1. Introduction
1.1 This Privacy Policy (the "Policy") explains how Entropy Protocol Foundation, a foundation company incorporated in the British Virgin Islands (the "Foundation," "we," "us," or "our"), collects, uses, discloses, retains, and protects personal data in connection with the SupraFX web, mobile, desktop, and other interfaces operated by the Foundation (collectively, the "Interface"), available at suprafx.ai.
1.2 This Policy supplements our Terms of Service. Capitalized terms used but not defined in this Policy have the meanings given in the Terms of Service.
1.3 By accessing or using the Interface, you acknowledge that you have read and understood this Policy and the privacy practices described herein. If you do not agree, do not access or use the Interface.
2. Scope and What This Policy Does Not Cover
2.1 Scope. This Policy applies only to personal data we collect through the Interface and through direct interactions with you (for example, support requests, feedback submissions, or compliance correspondence).
2.2 Not in scope. This Policy does not apply to:
- (a) on-chain data recorded on the Blockchain, including wallet addresses, transaction history, balances, smart-contract approvals, and any other information visible to the public on a blockchain explorer—such data is, by design, public and immutable, and the Foundation cannot delete, anonymize, or restrict access to it;
- (b) personal data collected by independent wallet providers (including StarKey), validators, RPC providers, indexers, analytics services, oracle operators, or other third parties that you may use in connection with the Protocol—each such third party is an independent controller (or processor) of your data and is governed by its own privacy policy;
- (c) the operation of the Protocol's smart contracts, which run autonomously on the Blockchain without any data collection by the Foundation; and
- (d) any website, application, or service operated by a third party that may be linked from the Interface.
3. Categories of Personal Data We Collect
Depending on how you interact with the Interface, we may collect the following categories of personal data:
3.1 Data You Provide
- Wallet address. When you connect a Non-Custodial Wallet, we receive the wallet's public address. We do not receive your seed phrase, private keys, or passwords.
- Contact data. If you contact support, submit feedback, subscribe to communications, or apply to a program, you may provide your name, email address, social media handle, organization, role, country, and any other information you choose to include in your message.
- Compliance data. Where required for compliance with Applicable Law or our internal policies, we may request additional information from you, including identity documents, source of funds information, or other materials required for know-your-customer ("KYC"), counter-terrorist financing, anti-money laundering ("AML"), or sanctions screening.
- Survey, beta, and event participation data. If you participate in surveys, betas, testnets, hackathons, or campaigns, we may collect responses, contributions, demo materials, and any contact information you provide.
3.2 Data Collected Automatically
- Device and connection data. IP address (or a derived approximation thereof), device type, operating system, browser type and version, language settings, screen size, time zone, referring URL, and other technical identifiers.
- Usage data. Pages visited, features used, links clicked, session length, error events, and similar interaction data.
- Cookies and similar technologies. Cookies, local storage, session storage, web beacons, pixels, and similar technologies, as described in Section 9.
- Geolocation data. We use IP-based geolocation to enforce eligibility restrictions (see Section 3 of the Terms of Service).
3.3 Data from Third-Party Sources
- Sanctions, fraud, and compliance providers. We may receive screening results from sanctions, watchlist, fraud, and on-chain analytics providers about wallet addresses or persons we are required to screen.
- Service providers. Hosting, analytics, error monitoring, and customer-support providers may furnish us with data they collect on our behalf.
- Public sources. Publicly available information from the Blockchain, blockchain explorers, and other public sources, where relevant for compliance or security.
4. How and Why We Use Personal Data
We process personal data for the following purposes, on the following legal bases (where applicable under, for example, the UK GDPR or EU GDPR):
4.1 Provide the Interface. We process device, connection, wallet-address, and usage data as necessary to make the Interface available, render content, route requests, and enable wallet connections. Legal basis: performance of a contract or our legitimate interest in providing the Interface.
4.2 Eligibility and access control. We process geolocation, wallet, and (where applicable) compliance data to determine whether you are a Restricted Person, to block access from Restricted Territories, and to screen wallet addresses for sanctions or other risk indicators. Legal basis: compliance with legal obligations and our legitimate interest in lawful operation.
4.3 Security, fraud, and abuse prevention. We process technical, behavioral, and on-chain data to detect, prevent, investigate, and respond to fraud, abuse, market manipulation, security incidents, denial-of-service attacks, and other unauthorized activity. Legal basis: our legitimate interest in protecting the Interface and other Users.
4.4 Communications. We process contact data to respond to inquiries, provide support, send service messages (such as security or maintenance notices), and—where you have opted in—send marketing or product communications. Legal basis: performance of a contract, legitimate interest, or consent, as applicable.
4.5 Analytics and product improvement. We process aggregated usage and event data to understand how the Interface is used and to improve its features, performance, and reliability. Legal basis: our legitimate interest in improving the Interface.
4.6 Compliance and legal obligations. We process personal data to comply with Applicable Law, regulatory requirements, court orders, lawful requests from authorities, and our own legal claims and defenses (including AML/CFT and sanctions). Legal basis: legal obligation and legitimate interest.
4.7 Rewards, airdrops, and incentive programs. Where the Foundation operates programs that distribute tokens, points, or other rewards, we may process wallet addresses, eligibility data, and (in some cases) identity data to determine eligibility, prevent abuse, and effect distributions. Legal basis: performance of a contract, legitimate interest, or legal obligation.
4.8 Corporate transactions. In the context of a financing, merger, acquisition, restructuring, or insolvency, we may process personal data to evaluate or effect the transaction. Legal basis: our legitimate interest.
5. How We Disclose Personal Data
We do not sell personal data. We may disclose personal data in the following circumstances:
5.1 Service providers. We share personal data with third-party processors that perform services on our behalf, including hosting, cloud infrastructure, analytics, error monitoring, customer support, communications, sanctions screening, on-chain analytics, fraud detection, identity verification, and professional advisors. These providers act under written agreements that restrict their use of personal data to providing services to us.
5.2 Affiliates. We may share personal data within the Foundation's group of Affiliates for the purposes described in this Policy.
5.3 Legal and regulatory. We may disclose personal data to law enforcement, regulators, courts, governmental authorities, or other third parties where we believe disclosure is required or appropriate to comply with Applicable Law, respond to lawful requests, enforce our Terms of Service, protect our rights, property, or safety, or the rights, property, or safety of others, or as otherwise permitted by law.
5.4 Corporate transactions. We may disclose personal data in connection with any merger, acquisition, financing, reorganization, sale of assets, dissolution, or similar transaction or proceeding, including diligence.
5.5 With your consent or direction. We may disclose personal data with your consent or at your direction.
5.6 Aggregated or de-identified data. We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you.
6. International Data Transfers
6.1 The Foundation is based in the British Virgin Islands and uses service providers, infrastructure, and personnel in multiple jurisdictions. As a result, personal data may be transferred to, stored in, and processed in jurisdictions other than the one in which you are located. These jurisdictions may have data-protection laws that differ from those of your jurisdiction.
6.2 Where we transfer personal data internationally and where required by Applicable Law, we implement appropriate safeguards, which may include standard contractual clauses, adequacy decisions, or other lawful transfer mechanisms recognized in the relevant jurisdiction.
7. Data Retention
7.1 We retain personal data for as long as is necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, tax, accounting, audit, or reporting requirements, resolving disputes, and enforcing our agreements.
7.2 When personal data is no longer needed, we will delete, anonymize, or otherwise dispose of it in accordance with Applicable Law and our internal policies. On-chain data, however, remains on the Blockchain indefinitely and cannot be deleted by the Foundation.
8. Security
8.1 We implement administrative, technical, and physical safeguards designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
8.2 No security measure is perfect. We cannot guarantee the absolute security of personal data transmitted to or held by us. You are responsible for the security of your Non-Custodial Wallet, your devices, your network, and your authentication credentials.
9. Cookies and Similar Technologies
9.1 The Interface uses cookies, local storage, session storage, and similar technologies (collectively, "cookies") for purposes including (a) maintaining your session and wallet connection; (b) remembering your preferences; (c) ensuring security and integrity; (d) understanding how the Interface is used; and (e) measuring the performance of the Interface.
9.2 You can control cookies through your browser settings or, where applicable, through a cookie-preference tool offered on the Interface. Blocking certain cookies may impair functionality.
9.3 Do-Not-Track. We do not currently respond to "Do Not Track" browser signals.
10. Your Rights
Subject to Applicable Law and any applicable exceptions, you may have the following rights in respect of personal data we hold about you:
- Access. The right to request confirmation of whether we process personal data about you and to obtain a copy thereof.
- Rectification. The right to request the correction of inaccurate or incomplete personal data.
- Erasure. The right to request the deletion of personal data in certain circumstances.
- Restriction. The right to request that we restrict processing in certain circumstances.
- Objection. The right to object to processing carried out on the basis of our legitimate interests or for direct marketing.
- Portability. The right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Withdrawal of consent. Where we rely on your consent, the right to withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
- Complaint. The right to lodge a complaint with a supervisory or data-protection authority in your jurisdiction.
10.1 We cannot delete or modify on-chain data. Requests that depend on the alteration of Blockchain data cannot be honored.
10.2 To exercise any of these rights, contact us using the details in Section 14. We may need to verify your identity or your control over a relevant wallet address before responding.
11. Children
11.1 The Interface is not directed to children under the age of eighteen (18), or such higher age of majority as may apply in your jurisdiction. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us and we will take steps to delete such data.
12. Jurisdiction-Specific Disclosures
12.1 European Economic Area, United Kingdom, and Switzerland. For individuals located in the EEA, the UK, or Switzerland, the Foundation acts as a controller of your personal data for the purposes of EU GDPR, UK GDPR, or the Swiss Federal Act on Data Protection, as applicable. The legal bases on which we rely are identified in Section 4. You may contact us using the details in Section 14, or contact your local supervisory authority.
12.2 Other Jurisdictions. Additional jurisdiction-specific notices may be provided in supplemental disclosures or in the Interface itself.
13. Changes to This Policy
13.1 We may update this Policy from time to time. When we do, we will update the "Last Updated" date at the top. If changes are material, we will provide reasonable notice (which may be by posting on the Interface). Your continued use of the Interface after the effective date of the revised Policy constitutes acceptance.
14. Contact Us
For questions about this Policy or to exercise your rights, contact:
Entropy Protocol Foundation
Attn: Data Protection
Road Town, Tortola
British Virgin Islands