Overview
This privacy policy explains how Solidus collects, uses, stores, discloses, and protects information when you visit the website, use the application, request a quote, place an order, complete compliance checks, or contact us about your holdings. It is intended to work alongside our Terms of Service, Custody and Insurance Terms, Redemption and Withdrawal Policy, and Complaints and Support page.
Because Solidus operates a wallet-linked physical-gold platform, some of the information we handle is sensitive. That includes verification information, wallet addresses, operational activity records, and the records we keep about orders, holdings, storage, reconciliation, and insurance status. We therefore keep this policy practical and specific rather than generic.
Who this policy applies to
This policy applies to information collected through the Solidus website, the Solidus application, and direct communications with us. It applies whether you are browsing publicly available pages or using a wallet-linked customer account. The application can show more detailed information than the public website, so the data we process for signed-in users is broader than the data we process for casual visitors.
What information we collect
Depending on how you interact with Solidus, we may collect and generate the following categories of information:
- identity and contact information, such as your name, email address, phone number, date of birth, nationality, residential address, and any information you provide during onboarding or support communications
- wallet and account information, including XRPL wallet addresses, sign-in records, browser-session security values, login timestamps, IP-related request data, and device or browser context used to protect the application
- quote, order, holdings, statement, activity, custody, reconciliation, and insurance records generated when you use the service
- compliance information collected directly from you or from Sumsub and related providers, including identity-verification outcomes, sanctions or politically exposed person screening outcomes, wallet-ownership and wallet-risk results, and manual-review notes
- document and biometric information if the verification flow requires it, such as photographs of identity documents, selfies, liveness checks, face-match outputs, and the related metadata
- website and technical information, including standard server logs, page requests, error logs, security logs, and cookies or similar technologies used to run the website and application
- communications and support records, including complaints, dispute correspondence, service requests, and any evidence you send to help us investigate an issue.
Why we collect and use information
We collect and use information only for purposes reasonably connected with operating and protecting the Solidus service. That includes verifying your identity, screening for sanctions and wallet-related risk, providing quotes, creating and administering orders, recording holdings, coordinating storage and insurance administration, generating statements, responding to support requests, investigating complaints, detecting fraud, securing the platform, complying with legal requirements, and improving the clarity and reliability of the service.
We also use information to control the order lifecycle. For example, the system may prevent order creation until required acknowledgements and compliance checks are complete, and it may hold or delay an order if payment, storage, reconciliation, or insurance administration is incomplete. Those controls exist to reduce the chance that a customer sees a final state before that state has actually been reached.
Compliance, biometrics, and screening
Solidus currently uses Sumsub as its configured provider for identity verification, sanctions-related workflow, and wallet-ownership or wallet-risk checks. Where the verification flow requires it, Sumsub may collect and process identity documents, selfies, liveness checks, facial-comparison outputs, and other compliance information on our behalf. We use those results to decide whether a customer can be onboarded, whether an order can proceed, and whether a manual review is required.
If biometric verification is used, it is used for identity-verification, fraud-prevention, and security purposes connected with the service. We do not treat biometric checks as casual analytics. They are part of the compliance and security controls used to reduce impersonation and other misuse. We expect any biometric processing carried out for Solidus to be handled in line with applicable New Zealand privacy law and the Biometric Processing Privacy Code 2025 where that code applies.
Cookies and similar technologies
Solidus uses essential technical cookies and similar technologies to run the website and application securely. In the application, those controls help maintain signed-in sessions, protect against session mix-ups, and keep the service usable. The website may also use basic technical storage for security, routing, and performance.
As at the last updated date above, Solidus is not relying on broad advertising or personalisation cookies on the public website. If we introduce non-essential analytics, advertising, or personalisation technologies later, we will update this policy and any related consent or notice mechanisms before using them in a materially different way.
Who we share information with
We may share information with trusted service providers and counterparties where that is reasonably necessary for the purposes described above. Depending on the circumstances, recipients may include Sumsub and its relevant sub-processors for verification services, cloud hosting and infrastructure providers, security and monitoring providers, legal and professional advisers, auditors, payment or banking service providers if enabled, Commonwealth Vault for operational storage coordination where necessary, Rothbury Insurance Brokers Limited and relevant insurers or administrators where insurance administration requires it, and public authorities where disclosure is permitted or required by law.
We do not sell customer personal information. Where we disclose information, we try to limit the disclosure to what is reasonably needed for the relevant purpose. We may also use aggregated or de-identified information for service improvement and reporting where it no longer identifies a particular person.
Storage and overseas processing
Solidus uses cloud-based systems and third-party service providers, which means information may be stored or processed outside New Zealand. For example, infrastructure, compliance, security, or support providers may process information in other jurisdictions. Where that occurs, we remain responsible for taking reasonable steps to make sure the information is handled appropriately for the service being provided.
You should also understand that an overseas processor used on our behalf is not the same thing as an unrestricted onward disclosure. Even where a provider is processing data for us, we are still responsible for the way we collect, use, and safeguard the information within our service.
How long we keep information
We keep personal information for no longer than is reasonably necessary for the purposes for which it was collected, plus any period needed for security, fraud prevention, dispute handling, legal claims, tax, accounting, or regulatory reasons. Different records may be kept for different periods. For example, active customer records, compliance records, and operational ledger records may need to be retained longer than transient website logs. When information is no longer needed, we aim to delete it, de-identify it, or otherwise dispose of it securely.
Security
We use a combination of technical and organisational safeguards designed to reduce the risk of unauthorised access, alteration, loss, or misuse. Those measures can include role-based access controls, secured sessions, audit logging, environment-level secrets management, transport encryption, and controlled operational workflows. No online system is perfectly secure, however, so we cannot guarantee absolute security. If you believe your wallet, browser session, or account data has been compromised, you should contact us immediately.
Your rights
You may ask for access to the personal information we hold about you, and you may ask us to correct information that is inaccurate, incomplete, out of date, irrelevant, or misleading. In many cases, the application will already show you a useful subset of your account, order, and holdings information, but you can still make a formal request if you need a broader or corrected record.
We may need to verify your identity before releasing or correcting information. In some cases, a request may be declined or limited where the law allows that, but if so, we will explain the position as clearly as we reasonably can.
Complaints and contact
If you have a privacy question, access request, correction request, or complaint, please contact us first at compliance@solidus.nz. If your concern relates to urgent operational or security matters, you can also contact operations@solidus.nz. We will try to review and respond promptly.
If you are not satisfied after giving us a reasonable opportunity to respond, you may be able to complain to the Office of the Privacy Commissioner. Nothing in this policy limits any rights you may have under applicable privacy law.
Changes to this policy
We may update this privacy policy from time to time to reflect changes to the service, law, suppliers, or operating model. Where a change is material, we will update the page and, where appropriate, take additional steps to bring the update to users’ attention.