1. Introduction
1.1 BITSTACK SAS, having its registered office at Pepiniere Michel Caucik 100 Impasse des Houillères - Le Pontet, 13590 Meyreuil, (France), registered with the Aix-en-Provence Trade and Companies Register under the number 899 125 090 (“ BITSTACK”) and approved by the French Financial Markets Authority (“AMF”) as a Digital Asset Service Provider (“DASP”) in accordance with Article 59 of Regulation 2023/1114 of 31 May 2023 on markets in crypto-assets (“MiCA”) under the number A2025-003 since 30 June 2025 for the provision of the following services:
- the safekeeping and administration of crypto-assets on behalf of customers; (Article 3 (16) (a) MiCA), i.e. "the custody or control, on behalf of customers, of crypto-assets or the means of access to these crypto-assets, where appropriate in the form of private cryptographic keys".
- the exchange of crypto-assets for funds; (Article 3 (16) (c) MiCA), namely "the management of one or more multilateral systems, which bring together or facilitate the meeting of multiple buying and selling interests expressed by third parties for crypto-assets, within the system and in accordance with its rules, in a manner that results in a contract, either through the exchange of crypto-assets for funds or by the exchange of crypto-assets for other crypto-assets".
- the exchange of crypto-assets for other crypto-assets; (Article 3 (16) (d) MiCA), i.e. "the conclusion, with customers, of contracts for the purchase or sale of crypto-assets for funds, using equity capital;".
- the execution of orders on crypto-assets on behalf of customers: (Article 3 (16) (e) MiCA), i.e. "the conclusion, on behalf of customers, of agreements to buy or sell one or more crypto-assets, or the subscription, on behalf of customers, of one or more crypto-assets, including the conclusion of contracts for the sale of crypto-assets at the time of their public offering or admission to trading".
- the service of transferring crypto-assets on behalf of customers; (Article 3 (16) (e) MiCA) i.e. “ providing services transferring, on behalf of a natural or legal person, crypto-assets from one address or a distributed ledger account to another”.
1.2 This document is a retention policy (the “Policy”) put in place by Bitstack to govern the retention of Bitstack Customers' Crypto-Assets. A summary of this Policy will be made available to Customers.
1.3 The Policy should be read in conjunction with Bitstack's other policies and procedures and, in particular, with the relevant provisions of the applicable cybersecurity policies.
1.4 The Policy also takes into account the relevant provisions of Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets (“MiCA Regulation”).
2. Definitions
For the purposes of this Policy:
Public Address means the hashed version of a public key, which is used to receive Crypto-Assets.
Private Key means the secret key in the form of a series of numbers that is used to sign transactions and generate a receiving address.
Customer means all natural and legal persons who enter into a business relationship with Bitstack.
Account means the register that belongs to each Customer to track their Crypto-Asset holdings from an accounting perspective.
Own Account refers to the register of Crypto-Assets that belong to Bitstack from an accounting perspective.
Custodian means an entity that provides the Retention Service.
Retention means the custody or control, on behalf of third parties, of Crypto-Assets or the means of access to these Crypto-Assets, where applicable in the form of private cryptographic keys (as referred to in Article L. 54-10-2, 1° of the FMFC and defined by Article 3.1.17 of the MiCA Regulations).
Crypto-Asset Retention Agreement means a written agreement that defines the operating principles of the Crypto-Asset Retention Service and identifies the respective rights and obligations of the parties in accordance with Article 722-4 of the AMF GR and Article 75(1) of the MiCA Regulations. The Crypto-Asset Retention Agreement concluded with Bitstack Customers corresponds to Bitstack's General Terms and Conditions.
Crypto-Asset(s) means the crypto-assets defined by Article 3, 1. 5) of the MiCA Regulations and authorised by Bitstack and on which Bitstack Services may be provided to Customer.
Deposit means the act of depositing a Crypto-Asset in a Bitstack Wallet by the Customer.
Employee is a person bound by an employment contract with Bitstack or a service contract with Bitstack.
BitGo is a digital asset custodian that provides digital wallet solutions with multi-signature key schemes or MPC (multi-party computing). BITSTACK uses BitGo Europe GmbH. BitGo Europe GmbH is a Digital Asset Service Provider (DASP) authorised by BaFin in accordance with the MiCA Regulations.
Bitstamp is a digital asset exchange platform that offers liquidity in crypto markets. Bitstamp allows these customers to exchange digital assets for legal tender currencies or other digital assets. Bitstamp is a Digital Asset Service Provider (DASP) authorised in accordance with the MiCA Regulations by the Financial Sector Supervisory Commission.
Fork refers to a process that leads to the division of a blockchain into two blockchains and the corresponding Crypto-Asset into two Crypto-Assets following the modification of the blockchain protocol.
Key Fraction refers to the secret information held by a party and allowing the reconstruction of a Private Key according to a set of predefined rules under the MPC (multi-party computing) Protocol.
Means of Access means all technical and legal means that allow a person or entity to transfer Crypto-Assets from one Public Address to another (including Private Keys).
Wallet means the software or another tool that is used to control, back up or manage Public Keys and Private Keys (or their equivalent) associated with Crypto-Assets. Wallets usually have multiple Addresses.
Hot Wallet means the Wallet for which the Key Fractions are kept online.
Cold Wallet means the Wallet where Key Fractions are kept offline.
Multi-Signature Protocol is a blockchain security feature that allows two or more users to securely sign documents as a group. In the case of digital assets, funds are stored using a multi-signature address and must be accessible by two or more keys, which are held by separate entities. This allows digital asset holders to create additional levels of security for their funds.
MPC protocol is a cryptographic method for securing digital wallets. Multi-party computing protocols allow a single key to be distributed among multiple entities or individuals.With multi-party computing, the key is never combined in a single place or on one computer. Multi-party computing uses an iterative process to reconstruct a digital signature using mathematical operations performed on separate machines. The resulting signature appears identical to that of a single signature system.
Register means the position register that contains the position data of the Customer's Crypto-Assets.
Distributed Ledger refers to the protocols and infrastructure that allow computers located at different locations to validate transactions and update a ledger in a synchronised manner. Blockchains are a variant of Distributed Ledgers.
MiCA Regulation means Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, as published in the Official Journal of the European Union on 9 June 2023.
Withdrawal means the act of transferring a Crypto-Asset from one Public Address to another. A Withdrawal may be initiated at the request of the Customer if the Bitstack Customer terminates the Crypto-Asset Retention Agreement.
Service means a service defined in Article L. 54-10-2 of the French Monetary and Financial Code (or in Article 3, 1. 16) of the MiCA Regulation), including the Retention of Crypto-Assets on behalf of third parties.
Smart Contract means the programme registered on a Distributed Register that is activated when predetermined conditions are met.
Sub-custodian means a person other than Bitstack who Retains the Customer's Crypto-Assets.
3. Scope
3.1 This Policy applies to all Crypto-Assets held by Bitstack on behalf of its Customers, whether Business Customers or Non-Business Customers.
3.2 To exercise its activity as a Custodian of Crypto-Assets, Bitstack complies with the French legal framework relating to Crypto-Assets.
3.3 The Policy also takes into account the relevant provisions of the MiCA Regulations.
4. General requirements
4.1 As a Custodian of Crypto-Assets, Bitstack exercises control over the Means of Access to its Customers' Crypto-Assets on the basis of its contractual relationship with them and by manipulating the Private Keys associated with the Public Addresses of the Crypto-Assets mentioned.
4.2 Bitstack uses different types of Crypto-Asset Wallets in which Crypto-Assets held on behalf of Customers are recorded.
4.3 As a Custodian of Crypto-Assets, Bitstack takes every care to record the movements of Crypto-Assets taking place on the Customer Registers and corresponding to the rights of each Customer and to control the Means of Access to the Crypto-Assets.
5. Segregation of Crypto-Assets
5.1 Bitstack ensures that the Crypto-Assets of Customers are separated from its own Crypto-Assets in the Distributed Ledger as well as operationally and ensures that the Means of Access to the Crypto-Assets of its Customers are clearly identified as such. Bitstack expressly undertakes not to use the Crypto-Assets of its Customers for its own benefit.
5.2 The Crypto-Assets held on behalf of the Customers are those deposited by the Customers in their individual Account opened with Bitstack or those acquired by the Customers through the Services offered by Bitstack:
(a) These Crypto-Assets may be used by Customers for the Services offered by Bitstack;
(b) These Crypto-Assets will be kept in a Distributed Ledger in Wallets dedicated to Bitstack Customers.
5.3 The Crypto-Assets belonging to Bitstack are those deposited in Bitstack's Own Accounts.
(a) This may include Crypto-Assets already held or received by Bitstack in connection with payments made in Crypto-Assets, fees (e.g. management fees) or commissions received from Customers in connection with the Services provided by Bitstack;
(b) These Crypto-Assets will be kept on the blockchain in Wallets dedicated to Bitstack's own Accounts.
5.4 In accordance with the law applicable to Bitstack and to the extent of existing legal mechanisms, the Crypto-Assets retained are legally separated from Bitstack's assets, in the interest of its Customers, so that Bitstack's creditors cannot assert any right over the Crypto-Assets retained by Bitstack, particularly in the event of insolvency proceedings.
6. Use of Crypto-Assets by Customers and by Bitstack
6.1 Bitstack makes every effort to facilitate the exercise of the rights attached to Crypto-Assets. Any event likely to create or modify the Customer's rights will be immediately recorded in the Customer's Register.
6.2 In the event of a Fork, or a similar change in the Distributed Ledger of Crypto-Assets likely to modify the rights of Customers, Bitstack shall provide the Customer, to the extent of the Customer's position at the time of the event, with the Crypto-Assets resulting from the Fork in accordance with the provisions of the Crypto-Asset Retention Agreement.
7. Return to Customers of Means of Access to Crypto-Assets
7.1 Bitstack shall return to its Customers the control of the Means of Access to their Crypto-Assets as soon as possible in any of the following situations:
(a) when the Customer has terminated the Crypto-Asset Retention Agreement entered into with Bitstack;
(b) at the Customer’s request;
(c) if Bitstack ceases its activity.
The Customer requests the withdrawal of their Crypto-Assets via the Application or by email to Bitstack. In practice, this return is carried out by the transfer(s) of the Customer's Crypto-Assets to one or more Wallet(s) for which the Customer holds the Private Keys or has access to via a Wallet management platform. A verification of the destination Wallet(s) is carried out (verification of the destination of the funds) by Bitstack. For example, the Wallet has already been verified by Bitstack, or a separate verification procedure is carried out before the return of the Crypto-Assets.
7.2 When it is impossible to return control of the Means of Access to a given Crypto-Asset, Bitstack provides compensation to the Customer equivalent to the market value (set by the Bitstack application) of the Customer's Crypto-Assets at the time when the loss of control of the Means of Access took place (see Customer Complaint System).
7.3 When it is impossible to return to Customers the Means of Access to their Crypto-Assets due to an event for which Bitstack can demonstrate is independent of its functioning (for example due to problems inherent in the functioning of the blockchain or a Smart Contract) Bitstack cannot be held responsible and the Customer cannot claim any compensation in any form whatsoever from Bitstack.
7.4 The Customer acknowledges that transfers to external Public Addresses are only allowed in compliance with the policy for combating money laundering and terrorist financing implemented by Bitstack.
7.5 The Customer acknowledges that Bitstack shall not be liable for any loss of funds or damage resulting from Customer's request to transfer Crypto-Assets to External Public Addresses due to any event which Bitstack
can demonstrate is independent of its functioning (for example due to problems inherent in the functioning of the blockchain or a Smart Contract).
7.6 The return of the Means of Access to the Crypto-Assets may also be carried out as part of the opening of legal proceedings or a liquidation of Bitstack ordered by the judge or in the event of the insolvency of the company. The Crypto-Assets of Customers are protected in accordance with Bitstack's Orderly Business Cessation Plan (OBCP). The OBCP is provided to Customers on request sent via the Application or by email to the address: security@bitstack-app.com.
8. Measures implemented to minimise risks related to Crypto-Assets
8.1 Bitstack implements operational measures in order to minimise the risks related to the loss of Customers' Crypto-Assets or the rights related to these Crypto-Assets resulting from abuse, fraud, deficient administration, cyber threats, erroneous registration or negligence regarding said Crypto-Assets.
8.2 In order to protect Customers against the loss of their Crypto-Assets in the face of the aforementioned risks, Bitstack monitors major developments (technological changes and the evolution of cybersecurity threats) related to the Crypto-Assets being retained.
8.3 In order to ensure the operational security of Customers' Crypto-Assets, Bitstack has adopted appropriate measures relating to the organisation of Crypto-Asset Wallets and Crypto-Asset Deposits and Withdrawals.
8.4 Crypto-Assets are held in Wallets controlled by Bitstack and secured by the Multi-Signature Protocol or MPC, and Customers' holdings of Crypto-Assets held in Hot Wallets are limited to the amount that Bitstack considers reasonably adequate for day-to-day market operations.
8.5 Decisions regarding transactions related to the Customer's Crypto-Assets located in the Wallets shall be based on the Multi-Signature Protocol or MPC.
8.6 Bitstack intends to minimise the risks related to Crypto-Assets through security measures related to the use and storage of Private Keys.
8.7 In the event of the opening of insolvency proceedings, Bitstack ceases its Retention activities in an orderly manner, in accordance with the applicable regulations and its Orderly Business Cessation Plan (OBCP) and returns the Customers' Crypto-Assets. The OBCP is provided to Customers on request sent via the customer area or by email to the address: security@bitstack-app.com.
8.8 In the event of an operational or security incident having an impact on the continuity of the Retention Service, Bitstack will take all necessary measures to safeguard the property rights of Customers and return to normal operations, as described in its Business Continuity Plan (BCP). The BCP is provided to Customers on request sent via the customer area or by email to the address: security@bitstack-app.com. In particular, Bitstack will take the following actions:
• Implementation of a crisis unit;
• Evaluation of the impact of the incident on the Retention Service;
• Determination of an objective for the resumption of the Service and the safeguard of the property rights of Customers;
• Definition of a strategy for the resumption of the Service and the safeguard of the property rights of Customers;
• If applicable, inform Customers of the duration of operation in degraded mode of the Retention Service.
9. Incident Liability
9.1 In the event of an incident occurring in the context of the provision of the Retention Service by Bitstack, its liability may be incurred vis-à-vis its Customers due to the loss of their Crypto-Assets or the Means of Access to the Crypto-Assets, insofar as the conditions of this liability are met, and on the sine qua non condition that the incident is attributable to the provision of the Retention Service or the activity of Bitstack.
9.2 Bitstack's liability is capped at the market value (set by the Bitstack application) of the Crypto-Assets lost at the time the loss occurred.
9.3 Bitstack shall not be liable for any loss of Customer's Crypto-Assets for reasons unrelated to the provision of a Service by Bitstack (such as a problem inherent in the operation of the Distributed Ledger that Bitstack does not control) or if Bitstack demonstrates that the incident occurred independently of the provision of the Retention Service.
10. Position Registers
10.1 Bitstack records all Crypto-Assets that belong to Customers and keeps Registers for each of its Customers. The Registers are opened in the name of each Customer and correspond to the rights of each Customer.
10.2 Bitstack records the movements of Crypto-Assets initiated by the instructions given by the Customers under the Crypto-Asset Retention Agreement in the Registers as soon as possible.
10.3 Bitstack retains records and data relating to these instructions in Bitstack databases hosted on Bitstack tools. Each transaction recorded in Bitstack's databases is linked to a Customer by a unique identifier.
10.4 Bitstack organises its internal procedures in such a way as to ensure that any movement affecting the registration of Crypto-Assets is justified by a transaction duly recorded on the Customer's Account. The verification is carried out by Bitstack, ensuring that the movements affecting the registration of the Crypto-Assets recorded in the database correspond to (i) registrations on the blockchain concerned and/or (ii) are associated with instructions given by the Customer.
10.5 Bitstack is able to justify at any time that the amount of Crypto-Assets for which the Means of Access are held under the Retention Service corresponds to the amount of Crypto-Assets recorded in the Registers. Customers can consult at any time their positions which are displayed in their individual Account. Bitstack performs real-time checks on the balances between the information displayed to Customers on the Application and the Crypto-Assets holding information recorded in the Omnibus Wallets. Bitstack's computer system is able to verify the correspondence between Bitstack's internal register of transactions carried out by its Customers and the Crypto-Assets actually kept in the Customers' Omnibus Wallet.
11. Relations with Sub-custodians
11.1 Bitstack may choose to have its Customers' Crypto-Assets held by a Sub-custodian that has the relevant authorisations and/or approval to carry out these operations..
11.2 Bitstack acknowledges that it cannot delegate all of its tasks related to the Retention of Customers' Crypto-Assets to the Sub-custodian.
11.3 Bitstack acknowledges that it may be liable for the delegation of certain tasks related to the Retention of Customers' Crypto-Assets to the Sub-custodian.
11.4 Before Bitstack decides to hold the Customers' Crypto-Assets with a Sub-custodian, Bitstack undertakes to:
(a) select the Sub-custodian from among the companies that have obtained MiCA approval for the Retention of Crypto-Assets or benefiting from the transitional period provided by MiCA for the provision of the Retention Service;
(b) select the Sub-custodian on the basis of the following selection criteria:
i. Quality and performance
ii. Subcontracting
iii. The service provider's expertise
iv. Backup mechanism
v. Reversibility clause
vi. Information and notification clause
vii. Control and right of audit
viii. Confidentiality clause
ix. Management of access to Bitstack data and its Customers
x. The service provider's price
xi. The service provider's security
(c) inform its Customers of the delegation of certain tasks to the Sub-custodian;
(d) carry out an evaluation of this Sub-custodian;
(e) put in place systems or procedures to effectively supervise the activities of the Sub-custodian regarding the Crypto-Assets of Customers;
(f) when assessing the suitability of the Sub-custodian, Bitstack endeavours to deal only with Sub-custodians providing protections equivalent to the protections conferred by this Policy and in accordance with the applicable regulations.
11.5 The entire relationship between Bitstack and the Sub-custodian is governed by the principles defined in Bitstack's Outsourcing Policy.
12. Information for Customers and Crypto-Asset Retention Agreement
12.1 At least once a month and at each request of the Customer, Bitstack provides the Customer with a position statement of the Crypto-Assets recorded in their name. This statement shall be provided in electronic format, on a durable medium.
12.2 The statement indicates the Crypto-Assets, their balance, their value and the movements made during the period concerned.
12.3 Bitstack shall transmit to its Customers, as soon as possible, the following information relating to transactions:
• information relating to transactions that require a response from the Customer;
• information relating to transactions that result in a change in the balance of the Customer's Account; and
• the information necessary to prepare their tax return.
12.4 Prior to the provision of the Retention Service, Bitstack enters into a written Crypto-Asset Retention Agreement with its Customers, provided on a durable medium, defining the operating principles of the Retention Service and
identifying the respective rights and obligations of the parties. The Crypto-Asset Retention Agreement shall include the following information:
(a) the identity of the person(s) with whom the Crypto-Asset Retention Agreement is entered into and all information required by the regulations on such persons;
(b) the nature and precise description of the Service provided, as well as the types of digital assets to which the Services relate;
(c) a description of the essential rights and obligations of Bitstack and its Customers;
(d) the conditions under which Bitstack, as a Custodian, transmits to its Customers information relating to Forks or any event likely to create or modify the Customer's rights as well as, where applicable, information on restrictions imposed by the initiator of the event;
(e) the description of the security systems used by Bitstack attached to the assets retained;
(f) the means of communication between Bitstack and the Customer, including the Customer authentication systems used by Bitstack;
(g) the confidentiality obligations borne by Bitstack in accordance with the laws and regulations in force relating to professional secrecy;
(h) the pricing of the Services provided by Bitstack (including the fees, costs and charges applied by Bitstack);
(i) the period of validity of the Crypto-Asset Retention Agreement;
(j) the governing law of the Crypto-Asset Retention Agreement;
(k) this Retention Policy.
12.5 The Policy is made available to Customers via a hyperlink on the Bitstack website.
13. Monitoring
12.1. The Bitstack Employees designated for this purpose carry out regular internal checks (such as verifying the ongoing segregation of Customers' Crypto-Assets in dedicated Wallets, the proper allocation of transfer fees, the consistency between transactions and operations/instructions, etc.) to ensure that Bitstack complies with the requirements regarding the Retention of its Customers' Crypto-Assets.
12.2. Designated Employees must report to Bitstack management as soon as possible any instance of non-compliance with regulations or with this Policy of which they become aware.
12.3. The Policy is subject to annual review and revision in the event of a significant change in the Retention Service.
14. Modification of the Policy and additional information
12.4. Bitstack reserves the right to revise and/or modify its Policy and to implement provisions when it deems it appropriate, in accordance with the GTCs accepted by the Customer.
12.5. Bitstack informs its Customers of the changes made to this Policy and to the terms of Crypto-Asset Retention.
15. Statutory auditors' report
12.6. Bitstack uses a statutory auditor to prepare an audit report on the Customer's Crypto-Asset Retention Service on an annual basis, in accordance with applicable regulations and accounting standards.
12.7. This report assesses whether, during the financial year in question, Bitstack had adequate control systems in place to ensure compliance with this Policy.
16. Document retention
Unless otherwise stated, all documents, records, statements and lists referred to in the Policy will be kept secure throughout the relationship with the Customer and for at least five years after the end of that relationship.
