Privacy Policy


1.1. This Privacy Policy explains how information about you is collected, used and disclosed by SORA BIOME (“SORA,” “we”, "our" or “us”). This Privacy Policy applies to information we collect when you use our products and/or services ("Products" and "Services" respectively).

1.2. Occasionally we may, in our discretion, make changes to the Privacy Policy by posting a revised version and updating the ‘Effective Date’ above. The revised version will be effective on the “Effective Date” listed. If and when such notice is required by law, we may notice you at our own discretion through one of our channels. Where your explicit consent is not needed, your continued access or use of our Platform and/or Services constitutes your acceptance of the latest Privacy Policy. You are thus encouraged to periodically review this page.

1.3. The information published herein is limited to the collection and use of information with respect to your use of our website hosted at [] (“Website”), the Products and related Services. It is important that you read this Privacy Policy together with any other privacy notice or policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This Privacy Policy supplements the other notices and is not intended to override them.

1.4. Please read this Privacy Policy carefully before accessing or using our Website and/or Services. By entering, connecting to, accessing or using the website or Services and/or submitting your information in the registration procedure, you acknowledge that you have read and understood this Privacy Policy.


Who We Are

2.1. “SORA” refers to the company SORA BIOME, with the registered office at Sveta Sofia 8, Str., Floor 1, Office 101, 1000 Sofia, Bulgaria, and is a data controller in respect of personal data under this Privacy Policy.

2.2. Under relevant data protection legislation, including but not limited to the General Data Protection Regulation ("GDPR"), the UK GDPR and the Data Protection Act 2018 (the "Legislation"), the controller is the party that, alone or jointly with others, determines the purposes and means of the processing of personal data. "Controller", "processor", "personal data" are as defined in the Legislation.

2.3. For any clarification, question or requirement related to your privacy and the processing of your personal data, please contact

Collection of Information

What personal data we may collect about you

3.1. Personal data means any information about an individual from which that person can be identified, directly or indirectly.

3.2. We will collect and process various types of personal data about you for the purposes described in this Privacy Policy, including:

  • Account Data includes your email address and password, as well as your communication preferences and your communication with our support staff.
  • Profile Data includes the data collected by us during the application and KYC processes, such as your name, address, mobile phone number, a video recording of your face, citizenship, date of birth, gender and identification numbers such as those contained on your driver's licence, passport or national identity card.
  • Transaction Data includes details about your financial transactions (e.g. payment history) and details of Services you have used.
  • Technical Data includes information about the device you are using to access our Services, such as your internet protocol (IP) address, operating system, time zone, country and language setting.
  • Usage Data includes information about when and how you use our Services (i.e. logs of interactions with our system).

3.3. We may also collect, use, and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature

3.4. If not explicitly written to inform you on collecting sensitive personal data (e.g., within the identification procedure), we do not collect any special categories of personal data about you (so called sensitive data; this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic data).

How is Your Data Collected

3.5. Information is gathered from you in a range of ways that are outlined below:

  • Direct interactions: You may give us your personal data by filling-in forms (e.g. creating an account with us, the KYC process, providing data required to process a payment) or by corresponding with us directly or by post, phone, email, chat plugin, Website, transactions or otherwise. Application fields are mandatory fields, because SORA needs this information to comply with statutory, legal or contractual requirements, internal procedures or to respond to user requests.
  • Automated interactions: As you interact with our Services, we may automatically collect certain Technical Data, Usage Data and Transaction Data.
  • Received from other sources: We may also receive personal data about you from third parties, including from our group entities and other companies providing services to us, regulatory bodies, public sources, data aggregators who may not have a relationship with you, etc. We may combine such information with information we collect through the Website, Products and Services. For instance, when you submit information for identity verification purposes, we may receive information about you from software “screening” programs or fraud prevention service providers, including information about you. We do not control how the third parties process your personal data, and any information request regarding the disclosure of your personal data to us should be directed to such third parties.

3.6. Personal Data that users provide to SORA should not include any of the following data types, and users hereby expressly warrant that they will not provide any of the following:

  • Racial or ethnic origin;
  • Political opinions;
  • Religious or philosophical beliefs;
  • Trade union membership;
  • Genetic data;
  • Private health data concerning a user;
  • Data concerning a natural person’s sex life or sexual orientation.

3.7. SORA may use user Personal Data to send direct marketing to our users via e-mail only when the user has given express prior consent in the relevant contact form. Users may at any time withdraw approval to receive marketing communications by expressly withdrawing consent via their individual SORA interface (wallet).

3.8. SORA will not rely solely on automated user onboarding processes or transaction monitoring, including profiling, with respect to its decisions regarding a user’s ability to transact business via the Website and Services.

Information We Collect Automatically

3.9. When you use the Website, Products and Services, we automatically collect information about you, including:

  • 3.9.1. Log Information: We collect log files that contain the type of browser you use, access times, pages viewed, your IP address and the page you visited before navigating to our websites.
  • 3.9.2. Information Collected by Cookies and Other Tracking Technologies: We and our service providers use various technologies to collect information about you when you use the Website, Products and Services, including cookies.
  • 3.9.3. Wallet Information: When you create a SORA wallet via the Website and Services, your browser generates a public address and private key pair for you. The public address is automatically added to the public storage component and the private key is automatically added to the restricted storage component. SORA does not have access to the private key, which is stored in an encrypted state. If you lose it, you cannot get it back and you will lose all assets associated with this account.

Use of Information

3.10. Our use of your personal data depends on how and where you interact with us. However, whenever we process your personal data, we do so on the basis of a lawful “justification” (or legal basis) for processing. In the majority of cases, the processing of your personal data will be justified on one of the following bases:

  • Provide, maintain and improve the Website, Products and Services;
  • Provide and deliver the Services you request, facilitate transactions and send you related information, including confirmations and informational notifications;
  • Verify your identity, monitor suspicious activity and prevent fraudulent or other illegal activities;
  • Send you technical notices, security alerts, and other support and informational messages;
  • Respond to your comments and questions and provide customer service;
  • Communicate with you about products, services, offers, promotions, rewards, and events offered by SORA and others, and provide news and information we think will be of interest to you;
  • Analyse trends and usage;
  • Process and deliver contest entries and rewards;
  • Link or combine any information we collect about you; and
  • Carry out any other purpose for which you provided the information.
Account Data, Profile Data, Transaction DataFulfilment of Services: To enable us to perform the services to you – to carry out our contractual obligations relating to you, to manage our relationship with you which will also include notifying you about changes to our service and changes to our terms or policies.It is necessary for us to process your information to perform our obligations in accordance with any contract that we may have with you. It is also in our legitimate interest to ensure quality Services are provided to you.We will store the data for as long as the agreement shall be in force and for an additional period in which either party can make any legal claims arising out of this agreement.
Account Data, Profile Data, Transaction DataSupport Services: To enable us to respond to your queries or requests in accordance with the content of such a query or request.It is necessary for us to process your information to perform our obligations in accordance with any contract that we may have with you. It is also our legitimate interest to ensure quality information is provided to users and potential users.We will store the data for as long as the agreement shall be in force and for an additional period in which either party can make any legal claims arising out of this agreement.
Account Data, Usage DataMarketing Communications: To provide news and information services including email briefings and newsletters.We will only send you marketing communications where you have consented and expressed a preference to receive such marketing communications, or where we have other lawful right to do so.Until withdrawal of consent.
Technical Data, Usage DataUser Insight and Analysis: To collect insights into how you interact with our services so that we can personalise our communications with you and maintain and improve our websites and services.Where your personal data is not in an anonymous form, it is in our legitimate interest to use your personal data in such a way to ensure that we deliver our online services to you and our other clients effectively and to ensure quality. Where lawfully required, we may also process your personal data in accordance with your consent to the processing.We will store the data for as long as necessary to properly perform our Services, in any case not longer than allowed according to the applicable regulation. Until withdrawal of consent.
Profile Data, Transaction DataCompliance with Legal Obligations: To comply with legal and regulatory obligations to which we are a subject (e.g. anti-money laundering).It is our legal obligation to do so.We will store the data for a period required under the applicable laws.
Account Data, Transaction Data, Technical Data, Usage DataSafety and Security: For internal operations, including bug fixes, troubleshooting, data analysis, testing, and general security developments.It is in our legitimate interests to improve the security and use of the Website, Platform and Services, including data security.We will store the data for as long as necessary to properly perform our Services, in any case not longer than allowed according to the applicable regulation.
Transaction DataBusiness Sale: In the event that we sell or buy any business or assets, disclose your data to a prospective seller or buyer,It is in our legitimate interests to deliver accurate information about our business to a prospective buyer. It is also our legal obligation to do so.We will store the data for as long as necessary to properly perform our Services, in any case not longer than allowed according to the applicable regulation.

Change of Purpose

3.11. We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason that is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us at

3.12. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Right to Withdraw Consent

4.1. Where the legal basis for processing your personal data is your consent, you have the right to withdraw that consent at any time. You can exercise this right by clicking on the “unsubscribe” button on our marketing emails or by choosing a similar opt-out option that we may provide for you to exercise your right to object to the processing of your personal data.

4.2. You may opt-out of receiving promotional messages from us by following the instructions in those messages. If you opt-out, we may still send you transactional or relationship messages.

Retention of Your Personal Data

5.1. Our general approach is to retain your personal data only for as long as required to fulfil the purposes for which it was collected, or to comply with any legal, regulatory or reporting obligations or to assert or defend against legal claims. We generally retain your personal data for 6 years from the end of our relationship, unless local law requires otherwise. However, in some circumstances we may retain personal data for longer periods of time, for instance where we are required to do so in accordance with legal, tax and accounting requirements.

5.2. In specific circumstances we may also retain your personal data for longer periods of time corresponding to the applicable statute of limitations so that we have an accurate record of your dealings with us in the event of any complaints or challenges.

Sharing and Disclosing Your Personal Data

6.1. For achieving the purposes of use set out in this Privacy Policy (see above), your data may be accessible to certain categories of persons, employed or contracted by us, including financial institutions, lawyers, administrators, IT and system administration services provider, marketing and other services providers, on our behalf on a need-to know basis.

6.2. We may also share your personal data with law enforcement, data protection authorities, government officials, and other authorities, including when:

  • compelled by subpoena, court order, or other valid legal procedure;
  • we believe that the disclosure is necessary to prevent physical harm or financial loss;
  • disclosure is necessary to report suspected illegal activity;
  • disclosure is necessary to investigate violations of this Privacy Policy or other legal agreements;
  • you direct us to.

6.3. We may also disclose certain personal data to our current or future affiliates, subsidiaries and other related entities, as well as to our operational and business partners and subcontractors when this is necessary for the performance and execution of any contract we enter into with them or you. We may also share your personal data with third parties in connection with potential or actual restructuring, merger or sale of our company or any of our assets, or those of any associated companies, in which case personal data held by us about our users may be one of the transferred assets.

6.4. Other important cases when we share your personal data:

  • With service providers who need access to such information to carry out work on our behalf;
  • In response to a request for information if we believe disclosure is in accordance with, or as otherwise required by any applicable law, regulation or legal process;
  • To protect the rights, property and safety of SORA or others;
  • Between and among SORA, and its current and future parents, subsidiaries and affiliates;
  • With your consent or at your direction, including if we notify you through the Website, Products and Services that the information you provide will be shared in a particular manner and you provide such information.

6.5. With respect to US residents, we also may share your information with other financial institutions as authorised under Section 314(b) of the US Patriot Act, and with tax authorities, including the US Internal Revenue Service, pursuant to the Foreign Account Tax Compliance Act ("FATCA"), to the extent that this statute is determined to apply to us.

6.6. We may also share aggregated or de-identified information, which cannot reasonably be used to identify you

6.7. SORA does not process or collect any data. All data collected in the SORA side of the process is collected and transmitted through the interface under PayWings technical implementation. PayWings is involved in the regulated activities, supervised and executed by regulated entities. Privacy and data protection policies of PayWings are also supervised and inspected by SORA to ensure your privacy.

6.8. In accordance with GDPR policy (, PayWings only collects and processes the data that are absolutely required for our legitimate business needs, required by the laws and regulations, and we keep audit logs of all accesses and reasons for the particular access to the data whenever such event takes place.

6.9. Our service providers are required to provide sufficient assurances in accordance with data protection law. (e.g. being bound contractually to confidentiality and data protection obligations). We will only share personal data necessary for them to provide their services. For our business requirements that are mentioned at article 6.8., we share your data with our service providers in four main categories:

  • Regulated and Licensed Partners: These service providers are regulated and/or licensed by the EU or UK to conduct banking services.
  • PayWings: PayWings is our main business partner in this project.
  • KYC Providers: We must verify your identity to comply with the laws and regulations, thus we are cooperating with KYC service providers.
  • Regulated Crypto Exchanges: We cooperate with crypto exchanges that are regulated by the EU or UK in order to exchange cryptocurrencies for the services that you receive.

All of our partners are obligated to protect your data and privacy as required by the laws and regulation.

Data Storage and Security

7.1. We have adopted security measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure, or access. We limit access to your personal data to those employees and third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

7.2. For the best possible protection of your personal data outside the limits of our control, your computer or other device should be protected (such as by updated antivirus systems) and your internet service provider should take appropriate measures for the security of network data transmission (such as, for example, firewalls and anti-spam filtering).

7.3. While we take reasonable steps to protect your personal data, we cannot guarantee that the personal data you disclose to us will be 100% secure, nor that any data breach will not occur. You accept the inherent security implications of dealing on-line over the Internet and will not hold us or our processors responsible for any data breach unless it is due to our negligence.

7.4. We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Transferring your information outside of the United Kingdom or European Economic Area

7.5. Your personal data is primarily stored and processed inside the United Kingdom (UK) and European Economic Area (EEA), but may also be transferred, processed and stored on servers located in countries outside the UK and EEA in order to carry out the activities specified in this Privacy Policy. Your personal data can therefore be subject to privacy laws that are different from those in your country of residence.

7.6. However, if we do transfer personal data to third parties outside the UK and EEA, such transfer will be based on appropriate legal safeguards. In these cases, we ensure that both ourselves and our partners take adequate and appropriate technical, physical, and organisational security measures to protect your data.

Third Party Links

8.1. Websites may include links to third-party websites, plug-ins, channels, or other applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party services and are not responsible for their privacy statements. When you use the third-party services, we encourage you to read the privacy notice of every website or application you use.

What Rights You Have Regarding Your Personal Data

9.1. Under certain circumstances, you have the following rights in relation to your personal data:

  • Request access to your personal data. You have the right to request that we provide you access to your personal data held by us.
  • Request correction of your personal data. You have the right to request correction of any personal data we hold about you that is inaccurate, incorrect, or out of date.
  • Request erasure of your personal data. You have the right to request deletion of your data when it is no longer necessary, or no longer subject to legal obligations to which we are subject to. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • Object to processing of your personal data justified on legitimate grounds. Where we are relying upon legitimate interest to process personal data, then you have the right to object to that processing. If you object, we must stop that processing unless we can either demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or where we need to process the data for the establishment, exercise or defence of legal claims. Where we rely upon legitimate interest as a justification for processing, we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis.
  • Request restriction of processing your personal data. You have the right to request that we restrict the processing of your personal data where:
    • you contest the accuracy of the personal data until we have taken sufficient steps to correct or verify its accuracy;
    • the processing is unlawful but you do not want us to erase the data; or we no longer need your personal data for the purposes of the processing, but you require such data for the establishment, exercise or defence of legal claims; or
    • you have objected to processing justified on legitimate interest grounds (see above) pending verification as to whether we have overriding compelling legitimate grounds to continue processing.
    Where personal data is subject to restriction in this way, we will only process it with your consent or for the establishment, exercise or defence of legal claims.
  • Request transfer of your personal data. Under certain conditions, you have the right to receive all such personal data which you have provided to us in a structured, commonly used and machine-readable format, and also to require us to transmit it to another controller where this is technically feasible.
  • Right to withdraw consent. Where you have provided your consent to our processing of personal data, you have the right to withdraw it at any time. For example, if you wish to opt-out of receiving e-newsletters, you can use the ‘unsubscribe’ link provided in our emails or contact us directly via and we will stop sending you communications.

9.2. For further information regarding your rights, to exercise any of your rights, or if you have any complaints or questions regarding the processing of your personal data, please contact us via

9.3. Please note that we may request proof of identity, and we reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive. We will endeavour to respond to your request as soon as possible and in any case within the applicable timeframes.

Contact Us

10.1. If you have any questions or concerns regarding our Privacy Policy or if you believe our Privacy Policy or applicable laws relating to the protection of your personal data have not been respected, you can file a complaint with us by using the contact details listed below and we will respond to let you know when you can expect a further response. We can request additional details from you regarding your concerns and may need to engage or consult with other parties to investigate and address your issue. We will keep records of your request and any resolution.


Sveta Sofia 8, Str., Floor 1, Office 101, 1000 Sofia, Bulgaria

Email address:

10.2. If your request or concern is not satisfactorily resolved by us, you may approach your local data protection authority.


The Information Commissioner is the supervisory authority in the UK:

We would, however, appreciate the opportunity to deal with your concerns before you approach the authorities, so please contact us in the first instance.

Document Compliance

Update and Approval

The present Privacy Policy should be revised annually and updated whenever appropriate.

Validity and Document Management

This Privacy Policy has been approved by the Company’s director on 28/10/2022. It replaces and supersedes any prior policy and procedures on this subject matter. The Privacy Policy is valid until a revision is published.

Download and install the SORA Wallet mobile app to create your SORA account and apply for SORA Card using the app
Get SORA Wallet for mobile:
Get the app via QR code:
QR Code

We use only necessary cookies to give you the most relevant experience. Learn more