Privacy Policy

Last Updated: June 2026

At Crypto.com Onchain, protecting your privacy is fundamental to our ethos. This Privacy Policy ("Policy") describes how Onchain Wallet Limited ("we", "us", or "our") collects, uses, shares, and protects your personal data when you use the Crypto.com Onchain mobile application, web application, self-custodial software wallet, and related services (collectively, the "Services").

CRITICAL NON-CUSTODIAL DISCLAIMER: Because our core product is a self-custodial wallet, we DO NOT collect, store, transmit, or have access to your private keys, wallet passcode, or backup recovery phrase (Seed Phrase). All cryptographic secrets remain encrypted locally on your personal device.

1. Controller and Contact Details

1.1. Data Controller. For the purposes of the Cayman Islands Data Protection Act (DPA), the General Data Protection Regulation (GDPR), and other applicable data privacy laws, the data controller is Onchain Wallet Limited, incorporated in the Cayman Islands.

1.2. Data Protection Officer (DPO). We have appointed a Data Protection Officer to oversee compliance with this Policy. If you have questions about this Policy or wish to exercise your legal data rights, please contact our DPO at: dpo@crypto.com.

1.3. Minors. The Services are strictly not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If we discover we have inadvertently collected such data, we will securely delete it.

2. Information We Do Not Collect

To ensure your security and privacy, the following information is generated locally on your device and is never transmitted to our servers:

  • Private Keys & Seed Phrases: Your cryptographic keys required to authorize blockchain transactions.
  • Wallet Passcodes: The PIN or biometric signature used to unlock the App locally.
  • Unbroadcast Transactions: Any draft transactions that have not yet been signed and transmitted to the public network.

3. Information We Do Collect

When you interact with specific features of the Services, particularly our fiat ramps and physical card program, we may collect the following categories of personal data:

3.1. Identity and KYC Data. If you apply for a physical or virtual debit card, or utilize fiat-to-crypto bridging services, you will be required to provide: full legal name, date of birth, residential address, email address, phone number, government-issued identification documents (e.g., passport, driver's license), and biometric facial scans (liveness checks). This data is required by law for Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) compliance.

3.2. Public Blockchain Metadata. When you use the Wallet to interact with blockchains, we may temporarily cache or index public data associated with your wallet address, including public wallet addresses, asset balances, transaction hashes, and smart contract interactions. This data is already publicly visible on decentralized ledgers.

3.3. Technical and Usage Data. To maintain security and optimize performance, our servers may log: IP addresses, device identifiers (e.g., IMEI, MAC address), operating system versions, browser types, crash reports, and anonymized interaction telemetry.

3.4. Support Communications. If you contact our customer support team, we collect your email address, support ticket history, and any attachments or context you voluntarily provide to help resolve your issue.

4. The Blockchain Reality and Erasure Limitations

4.1. Public Ledger Immutability. You must be aware that blockchains (e.g., Ethereum, Bitcoin, Base) are public, decentralized, and immutable ledgers. When you broadcast a transaction via the Wallet, the transaction metadata (including your public address and the transaction amount) is permanently recorded on the blockchain.

4.2. Inapplicability of Erasure Rights to Blockchains. Because we do not own, control, or operate these decentralized networks, we are technologically unable to edit, redact, or delete data written to the blockchain. Therefore, your legal right to erasure (the "right to be forgotten") under GDPR, CCPA, or the DPA does not apply to on-chain transaction data. Your data rights apply exclusively to the off-chain data stored directly on our private, centralized servers.

5. How We Use Your Data and Lawful Bases

We process your personal data only when we have a valid lawful basis to do so:

  • Performance of a Contract: To provide the Services, facilitate card issuance, deliver customer support, and ensure the functionality of the App.
  • Legal Obligations: To perform mandatory KYC/AML checks, screen against international sanctions lists, and report suspicious activities to regulatory bodies as mandated by law.
  • Legitimate Interests: To monitor and prevent fraud, conduct security audits, analyze technical metrics to improve the App, and defend against legal claims.
  • Consent: To send you optional marketing communications or collect non-essential telemetry. You have the right to withdraw your consent at any time.

6. Data Sharing and Third-Party Sub-Processors

We do not sell your personal data to advertisers. We only share data with trusted third parties necessary to operate the Services:

  • Compliance and Identity Partners: Third-party KYC providers (e.g., Sumsub, Onfido) to verify your identity.
  • Financial Issuers: Licensed banking partners who issue and manage the physical/virtual debit cards.
  • RPC Nodes and Infrastructure: Providers who broadcast your transactions to the blockchain (e.g., Infura, Alchemy). Note: We attempt to proxy requests to hide your IP address from nodes where technically feasible.
  • Law Enforcement: We may disclose your data to government authorities if required by a valid subpoena, court order, or binding legal request.

7. International Data Transfers

As a global service, your personal data may be transferred to, and processed in, jurisdictions outside of your home country, including outside the European Economic Area (EEA) or the Cayman Islands. When we conduct such transfers, we ensure appropriate safeguards are implemented, such as the European Commission's Standard Contractual Clauses (SCCs), to guarantee a level of data protection equivalent to your local laws.

8. Your Legal Rights

Depending on your jurisdiction (e.g., under GDPR, CCPA, or Cayman Islands DPA), you possess specific rights regarding your server-side personal data:

  • Right to Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request the correction of inaccurate or incomplete data.
  • Right to Erasure: Request the deletion of your off-chain data (e.g., support tickets), subject to strict statutory financial retention periods.
  • Right to Restrict or Object: Object to our processing of your data based on legitimate interests or direct marketing.
  • Right to Data Portability: Request your data in a structured, commonly used, machine-readable format.

To exercise these rights, email dpo@crypto.com. You also have the right to lodge a formal complaint with your local data protection supervisory authority or the Cayman Islands Ombudsman (https://ombudsman.ky).

9. Security and Data Retention

9.1. Security Measures. We implement robust, industry-standard technical and organizational measures (including AES-256 encryption, TLS protocols, and strict access controls) to safeguard your server-side data from unauthorized access, loss, or alteration.

9.2. Retention Periods. We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Policy. Specifically, identity verification and compliance records associated with the Card program are retained for a minimum of five (5) to seven (7) years following the termination of your account, as strictly required by international AML laws and financial auditing regulations.

10. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in legal requirements or our operational practices. The updated version will be indicated by an updated "Last Updated" date at the top of this page. We encourage you to review this Policy periodically.