Legal

Privacy Policy

Last Updated: February 24, 2026 · Effective Date: February 24, 2026

This Privacy Policy describes how Elagon Inc. (DBA "Netaro") ("we," "us," or "our") collects, uses, discloses, and otherwise processes personal information in connection with our website, APIs, dashboard, and other online services that link to this Privacy Policy (collectively, the "Services"), as well as offline services and interactions.

By using our Services, you acknowledge that your personal information will be handled as described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Services.

1. Introduction & Scope

Elagon Inc. (DBA "Netaro") is a Delaware-incorporated financial technology company headquartered in Wilmington, Delaware, USA, with operational presence in GIFT City, Gujarat, India. Netaro is a Registered Money Services Business (MSB) under FinCEN and is actively pursuing VASP, VARA, and Money Transmitter Licenses (MTLs) across relevant jurisdictions.

Netaro provides API-first stablecoin payment infrastructure that enables business clients to execute cross-border fiat settlements using fiat-backed stablecoins (such as USDC) as the underlying settlement rail.

This Privacy Policy applies exclusively to: (a) business entities that have entered into a services agreement with Netaro ("Client(s)"); and (b) authorized representatives of those entities who access Netaro's platform, dashboard, or API. This Policy does NOT apply to retail consumers or individuals seeking personal payment services. Netaro does not offer consumer-facing payment products.

2. The Information We Collect

2.1 Corporate Identity & KYB Data

KYB documentation, Ultimate Beneficial Owner (UBO) information, director and officer details, corporate formation documents, beneficial ownership certifications, certificate of incorporation, regulatory filings, and related due diligence materials collected to fulfill AML and onboarding obligations.

2.2 Transaction Data

Sender and receiver bank account details, correspondent banking information, stablecoin wallet addresses (including public keys), transaction amounts, currency denominations, timestamps, transaction reference IDs, API request and response logs, and settlement confirmation records.

2.3 Authorized Representative Data

Names, business email addresses, direct phone numbers, job titles, organizational roles, and role-based access credentials of the individuals authorized to access the Netaro platform, dashboard, or API on behalf of a Client entity.

2.4 Technical & Usage Data

IP addresses, browser types and versions, device identifiers, API keys (stored in hashed form), platform usage analytics, session metadata, dashboard interaction logs, and error and performance telemetry.

3. How We Use Your Information

Service Delivery
To execute cross-border settlement instructions, fulfill API requests, and manage Client accounts.
Regulatory Compliance — AML & KYB
To conduct mandatory Anti-Money Laundering (AML) screening, Know Your Business (KYB) due diligence, and ongoing transaction monitoring as required by FinCEN, the Bank Secrecy Act (BSA, 31 U.S.C. § 5318 et seq.), and applicable global regulatory frameworks including FATF recommendations.
Sanctions Screening
To screen Clients, counterparties, and transactions against OFAC's Specially Designated Nationals (SDN) list and other applicable international sanctions regimes to prevent engagement with prohibited persons, entities, or jurisdictions.
Fraud Prevention & Platform Integrity
To detect and prevent fraud, unauthorized API access, account takeover, and abuse of the Netaro platform.
Regulatory Recordkeeping
To maintain audit trails, comply with suspicious activity reporting (SAR) obligations, and respond to lawful requests from regulatory and law enforcement authorities.
Platform Improvement
To analyze API performance metrics, improve dashboard UX, and enhance platform reliability and uptime.
Client Communications
To deliver service updates, compliance notifications, incident alerts, and account management communications.

4. Information Sharing and Disclosure

Netaro does not sell personal data to third parties. Data is shared only in the following circumstances:

Payment Execution Partners
Licensed local Payment Service Providers (PSPs), OTC desks, and correspondent banking partners required to execute fiat-to-stablecoin-to-fiat conversion and cross-border settlement.
Compliance & Verification Vendors
Third-party AML screening, KYB, and identity verification service providers who act as data processors under binding Data Processing Agreements (DPAs).
Regulatory & Law Enforcement Authorities
FinCEN, OFAC, FIUs (Financial Intelligence Units), and equivalent international regulatory bodies when legally required or in response to lawful legal process, including subpoenas, court orders, or national security directives.
Infrastructure Providers
Cloud hosting providers (e.g., AWS, GCP) that process data as sub-processors under DPAs consistent with applicable data protection law.

International Data Transfers: Data may be transferred to countries outside the European Economic Area (EEA) and India. For EEA-originating personal data, Netaro relies on EU Standard Contractual Clauses (SCCs) as the transfer mechanism. For India-origin data, Netaro complies with the Digital Personal Data Protection Act, 2023 (DPDP Act).

5. Data Security

Netaro maintains an information security program aligned with SOC 2 Type 2 controls and ISO 27001 standards, including:

Encryption
AES-256 encryption for data at rest; TLS 1.2 and TLS 1.3 for data in transit.
Access Controls
Role-Based Access Control (RBAC) enforced on the principle of least privilege; multi-factor authentication required for all administrative access.
Monitoring & Testing
Continuous security monitoring, vulnerability management, and periodic third-party penetration testing.
Incident Response
A documented incident response plan with breach notification procedures consistent with applicable law, including GDPR Article 33 timelines where applicable.

Notwithstanding the above, no security system is impenetrable. Clients remain solely responsible for the security of their API keys, access credentials, and endpoint security configurations.

6. Data Retention

BSA/FinCEN Compliance
Transaction records, AML/KYB documentation, and SAR-related materials are retained for a minimum of five (5) years from the date of the transaction or the conclusion of the client relationship, as required by 31 U.S.C. § 5318 and associated FinCEN regulations.
FATF Alignment
Netaro aligns its international recordkeeping practices with FATF Recommendation 11 standards.
Post-Relationship Retention
Following termination of a client relationship, Netaro may retain data as required for legal defense, regulatory examination, dispute resolution, and audit purposes.
Deletion & Anonymization
Upon expiry of all applicable legal retention periods, personal data is securely deleted or anonymized in accordance with Netaro's data lifecycle management procedures, where legally permissible.

7. Global Privacy Rights

Given Netaro's strictly B2B operating model, privacy rights are subject to the qualifications below:

7.1 GDPR (EU/EEA)

To the extent Netaro processes personal data of EU/EEA-based individuals (such as authorized representatives or UBOs of European Client entities), Netaro acts as a data controller or data processor, as applicable. Legal bases for processing include: (i) performance of a contract; (ii) compliance with a legal obligation; and (iii) legitimate interests. Applicable data subject rights include access, rectification, restriction of processing, data portability, and the right to object. The right to erasure is subject to mandatory BSA, AML, and other regulatory retention obligations that take precedence.

7.2 CCPA/CPRA (California)

To the extent Netaro processes personal information of California-resident individuals in a B2B context, Netaro acknowledges applicable rights under the CCPA and CPRA, subject to applicable B2B exemptions. Netaro does not sell or share personal information for cross-context behavioral advertising purposes.

7.3 India DPDP Act (2023)

Processing of personal data pertaining to individuals in India, including in connection with Netaro's GIFT City operations, is conducted in accordance with the Digital Personal Data Protection Act, 2023, to the extent applicable.

To submit a privacy rights request, contact: hello@netaro.xyz. Note that exercise of certain rights may be limited or delayed by Netaro's mandatory regulatory and legal obligations.

8. Cookies and Tracking Technologies

Netaro's platform operates as a B2B API and dashboard environment — not a consumer-facing website.

Strictly Necessary Cookies
Used for session authentication, CSRF protection, and platform security. These cannot be disabled without impairing platform functionality.
Analytics Cookies
Aggregate usage analytics are collected to monitor platform performance and improve service quality. Non-essential analytics tracking may be opted out of via dashboard settings.
Advertising & Behavioral Tracking
Netaro does not deploy third-party advertising, behavioral profiling, or cross-site tracking cookies on its platform.

9. Changes to This Privacy Policy

Netaro reserves the right to update this Privacy Policy at any time. For material changes, Netaro will provide at least thirty (30) days' advance notice via email to the registered contact of record and/or via a prominent dashboard notification. Non-material changes (e.g., typographical corrections or clarifications) may be made without notice. Continued use of Netaro's services following the effective date of an updated Policy constitutes acceptance of the revised terms.

10. Contact Information

For privacy-related inquiries, data subject requests, or concerns regarding this Policy:

Elagon Inc. (DBA Netaro)
Privacy & Compliance Team
Registered Address
Elagon, Inc. 131 Continental Dr Suite 305, Newark, DE, 19713, US
Principal Office
2010 El Camino Real, #1085, Santa Clara, CA 95050
India Office
Satellite, Ahmedabad, India 380015

For GDPR-related inquiries, EU/EEA-based individuals may also contact the relevant data protection supervisory authority in their jurisdiction.