Privacy Policy

Liquid Bitcoin Staking Platform — Effective Date: September 25, 2025

  1. Introduction & Scope

    BITS Blockchain Inc. ("BITS," "we," "us," or "our") is a Wyoming company that operates a non-custodial, liquid staking platform for Bitcoin ("BTC") and supported wrapped BTC assets (e.g., wBTC, cbBTC) on networks including, but not limited to, Bitcoin mainnet and EVM chains such as Core, Ethereum, Base, and BNB. This Privacy Policy explains how we collect, use, share, and protect personal information when you use our websites, applications, smart-contract interfaces, and related services (collectively, the "Services"). By using the Services, you acknowledge that you have read and understand this Policy.

    We comply with applicable data-protection laws, including the U.S. federal and state privacy regimes and, where applicable, the EU/EEA General Data Protection Regulation (GDPR) and the UK Data Protection Act. This Policy applies globally to information processed by BITS when you access the Services from any location.

  2. Who We Are & Our Roles

    Controller. BITS is the data controller for personal information it processes directly to operate the Services, such as account administration, transaction telemetry, platform security, support communications, and compliance record-keeping.

    Independent Compliance Provider (Self-Service Users). For self-service onboarding, know-your-customer/anti-money-laundering (KYC/AML) checks are performed by an independent third party, the Core Foundation. You submit identity data directly to that provider; BITS generally receives only the verification outcome (e.g., pass/fail, risk flags) and limited metadata necessary to provide the Services.

    Institutional/Bespoke Arrangements. For institutional users utilizing custodial Account Control Agreements (ACAs), KYC/AML may be performed by BITS or a designated provider, and custody may be handled by approved custodians such as BitGo or COBO. Those entities act as independent controllers of any personal data they process in their services. The specific party acting as controller or processor will depend on the arrangement's documentation.

  3. Personal Data We Collect

    We collect the following categories of information to provide and secure the Services:

    • Wallet, blockchain, and transaction information: public addresses, transaction hashes, deposit/withdrawal amounts and timestamps, staking activity, network and asset type (e.g., BTC, wBTC, cbBTC). Public blockchain data is inherently public and immutable.
    • Account and contact information: name, username, email, phone, mailing address, organization (if applicable), and communications you send to us (e.g., support tickets).
    • Identity verification data: for self-service onboarding, the Core Foundation (or another designated provider) collects identity documents, images/selfies for liveness, proof-of-address, sanctions screening and PEP checks. BITS stores verification status and limited attributes required for compliance; we do not store biometric identifiers from self-service verification.
    • Institutional/custody information: where a custodian (e.g., BitGo, COBO) is used under an ACA, we may receive account-level metadata necessary to reconcile deposits/withdrawals and fulfill compliance obligations.
    • Technical and usage data: IP address, device and browser type, operating system, language, time zone, referral URLs, page interactions, and basic telemetry for fraud prevention and security.
    • Cookies and local storage: strictly necessary cookies/local storage for session management and security; we do not presently use third-party advertising or analytics cookies. If this changes, we will provide notice/consent tools.
    • Information from service providers: results of sanctions/KYC screening, blockchain-analytics risk signals (e.g., exposure to sanctioned addresses), and fraud-prevention indicators.
    • Public or community interactions: forum or social media handles you share with us, and any content you publicly post on our channels.

  4. How We Use Personal Data

  5. Legal Bases for Processing (EEA/UK Users)

    • Performance of a contract: to provide the Services you request (account administration, deposits, staking, redemptions).
    • Legal obligations: KYC/AML, sanctions screening, record-keeping, and regulatory reporting.
    • Legitimate interests: platform security and fraud prevention, service improvement, and basic communications (balanced against your rights).
    • Consent: where required (e.g., certain marketing or optional cookies). You may withdraw consent at any time.

  6. How We Share Personal Data

    We do not sell personal information and we do not share it for cross-context behavioral advertising. We disclose data only as follows:

    • Compliance/KYC provider: the Core Foundation (self-service) processes identity data and returns verification outcomes to BITS.
    • Custodians under ACAs: BitGo, COBO (and future approved custodians) may process limited personal data as independent controllers.
    • Cloud, IT, and support vendors: hosting, email, ticketing, and operations tools under data-processing agreements.
    • Blockchain-analytics and sanctions-screening services: to assess on-chain risk signals and comply with legal requirements.
    • Affiliates and corporate transactions: intra-group transfers and disclosures in mergers, acquisitions, or similar events.
    • Legal/regulatory disclosures: to courts, regulators, or law enforcement where required by law or to protect rights.
    • With your direction or consent: for integrations you authorize or where you request us to share information.

  7. International Data Transfers

    We operate in the United States and may transfer personal data internationally. For EEA/UK data, we use appropriate safeguards such as the European Commission Standard Contractual Clauses (and the UK International Data Transfer Addendum) and implement technical/organizational measures to protect your data.

  8. Data Security

    • Encryption in transit, role-based access controls, MFA, least-privilege policies, logging and monitoring, and vulnerability management.
    • Vendor due diligence and contractual security obligations.
    • Incident response procedures and legal notifications where required.

    No system is perfectly secure; risks remain with any online service.

  9. Data Retention

    We retain personal data only as long as necessary for the purposes described or as required by law. Typical retention periods include: KYC/AML and sanctions records for at least five (5) years; transactional records for at least five (5) years; support correspondence for as long as needed to resolve the matter; and longer where legal holds apply. Public blockchain data is permanent and outside our control. We may maintain backups for service resilience.

  10. Your Rights & Choices

    • Access, rectification, erasure, restriction, portability, and objection (EEA/UK where applicable).
    • Right to withdraw consent where processing relies on consent.
    • U.S. state privacy rights (e.g., CA/VA/CO/CT/UT): request access/deletion/correction, and opt out of "sale" or "sharing" (we do not sell or share).
    • Marketing choices: you can opt out of marketing emails at any time using provided links.

  11. Cookies & Tracking

    We currently use only strictly necessary cookies/local storage for security and session management. We do not presently deploy third-party analytics or advertising cookies. If this changes, we will update this Policy and, where required, obtain your consent and provide a preference center.

  12. Non-Custodial & On-Chain Considerations

    Smart contracts are non-custodial. Transactions and wallet addresses recorded on public blockchains are transparent and immutable. We cannot edit or erase on-chain records; where feasible, we delink our internal records from an address upon verified erasure requests.

  13. Third-Party Sites & Services

    Links or integrations to third-party wallets, custodians, DEXs/bridges, or community platforms are provided for convenience. Those services are governed by their own privacy policies; we encourage you to review them.

  14. Children's Privacy

    The Services are intended for adults (18+). We do not knowingly collect personal information from children. If we learn a child has provided personal data, we will delete it and close associated access.

  15. Changes to This Policy

    We may update this Policy to reflect changes in our Services or legal requirements. We will notify you of material changes via the website or email (where feasible). The "Effective Date" above indicates when the latest version took effect.

  16. Contact Us

    Privacy inquiries and rights requests: privacy@bits.financial

    Mailing address: BITS Blockchain Inc., 30 N Gould St Ste R, Sheridan, WY 82801, USA

Appendix A — U.S. State Privacy Notice (including California CCPA/CPRA)

Categories collected: identifiers (e.g., name, email, IP, wallet address), commercial and financial information (transactions, deposits, withdrawals), internet activity (site/app usage), geolocation (coarse via IP), compliance data (KYC outcome, sanctions flags), and inferences (risk scores used for fraud/security). Sources: you, your device/browser, public blockchains, and service providers. Purposes: to provide Services, security/fraud prevention, legal compliance (KYC/AML/sanctions), support, and product improvement. Disclosures: to service providers/processors (cloud/IT, support, blockchain analytics), compliance providers, custodians, affiliates, and legal authorities as described above. We do not sell personal information and we do not share personal information for cross-context behavioral advertising.

Right to know/access, delete, correct, and opt out of sale/sharing: you (or an authorized agent) may submit requests to privacy@bits.financial. Verification is required. We will not discriminate against you for exercising your rights.

Appendix B — Role Map & Data-Flow Summary

  • Self-Service Onboarding (non-custodial): user → Core Foundation (KYC/AML controller) → BITS (receives verification outcome; controller for platform operations).
  • Institutional/Bespoke (ACA with custodians): user/entity → designated KYC provider (controller) and custodian (independent controller) → BITS (controller for platform operations and limited reconciliation data).
  • Supported assets: BTC mainnet; wrapped BTC variants (e.g., wBTC, cbBTC) on EVM chains (Core, Ethereum, Base, BNB).
  • Staking model: BITS (rebasing) and wBITS (non-rebasing wrapper). Yield initially in Core and deferred QBITS entitlements; no withdrawal waiting period in the initial iteration (subject to change with notice).

Version History

September 25, 2025: Comprehensive rewrite to reflect liquid staking model, self-service KYC via Core Foundation, optional custodial ACAs with BitGo/COBO, BTC mainnet & multi-chain support, and updated U.S./GDPR disclosures.