Privacy Policy
Version 2.0.0 · Effective Date: April 25, 2026
Note: This is a working version pending outside-counsel review. Customers with active Services Agreements will be notified by email at least thirty (30) days before any material change becomes effective.
1. Introduction
UTXOS Pte. Ltd. (UEN 202542261H) (“UTXOS”, “we”, “us”, or “our”) is a Singapore-incorporated company committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, transfer, and safeguard personal data when you use our services, including our Wallet-as-a-Service and Transaction Sponsorship products and related websites (together, the “Services”).
This Policy applies under the Singapore Personal Data Protection Act 2012 (“PDPA”) and, where applicable, the EU and UK General Data Protection Regulation (“GDPR”).
2. Controller and Processor Roles
For personal data we collect directly from you when you visit our website or sign up for an account, UTXOS acts as the data Controller.
For end-user personal data that our business Customers (e.g., developer organizations) collect through applications built on the UTXOS Services, our Customer is the Controller and UTXOS acts as the Processor, subject to a Data Processing Agreement made available under the applicable Services Agreement.
3. Information We Collect
3.1 From you (Controller capacity)
- Account identifiers from your social login (Google sub, Apple sub, Discord ID, Twitter/X ID)
- Email address from your OAuth provider profile
- Account preferences and settings
3.2 From end users (Processor capacity, on behalf of Customers)
- OAuth provider user ID (Google sub, Apple sub, Discord ID, Twitter/X ID)
- Email address from OAuth profile
- Cardano wallet public address
- Transaction hashes and timestamps
- Usage logs (request metadata, IP address, timestamps) for fraud prevention and service operation
3.3 Cookies and Tracking Technologies
We do not use cookies for advertising or cross-site tracking. We use only essential cookies required for authentication and session management.
4. Legal Bases for Processing (GDPR Article 6)
Where GDPR applies, we process personal data on the following legal bases:
- Performance of contract (Art. 6(1)(b)) — to create and operate wallets, sponsor transactions, and manage your account
- Legitimate interests (Art. 6(1)(f)) — fraud prevention, security monitoring, and service improvement
- Consent (Art. 6(1)(a)) — for any optional marketing communications you opt into
- Legal obligation (Art. 6(1)(c)) — where required by Singapore law, EU law, or other applicable law
5. How We Use Your Information
- Providing and maintaining the Services (account management, wallet operation, transaction sponsorship)
- Customer support and communications about service updates
- Detecting and preventing fraud, abuse, and security incidents
- Complying with legal and regulatory obligations
- With your consent, sending you marketing and product updates
6. Sub-processors and Third-Party Sharing
We engage third-party sub-processors to deliver the Services. Our current sub-processor list is published at utxos.dev/subprocessors. We provide at least fourteen (14) days’ prior notice before adding or replacing a sub-processor; Customers may object on reasonable data-protection grounds within the notice period.
In addition, certain authentication is performed by independent Authentication Partners (Google, Apple, Discord, Twitter/X) under their own privacy policies; these providers act as independent Controllers with respect to your interactions with their authentication services.
We do not sell your personal data.
7. Blockchain Data
Some data processed by the Services is committed to the public Cardano blockchain (e.g., transaction records). On-chain data is by design immutable and publicly visible, and cannot be deleted from the ledger.
Consistent with applicable regulatory guidance on processing personal data through blockchain technology, when you exercise a deletion right, UTXOS will delete the off-chain linkage data (including OAuth identifiers, email addresses, and wallet-address mappings) such that the on-chain data is no longer attributable to an identified or identifiable natural person.
8. Data Security
We implement technical and organisational measures appropriate to the risk, including:
- Wallet private-key material protected using cryptographic key-sharing techniques
- Encryption at rest for user data and developer-controlled wallet keys
- Role-based access controls and audit logging on administrative systems
- Periodic third-party security assessments
- Documented incident response procedures
9. Personal Data Breach Notification
Breach-notification obligations between UTXOS and Customers, and any notifications to supervisory authorities, are set out in the applicable Services Agreement and applicable law.
10. Data Retention
We retain off-chain personal data for the duration of your use of the Services plus thirty (30) days after termination, after which it is deleted or anonymised in accordance with our Data Processing Agreement. On-chain data is retained per Section 7 (off-chain linkage deleted on request).
11. Your Rights
11.1 Under GDPR (where applicable)
- Access — request a copy of your personal data
- Rectification — correct inaccurate or incomplete data
- Erasure (“right to be forgotten”) — subject to the limits described in Section 7
- Restriction — limit processing in certain circumstances
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
- Automated decision-making — opt out of solely automated decisions with legal effect (we do not currently make such decisions)
- Lodge a complaint with your supervisory authority
11.2 Under Singapore PDPA
- Access to and correction of personal data (PDPA Sections 21 and 22)
- Withdrawal of consent (PDPA Section 16) — subject to legal or contractual restriction
- Lodge a complaint with the Personal Data Protection Commission (https://www.pdpc.gov.sg)
To exercise any of these rights, contact us at privacy@utxos.dev. We will respond within the timeframes required by applicable law.
12. International Data Transfers
UTXOS Pte. Ltd. is incorporated in Singapore. Our infrastructure is hosted in the United States via Vercel Inc. and Prisma Data, Inc.
Where personal data of EEA or UK data subjects is transferred to UTXOS in Singapore, the transfer is made under the EU Standard Contractual Clauses (Module 2, Controller-to-Processor), incorporated by reference in our Data Processing Agreement. Onward transfers to United States sub-processors are governed by each sub-processor’s own data-processing agreement and standard contractual clauses.
Singapore PDPA Section 26 transfer requirements are met by ensuring all sub-processors are bound to comparable standards of protection.
13. Children’s Privacy
The Services are not directed to children. We do not knowingly collect personal data from individuals under the age of consent in their jurisdiction (which is generally thirteen (13) years of age, or sixteen (16) where required by GDPR). If we become aware that we have collected such data, we will delete it promptly.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. For material changes, we will provide thirty (30) days’ prior notice by email to your registered contact and by updating the Effective Date above.
15. Data Protection Officer and Contact
For privacy questions, complaints, or to exercise your rights:
- Email: privacy@utxos.dev
- Postal: UTXOS Pte. Ltd., Singapore
By using the Services, you acknowledge that you have read and understood this Privacy Policy.