This policy is effective as of November 28, 2024.

Welcome and thank you for utilizing, visiting, or considering Zero Hash – a digital asset, cryptocurrency, and blockchain infrastructure platform – as your modern financial services provider. We at Zero Hash (the Zero Hash entities listed in Section XI below, referred to here as “Zero Hash,” “we”, “us,” or “our”) respect and protect the privacy of those who explore our Services (“Users”) and Users who sign up for and access our Services (“Customers”) (together referred throughout this policy as “you” and “your”).

This Privacy Policy describes how we collect, use, and share personal information when you explore, sign up for or access our Services, which include any Services offered on or through our websites, including without limitation zerohash.com, or when you use the Zero Hash application programming interface (“API”), software development kit (“SDK”), or a third party application relying on such APIs or SDKs (together, the “Apps”) and any related services.

Because we collect, use, and are responsible for certain personal information about Users or Customers in numerous jurisdictions, we are subject to various laws in the United States and other jurisdictions, including the EU’s General Data Protection Regulation (“EU GDPR”) which applies across the European Union and its United Kingdom GDPR equivalent (“UK GDPR” and collectively with EU GDPR, “GDPR”). Please see the Appendices to this Privacy Policy for terms specific to the following jurisdictions:

• Appendix A: United States Privacy Notice (including California)
• Appendix B: Brazil Privacy Notice

If you reside outside of the United Kingdom (“UK”) and the European Economic Area (the “EEA”), accessing and using our Services means that you accept this Privacy Policy and its terms.

If you are a job applicant or prospective candidate, please refer to our separate Applicant Privacy Notice, available at Appendix C.

It is important that you understand how we use your information. You should read this page in full, but below are the key highlights and some helpful links:

• We may collect data that identifies or is associated with you ("personal information" or “PII”) when you access or use our websites, blogs, mobile sites, applications, widgets, Apps, APIs, SDKs, and other interactive features, when you register or attend an event organized or hosted by us, or when you otherwise contact us or provide us your PII (our "Services");
• If you do not wish for your personal information to be collected, used, or disclosed as described in this Privacy Policy, or you are under 18 years of age, you should stop accessing our Services;
• We collect and use your personal information in order to provide or improve our Services, protect the security and integrity of our platform, and meet our legal or regulatory obligations;
• We share your information with our affiliates, subsidiaries, and associated entities (the “Zero Hash Group” of companies), our client and the platform that you used to apply for a Zero Hash account and/or use to access our Services (“Platform”), as well as trusted third party professionals and service providers, in order to offer our Services and fulfill our legal and regulatory requirements;
• We offer privacy opt-out tools for you to request access to or deletion of information we hold about you. You can use these tools by visiting our Support Portal Depending on where you live, you may also have other privacy rights under law, which we address herein; and.
• If you have any questions, please Contact Us on our Support Portal or at [email protected].

I. WHAT INFORMATION WE COLLECT

We collect data about visitors to our websites and any affiliated blogs, mobile sites, or applications; about Users that access, directly or indirectly, our Services or Apps, or any other Users or Customers that attend events organized or hosted by us; and about our clients, including Platforms, (where these are natural persons) or their employees, agents and representatives (and these individuals about whom we collect data are incorporated into any reference to "you" or “your” in this Privacy Policy). Please refer to the below for further information about the personal information we may collect and how it may be used:

A. Information You Provide To Us

B. Information Collected Automatically

C. Information we obtain from Affiliates and Third-Parties

II. HOW WE USE YOUR INFORMATION

We use your personal information to deliver, personalize, operate, improve, create, and develop our Services, to provide you with a secure, smooth, efficient and safe experience, and for legal and regulatory compliance, theft and loss prevention, and anti-fraud purposes. Below is additional information about how we use your personal information and our legal basis for doing so:

A. As Necessary to Perform a Contract with Users

We may use certain information that is necessary to perform our duties under an applicable Zero Hash Group company user agreement (e.g., the Zero Hash & Zero Hash Liquidity Services User Agreement in the United States) or similar customer or end-user agreement or other relevant contract with you. We may need to suspend or terminate our Services or otherwise close your user account if we cannot process your personal information or similar data for these purposes.

B. Data used to comply with our legal obligations

Our Services are subject to laws and regulations – including laws in the local jurisdiction you sign up for or access the Zero Hash Services – that require us to collect, use, and store your personal information in certain ways and for specified periods. If you do not provide and continue to provide access to the personal information as required by law, we may have to suspend or close your account.

C. Data use for our Legitimate Interests

We rely on our legitimate interests or those of third parties (like Platforms, our other Customers and potentially the public) where they are not outweighed by your rights. In certain jurisdictions – including the EEA and UK – you may have the right to object to, and seek the restriction of this processing.

D. Data use based on your consent

When we use your information based on your consent, you have the right to withdraw your consent at any time on a go-forward basis (which will not affect our prior use of your data, based on your previously given consent). Please see our Privacy Opt Out or contact Customer Support to make changes to your consent preferences.

E. Data use to protect your or others’ vital interests

If you reside outside the UK or EEA, the legal bases on which we rely in your country may differ from those listed above.

III. HOW AND WHY WE SHARE YOUR INFORMATION

We work with service providers, partners and other third parties to help us provide our Services, and as a result we need to share certain information with these third parties. Here’s how:

A. Affiliates

Personal information that we process and collect may be transferred between Zero Hash Group companies, Services, and personnel affiliated with us as a normal part of conducting business and offering our Services to you and to comply with our legal or regulatory obligations. See Section XI. for a list of our affiliated companies.

B. Platform Third Party

Personal information that we process and collect may be transferred between Zero Hash and the Platform which you use to sign up for and/or access the Zero Hash Services as a normal part of conducting business and offering our Services to you and to comply with our respective legal or regulatory obligations. Please note that when you use the Platform’s other services and products, which are not governed by this Privacy Policy, the Platform's own terms and privacy policies will govern your use of those services and products.

C. Linked Third Party Websites or Applications

When you utilize certain Services that use third-party services or websites (e.g., AML/KYC services, pay with crypto, withdrawal services, etc.) that are linked through to our Services, the providers of those services or products may receive information about you that Zero Hash, you, or others share with them. Please note that when you use third-party services or websites, which are not governed by this Privacy Policy, their own terms and privacy policies will govern your use of those services and products.

D. TRUST

TRUST is a global, secure, and industry-driven solution designed to comply with a requirement known as the Travel Rule while protecting your security and privacy. Zero Hash and other custodial cryptocurrency exchanges and financial institutions share certain basic information about their customers when sending funds over a certain amount to another financial institution. To learn more, see Travel Rule FinCEN Advisory.

E. Professional advisors, industry partners, authorities and regulators

We may share your information described in Section I. with our professional advisors, regulators, tax authorities, law enforcement, government agencies, Platforms, and industry partners to:

• respond pursuant to applicable law or regulations, court orders, legal process or government requests;
• comply with our reporting and information sharing obligations with industry partners (e.g., other Virtual Asset Service Providers (“VASPs”) and regulatory authorities)
• detect, investigate, prevent, or address fraud and other illegal activity or security and technical issues; and
• protect the rights, property, and safety of our Users, Customers, the Zero Hash Group, or others, including to prevent death, imminent bodily harm, or exploitation.

F. Asset Transfer or Company Acquisition

We may choose to buy or sell assets, and may share and/or transfer information about our Users or Customers in connection with the evaluation of and entry into such transactions. Also, if we (or our assets) are acquired, merged, reorganized, or if we go out of business, enter bankruptcy, or go through some other change of control or similar event, your personal information could be one of the assets transferred to the acquiring party.

G. Third-Party Service Providers

We work with third-party service providers to help us provide our Services. When we share information with third-party service providers in this capacity, we require them to use your information on our behalf in accordance with our instructions and terms and only process as necessary and proper for the limited purpose of the contract. We work with different types of third-party service providers, including:

IV. HOW LONG WE RETAIN YOUR PERSONAL INFORMATION

We retain your information as needed to provide our Services, comply with legal or regulatory obligations, or protect our, your, or others’ vital or necessary interests. While retention requirements vary by country, we maintain internal retention policies on the basis of how information needs to be used. This includes considerations such as when the information was collected or created, whether it is necessary in order to continue offering you our Services, whether we are required to hold the information to comply with our legal obligations, including AML/KYC compliance and other regulatory obligations, whether we need it is necessary to protect a vital interest, or if it meets other information preservation requirements. We also keep certain information where necessary to protect the safety, security and integrity of our Services, Platforms, Customers, and Users. Our third-party electronic identity verification providers collect and retain information, which may include biometric information, for the period required for financial regulatory compliance or otherwise as required by applicable law. They retain this information as described in their respective policies.

In line with these considerations, we delete information that is no longer required or needed for the above purposes when you close your account, or when you request deletion of your information (which you can initiate through our Privacy Opt Out), and delete any other information when permitted pursuant to the above considerations.

V. CHILDREN'S PERSONAL INFORMATION

The Services are not directed to persons under the age of 18, and we do not knowingly request or collect any information about persons under the age of 18. If you are under the age of 18, please do not provide any personal information to any Zero Hash Group company. If a User or Customer submitting personal information is suspected of being under 18 years of age, we will require the relevant Customer or User to close the account, and will take all reasonable steps to delete or purge the individual’s information as soon as possible.

VI. INTERNATIONAL TRANSFERS

To facilitate our global operations, Zero Hash, its Affiliates, third-party partners, and service providers may transfer, store, and process your personal information throughout the world, including Australia, Bermuda, Brazil, Germany, the Netherlands, the UK, and the United States. Further information is available at Appendix D.

If you reside in the EEA, Switzerland, or the United Kingdom, we rely upon a variety of legal mechanisms to facilitate these transfers of your personal information (collectively, “European Personal Data”).

• We rely on the European Commission and the UK Information Commission Office’s Standard Contractual Clauses to facilitate the international and onward transfer of European Personal Data to third countries, including from our EU and UK operating entities to Zero Hash Group entities in the United States. For further information about our standard contractual clauses, please contact [email protected].

• We further rely on exemptions and adequacy decisions provided for under data protection law for our international transfers, including from the European Commission. For example, we operate globally and need to share information with Zero Hash Group companies and to data centers outside the EEA in order to develop and provide Zero Hash Services (Article 49(1)(b) GDPR). In addition, we may rely on certain exemptions for sharing personal information with law enforcement or regulators outside of the EEA in emergency situations (Article 49(1)(f) GDPR).

VII. YOUR PRIVACY RIGHTS AND CHOICES

Depending on where you live, you may be able to exercise certain privacy rights related to your personal information. For any of your privacy rights and choices referenced below, requests relating to your personal information can be made by contacting Customer Support or by submitting a request via our Privacy Opt Out or at [email protected]. If any of the rights listed below are not provided under law for your operating entity or jurisdiction, Zero Hash has absolute discretion in honoring your request regarding these rights.

• Right to access and portability:

  You may request that we provide you a copy of your personal information held by contacting Customer Support, or by submitting a request [email protected].

• Right to rectification:

  You may update or request us to rectify or update any of your personal information held by Zero Hash that is incomplete or inaccurate by logging in to your Platform account and/or Zero Hash account and updating the details in your account profile, by contacting Customer Support, or by submitting a request [email protected].

• Right to deletion/erasure:

  You may request to erase your personal information, subject to applicable law. If you close your Zero Hash Account, we will retain or delete information associated with your account in accordance with our obligations under applicable law and as described in Section IV.

• Right to withdraw your consent:

  To the extent the processing of your personal information is based exclusively on your consent, you may withdraw your consent at any time. The lawfulness of Zero Hash’s processing before you withdraw your consent will not be affected by such withdrawal.

• Right to object to or restrict processing:

  You may have the right to restrict or object to us using or transferring your personal information based on our legitimate interests, in the public interest, or for marketing purposes. We may continue to process your personal information where permitted or required by applicable law. You can opt-out of certain processing or communications by contacting Customer Support, or by submitting a request [email protected].

• Right to non-discrimination:
  We will not discriminate against you for exercising any of your rights provided to you under law.

• Right to lodge a complaint:

  If you reside in the EEA, Switzerland, or the UK, you have the right to lodge a complaint about our practices with respect to your personal information with the supervisory authority of your country or state. In the UK, the relevant data protection authority is the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, +44 (0303) 123 1113, email: [email protected]. In the Netherlands, the relevant data protection authority is the Dutch Personal Data Authority, PO Box 93374, 2509 AJ, The Hague, Netherlands, (+31)0881805250, email: [email protected] or by using the following Online Form.

If you reside in Australia, you may lodge a complaint about our practices with respect to your personal information with the supervisory authority of your country. In Australia, the relevant data protection authority is the Office of the Australian Information Commissioner, and complaints may be made through their website at www.oaic.gov.au.

To protect your privacy and security, we may take steps to verify your identity before complying with your request and we may decline your request if we are unable to verify your identity.

Under certain US data privacy laws, as well as in Brazil, you may also designate an authorized agent to make these requests on your behalf.

These rights are not absolute, and may be denied: (a) when granting access or assisting portability would adversely affect the rights and freedoms of others; (b) to protect our rights and properties; (c) where the request is frivolous, vexatious, or abusive; or (d) as otherwise permitted by law.

VIII. ADDITIONAL PRIVACY NOTICES FOR RESIDENTS OF SPECIFIC JURISDICTIONS

A. If you are a United States Resident, you can learn more about how we use your information and your privacy rights, including rights provided to residents of certain states like California, by reviewing Appendix A: United States Privacy Notice. Any terms defined in the California Consumer Privacy Act (as amended) (“CCPA”) have the same meaning when used in the US Privacy Notice.

B. If you are a Brazilian Resident, you can learn more about how we use your information and your privacy rights by reviewing Appendix B: Brazil Privacy Notice. Any terms defined in the Brazil General Data Protection Law (“LGPD”) have the same meaning when used in the Brazil Privacy Notice.

IX. HOW TO CONTACT US WITH QUESTIONS

If you have questions or concerns regarding this Privacy Policy, or if you have a complaint, please reach out to us at Customer Support or at [email protected], or by writing to us at the address of your Zero Hash service provider, provided in Section XI.

X. CHANGES TO THIS PRIVACY POLICY

We’re constantly trying to improve our Services, so we may need to change this Privacy Policy from time to time as well. We post any changes we make to our Privacy Policy on this page and, where appropriate, we will provide you with reasonable notice of any material changes before they take effect or as otherwise required by law. The date the Privacy Policy was last updated is identified at the top of this page.

We may provide additional specific or immediate disclosures or information about how we collect or use your information in the context of specific Services; these in-product or supplemental notices may supplement or clarify our privacy practices or may provide you with additional information or choices about how we use your information.

XI. OUR RELATIONSHIP WITH YOU

A. If you reside in the EEA or Switzerland, Zero Hash LLC acts as controller with respect to your personal information and has primary responsibility thereto, including with respect to providing you with information and responding to any requests you may make under the GDPR.

B. If you reside in the UK, Zero Hash LLC acts as controller with respect to your personal information and has primary responsibility thereto, including with respect to providing you with information and responding to any requests you may make under the UK GDPR.

C. If you reside in the United States or Canada, Zero Hash LLC acts as controller with respect to your personal information and has primary responsibility thereto, including with respect to providing you with information and responding to any requests you may make under applicable law.

D. If you reside in Australia or New Zealand, Zero Hash Australia Pty LTD acts as controller with respect to your personal information and has primary responsibility thereto, including with respect to providing you with information and responding to any requests you may make under applicable law.

E. If you reside in Brazil, Zero Hash Brazil Limitada acts as controller with respect of your personal information and has primary responsibility thereto, including with respect to providing you with information and responding to any requests you may make under the LGPD.

F. If you reside in any other jurisdiction not other listed in this Section IX, Zero Hash Worldwide LTD acts as controller with respect to your personal information and has primary responsibility thereto, including with respect to providing you with information and responding to any requests you may make under the applicable law, including without limitation the Bermuda Personal Information Protection Act (PIPA).

---

APPENDIX A

United States Privacy Notice

Updated: November 15, 2024

This United States Privacy Notice (“Notice”) is for Zero Hash User or Customers living in the U.S., and clarifies or further describes how we collect, use, and disclose your personal information. This Notice supplements the Zero Hash Global Privacy Policy (“Privacy Policy”). For purposes of the Notice, the terms “personal information” and “sensitive personal information” encompass the terms “personal data” and “sensitive personal data” and have the meaning provided under applicable U.S. state privacy laws, including the California Privacy Rights Act of 2020 (“CCPA”). Any capitalized terms not defined herein shall have the meaning provided in the Privacy Policy.

Continued Use. By continuing to use the Zero Hash Services, Apps, APIs, or SDKs, by accessing or using our websites, or by contacting us on our systems, you agree to this Privacy Policy.

Purpose for Collection and Disclosure of Personal Information. We’ve collected and disclosed the below categories for personal information to create, develop, operate, deliver, and improve our Services, to communicate with you, to ensure the safety, security and integrity of our Services, and for the business and commercial purposes outlined in Section II and Section III of the Privacy Policy. We do not collect, use, or disclose sensitive personal information for purposes other than those specified in this Privacy Policy, to provide the Services, or as permitted under applicable law. In addition, to the extent that Zero Hash de-identifies personal information, we take reasonable measures to maintain and use the information in a de-identified manner and do not make any attempts to re-identify such information, except as permitted under applicable law.

Collection and Disclosure of Personal Information. We collect the below categories of personal information, and disclose the specified types of personal information below (as that data is further referenced and outlined in Section I of the Privacy Policy) with the following categories of third parties:

Collection and Disclosure of Sensitive Personal Information. We collect and disclose the following categories of sensitive personal information, with the following categories of third parties:

Sources of Personal Information. We gather various types of personal information from our customers and individuals who access or use our Services from a range of sources, such as:

• information you give us when you sign up for, or otherwise use our Services;
• information we receive from our Affiliates and third parties; and
• information we collect automatically through cookies and similar technologies (see our Cookie Policy for more information on this type of information).

Selling or Sharing of Personal Information. We share (as that term is defined in the CCPA) identifiers with third party analytics providers or advertising partners, for analytics and advertising purposes.

We do not have actual knowledge that we sell or share the personal information of individuals under 16 years of age.

How Long We Retain Your Personal Information.We retain your information as needed to provide our Services, comply with legal obligations, or protect our or others’ interests. We decide how long we need information on a case-by-case basis.

• Here is what we consider:
  • When the information was collected or created,
  • Whether it is necessary in order to continue offering you our Services,
  • Whether we are required to hold the information to comply with our legal obligations, including AML/KYC compliance or other financial regulatory obligations, or information preservation requirements.
  • We also keep certain information where necessary to protect the safety, security and integrity of our Services, Customers, and Users.

Privacy Rights. Residents of specific states (e.g., California) have certain rights with respect to personal information collected and processed under state privacy laws. You may exercise the following rights, subject to certain exceptions and limitations:

• Right to Know. You have a right to request the following information about our collection, use and disclosure of your personal information, and ask that we provide you with a copy of the following:
  • categories of and specific pieces of personal information we have collected, sold, or shared about you;
  • categories of sources from which we collect personal information;
  • the business of commercial purposes for collecting personal information;
  • categories of third parties to whom the personal information was disclosed for a business purpose; and
  • categories of personal information disclosed about you for a business purpose.
• Right to Correct. You have a right to request that we correct inaccurate personal information maintained about you.
• Right to Delete. You have a right to request that we delete personal information, subject to certain exceptions.
• Right to Opt Out. You have the right to opt out from the “sale” / “sharing” of your personal information, including the processing of your personal information for purposes of targeted advertising.
• Right to Non-Discrimination. We will not discriminate against you for exercising any of these rights.

Exercising Your Rights. You may exercise your rights by contacting us at Customer Support or at [email protected]. We may take steps to verify your identity before complying with your request to protect your privacy and security, and may decline your request if we are unable to verify your identity. To verify your identity, we may collect information such as your email address, government issued ID, or date of birth, before providing a substantive response to the request.

Authorized Agent. Under certain U.S. state privacy laws, you may designate an authorized agent to exercise privacy rights on your behalf. To do so, you must: (1) provide that authorized agent written and signed permission to submit such a request; and (2) verify your own identity directly with us. Please note, we may deny a request from an authorized agent that does not submit proof that they have been authorized by you to act on your behalf.

Appeal. You have the right to appeal Zero Hash’s decision regarding a privacy right request. In order to appeal a declined request, please email [email protected].

Questions. If you have questions or concerns regarding this Notice, or if you have a complaint, please contact us at Customer Support or at [email protected], or by writing to us at the address of your Zero Hash service provider (provided in Section XI of the Privacy Policy.

---

APPENDIX B

Brazil LGPD Notice

Updated: November 15, 2024

This Brazil LGPD Notice (“Notice”) is part of the Zero Hash Privacy Policy and is applicable to Customers, Users, or clients of Zero Hash Brazil Limitada (“Zero Hash” or “Zero Hash Brazil” herein this Section III), a limited company enrolled with the CNPJ No. 46.534.916/0001-22, with its head office at Avenida Brigadeiro Luis Antonio, 300, 10th floor, conjunto 104, in the city of São Paulo, state of São Paulo, CEP 01318-903, which is an affiliate of Zero Hash Holdings Ltd, a US based company.

The purpose of this Notice is to illustrate Zero Hash's commitment to processing data in accordance with its responsibilities under the Law No. 13,709 of August 14th, 2018 - General Data Protection Law (“LGPD”). Zero Hash is committed to protecting the privacy and security of your personal data. The information you share with Zero Hash Brazil and its affiliates worldwide (the “Zero Hash Group”) allows Zero Hash to provide you the best experience with our products and services. Zero Hash has implemented a privacy program to protect all personal data collected and to help Zero Hash properly handle your personal data.

This Notice explains our specific privacy practices in Brazil. Please read this notice together with the Zero Hash Privacy Policy to understand how Zero Hash collects and uses your personal data. Should any terms conflict, the terms of this Notice shall control. Any capitalized terms not defined herein shall have the meaning provided in the Privacy Policy.

If you do not agree with the practices or policies described in this Notice or the Zero Hash Privacy Policy, we ask that you discontinue use of our website or other services. Likewise, both this Notice and Zero Hash Holdings Privacy Policy may change from time to time and your continued use will be deemed to be acceptance of such changes.

Definitions

• Anonymization: Refers to the use of reasonable and available technical means at the time of the processing, through which the data loses the possibility of being directly or indirectly associated with an individual.

• Anonymized data: Data that went through the anonymization process, i.e., related to a data subject who can no longer be identified, considering the use of reasonable and available technical means at the time of the processing.

• ANPD: The National Data Protection Authority, which is the federal public administration body responsible for ensuring the protection of personal data and for regulating, implementing and supervising compliance with the LGPD in Brazil.

• Blocking: Temporary suspension of any processing operation, by means of retention of the personal data or the database

• Consent: Means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by an affirmative action, signifies agreement to the Processing of personal data relating to him or her.

• Controller: A natural person or legal entity, either public or private, that makes decisions about the processing of personal data.

• Data Protection Officer: A person named by the company to act as a channel of communication between the controller, the data subjects and the National Data Protection Authority (ANPD)

• Data subject: Means a natural person, such as an individual, a customer, a prospect, an employee, a contact person, etc, to whom the personal data that are the object of processing refer to.

• Database: Is a structured set of personal data, kept in one or several locations, in electronic or physical support.

• Deletion: Refers to the exclusion of data or a set of data stored in a database, irrespective of the procedure used.

• International transfer of data: Means the transfer of personal data to a foreign country or international organization of which the country is a member. Examples of activities with international data transfer: sharing a database between companies of the same economic group, storing data in data centers located abroad, hiring a cloud computing service provider, among others.

• Operator (or Processor): A natural person or legal entity, either public or private that processes personal data on behalf of the controller.

• Personal data: Any information relating to an identified or identifiable person (data subject).

• Processing: Covers any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation or control of information, modification, communication, transfer, diffusion or extraction.

• Processing Agents: Refers to the controller and the operator (or processor).

• Research body/entity: Means a body or entity from the direct or indirect public administration or nonprofit legal entity of private law, legally organized under Brazilian law, with headquarters and jurisdiction in the Country. This body or entity includes in its institutional mission, in its corporate or statutory purposes basic or applied research of historical, scientific, technological or statistical nature.

• Sensitive personal data: Means the personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data, when related to a natural person.

• Shared use of data: Communication, dissemination, international transfer, interconnection of personal data or shared processing of personal databases by public bodies and entities in compliance with their legal powers, or between these and private entities, reciprocally, with specific authorization, for one or more types of processing allowed by these public entities, or between private entities.

• Third Party means a natural or legal person, public authority, agency or body other than the data subject, controller, operator (or processor) who, under the direct authority of the controller or Processor, are authorized to process personal data.

LGPD Principles

Zero Hash will ensure that all activities of processing personal data are done in good faith and in accordance with the principles defined by the Article 6 of LGPD, as follows:

1. Purpose: processing of personal data needs to be done for a legitimate, specific and explicit purpose of which the data subject is informed, with no possibility of subsequent processing in a way incompatible with these purposes.

2. Adequacy: Personal data shall be processed in a manner that is compatible with the purposes informed to the data subject, in accordance with the context of the processing.

3. Necessity (data minimization): Processing of personal data must be limited to the minimum necessary to achieve its purposes, covering only relevant, proportional and non-excessive data in relation to the purposes for which they are processed.

4. Free access: Guarantee to data subjects an easy and free of charge consultation way about the form and duration of the processing, as well as the integrity of their personal data.

5. Quality of the data (accuracy): Guarantee to data subjects the accuracy, clarity, relevancy and updating of the data, according to the need and for achieving the purpose of the processing.

6. Transparency: Guarantee to data subjects a clear, precise and easily accessible information about the carrying out of the processing and the respective processing agents, subject to commercial and industrial secrecy.

7. Security: Use of technical and administrative measures to protect personal data from unauthorized accesses and accidental or unlawful situations of destruction, loss, alteration, communication or dissemination.

8. Prevention: Adoption of measures to prevent the occurrence of damages due to the processing of personal data.

9. Nondiscrimination: Processing of personal data can not be done for unlawful or abusive discriminatory purposes.

10. Accountability: The data processing has to demonstrate the adoption of measures which are efficient and capable of proving the compliance with the rules of personal data protection, including the effectiveness of such measures.

Lawful Purpose of Processing

All data processed by Zero Hash will be done in accordance with the lawful bases provided by Article 5 of LGPD:

• With your consent¹. Zero Hash will seek consent before using your personal data for commercial purposes, especially when/if the processing involves sensitive personal data. Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent will be kept with your personal data.

• For compliance with legal or regulatory obligations by the controller.

• For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data.

• When necessary for the execution of a contract, agreement or preliminary procedures related to a contract of which you are a party³.

• For the regular exercise of rights in judicial, administrative or arbitration procedures.

• For the protection of life or physical safety of you or a third party, if applicable.

• When necessary to fulfill our legitimate interests controller or of a third party, except when your fundamental rights and liberties which require personal data protection prevail.¹

• For the protection of credit, including as provided in specific legislation.

¹ If we process information based on your consent, you may withdraw such consent at any time, through a free and facilitated procedure. Please contact the Data Protection Officer outlined below to withdraw your consent.

Where communications are sent to you based on your previous consent, the option to revoke your consent (unsubscribe) should be clearly available and systems should be in place to ensure such unsubscription is reflected accurately in Zero Hash’s systems.

² Note that Zero Hash gathers and processes personal data to fulfill its anti-money laundering and know your customer obligations, open and manage your account, and track and monitor account activity. Besides being a regulatory obligation, Zero Hash has determined these activities to be in its legitimate business interest.

³ Zero Hash also processes your personal data in furtherance of the User Agreement you have entered with Zero Hash, including when onboarding you as a customer, funding your account, processing your orders, facilitating transactions, and processing withdrawals. Zero Hash may share your personal data between its affiliated entities, in Brazil or abroad, or with Third Parties, also both in Brazil or abroad, to facilitate these actions, which are necessary in furtherance of your agreement(s) with Zero Hash.

Zero Hash will take reasonable steps to ensure personal data is accurate, so that, where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date, in accordance with the principle of quality of data.

The Data We Collect

Zero Hash collects the data as described in the item “3. Personal Information We Collect About You” of the Zero Hash Privacy Policy, such as, but not limited to:

• Identifying Information, including names, government issued identification, Taxpayer ID number, passport numbers, birth dates, addresses, telephone number, e-mail address, occupation and all other background information necessary for AML/KYC requirements, including a copy of your ID.
• Financial Information, including bank account number(s), transaction history, net worth, account balances, assets and liabilities, wallet address.
• Account Authenticating Information, including hashed representations of account passwords, PINs, and account recovery information.
• Biometric information generated based on photos or videos you provide to verify your identity
• Technical data such as IP address and device fingerprinting.
• Compliance and reputational data, such as news and media search, sanctions and PEP screenings.

Personal Data does not include generic email address or general business information that is not linked to an individual.

How We Collect Your Data

We collect this personal information directly from you – from in person contact, telephone, text, email, text or messaging service, or via our website. However, we may also collect information::

• Automatically via our IT systems or automatic electronic record capture and retention methods (e.g., logs, system files, electronic usage trackers, or cookies)
• From publicly accessible sources (e.g., property records);
• Directly from a third party (e.g., sanctions screening providers, credit reporting agencies, or customer due diligence providers);
• From a third party with your consent (e.g., your bank or platform provider);

Zero Hash may also receive your data indirectly from vendors and third parties when conducting “know your customer” background checks or confirming the personal information you have provided. We only collect information that is reasonably necessary to fulfill the identified purpose. Although you access our services through an application provided by a platform based in Brazil, the data is processed in the United States given that Zero Hash Brazil is an affiliate of a US based company that uses the systems based in the US.

How We Will Use Your Data

Zero Hash will use your data:

• To properly identify you.
• To manage your account(s) with Zero Hash.
• To determine your eligibility for products and services and the products and services of companies with whom we are affiliated.
• To respond to questions, requests, or concerns regarding the products and services provided by Zero Hash.
• To process your orders related to the digital asset trading/custody/settlement/account servicing and related services contracted for.
• To communicate with you and email you with offers on other products and services we think you might like and inform you about the products and services we provide.
• To recruit for positions at Zero Hash.
• To investigate legal claims.
• To detect suspicious activities and protect against fraud, money laundering and other illicit activities.
• To administer Zero Hash websites and any Zero Hash software applications.
• For such purposes for which Zero Hash may obtain your consent from time to time.
• For such other uses as may be permitted or required by law.

Your data may also be anonymized or aggregated to enable Zero Hash to manage its business, develop statistical information, test our performance, or develop products. Anonymized and/or aggregated data will not identify you. Zero Hash does not sell your Personal Data or information.

Sharing Data With Third Parties

Zero Hash may share your Personal Data with Third Parties, both within your jurisdiction and abroad:

• To provide and support Zero Hash's products and services. For example, Zero Hash may submit your information to credit bureaus or KYC vendors for identification purposes.
• To comply with legal obligations, such as responding to regulatory or criminal investigations or mandatory reporting to our regulators.
• To protect you from fraud, abuse, or illegal activity. In such cases, Zero Hash may disclose your information to an appropriate governmental authority or next of kin to prevent illegal or fraudulent activity in your account.
• If, in our best judgment, we believe someone is seeking your information as your agent, with your consent, or if otherwise permitted by law.
• Any other situation or purpose for which Zero Hash obtains your consent to share, as described in the Zero Hash Privacy Policy.

Please note that Zero Hash Brazil, in accordance with LGPD and other Data Protection laws applicable to the Zero Hash Group, has the right to share your personal data without your consent with any national/federal, state, local and international legal, governmental and regulatory entities, authorities and officials in order to cooperate with any investigation or governmental, legal or regulatory proceeding relating to any information collected and/or website content or to any purported unlawful activities of any visitor.

How We Protect Your Data

Zero Hash has many processes and controls in place to protect your personal data. Controls include limiting access to private data and confidential information to authorized employees, service providers, representatives, or agents who have all been made aware of the importance of keeping your information confidential. That is, Zero Hash only allows access to confidential information on a need-to-know basis and appropriate security will be in place to avoid unauthorized sharing of information.
Additionally, Zero Hash uses safeguards that are consistent with the industry standard, including firewalls, data encryption, physical access controls, appropriate back-up and disaster recovery solutions. As stated above, Zero Hash Brazil is an affiliate of a US based company and may store your personal data both in Brazil and in the United States. Data transfers are carried out in accordance with applicable laws and regulations, and transfers to another jurisdiction will also be subject to the laws of the jurisdiction where the data is held.
In the event of a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data, Zero Hash shall promptly assess the risk to people’s rights and freedoms and report the breach, if applicable, to the impacted individual(s) and the ANPD, within the deadline and format defined by the ANPD.

Retention and Deletion

According to LGPD, personal data shall be deleted following the termination of their processing, within the scope and technical limits of the activities, but the storage is authorized for the following purposes:

• Compliance with a legal or regulatory obligation by the controller.

• Study by a research entity, ensuring, whenever possible, the anonymization of the personal data.

• Transfer to third parties, provided that the requirements for data processing as provided in the Law are obeyed

• Exclusive use of the controller, with access by third parties being prohibited, and provided the data has been anonymized.

To ensure that personal data is kept for no longer than necessary, Zero Hash adopts a records retention policy for each area in which personal data is processed and reviews this process periodically.

The records retention policy considers what data should/must be retained, for how long, and why. Your data is only retained for as long as reasonably necessary to fulfill the purpose for which it was collected. Your data will be destroyed or de-identified once no longer necessary or required to be stored by law. When personal data is deleted this must be done safely such that the data is irrecoverable.

Zero Hash Brazil is required by regulators to keep and maintain much of your personal data for prescribed periods from 5 (five) to 10 (ten) years, this last one to comply with AML requirements provided by the Central Bank of Brazil.

Some of your personal data may be deleted prior to the expiration of the above period, if such deletion is permitted by the local laws and regulations.

Marketing

Zero Hash would like to send you information about products and services of ours that we think you might like. If you have agreed to receive marketing, you may opt out at a later date.

You have the right at any time to stop Zero Hash from contacting you for marketing purposes. If you no longer wish to be contacted for marketing purposes, you can unsubscribe through the link available in the communication or submit a request to our data privacy officer through the email: [email protected].

Your Data Protection Rights

• Confirmation of the existence of treatment: In response to this request, we will inform you if we process your Personal Data or not. Note that, if you are an User of our website or any of our services, we necessarily process your Personal Data, as explained in this Notice and in the Zero Hash Privacy Policy.

• The right to access: You have the right to request, free of charge, a copy of your personal data that is processed by us.

• The right to rectification: If you consider that your personal data is incomplete, inaccurate or outdated, you can request the rectification, indicating what needs to be changed and why. It is possible that we request a proof or supporting document to make this change.

• The right to anonymization, blocking or erasure: If you consider that we are processing your Personal Data in an unnecessary and excessive manner or in breach of the LGPD, you can request that the Personal Data be anonymized, blocked or erased, under certain conditions.

• The right to data portability: You can request the transfer of your Personal Data to another service or product supplier, by the means of an express request, pursuant with the regulations of the national authority, and subject to commercial and industrial secrets. The portability does not include data that has already been anonymized.

• The right to deletion: You can request deletion of your personal data processed on the basis of your consent, except in the events of retention of Personal Data prescribed by law.

• The right to obtain information about:

  • Public and private entities with which we share your Personal Data.

  • The possibility of denying consent and the consequences of such denial, when the consent is used as legal basis for processing of personal data.

• The right to Withdraw your consent: If your personal data is processed based on your consent, you can withdraw this consent. With that, any processing of your data that is made based on consent will be interrupted. Please note that we may not be able to offer our services or features of the services without your consent.

• Request the revision of decisions taken based on automated processes: It is possible that decisions are taken based on automated processing of your Personal Data. You have the right to request the review of such decisions that affect your interests, including decisions aimed at defining your personal, professional, consumption and credit profile.

• Right to lodge a complaint before the ANPD.

You can exercise your rights by submitting a request to [email protected].

Note that the rights above can be exercised exclusively by you or your legal representative, upon express request. So, before answering any request for exercise of the abovementioned rights, we can request that you provide us with some information and supporting documentation to confirm and validate your identity.

Cookies

Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information. When you visit our websites, we may collect information from you automatically through cookies or similar technology. You may refuse to accept browser cookies by activating the appropriate setting on your browser. Check the cookies settings information available in the Zero Hash Privacy Policy.

For further information about cookies visit the ANPD Orientation Guide here.

Minors

In the event that our products or services are made available to minors and the processing of personal data of children and teenagers under the age of 18 years old is necessary, it will be necessarily carried out with the specific and prominent parental (or legal guardian) consent. Measures to verify and validate the parent’s or legal guardian identity will also be applied.

Changes to Our Privacy Policy

Zero Hash keeps this Notice and the Zero Hash Holdings Privacy Policy under regular review and will place any updates on this web page. Your continued use of this Website after we make changes is deemed to be acceptance of those changes, so please check the policy periodically for updates

Contact Information

Our Data Protection Officer is available through the email: [email protected]

Contact us if you have any questions or comments regarding this Notice, the Zero Hash Privacy Policy or our privacy practices.

You can find more information about the LGPD here.

---

APPENDIX C

Applicant Privacy Notice

Updated: November 15, 2024

This Applicant Privacy Notice (“Applicant Notice”) explains how Zero Hash collects, uses and discloses personal information during the application and recruitment process. Generally, the personal information we collect from you helps us manage the recruiting and hiring process with you, conduct Zero Hash’s business, and comply with Zero Hash’s legal, regulatory, or contractual obligations. We reserve the right to change any of our policies and practices at any time. Your continued use of the services after any such updates take effect will constitute acknowledgement and (as applicable) acceptance of those changes.

For California resident job applicants, please refer to Appendix A for additional information on the disclosures, rights, and treatment of categories of data collected pursuant to the California Consumer Privacy Act.

I. Personal Information we collect

As used herein, “Personal Information” means information that identifies or is reasonably capable of identifying an individual, directly or indirectly, and information that is being associated with an identified or reasonably identifiable individual.

A. We may collect the following Personal Information directly from you:

• Identification Information, such as name, email, phone number, postal address, government identification numbers; your work permit or visa status;
• Your resume or CV, cover letter, previous and/or relevant work experience or other experience, education, transcripts, or other information you provide to us;
• Data pertaining to work preferences and abilities;
• Job and salary expectations, willingness to relocate, or other job preferences; or
• Sensitive Information,such as gender, gender identity, sexual orientation, religion, marital status, race, ethnicity, whether you are a member of a trade union or a veteran, or have a disability, to the extent you provide us such information.

Additional safeguards are in place for processing of Sensitive Information. We will only collect and use ‘Sensitive Information’ in cases where: (i) we have your explicit consent, (ii) is necessary for legal compliance, (iii) you have manifestly made such information available to us, (iv) it is necessary for reasons of substantial public interest, or (v) it is necessary for the exercise or defense of our legal rights. When you choose to provide any such Sensitive Information, it will not be used in the hiring decision unless specifically permitted by law.

B. We may collect the following Personal Information automatically:

• Online Identifiers, such as IP address; domain name;
• Device Information, such as hardware, operating system, browser;
• Usage Data, such as your interaction with us, our recruiting applications or our recruiting posts on other platforms; or
• Geolocation Data.

Our automatic collection of Personal Information may involve the use of Cookies, described in greater detail below

C. We may collect the following Personal Information from third parties:

• Information from references or background checks (as applicable);
• Information you make available publicly (e.g., your LinkedIn profile);
• Information related to any assessment you may take as part of the interview process;
• Immigration information from immigration advisors in the course of filing work permit or visas (as applicable).

II. How we use Your Personal Information

We will use your Personal Information for our recruitment process, including:

• Evaluating your candidacy, such as assessing your skills, qualifications and interests against our career opportunities;
• Verifying your information, by carrying out reference checks and/or conducting background checks (as applicable) if you are offered a job;
• Communicating with you about the recruitment and on-boarding process;
• Providing immigration assistance, such as facilitating filing of any necessary visas or work permits (as applicable);
• Improving our recruiting processes, to enhance our tools and improving diversity in our recruiting;
• Complying with applicable law and other obligations, legal processes or other government requests; or
• Complying with applicable internal governance processes such as meeting record-keeping obligations and conducting audit.

For residents of European Economic Area or the United Kingdom, we process personal data subject to applicable law on one or more of the following legal bases:

• Contractual obligation: As necessary to potentially enter into an employment contract with you;
• Legal obligation: For compliance with applicable legal obligations or in connection with legal claims;
• Legitimate Interest: For our legitimate interest in improving our recruitment process (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms); or
• Consent: Where we have your explicit consent.

III. Who may have access to your information

Your Personal Information will only be shared where lawful to do so and for legitimate business purposes. We will not sell or share your Personal Information with third parties, except as described below:

• Affiliates: We may share your Personal Information with our affiliates and our employees, for the purposes outlined above.
• Service Providers: We may share your Personal Information with third-party service providers to perform some of the services described above. We share your Personal Information with these service providers only so that they can provide us with services, and we prohibit our service providers from using or disclosing your Personal Information for any other purpose. Our third-party service providers are subject to strict confidentiality obligations.
• Law Enforcement: We may be compelled to share your Personal Information with law enforcement, government officials, or regulators.
• Corporate Transactions: We may disclose Personal Information in the event of a proposed or consummated merger, acquisition, reorganization, asset sale, or similar corporate transaction, or in the event of a bankruptcy or dissolution.
• Professional Advisors: We may share your Personal Information with our professional advisors, including legal, accounting, or other consulting services for purposes of audits or to comply with our legal obligations.
• Consent: We may share or disclose your information with your consent.

IV. International transfer of Personal Data

Zero Hash operates internationally with many of our systems based in the United States. Therefore, we may need to transfer your Personal Data to other affiliates or third parties to fulfill the purposes described herein. When we transfer your personal data outside the country (or jurisdiction where relevant) in which you are located, we endeavor to ensure safeguards are implemented such as: (i) adequacy decisions; (ii) suitable Standard Contractual Clauses; or (iii) other valid transfer mechanisms.

V. Cookies

When you access Zero Hash, we may make use of the standard practice of placing tiny data files called cookies, flash cookies, pixel tags, or other tracking tools (herein, “Cookies”) on your computer or other devices used to visit Zero Hash’s website or job postings. We may use Cookies for various purposes, such as to enforce our terms, prevent fraud, and analyze your use and interaction with Zero Hash. Please see our Cookies Policy for more information.

We may make use of third-party Cookies or analytics services. Third-party tracking technologies are not controlled by us, and statements regarding our practices do not apply to these third-parties or their use of information. We make no representations regarding the policies or practices of such third parties. You may be able to opt out of the practices of some of these third parties if they are members of the Network Advertising Initiative (“NAI”) by visiting http://www.networkadvertising.org/choices or if they participate in the Digital Advertising Alliance (“DAA”) by visiting http://www.aboutads.info/choices. We are not responsible for effectiveness of or compliance with any third-parties’ opt-out options.
You also can learn more about cookies by visiting https://www.allaboutcookies.org, which includes additional useful information on cookies and how to block cookies on different types of browsers and mobile devices. Please note that if you reject Cookies, you will not be able to use some or all of our website or postings.

VI. Our retention of your information

We will retain personal information in accordance with the Company’s data retention schedule for various purposes described herein, including for consideration for future roles, to analyze and improve our recruiting practices, to protect Zero Hash from potential legal claims and as required by applicable law or regulation. If you are offered and accept employment with the Company, the information collected during the application and recruitment process will become part of your employment record.

VII. Your rights in respect of your information

In certain countries, you may have certain rights under applicable privacy laws. This may include the right to request access, obtain or to update your information, request that it be deleted or anonymized, or object to or restrict us using it for certain purposes.

If you wish to submit a request to access, obtain or delete your personal information, please contact [email protected]. We will respond to any requests in accordance with applicable law. We are legally obligated to verify your identity when you submit a request. We may request additional information from you to verify your identity.

If you are a European Economic Area or a United Kingdom resident and you believe that we have not adequately resolved any such issues, you have the right to contact [email protected] or your local supervisory authority.

---

APPENDIX D

International Transfers

Updated: November 15, 2024

To facilitate our global operations, Zero Hash, its Affiliates, third-party partners and service providers may transfer, store, and process your personal information throughout the world. Below is a list of geographic locations where your information may be transferred:

• Australia

• Argentina

• Bermuda

• Brazil

• Canada

• European Union

• New Zealand

• Philippines

• Switzerland

• United Kingdom

• United States