, identify bugs, improve user experience, and develop new features.
- Safety and security: To monitor for suspicious activity, enforce our Terms of Service, and protect the integrity of the platform.
3. Legal Basis for Processing (UK GDPR)
We process your personal data under the following legal bases:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide our Services and fulfil our contractual obligations to you, including account management and transaction execution.
- Legal obligation (Art. 6(1)(c)): Processing required to comply with KYC, AML, financial reporting, and other regulatory obligations under FCA rules, MiFID II, and UK law.
- Legitimate interest (Art. 6(1)(f)): Processing for fraud prevention, network security, service improvement, and business analytics, where such processing does not override your rights and freedoms.
- Consent (Art. 6(1)(a)): Processing for marketing communications and optional features that you have explicitly consented to. You may withdraw consent at any time.
4. Data Sharing and Disclosure
We may share your personal data with the following categories of recipients:
- Veriff Ltd: Identity verification services. Veriff processes your identity documents and biometric data to verify your identity. Veriff Privacy Policy.
- TrueLayer Ltd: Open banking services for fiat deposit and withdrawal processing. TrueLayer acts as a regulated payment initiation and account information service provider. TrueLayer Privacy Policy.
- Solana blockchain: Transaction settlement data is recorded on the Solana public blockchain. This data is inherently public and immutable, including wallet addresses, transaction amounts, and timestamps.
- Financial regulators: The Financial Conduct Authority (FCA) and other applicable regulators, as required by law or regulation.
- Law enforcement: When required by law, court order, or government request, or to prevent fraud, money laundering, or other illegal activity.
- Sanctions screening providers: Third-party services used to screen users against international sanctions lists and politically exposed person (PEP) databases.
We do not sell your personal data to third parties.
5. Data Retention
We retain your personal data for the following periods:
- Active accounts: Personal data is retained for as long as your account remains active and in use.
- Closed accounts: Account data is retained for 6 years after account closure, in accordance with regulatory requirements.
- Transaction records: All transaction data is retained for 7 years from the date of the transaction, as required under MiFID II (Commission Delegated Regulation (EU) 2017/565).
- KYC documents: Identity verification documents and data are retained for 5 years after the termination of the business relationship, in accordance with the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017.
- Usage data: Anonymised usage analytics are retained indefinitely. Non-anonymised usage data is retained for 2 years.
After the applicable retention period expires, personal data is securely deleted or anonymised.
6. Your Rights Under UK GDPR
Under the UK GDPR and the Data Protection Act 2018, you have the following rights:
- Right of access (Art. 15): You may request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): You may request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17): You may request deletion of your personal data, subject to regulatory retention obligations. We may be required to retain certain data to comply with financial regulations even after a deletion request.
- Right to restrict processing (Art. 18): You may request that we limit how we process your data in certain circumstances.
- Right to data portability (Art. 20): You may request your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): You may object to processing based on legitimate interests, including direct marketing.
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at privacy@questhive.org. We will respond to your request within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
7. Data Security
We implement appropriate technical and organisational measures to protect your personal data:
- Encryption at rest: All personal data is encrypted using AES-256 encryption.
- Encryption in transit: All data transmitted between your device and our servers is protected using TLS 1.3.
- Access controls: Role-based access control (RBAC) limits access to personal data to authorised personnel on a need-to-know basis.
- Security audits: Regular penetration testing and security audits are conducted by independent third parties.
- Infrastructure: We host our services on secure, audited cloud infrastructure. We are working towards SOC 2 Type II compliance.
- Incident response: We maintain a data breach incident response plan and will notify affected users and the ICO within 72 hours of a qualifying breach, as required by law.
8. Cookies
We use the following categories of cookies:
- Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
- Analytics cookies: Used to understand how users interact with our Services. These are only set with your consent.
We do not use third-party advertising cookies or tracking pixels.
9. International Transfers
Your data may be transferred to and processed in countries outside the United Kingdom. Where such transfers occur, we ensure appropriate safeguards are in place, including:
- Transfers to countries with an adequacy decision from the UK government
- Standard Contractual Clauses (SCCs) approved by the ICO
- Binding Corporate Rules where applicable
10. Children's Privacy
Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a person under 18, we will take steps to delete that data promptly.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and, where appropriate, by email or in-app notification. The "Last updated" date at the top of this page indicates when the policy was last revised.
Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
Email: privacy@questhive.org
Data Protection Officer: QuestHive Ltd, United Kingdom