Privacy Agreement

(version: 2025.11.12)

ZooFi Labs Limited ("Company", "we", "us" or "our") provides Service that facilitate interactions with the Protocol that serves as a non-custodial stablecoins transfer infrastructure.

This Privacy Notice forms part of our general Terms of Use. By accepting the Terms of Use, you also agree to the terms of this Privacy Notice. Unless otherwise defined, capitalised terms used in this Privacy Notice shall bear the same meaning as those defined in the Terms of Use. In this Privacy Notice, the term “you” or “your” means any person who has provided or will provide personal data to us.

This Privacy Notice describes how we collect, store, use and share your personal data in relation to your use of the Service.

1. Our privacy principles

   1. To preserve the confidentiality of all personal data provided to us, we maintain the following principles:

      1. We will only collect information that we believe to be relevant and required for the purposes set out in this Privacy Notice.

      2. We use your information to provide you with better Service.

      3. We may pass your information to third parties, as permitted by law.

      4. We will not disclose your information to any external organisation unless we have your consent or are required by law or have previously informed you.

      5. We may be required from time to time to disclose your information to governmental or judicial bodies or agencies or our regulators, but we will only do so under proper authority.

      6. We aim to keep your information up-to-date and retain your information only for such periods as necessary.

      7. We maintain strict security systems designed to prevent unauthorised access to your information by anyone, including our staff.

      8. We, all our staff and all third parties with permitted access to your information are specifically required to observe our confidentiality obligations.

   2. By maintaining our commitment to these principles, we will ensure that we respect the inherent trust that you place in us.

2. Personal data we collect

   1. Here’s the personal data we may collect in relation to your use of the Service:

      1. We may collect account information, such as your email address and login information.

      2. We may collect verification information about you. We may collect, generate and use certain information about you such as your email address, your geographic data and location data based on your mobile or other electronic device, attributes of the mobile or other electronic device you are using, connection information (such as the name of your mobile operator, ISP or other service provider, browser type and IP address), and information about how you use the Service in connection with our fraud detection and prevention procedures.

      3. We may collect activity data about your use of the Service. This includes transaction records and log files generated through your use of the Service.

      4. We may collect certain limited payment information about you such as your cryptocurrency wallet address.

      5. We may collect correspondence with you related to your use of the Service (such as when you contact us).

      6. From time to time, we may collect general or specific feedback and testimonials from you. For example, this might include written comments and quotes, and information you share with us.

      7. We may collect and generate general usage data in relation to your use of the Service, including data which we obtain through our, or our service providers’, analytics tracking systems. This might include your IP address, geographical location, operating system, length of visit, and other interactions with and uses of the Service, including information about the timing, frequency and pattern of those interactions and that use. We may associate this data with an advertising identifier that we generate or use which distinguishes you as a user from others.

   2. We may additionally receive information about you from business partners or co-branding partners. We may obtain information about you from the public domain.

3. What we do with your personal data

   1. We may use your personal data for the following purposes or as otherwise described at the time of collection:

      1. Service delivery and operations

         We may use your personal data to: (1) provide the Service and operate the App; (2) tailor the Service to your needs; (3) set up and manage your account and profile on the App; (4) keep you informed about the App and the Service, including sending announcements related to services, updates, security notifications, and support or administrative messages; (5) gain insight into your preferences and interests to customise your experience with the App, Service, and our communications; (6) assist with the App and Service addressing your inquiries, concerns, and feedback; and (7) perform deduplication checks to prevent multiple account registrations.

      2. Research and development

         We may employ your personal data for research and development efforts, such as evaluating and enhancing the App, Service, and our business, as well as creating new offerings and services. In doing so, we might generate aggregated, de-identified, or anonymised data from the personal information we gather. This process involves stripping away details that could link the data back to you personally. We may utilise this aggregated, de-identified, or anonymised data and share it with third parties for legitimate business or research purposes. Neither we nor any third parties we share this data with will attempt to trace it back to you.

      3. Analytics and service improvement

         1. We may utilise your usage data to gain insights into how you interact with the App and use the Services. This helps us refine the App and our overall business by supporting various research and analytical efforts. Additionally, we could use your data to experiment with new technologies and methods aimed at improving the experience for you and other users when engaging with the App and our Service.

         2. Occasionally, we may also use your data for staff training and development purposes.

      4. Marketing and advertising

         1. Direct marketing communications: we (and our service providers acting on our behalf) may use your data to send you details about offers and services provided by us, the Group, or our co-branding, rewards or loyalty programme partners, if you have consented (which includes an indication of no objection). You can opt out of our direct marketing communications at any time.

         2. Online marketing and advertising to others: if we have gathered feedback or testimonials from you, we might incorporate them into our marketing and advertising efforts (like ads or social media posts) to promote our brand.

      5. Compliance and protection

         1. Legal and regulatory compliance: We may use your personal data to meet obligations, requirements and arrangements, whether compulsory or voluntary, of the Company or its affiliates (together, the “Group”) to comply with or in connection with: (1) any law, regulation, judgment, court order, voluntary code, sanctions regime applicable to any Group entity and under any applicable jurisdiction (“Laws”); (2) any guidelines, guidance, rules or codes of practice or requests given, published or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, relevant stock exchange, self-regulatory or industry bodies or associations of financial service providers under any jurisdiction, and any international guidance, internal policies or procedures; (3) any present or future contractual or other commitment with any legal, regulatory, judicial, administrative, public or law enforcement body, or governmental, tax, revenue, monetary, court or other authorities, relevant stock exchange, self-regulatory or industry bodies or associations of financial service providers or any of their agents with jurisdiction over any Group entity (together the “Authorities” and each an “Authority”) that is assumed by, imposed on or applicable to any Group entity; (4) any agreement or treaty between an Authority and any Group entity; and (5) any Group entity defending or responding to any legal, governmental, or regulatory or quasi-governmental related matter, action or proceeding (including any prospective action or legal proceeding).

         2. Sanctions, AML/CTF and related compliance programmes: We may use your personal data to comply with any obligations, requirements, policies, procedures, measures or arrangements of any Group entity and/or any other use of data and information in accordance with any Group-wide programmes for compliance with sanctions or prevention or detection of money laundering, terrorist financing, bribery, corruption, tax evasion, fraud, evasion of economic or trade sanctions and/or acts or attempts to circumvent or violate any Laws relating to these matters.

         3. Consolidated supervision and risk management: We may use your personal data to facilitate consolidated supervision of the Group for the conduct of internal audit and the performance of risk management.

         4. Protection of rights and fraud prevention: We may use your personal data to: (1) confirm your identity to prevent fraud and documenting the verification steps we have taken, including using data for deduplication checks to ensure you are a unique user and to prevent fraudulent account creation; (2) safeguard the rights, privacy, safety, or property of the Group, you, or others (including by pursuing or defending against legal claims); (3) review our internal procedures to ensure compliance with legal, contractual, or internal policy standards; (4) uphold the terms and conditions that regulate the App and Service; and (5) prevent, detect, investigate, and discourage fraudulent, harmful, unauthorised, unethical, or illegal actions.

         In the table below, we have set out our purposes for using your personal data and the legal basis on which we do it. Where required, our legal bases for processing your personal data are:

         1. where we need to perform a contract that we are about to enter into or have entered into with you (“Contractual Necessity”);

         2. where it is necessary for our (or a third party’s) legitimate interests, and your interests and fundamental rights do not override those interests (“Legitimate Interests”);

         3. where we need to comply with a legal or regulatory obligation (“Compliance with Law”); and

         4. where we have your specific consent to carry out the processing for the Purpose in question (“Consent”).

Account information Activity data Payment information Correspondence Usage data	Contractual Necessity Where Contractual Necessity does not apply: Legitimate Interests We have a legitimate interest in conducting our business.	Service delivery and operations, including to: enable you to register to use the Service; provide you with the use of the Service; communicate with you in relation to your use of the Service; and perform our obligations under the Terms of Use.
Verification information	As part of our general fraud detection and prevention procedures: Legitimate Interests We have a legitimate interest in preventing fraud on, and maintaining the security of, the App and the Service. To conduct deduplication checks and keep a record of deduplication checks: Legitimate Interests We have a legitimate interest in preventing fraudulent account creation, as well as fraudulent, harmful, unauthorised, unethical, or illegal actions.	Verification checks, including to: prevent fraud and unauthorised or illegitimate use of the Service; perform deduplication checks to prevent multiple accounts; and keep a record of the checks we have done.
Activity data Correspondence Feedback and testimonials Usage data	Legitimate Interests: We have a legitimate interest in improving our Service. Consent, where consent is required under applicable data protection or privacy laws.	Research and development; improvement of Service and other content based on analysing user behaviour.
Account information	Legitimate Interests: We have a legitimate interest in promoting our products and services and sending or displaying marketing communications for that purpose. Consent, in circumstances or in jurisdictions where consent is required under applicable data protection or privacy laws for the sending of any given marketing communications.	Direct marketing communications.
Feedback and testimonials	Legitimate Interests We have a legitimate interest in promoting our products and services.	Using your feedback and testimonials in our marketing and advertising materials.
Any and all data types	Legitimate Interests We have a legitimate interest in using privacy-preserving techniques to analyse user behaviour	Creation of aggregated, de-identified and/or anonymised data.
Any and all data types	Compliance with Law Where Compliance with Law is not applicable: Legitimate Interests We have a legitimate interest in participating in, supporting, and following legal process and requests, including through co-operation with authorities. We may also have a legitimate interest in ensuring the protection, maintenance, and enforcement of our rights, property and/or safety.	Compliance and protection, including to comply with applicable laws and legal processes, protect ours and others’ rights, audit our processes for legal and contractual compliance, and identify and prevent harmful, unauthorised or illegal activity.

1. How we share your personal data

   1. Service providers, suppliers, and contractors: We may disclose your personal data to other service providers, suppliers, or contractors in connection with the uses described above.

   2. Affiliates and Group entities. We may disclose your personal data to any Group company and to any agent, contractor, sub-contractor, or associate of the Company or any Group company (including their respective employees, officers, agents, contractors, service providers, and professional advisers) for any of the purposes described in this Privacy Notice or for purposes directly related to the operation of our business.

   3. Partners in co-branding, rewards, or loyalty programs: We may disclose your personal data to our partners, co-branding entities, or third-party providers that operate rewards, loyalty, or similar promotional programs with us. We share only the personal data that is reasonably necessary to administer the program, deliver benefits to you, or fulfil your requests in connection with such programs.

   4. Professional advisors: We may disclose your personal data to our professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.

   5. Authorities and others: We may disclose your personal data to law enforcement, Authorities, and private parties as we believe in good faith to be necessary or appropriate for compliance and protection purposes.

   6. Business transferees: We may disclose personal data in the context of actual or prospective business transactions; for example, we may need to share certain personal data with prospective counterparties and their advisers. We may also disclose your personal data to an acquirer, successor, or assignee of the Company as part of any merger, acquisition, sale of assets, or similar transaction, and/or in the event of an insolvency, bankruptcy, or receivership in which personal data is transferred to one or more third parties as one of our business assets.

1. How long we keep your personal data

   1. We only retain your personal data for as long as we need it for the purposes described above and as permitted by law.

   2. However, there are some reasons that we need to keep your data for longer. For example:

      1. to comply with the law or to fulfil any financial reporting obligations;

      2. to demonstrate our compliance with relevant laws, legal terms and policies;

      3. in connection with an outstanding issue, complaint, dispute or claim;

      4. where it’s necessary for our legitimate business interests, such as preventing fraud or illegitimate activity and enhancing security for other users.

   3. We may create anonymised or aggregated records relating to demography or the use of the Service, from which no individual is identifiable, and we may keep those records indefinitely.

2. Your rights

   1. You may have rights under certain data protection laws to the extent they apply. In summary, these may include:

      1. the right to access: you may have the right to confirmation as to whether or not we process your personal data and, where we do, to access the personal data, together with certain additional information;

      2. the right to rectification: you may have the right to have any inaccurate or incomplete personal data about you rectified or completed;

      3. the right to erasure: in some circumstances you may have the right to the erasure of your personal data (for example, if the personal data are no longer needed for the purposes for which they were processed or if the processing is for direct marketing purposes);

      4. the right to restrict processing: you may have the right to restrict the processing of your personal data to limit its use. Where processing has been restricted, we may continue to store your personal data and will observe the restrictions on processing except to the extent permitted by law;

      5. the right to object to processing: you may have the right to object to our processing of your personal data on the basis of legitimate interests (discussed above) or for direct marketing purposes and if you do so we will stop processing your personal data except to the extent permitted by law;

      6. to withdraw your consent: where we rely on consent as the legal basis to process your personal data, you can withdraw that consent at any time. (Please note that withdrawing your consent does not impact the lawfulness of any processing of your personal data based on that consent prior to you withdrawing it); and

      7. the right to complain to a supervisory authority: if you consider that our processing of your personal data is unlawful, you may have a legal right to lodge a complaint with your local data protection authority.

   2. You can submit requests to exercise these rights by contacting us. We may request specific information from you to help us confirm your identity and process your request. Whether or not we are required to fulfil any request you make will depend on a number of factors (e.g., why and how we are processing your personal data, where you are located, etc.). Further, please note that, in accordance with applicable laws, we may have the right to charge a reasonable fee for processing any such requests.

3. Security

   1. We provide and maintain stringent security measures to protect our systems, and the information and personal data retained therein, including:

      1. use of firewalls and network segregation to protect unauthorised access;

      2. regular review of our information collection, use, storage and processing practices;

      3. restriction of access to personal data to relevant employees on a “need-to-know” basis; and

      4. training to employees on the proper handling of personal data.

         Nevertheless, all internet and information technologies carry inherent security risks, and we cannot fully ensure the safety of your personal data.

   2. While the internet is not an inherently secure environment for communications, we continuously review and apply industry best practices to protect and secure this channel throughout our systems. The level of security on your personal device and the general measures you take in handling your own digital data are equally important. In most cases, an imprudent transmission and handling of sensitive data such as confidential documents, password, personal identifiers etc. would facilitate unauthorised access resulting in a data breach. Hence, we remind you to be cautious when using the Service and handling your own sensitive data.

4. Revisions

   1. We continuously track legal developments, add new product features, and work to enhance our processes, which may lead us to update this Privacy Notice periodically. Where required under applicable law, we will obtain your consent to such changes, otherwise, your continued use of our Service after any such updates take effect will constitute acceptance of those changes. If you do not accept any updates to this Privacy Notice, you should stop using our Service.