Promis Privacy Policy

1. Introduction and Scope

This Privacy Policy (“Policy”) explains how information about you is collected, used, and shared by Promis Finance Foundation, a Panama Foundation (hereafter “Promis,” “our,” “we,” or “us”). This Policy is intended to inform our users (“user(s),” “you,” or “your”) about how we may collect and use the personal information that you provide through your use of and access to our website, decentralized applications, smart contracts, staking pools, and other services, or when you otherwise interact with us (collectively, the “Services”), the manner in which we may use such information, how we protect it, and the choices available to you regarding our use of your personal information.

We may modify or supplement this Policy from time to time by posting those changes on this page. Any changes will become effective as of the date of posting. Please review this Policy often so you are always fully informed of any changes. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us or if you are aware that any personal data we hold is inaccurate.

This Policy is binding on all those who access, visit, and/or use the Services, whether acting as an individual or on behalf of an entity. If you do not agree to be bound by this Policy, then do not access or use the Services. This Policy is part of our Terms of Service, which govern your use of the Services. By using the Services, contacting us to inquire about the Services, or otherwise providing us with information, you consent to our Policy and agree to our Terms of Service.

The Services may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites, including our third-party payment processors, and are not responsible for their privacy statements. When you leave the Services, we encourage you to read the privacy policy of every website you visit.

Depending on your location, you may be subject to different protection standards and broader standards may therefore apply to some. In order to learn more about the protection criteria, please refer to the applicable section below.

Prohibited Jurisdictions. The Services are not available to, and are not intended for, persons located in the United States, the United Kingdom or other prohibited jurisdictions as identified in our Terms of Service (collectively, “Prohibited Jurisdictions”). We do not knowingly collect Personal Data from, or provide Services to, persons located in Prohibited Jurisdictions. If we become aware that a user is located in a Prohibited Jurisdiction, we will take steps to terminate access and delete any associated Personal Data. Notwithstanding the foregoing, to the extent that any data protection laws of any jurisdiction apply to the processing of your Personal Data, we will comply with such laws as applicable.

This Policy is drafted to comply with the following data protection laws, to the extent applicable:

• The E.U. General Data Protection Regulation (EU) 2016/679 (“EU GDPR”);
• The GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland (“UK GDPR”) (collectively with the EU GDPR, the “GDPR”);

For the purposes of compliance with the GDPR, we are the data controller of information we collect from data subjects through the Services. For the purposes of this Policy, “data subject” means an identified or identifiable natural person.

If you have any questions about this Policy, please contact us as directed below.

2. Definitions

“Account” means an account or profile of a User that is registered with Promis or connected to the Services, including through a cryptocurrency wallet.

“Agreement” means this Policy, our Terms of Service, all amendments, addenda, and licenses to each of the Policy and the Terms of Service.

“Content” means all information and other materials present on the Services, including Promis’s products and services, text, images, protocol documentation, financial information, or similar information.

“Controller” means a person or entity who, either alone or jointly, determines the purposes and means of the processing of Personal Data, controls the data, and is responsible for it.

“Data Protection Officer” means the person or entity in charge of the data processing operation.

“Data Subject” means an identified or identifiable natural person.

“Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. For the avoidance of doubt, wallet addresses and on-chain transaction data may constitute Personal Data where they can be linked, directly or indirectly, to an identified or identifiable natural person.

“Processing” means any operation or set of operations performed upon Personal Data.

“Sensitive Personal Data” means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a natural person’s sex life or sexual orientation, as well as government identification numbers and financial account information, as applicable under relevant law.

“User” means a legal or natural person who accesses or uses the Services.

“Visitor” means a legal or natural person who visits the Services without having an Account.

3. Promis as Data Controller / Data Protection Officer

This Policy applies to the information and data collected by Promis as a Controller. For the purposes of the GDPR and other applicable data protection laws, the data controller is Promis Finance Foundation with registered office at Province of Panama, district of Panama, Betania, Vía Ricardo J. Alfaro, PH The Century Tower, office 317.

Should you have questions or requests regarding your Personal Data, you may contact Promis’s Data Protection Officer at any time at data@promis.fi. You may also write to us at: Province of Panama, district of Panama, Betania, Vía Ricardo J. Alfaro, PH The Century Tower, office 317.

4. Collection of Personal Data

The information we collect depends on your interactions with us, the choices you make, the products and features you use, your location, and applicable laws. We may collect or receive information directly from you, or we may receive information through your use of our Services, such as IP addresses, wallet addresses, and telemetry data.

We may collect several types of information from and about Users of the Services, including:

Accounts and Personal Information. You may choose to interact with our Services, and we may collect certain personal information from you in order to provide services and facilitate protocol participation. When you interact with us through our Services, we may request Personal Data. Personal Data may include your name, phone number, email address, postal address, username, password, and age.

Wallet and Blockchain Data. When you connect a cryptocurrency wallet to the Services, we collect your public wallet address. We may also collect transaction data associated with your wallet to the extent such data is publicly available on the blockchain or provided to us through the Services. On-chain data (including public addresses and transaction hashes) may be open to forensic analysis and can potentially be combined with other data to re-identify individuals. Because public blockchains are not controlled by Promis, we cannot modify, delete, or erase on-chain data once it is published.

Know Your Customer (KYC) / Know Your Business (KYB). If applicable, we or our third-party verification providers may collect information as part of KYC or KYB procedures, including government-issued identification documents, proof of address, and other identity verification information. Any information collected during the KYC/KYB process will be used solely for the purpose of completing identity and business verification procedures and retained as long as required by applicable laws and regulations.

Requests for Support; Contact Forms. To contact us for more information or to request support via the Services, you will need to provide your contact information (e.g., full name, postal address, email address, phone number) as applicable and the subject matter in which you are interested.

Third-Party Links and Websites. Our Services may provide links to third-party applications, products, services, or websites for your convenience and information. If you access those links, you will leave our Services. We do not control those third-party sites and services or their privacy practices, which may differ from our practices. We do not endorse or make any representations about third-party sites. Any information you choose to provide to, or that is collected by those third parties is not covered by this Policy.

Social Media and Community Channels. We may maintain a presence on social media platforms, including but not limited to Discord, X, Telegram, and similar platforms. If you interact with us through social media, the operators of the respective social networks may record that you are on the Services and may use this information. This processing of your personal data is the responsibility of these individual social media platforms and occurs according to their respective privacy policies.

Information Collected Automatically. As you navigate through and interact with our Services, we may use automatic data collection technologies to collect information that may include Personal Data. Information collected automatically may include:

• Internet protocol (“IP”) addresses assigned to the computers and other devices from which you access the Internet;
• Your Internet service provider (“ISP”);
• Device ID numbers and unique identifiers;
• Your media access control (“MAC”) address;
• Your operating system and computer screen resolution;
• Your web browser type;
• The pages you access on the Services;
• The websites you access before and after visiting the Services;
• The length of time you spend on the Services;
• Date and time stamps and clickstream data;
• Your approximate geographic location;
• Performance statistics and usage data; and
• Wallet connection events and interaction logs.

Geolocation and VPN Detection Data. We use third-party services, including but not limited to GeoComply, to identify and block users located in Prohibited Jurisdictions. In connection with this, we may collect geolocation data and VPN detection signals to enforce geographic restrictions on the Services.

Sanctions and Compliance Screening Data. We use third-party services, including but not limited to TRM Labs, to screen wallet addresses against sanctions lists and for connections to illicit activity. In connection with this screening, we may process wallet addresses, transaction histories, and risk scores.

The types of Personal Data we have collected, used, stored, and disclosed include the following categories of information:

We do not knowingly collect Sensitive Personal Data about you unless you provide it or it is required by law for compliance purposes (e.g., as part of KYC procedures performed by a third-party provider). Sensitive Personal Data, if collected, is handled in accordance with applicable law.

5. Legal Basis for Collecting Your Personal Data

Our legal basis for collecting and using your Personal Data will depend on the Personal Data concerned and the specific context in which we collect it. However, we will normally collect Personal Data from you only where:

Performance of a contract: We need your Personal Data to perform or prepare a contract with you, including to provide the Services.

Legitimate interests: The processing is in our legitimate interests and is not overridden by your data protection interests or fundamental rights and freedoms. Our legitimate interests include operating and improving the Services, ensuring network security, preventing fraud, and enforcing our terms and policies.

Legal obligation: We have a legal obligation to collect or process your Personal Data, such as compliance with anti-money laundering regulations, sanctions screening, or other legal requirements.

Consent: We have your consent to do so. Where we rely on consent, you have the right to withdraw your consent at any time.

Your consent to our Terms of Service and this Policy also constitutes the legal basis upon which we may collect your Personal Data, to the extent permitted by applicable law.

6. Purposes for Which We Collect Personal Data

Promis uses the information we collect for the following purposes:

Provide Our Services. To provide the services we offer, to communicate with you about your use of our Services, to respond to your inquiries, to provide troubleshooting, and for other support designed to make your experience better.

Protocol Operations. To facilitate staking, liquidity provision, token minting, and other protocol-related functions.

Compliance and Security. To enforce geographic restrictions, screen wallets against sanctions lists, detect and prevent fraud, block VPN access from Prohibited Jurisdictions, and comply with applicable legal and regulatory requirements.

Analytics and Improvement. To help us operate our Services more efficiently, to gather broad demographic information, to monitor the level of activity on our Services, and to improve our Services.

Communications. To send you updates, notifications, and other informational communications related to the Services. Where permitted by applicable law, we may send promotional communications; you may opt out of these at any time.

Legal and Regulatory. To comply with applicable laws, regulations, legal processes, or governmental requests; to enforce our terms and policies; and to protect our rights, privacy, safety, or property.

7. How We Share and Disclose Personal Data

We do not sell your Personal Data to third parties. We may share or disclose your Personal Data in the following circumstances:

Service Providers. We may employ third-party companies and individuals to administer and provide the Services on our behalf, including but not limited to GeoComply (geolocation and VPN detection), TRM Labs (sanctions and wallet screening), hosting providers, analytics services, and customer support tools. These service providers are authorized to use your Personal Data only as necessary to provide services to us and are contractually obligated to protect your information.

Affiliates. We may share your Personal Data with our affiliated entities for the purposes described in this Policy.

Law Enforcement, Safety, and Legal Processes. We may disclose your Personal Data to law enforcement or other government officials if it relates to a criminal investigation or alleged criminal activity. We may also disclose your Personal Data: (i) if required or permitted to do so by law; (ii) for fraud protection and risk reduction purposes; (iii) in the good-faith belief that such action is necessary to protect our rights, interests, or property; (iv) in the good-faith belief that such action is necessary to protect your safety or the safety of others or the public; or (v) to comply with a judicial proceeding, court order, subpoena, or other similar legal, arbitration, or administrative process.

Any Other Party with Your Consent. We may disclose your information to other third parties with your consent.

8. Cookies and Tracking Technologies

The servers used to operate and provide the Services may collect data pertaining to you and the equipment, software, and communication methods you use to access the Internet and the Services.

Cookies. A cookie is a small data file that is transferred to an internet browser, which enables the Services to remember and customize your subsequent visits. We may use session cookies to make it easier for you to navigate the Services. Session cookies expire when you close your browser. We may also use persistent cookies to track and target your interests to enhance your experience on the Services. Persistent cookies remain on your device for an extended period of time. You may refuse to accept cookies by adjusting your browser settings; however, if you do so, some features of the Services may not function properly.

Web Beacons. Some parts of the Services and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us, for example, to count users who have visited those parts or opened an email and for other related statistics.

Analytics. We may use third-party analytics services to help us understand how Users engage with the Services. These services may use cookies and similar technologies to collect information about your use of the Services and report trends without identifying individual visitors.

Do Not Track. Some internet browsers may transmit “do-not-track” signals to websites with which the browser communicates. The Services do not currently respond to these “do-not-track” signals. You may use other privacy tools to manage your tracking preferences.

9. International Data Transfers

Your information, including Personal Data that we collect from you, may be transferred to, stored at, and processed by us and our affiliates and other third parties outside the country in which you reside, including but not limited to Panama, the Cayman Islands, and other locations where our service providers operate. Data protection and privacy regulations in those countries may not offer the same level of protection as in your jurisdiction.

Where required by applicable law, your prior consent will be obtained for such transfers, or we have ensured that Personal Data included in such transfer is adequately protected through the use of contractual clauses or other adequate measures under such applicable laws, including:

• Standard Contractual Clauses approved by the European Commission;
• Standard Contractual Clauses approved by the UK Information Commissioner’s Office;
• Certifications recognized by the European Commission or ICO (as appropriate);
• Binding Corporate Rules that have been approved by the European Commission/ICO and deemed to ensure adequate protection; or
• Other lawful transfer mechanisms available under applicable data protection law.

If none of these transfer bases are available, we may transfer subject to appropriate derogations under applicable data protection law. Please contact us if you want further information on the specific mechanism used by us when transferring your Personal Data, including the then-current transfer basis used to authorize transfers to specific third parties.

10. Data Retention

We retain Users’ Personal Data while you maintain an account or profile with us or for as long as necessary to provide the Services and to satisfy the purposes described in this Policy. Thereafter, we retain Personal Data for as long as reasonably necessary: (i) to respond to inquiries from Users; (ii) to demonstrate that we treated Users fairly; (iii) for ordinary business continuity and backup procedures; (iv) to comply with legal, regulatory, tax, accounting, or reporting obligations; and (v) to enforce our rights and agreements.

When we no longer have an ongoing legitimate business need to process your Personal Data, we will delete or anonymize it within a reasonable period. When we choose to anonymize information, we take commercially reasonable efforts to ensure that the information cannot be linked back to you or any specific user. If deletion is not possible (e.g., backups), we will securely store and isolate it from further processing until deletion is possible.

Blockchain Data. Deletion of blockchain data is not possible. On-chain records are immutable and beyond Promis’s control. Your rights to deletion or correction under applicable laws may not be fully realizable with respect to data stored on public blockchains.

11. Data Subject Rights

Depending on your location and applicable law, you may have certain rights regarding your Personal Data. While the availability of these rights varies by jurisdiction, and subject to all applicable limitations, exemptions, and exceptions, they may include:

• Right to Access: You may have the right to request a copy of the Personal Data we hold about you.
• Right to Rectification: You may have the right to request that we correct any inaccurate or incomplete Personal Data.
• Right to Erasure: You may have the right to request that we delete your Personal Data.
• Right to Restrict Processing: You may have the right to request that we restrict processing of your Personal Data.
• Right to Object to Processing: You may have the right to object to our processing of your Personal Data.
• Right to Data Portability: You may have the right to receive your Personal Data in a structured, commonly used, and machine-readable format.
• Right Not to Be Subject to Automated Decision-Making: You may have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant effects.
• Right to Withdraw Consent: Where we rely on consent as the legal basis for processing, you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing based on consent before its withdrawal.
• Right to Lodge a Complaint: You may have the right to lodge a complaint with a competent data protection supervisory authority.

To exercise these rights, please contact us using the information provided in the “Contact Information” section below. We will respond to your request within the applicable timeframe required under applicable law. We may need to verify your identity before processing your request.

12. Children’s Privacy

The Services are not intended for use by minors under the age of eighteen (18) and are not targeted to children. We do not knowingly collect Personal Data from children under 18. If we learn that we have collected or received Personal Data from a child under 18 years of age without verification of parental consent, we will take steps to delete that information. If you believe we have inadvertently collected information from a child, please contact us immediately.

13. Security

The security and confidentiality of your Personal Data is important to us. We use commercially reasonable administrative, technical, and physical security measures to protect your Personal Data from unauthorized or unlawful access, use, modification, destruction, loss, alteration, and/or disclosure. These measures include, but are not limited to, data minimization, access controls, encryption of data in transit and at rest (as applicable), logging and monitoring of systems and access, and conducting due diligence on vendors who may process or store Personal Data on our behalf.

However, no data transmitted over or accessible through the internet can be guaranteed to be 100% secure. As a result, while we attempt to protect your Personal Data, we cannot guarantee or warrant that your Personal Data will be completely secure (i) from misappropriation by hackers or from other nefarious or criminal activities, or (ii) in the event of a failure of computer hardware, software, or telecommunications networks.

We require third parties acting on our behalf or with whom we disclose your information to provide security measures in accordance with industry standards and in compliance with contractual obligations, their privacy and security obligations, and any other appropriate confidentiality and security measures. We are not responsible for the privacy and security practices of such third parties outside of the information we receive from or disclose to them.

You are responsible for maintaining the security of your wallet credentials, private keys, and seed phrases. Promis will never ask you for your private keys, seed phrases, or two-factor authentication codes. Never share these with anyone.

14. Blockchain and Immutability

Public blockchains are distributed ledgers intended to immutably record transactions across decentralized networks. On-chain data (including public addresses and transaction hashes) may be open to forensic analysis and can potentially be combined with other data to re-identify individuals. Because blockchains are not controlled by Promis, we cannot modify, delete, or erase on-chain data once it is published. Your rights to deletion or correction under applicable laws may not be fully realizable with respect to data stored on public blockchains.

15. SPAM

We do not participate in bulk email solicitations that you have not consented to receiving. We do not sell or disclose customer lists or email address lists to unrelated third parties. Except as otherwise provided herein, we do not share Personal Data with any third-party advertisers.

16. Modifications and Updates

We reserve the right to update this Policy in our sole discretion. If our privacy practices change materially in the future, we will post an updated version of the Policy on the Services. We will notify you of material changes by updating the “Last Updated” date at the bottom of this Policy and/or through a notice on the Services. It is your responsibility to review this Policy for any changes each time you use the Services. Your continued use of the Services after we make changes is deemed to be acceptance of those changes.

17. Contact Information

If you have questions about this Policy or wish to contact us with questions or comments, please contact us at:

Promis Finance Foundation Attn: Data Protection Officer Province of Panama, district of Panama, Betania, Vía Ricardo J. Alfaro, PH The Century Tower, office 317 contact@promis.fi