Legal
Privacy Policy
Effective: January 2026
This Privacy Policy explains how 28th.io (“we”, “us”, “our”) collects, uses, and protects your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable European data protection laws.
1. Data Controller
The data controller responsible for your personal data is:
Beer Advisory & Ventures GmbH i.G.
Leipziger Straße 11b
45699 Herten, Germany
Managing Director: Julian Beer
Email: privacy@28th.io
2. Personal Data We Collect
We collect the following categories of personal data:
2.1 Data You Provide
- —Email address (when requesting access)
- —Name and contact information
- —Identity verification documents (where required)
- —Business information for entity formation
2.2 Data Collected Automatically
- —IP address
- —Browser type and version
- —Device information
- —Usage data and access times
3. Legal Basis for Processing
We process your personal data based on the following legal grounds under Article 6 GDPR:
Consent — Where you have given explicit consent for specific processing activities
Contract — Processing necessary for the performance of a contract or pre-contractual measures
Legal Obligation — Processing necessary to comply with EU or Member State law
Legitimate Interests — Processing necessary for our legitimate interests, such as fraud prevention and service improvement
4. Purpose of Processing
We process your personal data for the following purposes:
- —Providing and maintaining our services
- —Processing your access requests and applications
- —Identity verification and KYC/AML compliance
- —Communicating with you about our services
- —Improving and optimizing our platform
- —Complying with legal and regulatory obligations
5. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:
- —Account data: Duration of your account plus 5 years
- —Transaction records: 10 years (legal requirement)
- —Marketing data: Until consent is withdrawn
- —Access request data: 2 years or until fulfilled
6. Data Sharing and Transfers
We may share your personal data with:
- —Service providers operating within the EU/EEA
- —Regulatory authorities when required by law
- —Financial institutions for banking services
We do not transfer personal data outside the European Economic Area (EEA) unless adequate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.
7. Your Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data:
Right of Access — Obtain confirmation and a copy of your personal data
Right to Rectification — Correct inaccurate or incomplete data
Right to Erasure — Request deletion of your data (“right to be forgotten”)
Right to Restriction — Restrict processing in certain circumstances
Right to Data Portability — Receive your data in a structured, machine-readable format
Right to Object — Object to processing based on legitimate interests
Right to Withdraw Consent — Withdraw consent at any time without affecting prior processing
To exercise any of these rights, contact us at privacy@28th.io. We will respond within 30 days.
8. Automated Decision-Making
We do not engage in automated decision-making, including profiling, that produces legal effects or similarly significantly affects you, as defined under Article 22 GDPR.
9. Cookies and Tracking
We use strictly necessary cookies to ensure the proper functioning of our website. These cookies do not require consent under Article 5(3) of the ePrivacy Directive (2002/58/EC).
We do not use third-party tracking, advertising, or analytics cookies.
10. Data Security
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit and at rest, access controls, and regular security assessments, in accordance with Article 32 GDPR.
11. Right to Lodge a Complaint
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement (Article 77 GDPR).
12. Contact Us
For any questions or requests regarding this Privacy Policy or your personal data: